Description | This article contains frequently asked questions related to virtual wire pairs. For more information about virtual wire pairs, see the documentation. |
Scope | FortiGate. |
Solution |
In a virtual wire pair, will ARP be forwarded without a specific policy?
ARP will be allowed without the need for a policy. For example:
# show system virtual-wire-pair
config system virtual-wire-pair
    edit "virtualWP"
        set member "port2" "port3"
    next
end
# dia sniffer packet any "host 10.1.1.8" 4 0 l
How is it possible to identify the traffic flowing through a virtual wire pair?
Use a flow filter to monitor the packets passing through a virtual wire pair.
id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.1.1.8:6116->10.1.1.5:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=6116, seq=1."
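The following is an added example, not part of the original article or any Fortinet tooling: a small Python filter that reads saved flow trace output and keeps only the packets that entered through a virtual wire pair member, naming the member they are expected to leave on (traffic received on one member can only be forwarded to the other). The pair membership is taken from the "virtualWP" configuration above; the second and third sample lines and the name port1 are constructed for illustration.

```python
import re

# Assumption: pair membership copied from the "virtualWP" configuration in this article.
WIRE_PAIRS = {"virtualWP": ("port2", "port3")}

# Matches the "received a packet" line of the flow trace, in the format shown above.
RECEIVED = re.compile(
    r'msg="vd-(?P<vdom>[^:]+):\d+ received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\)'
    r'.*? from (?P<ingress>[^.\s]+)\.'
)

# First line is the trace from the article; the other two are constructed samples.
SAMPLE = [
    'id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.1.1.8:6116->10.1.1.5:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=6116, seq=1."',
    'id=65308 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.1.1.5:6116->10.1.1.8:0) tun_id=0.0.0.0 from port3. type=0, code=0, id=6116, seq=1."',
    'id=65308 trace_id=3 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.1.1.8:6117->192.0.2.10:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=6117, seq=1."',
]


def wire_pair_hits(lines, pairs=WIRE_PAIRS):
    """Return one record per traced packet whose ingress is a wire pair member."""
    # Map each member interface to (pair name, the other member).
    member_of = {}
    for name, (a, b) in pairs.items():
        member_of[a] = (name, b)
        member_of[b] = (name, a)

    hits = []
    for line in lines:
        m = RECEIVED.search(line)
        if not m or m["ingress"] not in member_of:
            continue  # not a "received" line, or ingress is outside every pair
        pair, egress = member_of[m["ingress"]]
        hits.append({
            "pair": pair, "vdom": m["vdom"], "proto": int(m["proto"]),
            "src": m["src"], "dst": m["dst"],
            "ingress": m["ingress"], "expected_egress": egress,
        })
    return hits


if __name__ == "__main__":
    for h in wire_pair_hits(SAMPLE):
        print(f'{h["pair"]}: {h["src"]} -> {h["dst"]} proto={h["proto"]} '
              f'{h["ingress"]} => {h["expected_egress"]}')
```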
How is it possible to check virtual-wire-pair policy from the CLI?
The virtual-wire-pair policy can only be created under firewall policy. The interface will not show under the Select Entries options. Make sure to remove all references to the interfaces.
Is it possible to add VLAN or IPsec interfaces to a virtual wire pair?
No, only physical interfaces can be added.
How is it possible to fix an issue where the virtual-wire-pair field is greyed out and cannot be edited?
Check if there is a policy created for a virtual-wire-pair. Go to Policy & Objects -> Firewall Virtual Wire Pair Policy:
Only one-way communication is happening in the virtual wire pair. How is it possible to fix this?
Ensure two-way communication is selected in the virtual wire pair policy:
Is it possible to forward the traffic from one virtual wire pair to another virtual wire pair?
No, a virtual wire pair consists of two interfaces that do not have IP addressing and are treated like a transparent mode VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded to the other interface.
Is it possible to add more than two interfaces to a virtual wire pair?
No, virtual wire pairs can only be created between two interfaces.
Why are virtual wire pairs used?
When a virtual wire pair is in use, FortiGate will not perform a reverse path check, will not use the routing table to select the egress interface, and will not maintain ARP entries for the source or destination IP addresses.
Will FortiGate perform inspection of traffic passing through a virtual wire pair?
Yes, FortiGate will maintain the session for the traffic and inspect the packets.
Is it possible to apply NAT in a virtual wire pair?
Yes, but it is necessary to use a Dynamic IP Pool. The 'Use Outgoing Interface Address' option is not available because virtual wire pairs do not have an IP address. |
Copyright 2024 Fortinet, Inc. All Rights Reserved.