Creating a virtual wire pair

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

In this example, you will create a virtual wire pair (consisting of port3 and port4) to make it easier to protect a web server that is behind a FortiGate operating as an Internal Segmentation Firewall (ISFW). Users on the internal network will access the web server through the ISFW over the virtual wire pair.

A virtual wire pair consists of two interfaces that have no IP addresses and all traffic received by one interface in the pair can only be forwarded out the other; as controlled by firewall policies. Since the interfaces do not have IP addresses, you can insert a virtual wire pair into a network without having to make any changes to the network.

In FortiOS 5.4, virtual wire pair replaces the feature port pairing from earlier firmware versions. Unlike port pairing, virtual wire pair can be used for a FortiGate in NAT/Route mode, as well as Transparent mode.

 

 

Find this recipe for other FortiOS versions
5.2 | 5.4

1. Adding a virtual wire pair

Interfaces used in a virtual wire pair cannot be used for admin access to the ISFW FortiGate. Before creating a virtual wire pair, make sure you have a different port (in the example, port1) configured to allow admin access using your preferred protocol.

 

Go to Network > Interfaces and select Create New > Virtual Wire Pair.

Add port3 and port4 add to the virtual wire pair.

 

2. Adding virtual wire pair firewall policies

Go to Policy & Objects > IPv4 Virtual Wire Pair Policy and create a policy will allow users on the internal network to connect to the server. Give the policy an appropriate name (in the example, Network-server-access).

Select the direction that traffic is allowed to flow (from port3 to port4).

Configure the other firewall options as needed. In the example, AntiVirus is enabled to protect the server.

 

Create a second virtual wire pair policy allowing traffic from port4 to exit out of port3. This policy allows the server to connect to the Internet, in order to download updates.

 

3. Results

To test both virtual wire pair policies, connect to the web server from a PC on the internal network, and also connect to the Internet from the web server.

Go to FortiView > Policies to see traffic flowing through both policies.  
Victoria Martin

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin
  • Was this helpful?
  • Yes   No
If the interfaces you wish to use are part of a switch, such as the default lan/internal interface, you will need to remove them before they can be added to the virtual wire pair.
  • David Wear

    Will Broadcast/Multicast traffic flow through a virtual wire pair unhindered?

    • Victoria Martin

      Hi David,

      Yes, this should be possible.

  • Niko Georget

    Hey Victoria

    I would like to tagged (802.1Q) a port of my switch fortigate (have several vlans on the same port) 100D v5.4
    How should I do?

  • HT MNS

    Hello Foripeople,

    If I’m trying to do LDAP users/groups in 5.4 do I add them to the virtual wire policy?

    • Victoria Martin

      Hello,

      Once a virtual wire pair has been configured, it’s treated like any other interface in a policy, so you would add users to this policy in the same manner you’d add them to a policy using the regular lan and wan interfaces. For more information, you can take a look at the authentication recipes we have available: http://cookbook.fortinet.com/authentication/

  • HT MNS

    HI Victoria,

    Here is the setup: FG1 > Transparent FG > PC.

    FG1 has a default config so it should be assigning DHCP. I created a VWire with ports 6 and 7 on the transparent FG and policies in both directions. I also enabled broadcast-forward enable on both ports. I connected FG1 to port 7 and my PC to port 6 but I can’t get DHCP from FG1. What am I missing?

  • Deepak A

    This is really cool- thanks for the share!

  • Hi Victoria,
    if we have 2 virtual wire between 2 cisco devices with trunk mode port, any solution to prevent loop or mac-flap?
    thanks,

  • BG72

    if there is lacp between internal network and web servers’ switch. can we use the same config or do we need to create lacp first on Fortinet then need to do virtual wire between two LACP ports.

    • bdickie

      I am not 100% sure if I understand your question, but to make a connection between the FortiGate and the web server’s switch you need create an LACP port on the FortiGate that matches the web server switch LACP configuration. When you create the virtual wire pair it must include this LACP port and another interface. That other interface does not have to be an LACP port, it can be any interface.

      At this time we are not able to test this configuration so if it doesn’t work for you or if you need more information, please contact Fortinet Support. See http://cookbook.fortinet.com/how-to-work-with-fortinet-support/ for details.

  • Serhan

    Hi,

    Can I import a Fortigate with a virtual wire pair to FortiManager?

    Regards,

    • Victoria Martin

      Hello Serhan,

      Yes, you can, but you must be using FortiManager 5.4 since it’s required to support features that are new to FortiOS 5.4.

      • Serhan

        Hi Victoria and thank you for your answer.
        Actually I did it (configured virtual wire pair on Fgate 5.4 and added it to FortiManager 5.4) but I can’t see this interface under the FortiManager.
        Should I see it or it’s not supported via the FortiManager?

        • Victoria Martin

          You should be able to see information about it in the Device Manager on the Device Dashboard under ‘CLI-Only Objects.’