Solution
- Set the NGFW mode to policy-based.
config system settings
set ngfw-mode policy-based
end
- Set up the Virtual Wire Pair interface 'VW1' for port1 and port2.
config system virtual-wire-pair
edit "VW1"
set member "port1" "port2"
next
end
- Set up the firewall security policy for the Virtual Wire Pair.
config firewall security-policy
edit 1
set name "TEST"
set srcintf "port1" "port2"
set dstintf "port1" "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set logtraffic all
next
end
- When traffic is sent from port2 to port1, it is denied, as the debug flow output below shows.
id=65308 trace_id=1 func=print_pkt_detail line=5857 msg="vd-root:0 received a packet(proto=1, 14.14.14.100:1->14.14.14.14:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=125."
id=65308 trace_id=1 func=init_ip_session_common line=6043 msg="allocate a new session-0000e8e0, tun_id=0.0.0.0"
id=65308 trace_id=1 func=iprope_dnat_check line=5302 msg="in-[port2], out-[]"
id=65308 trace_id=1 func=iprope_dnat_tree_check line=824 msg="len=0"
id=65308 trace_id=1 func=iprope_dnat_check line=5314 msg="result: skb_flags-06000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=1 func=iprope_fwd_check line=794 msg="in-[port2], out-[port1], skb_flags-06000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=1 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=2"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-100004 policy-1, ret-no-match, act-accept"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=65308 trace_id=1 func=__iprope_user_identity_check line=1833 msg="ret-matched"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2277 msg="policy-0 is matched, act-drop"
id=65308 trace_id=1 func=iprope_fwd_check line=831 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=1 func=iprope_fwd_auth_check line=850 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=1 func=br_fw_forward_handler line=570 msg="Denied by forward policy check"
- Check the firewall policy.
config firewall policy
edit 1
set name "Default"
set srcintf "any"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set srcaddr6 "all"
set dstaddr6 "all"
set service "ALL"
set ssl-ssh-profile "certificate-inspection"
next
end
Solution:
- A firewall policy with set srcintf "any" and set dstintf "any" does not match traffic between the Virtual Wire Pair members port1 <==> port2; the debug flow shows policy-1 returning no-match and the packet falling through to policy-0, the implicit deny.
- Set up a new firewall policy that names the Virtual Wire Pair members explicitly to make the Virtual Wire Pair work.
config firewall policy
edit 2
set srcintf "port1" "port2"
set dstintf "port1" "port2"
set srcaddr "all"
set dstaddr "all"
set service "ALL"
next
end
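The debug flow trace above shows the packet falling through to policy-0, the implicit deny, after policy 1 fails to match. The following Python script is an added example, not code from the Fortinet article: it parses debug flow entries in that format and reports, per trace_id, the ingress/egress interfaces, the policies that were evaluated, and why the packet was dropped. The sample trace is constructed inline from the article's own entries.

```python
import re
from collections import defaultdict

# Constructed sample: the debug-flow entries quoted in the article, one entry per line.
SAMPLE_TRACE = """\
id=65308 trace_id=1 func=print_pkt_detail line=5857 msg="vd-root:0 received a packet(proto=1, 14.14.14.100:1->14.14.14.14:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=125."
id=65308 trace_id=1 func=iprope_fwd_check line=794 msg="in-[port2], out-[port1], skb_flags-06000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-100004 policy-1, ret-no-match, act-accept"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2277 msg="policy-0 is matched, act-drop"
id=65308 trace_id=1 func=br_fw_forward_handler line=570 msg="Denied by forward policy check"
"""

ENTRY_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"')
PATH_RE = re.compile(r'in-\[([^\]]*)\], out-\[([^\]]*)\]')
CHECKED_RE = re.compile(r'checked gnum-\w+ policy-(\d+), ret-([\w-]+)')
MATCHED_RE = re.compile(r'policy-(\d+) is matched, act-(\w+)')


def parse_flow(trace):
    """Group debug-flow entries by trace_id and record the policy lookup for each."""
    sessions = defaultdict(lambda: {"in": None, "out": None, "checked": [],
                                    "matched": None, "denied": False})
    for line in trace.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        tid, func, msg = m.groups()
        s = sessions[tid]
        if func == "iprope_fwd_check" and (p := PATH_RE.search(msg)):
            s["in"], s["out"] = p.groups()          # ingress/egress interface pair
        elif func == "__iprope_check_one_policy":
            if c := CHECKED_RE.search(msg):         # one candidate policy evaluated
                s["checked"].append((int(c.group(1)), c.group(2)))
            elif mm := MATCHED_RE.search(msg):      # final policy decision
                s["matched"] = (int(mm.group(1)), mm.group(2))
        elif func == "br_fw_forward_handler" and "Denied" in msg:
            s["denied"] = True
    return dict(sessions)


def verdict(s):
    """Explain a session's outcome; policy ID 0 is the FortiGate implicit deny."""
    if s["matched"] is None:
        return "no policy decision recorded"
    pid, act = s["matched"]
    tried = [p for p, r in s["checked"] if r == "no-match"]
    if pid == 0 and act == "drop":
        return (f"implicit deny: no policy permits {s['in']} -> {s['out']} "
                f"(explicit policies evaluated without a match: {tried})")
    return f"policy {pid} matched, action {act}"
```

Running `verdict(parse_flow(SAMPLE_TRACE)["1"])` on the sample reports the implicit deny for port2 -> port1 with policy 1 as the only explicit policy evaluated, which is exactly the condition the new policy 2 above fixes.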