System Configuration – Virtual Wire Pair – FortiOS 6.2

Virtual Wire Pair

A virtual wire pair consists of two interfaces that do not have IP addressing and are treated like a transparent mode VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded to the other interface, provided a virtual wire pair firewall policy allows this traffic. Traffic from other interfaces cannot be routed to the interfaces in a virtual wire pair.

Virtual wire pairs are useful for a typical topology where MAC addresses do not behave normally. For example, port pairing can be used in a Direct Server Return (DSR) topology where the response MAC address pair may not match the request’s MAC address pair.

Sample topology

In this example, a virtual wire pair (port3 and port4) makes it easier to protect a web server that is behind a FortiGate operating as an Internal Segmentation Firewall (ISFW). Users on the internal network access the web server through the ISFW over the virtual wire pair.

To add a virtual wire pair using the GUI:

  1. Go to Network > Interfaces.
  2. Click Create New > Virtual Wire Pair.
  3. Select the Interface Members to add to the virtual wire pair. These interfaces cannot be part of a switch, such as the default LAN/internal interface.
  4. If desired, enable Wildcard VLAN.

To add a virtual wire pair using the CLI:

config system virtual-wire-pair
    edit "VWP-name"
        set member "port3" "port4"
        set wildcard-vlan enable/disable
    next
end

To create a virtual wire pair policy using the GUI:

  1. Go to Policy & Objects > IPv4 Virtual Wire Pair Policy.
  2. Click Create New.
  3. Select the direction that traffic is allowed to flow.
  4. Configure the other fields.
  5. Click OK.

To create a virtual wire pair policy using the CLI:

config firewall policy
    edit 1
        set name "VWP-Policy"
        set srcintf "port3" "port4"
        set dstintf "port3" "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set fsso disable
    next
end
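The two CLI fragments above use "all" addresses and the "ALL" service, which lets anything cross the pair in both directions. The following is an added example, not part of the original page or of Fortinet's documentation, that puts both steps together for the sample topology (internal users reaching a web server behind the ISFW): the pair is created, and the policy is then scoped to a single direction, a single destination host and only the web services, with UTM and logging enabled. The port names port3 and port4 come from the page; the pair name "ISFW-VWP", the policy ID 10, the user subnet 10.1.0.0/16 and the web server address 10.10.10.20 are assumed values chosen for illustration, and "default" and "certificate-inspection" are the names of profiles that ship with FortiOS 6.2.

```fortios
# Added example (not from the original page). Assumed values: pair name,
# policy ID 10, user subnet 10.1.0.0/16, web server 10.10.10.20.

# 1. The virtual wire pair itself. Wildcard VLAN stays off unless the
#    pair must carry tagged traffic.
config system virtual-wire-pair
    edit "ISFW-VWP"
        set member "port3" "port4"
        set wildcard-vlan disable
    next
end

# 2. Address objects so the policy does not need "all" on either side.
config firewall address
    edit "internal-users"
        set subnet 10.1.0.0 255.255.0.0
    next
    edit "web-server"
        set subnet 10.10.10.20 255.255.255.255
    next
end

# 3. One-way policy: listing only port3 as source and port4 as destination
#    is the CLI form of the direction selector shown in the GUI steps.
#    Return traffic of an accepted session is handled by the session
#    table, so no reverse policy is needed for the web server to answer.
config firewall policy
    edit 10
        set name "VWP-users-to-web"
        set srcintf "port3"
        set dstintf "port4"
        set srcaddr "internal-users"
        set dstaddr "web-server"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
        set fsso disable
    next
end
```

Anything that does not match this policy, including connections started from the server side toward the users, hits the implicit deny on the pair and is dropped; with `logtraffic all` the accepted sessions are logged as well, which gives a record of what actually traversed the wire when reviewing the deployment later.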

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
