FortiGate
nithincs
Staff
Article Id 245285
Description This article contains frequently asked questions related to virtual wire pairs. For more information about virtual wire pairs, see the documentation.
Scope FortiGate.
Solution

In a virtual wire pair, will ARP be forwarded without a specific policy?

Yes. ARP is forwarded across the pair without any firewall policy. With the pair defined as follows, an ARP request arriving on port2 leaves on port3 and the reply returns the same way:

 

# show system virtual-wire-pair

config system virtual-wire-pair

edit "virtualWP"

set member "port2" "port3"

next

end

 

# dia sniffer packet any "host 10.1.1.8" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.1.1.8]
2023-02-09 04:10:13.071607 port2 in arp who-has 10.1.1.5 (ff:ff:ff:ff:ff:ff) tell 10.1.1.8
2023-02-09 04:10:13.071621 port3 out arp who-has 10.1.1.5 (ff:ff:ff:ff:ff:ff) tell 10.1.1.8
2023-02-09 04:10:13.073460 port3 in arp reply 10.1.1.5 is-at 50:00:00:02:00:00
2023-02-09 04:10:13.073464 port2 out arp reply 10.1.1.5 is-at 50:00:00:02:00:00

 

How is it possible to identify the traffic flowing through a virtual wire pair?

Use the debug flow (diagnose debug flow) to trace packets passing through a virtual wire pair.

The following debug flow lines appear when the traffic is denied. The handler name br_fw_forward_handler shows that the packet took the bridged (Layer 2) path of the pair and found no matching virtual wire pair policy:

 

id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.1.1.8:6116->10.1.1.5:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=6116, seq=1."
id=65308 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new session-000001f0, tun_id=0.0.0.0"
id=65308 trace_id=1 func=br_fw_forward_handler line=568 msg="Denied by forward policy check"
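The command sequence that produces a trace like the one above, added here as an example and not taken from the original article. The host 10.1.1.8 and the ICMP protocol filter (proto 1) match the capture shown; the packet count of 10 is an assumption:

```fortios
# Clear any previous debug state, then filter on the host and protocol under test
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 10.1.1.8
diagnose debug flow filter proto 1

# Print the kernel function that emitted each line (the func=... field above)
diagnose debug flow show function-name enable
diagnose debug console timestamp enable

# Trace the next 10 packets that match the filter, then turn debug output on
diagnose debug flow trace start 10
diagnose debug enable

# Generate the traffic now (for example, ping 10.1.1.5 from 10.1.1.8) and read the trace.

# Always stop the trace and clear the filter when finished
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
```

The first trace line records the ingress member ("from port2"); if the denial appears even though a virtual wire pair policy exists, compare that direction with the source and destination interfaces of the policy. An accepted packet is reported with the policy that allowed it instead of the "Denied by forward policy check" line.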

 

How is it possible to check the virtual-wire-pair policy from the CLI?

There is no separate table for virtual wire pair policies: they are entries in config firewall policy whose source and destination interfaces are the members of the pair, so show firewall policy lists them alongside the other policies.

If an interface does not appear under Select Entries when creating a pair, it is still referenced elsewhere (for example by a policy, a static route, a zone or a DHCP server). Remove all references to the interface before adding it to the pair.

 

Is it possible to add VLAN or IPsec interfaces to a virtual wire pair?

No, only physical interfaces can be members. VLAN-tagged frames can still cross the pair when wildcard-vlan is enabled on it (set wildcard-vlan enable under config system virtual-wire-pair); the pair then forwards the tagged frames transparently rather than terminating a VLAN interface.

 

How is it possible to fix an issue where the virtual-wire-pair field is greyed out and cannot be edited?

A pair cannot be edited while a policy references it. Check whether a policy exists for the virtual wire pair under Policy & Objects -> Firewall Virtual Wire Pair Policy, and delete or change that policy first:

[Screenshot: Policy & Objects -> Firewall Virtual Wire Pair Policy]

 

Only one-way communication is happening across the virtual wire pair. How is it possible to fix this?

Ensure two-way communication is selected in the virtual wire pair policy. A one-way policy accepts only sessions initiated from the selected source member; new sessions arriving on the other member are denied:

[Screenshot: two-way communication option in the virtual wire pair policy]
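The CLI form of a virtual wire pair policy, added here as an illustration for both the CLI question above and the one-way/two-way question; it is not configuration from the original article. The policy names and IDs are assumptions; the members port2 and port3 are those of the virtualWP pair defined earlier. Two-way communication corresponds to listing both members in both srcintf and dstintf, while a one-way policy names one member as the source and the other as the destination:

```fortios
config firewall policy
    # Two-way: both pair members appear as source and destination interfaces
    edit 1
        set name "vwp-two-way"
        set srcintf "port2" "port3"
        set dstintf "port2" "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # One-way: only sessions entering on port2 and leaving on port3 are accepted.
    # Reply traffic still passes because the session is stateful, but a new
    # flow initiated from the port3 side is dropped ("Denied by forward policy check").
    edit 2
        set name "vwp-port2-to-port3"
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Verify the pair and list every policy that references one of its members
# (grep -f prints the whole policy entry rather than the matching line only)
show system virtual-wire-pair
show firewall policy | grep -f port2
```

When both a one-way and a two-way policy exist for the same pair, policy order decides which one a new session matches, exactly as for other firewall policies, so place the more specific one-way entry first if it is meant to win.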

 

Is it possible to forward the traffic from one virtual wire pair to another virtual wire pair?

 

No, a virtual wire pair consists of two interfaces that do not have IP addressing and are treated like a transparent mode VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded to the other interface.

 

Is it possible to add more than two interfaces to a virtual wire pair?

 

No, virtual wire pairs can only be created between two interfaces.

 

Why are virtual wire pairs used?

When a virtual wire pair is in use, FortiGate does not perform a reverse path forwarding (RPF) check, does not consult the routing table to choose the egress interface, and does not maintain ARP entries for the source or destination IP addresses. Traffic received on one member of the pair can only leave through the other member, and it does so only when a virtual wire pair policy matches it.

This makes virtual wire pairs useful for topologies where MAC addresses do not behave as a routed hop expects. A typical case is Direct Server Return (DSR), where the source and destination MAC pair of the response may not match the MAC pair of the request.

 

Will FortiGate perform inspection of traffic passing through a virtual wire pair?

Yes. FortiGate creates a session for traffic crossing the pair and inspects the packets, so security profiles (for example IPS, antivirus, web filtering and SSL inspection) can be applied in the virtual wire pair policy as in any other firewall policy.

 

Is it possible to apply NAT in a virtual wire pair?

Yes, but the policy must select an IP pool (Dynamic IP Pool in the GUI) as the NAT address. The 'Use Outgoing Interface Address' option is not available because the members of a virtual wire pair have no IP address.
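Source NAT on a virtual wire pair policy in the CLI, added here as an example and not from the original article. The pool name, the policy ID and the address 10.1.1.100 are assumptions; the pool address is placed on the 10.1.1.0/24 segment seen in the capture above, because the pair does no routing and the translated source must be reachable on the Layer 2 segment behind the egress member:

```fortios
# The pool supplies the translated source address; without it, NAT cannot be
# enabled on a pair policy because the members have no interface address.
config firewall ippool
    edit "vwp-snat-pool"
        set type overload
        set startip 10.1.1.100
        set endip 10.1.1.100
    next
end

config firewall policy
    edit 3
        set name "vwp-port2-to-port3-snat"
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "vwp-snat-pool"
    next
end
```

With the pool in place, the debug flow trace for a matching session reports the translated address on the port3 side; if it still shows the original source, confirm that the session matched this policy and not an earlier one without NAT.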