Created on 05-04-2022 10:17 PM
Edited on 07-31-2025 04:19 AM
By Stephen_G
Description: This article describes an issue that may be encountered when configuring a virtual wire pair on a FortiGate firewall, whereby 802.1Q-tagged (dot1q) VLAN traffic is not allowed to pass.
Scope: All FortiGates.
Solution:
By default a virtual wire pair forwards only untagged frames. If 802.1Q-tagged VLAN traffic is to pass through the pair, an option must be enabled; otherwise the tagged frames are dropped silently by the wire pair and do not appear in the packet sniffer, which makes the symptom easy to mistake for an upstream problem.
The required option is as follows:

    config system virtual-wire-pair
        edit <name_of_virtual_wire_pair>
            set wildcard-vlan enable
        next
    end

This can be further restricted with vlan-filter, so that only the VLANs that should traverse the wire pair are permitted. The value is the VLAN ID list itself (no angle brackets), either comma-separated IDs or a range. For example, to permit only VLANs 100 and 200:

    set vlan-filter 100,200

Or, to allow all VLANs, set the filter to the full range the option accepts (0 to 4094):

    set vlan-filter 0-4094
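The following is an added example, not text from the article, showing the complete sequence as it would be typed at the FortiOS CLI: the wire-pair name vwp-lan, the member interfaces port3 and port4, and the VLAN IDs 100 and 200 are assumed. The first block is the configuration that produces the drop; the second is the corrected one, followed by the commands used to confirm the change.

```text
# Added example (not from the article). Assumed names: wire pair "vwp-lan",
# member interfaces port3 and port4, VLANs 100 and 200 carried across the pair.

# --- Before: wildcard-vlan left at its default. Untagged frames pass,
#     802.1Q-tagged frames are dropped silently and never show up in the sniffer.
config system virtual-wire-pair
    edit "vwp-lan"
        set member "port3" "port4"
        set wildcard-vlan disable
    next
end

# --- After: allow tagged frames, but only for the VLANs that belong on this link.
#     vlan-filter is an allow-list; anything not listed is still dropped.
config system virtual-wire-pair
    edit "vwp-lan"
        set member "port3" "port4"
        set wildcard-vlan enable
        set vlan-filter 100,200
    next
end

# Confirm the stored configuration (wildcard-vlan and vlan-filter must both appear).
show system virtual-wire-pair

# While a host behind port3 sends traffic on VLAN 100, capture on both members.
# Verbosity 4 prints the interface name with each frame; 20 frames are captured.
# Before the change only untagged frames are seen; afterwards the VLAN 100 frames
# appear on the ingress port and, once the policy allows them, on the egress port.
diagnose sniffer packet port3 '' 4 20
diagnose sniffer packet port4 '' 4 20
```

Prefer listing only the VLANs that genuinely need to cross the pair: 0-4094 accepts any tag a host on either side chooses to put on the wire, whereas an explicit list rejects unexpected tags at the wire pair itself.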
Copyright 2025 Fortinet, Inc. All Rights Reserved.