Virtual Wire Pair
A virtual wire pair consists of two interfaces that do not have IP addressing and are treated like a transparent mode VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded to the other interface, provided a virtual wire pair firewall policy allows this traffic. Traffic from other interfaces cannot be routed to the interfaces in a virtual wire pair.
Virtual wire pairs are useful in topologies where MAC addresses do not behave in the usual way. For example, port pairing can be used in a Direct Server Return (DSR) topology, where the MAC address pair on the response may not match the MAC address pair on the request.
Sample topology
In this example, a virtual wire pair (port3 and port4) makes it easier to protect a web server that is behind a FortiGate operating as an Internal Segmentation Firewall (ISFW). Users on the internal network access the web server through the ISFW over the virtual wire pair.
To add a virtual wire pair using the GUI:
- Go to Network > Interfaces.
- Click Create New > Virtual Wire Pair.
- Select the Interface Members to add to the virtual wire pair.
These interfaces cannot be part of a switch, such as the default LAN/internal interface.
- If desired, enable Wildcard VLAN.
To add a virtual wire pair using the CLI:
```
config system virtual-wire-pair
    edit "VWP-name"
        set member "port3" "port4"
        set wildcard-vlan {enable | disable}
    next
end
```
To create a virtual wire pair policy using the GUI:
- Go to Policy & Objects > IPv4 Virtual Wire Pair Policy.
- Click Create New.
- Select the direction that traffic is allowed to flow.
- Configure the other fields.
- Click OK.
To create a virtual wire pair policy using the CLI:
```
config firewall policy
    edit 1
        set name "VWP-Policy"
        set srcintf "port3" "port4"
        set dstintf "port3" "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set fsso disable
    next
end
```
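The following is an added worked example for the sample topology above; it is not configuration from the original page. It goes further than the page's policy in two ways a practitioner protecting a single web server would normally want: the policy is one-directional (in the CLI, the direction chosen in the GUI corresponds to which interface is the srcintf and which is the dstintf, so listing only port3 as source and port4 as destination allows new sessions from users toward the server and relies on session state for the replies), and it restricts the destination address and services instead of "all"/"ALL". It assumes port3 faces the internal users and port4 faces the web server, that the server address 192.0.2.10 is a constructed example value, and that the object and policy names are arbitrary choices. The "default" IPS sensor and "certificate-inspection" SSL/SSH profile are the profiles FortiOS ships with.

```fortios
# Added example, not from the original page. Assumptions: port3 = user side,
# port4 = web server side, 192.0.2.10 = constructed server address.
config system virtual-wire-pair
    edit "VWP-web"
        set member "port3" "port4"
        # Wildcard VLAN lets tagged frames cross the pair without a
        # VLAN sub-interface per tag; leave disabled if the link is untagged.
        set wildcard-vlan enable
    next
end

# Address object for the protected server, so the policy is not "all" -> "all".
config firewall address
    edit "web-server"
        set subnet 192.0.2.10 255.255.255.255
    next
end

config firewall policy
    edit 1
        set name "VWP-users-to-web"
        # One direction only: sessions may be initiated from port3 toward port4.
        set srcintf "port3"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "web-server"
        set action accept
        set schedule "always"
        # Only the services the server actually offers.
        set service "HTTP" "HTTPS"
        # Apply security profiles and log every session for detection.
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
    next
end
```

After applying the configuration, `show system virtual-wire-pair` and `show firewall policy 1` display what was committed, and a sniffer on the server-side member, for example `diagnose sniffer packet port4 'host 192.0.2.10 and port 80' 4`, confirms that only the permitted traffic is crossing the pair. Because the policy is one-directional, a connection attempt originating on the port4 side toward the user network is dropped and appears in the traffic log as a denied session, which is the behaviour to verify before putting the ISFW in front of the server.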