System Configuration – Virtual Wire Pair – FortiOS 6.2

Virtual Wire Pair

A virtual wire pair consists of two interfaces that do not have IP addressing and are treated like a transparent mode VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded to the other interface, provided a virtual wire pair firewall policy allows this traffic. Traffic from other interfaces cannot be routed to the interfaces in a virtual wire pair.

Virtual wire pairs are useful for a typical topology where MAC addresses do not behave normally. For example, port pairing can be used in a Direct Server Return (DSR) topology where the response MAC address pair may not match the request’s MAC address pair.

Sample topology

In this example, a virtual wire pair (port3 and port4) makes it easier to protect a web server that is behind a FortiGate operating as an Internal Segmentation Firewall (ISFW). Users on the internal network access the web server through the ISFW over the virtual wire pair.

To add a virtual wire pair using the GUI:

  1. Go to Network > Interfaces.
  2. Click Create New > Virtual Wire Pair.
  3. Select the Interface Members to add to the virtual wire pair.

These interfaces cannot be part of a switch, such as the default LAN/internal interface.

  1. If desired, enable Wildcard VLAN.

To add a virtual wire pair using the CLI:

config system virtual-wire-pair edit “VWP-name”

set member “port3” “port4” set wildcard-vlan enable/disable



To create a virtual wire pair policy using the GUI:

  1. Go to Policy & Objects > IPv4 Virtual Wire PairPolicy.
  2. Click Create New.
  3. Select the direction that traffic is allowed to flow.
  4. Configure the other fields.
  5. Click OK.

To create a virtual wire pair policy using the CLI:

config firewall policy edit 1 set name “VWP-Policy” set srcintf “port3” “port4” set dstintf “port3” “port4” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set utm-status enable set fsso disable



This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.