Description | This article contains answers to frequently asked questions related to virtual wire pairs. For more information about virtual wire pairs, see the documentation. |
Scope | FortiGate. |
Solution |
ARP forwarding in a virtual wire pair: ARP is forwarded between the two members of a virtual wire pair without a specific policy; no policy needs to be created to allow it. For example, with the pair below configured, the sniffer command that follows can be used to observe the ARP traffic:
show system virtual-wire-pair
config system virtual-wire-pair
    edit "virtualWP"
        set member "port2" "port3"
    next
end

dia sniffer packet any "host 10.1.1.8" 4 0 l
Identifying traffic flowing through a virtual wire pair: Use a debug flow filter to trace the packets passing through the pair. If the traffic is denied, entries like the one below appear in the flow trace:
id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.1.1.8:6116->10.1.1.5:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=6116, seq=1."
Checking a virtual wire pair policy from the CLI: A virtual wire pair policy can only be created under the firewall policy. The pair's interfaces will not appear under the Select Entries options; make sure all other references to those interfaces are removed first.
Adding VLAN or IPsec interfaces to a virtual wire pair: Only physical interfaces and VLAN interfaces can be added, so IPsec interfaces cannot. It is also possible to add 802.3ad aggregate interfaces to a virtual wire pair.
Fixing an issue where the virtual wire pair field is greyed out and cannot be edited: Check whether a policy already exists for the virtual wire pair under Policy & Objects -> Firewall Virtual Wire Pair Policy.
Fixing a scenario where only one-way communication occurs in the virtual wire pair: Ensure that two-way communication is selected in the virtual wire pair policy.
Forwarding traffic from one virtual wire pair to another: This is not possible. A virtual wire pair consists of two interfaces that have no IP addressing and are treated like a transparent mode VDOM. Traffic received on one interface of the pair can only be forwarded to the other interface.
Adding more than two interfaces to a virtual wire pair: This is not possible. A virtual wire pair can only be created between two interfaces.
Why virtual wire pairs are used:
When a virtual wire pair is in use, FortiGate does not perform a reverse path check, does not use the routing table to select the egress interface, and does not maintain ARP entries for the source or destination IP addresses.
FortiGate still inspects traffic passing through a virtual wire pair: it maintains a session for the traffic and inspects the packets.
Applying NAT in a virtual wire pair: This is possible, but a dynamic IP pool must be used. The 'Use Outgoing Interface Address' option is not available because virtual wire pair interfaces do not have IP addresses.
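As an added example that is not part of the original article, the following FortiOS CLI fragment puts a one-way virtual wire pair policy beside its two-way form and adds NAT through a dynamic IP pool; the policy IDs, policy names, pool name and pool address are assumed.

```text
# Virtual wire pair from the article (port2/port3)
config system virtual-wire-pair
    edit "virtualWP"
        set member "port2" "port3"
    next
end

# Dynamic IP pool required for NAT on a virtual wire pair
# (pool name and address are assumed for this example)
config firewall ippool
    edit "vwp-pool"
        set type overload
        set startip 10.1.1.100
        set endip 10.1.1.100
    next
end

config firewall policy
    # One-way: only sessions initiated on port2 toward port3 match;
    # sessions initiated on port3 are dropped (the one-way symptom above)
    edit 10
        set name "vwp-one-way"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # Two-way: both members listed as source and destination, so sessions
    # initiated from either side pass; NAT uses the IP pool because
    # 'Use Outgoing Interface Address' is unavailable on a virtual wire pair
    edit 11
        set name "vwp-two-way-nat"
        set srcintf "port2" "port3"
        set dstintf "port2" "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "vwp-pool"
    next
end
```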
Connecting both wire pair interfaces to the same switch: FortiGate operates as an internal segmentation firewall, where the protected server is connected directly to the first wire pair port and the other wire pair port is connected to a different network segment. |
Copyright 2024 Fortinet, Inc. All Rights Reserved.