FortiGate
nithincs (Staff)
Article Id 245285
Description: This article contains answers to frequently asked questions about virtual wire pairs. For more information about virtual wire pairs, see the documentation.
Scope: FortiGate.
Solution:

ARP in a virtual wire pair is forwarded without a specific policy.

ARP requests and replies are bridged between the two members of the pair without any matching policy. In the example below the pair "virtualWP" joins port2 and port3; the sniffer shows the ARP request entering on port2 and leaving on port3, and the reply returning the opposite way, with no policy lookup in between:

 

show system virtual-wire-pair
config system virtual-wire-pair
    edit "virtualWP"
        set member "port2" "port3"
    next
end

 

dia sniffer packet any "host 10.1.1.8" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.1.1.8]
2023-02-09 04:10:13.071607 port2 in arp who-has 10.1.1.5 (ff:ff:ff:ff:ff:ff) tell 10.1.1.8
2023-02-09 04:10:13.071621 port3 out arp who-has 10.1.1.5 (ff:ff:ff:ff:ff:ff) tell 10.1.1.8
2023-02-09 04:10:13.073460 port3 in arp reply 10.1.1.5 is-at 50:00:00:02:00:00
2023-02-09 04:10:13.073464 port2 out arp reply 10.1.1.5 is-at 50:00:00:02:00:00

 

How to identify traffic flowing through a virtual wire pair:

Use the debug flow (diagnose debug flow) to trace packets through the pair. When a packet is not accepted by any virtual wire pair policy, the trace ends with the bridge forwarding handler denying it, as in the example below (an ICMP echo request from 10.1.1.8 to 10.1.1.5 entering on port2):

 

id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.1.1.8:6116->10.1.1.5:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=6116, seq=1."
id=65308 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new session-000001f0, tun_id=0.0.0.0"
id=65308 trace_id=1 func=br_fw_forward_handler line=568 msg="Denied by forward policy check"
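The command sequence below is an added example (not part of the original article) showing how to produce a trace like the one above with the debug flow. The filter address 10.1.1.5 and the protocol (ICMP, proto 1) match the sample output; 'show function-name enable' is what adds the func= field to each line. Lines starting with # are comments for the reader.

```text
# Added example: tracing a flow through a virtual wire pair (FortiOS CLI).
# Filter on the destination of the test ping and on ICMP (proto 1).
diagnose debug flow filter clear
diagnose debug flow filter addr 10.1.1.5
diagnose debug flow filter proto 1
# Show the kernel function that handled each step (func= in the output).
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
# Trace the next 10 packets that match the filter.
diagnose debug flow trace start 10
diagnose debug enable

# ... send the test traffic, for example ping 10.1.1.5 from host 10.1.1.8 ...

# Stop the trace and clear the debug state when done.
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
diagnose debug reset
```

A trace that ends in br_fw_forward_handler with "Denied by forward policy check" means the packet was bridged between the pair's members but no virtual wire pair policy accepted it; an accepted packet instead reports the policy that allowed it and the session that was created.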

 

How to check a virtual-wire-pair policy from the CLI:

Virtual wire pair policies are regular entries under config firewall policy whose source and destination interfaces are the pair's members, so they are viewed with show firewall policy. In the GUI, an interface that belongs to a virtual wire pair is not listed under Select Entries for ordinary firewall policies. Conversely, an interface cannot be added to a virtual wire pair while other objects (for example policies or static routes) still reference it: remove all references to the interface first.

 

Adding VLAN or IPsec interfaces to a virtual wire pair:

Physical interfaces, VLAN interfaces and 802.3ad aggregate interfaces can be members of a virtual wire pair. IPsec (tunnel) interfaces cannot.

 

How to fix an issue where the virtual-wire-pair field is greyed out and cannot be edited:

The member list of a virtual wire pair is locked while a policy references the pair. Go to Policy & Objects -> Firewall Virtual Wire Pair Policy, check whether a policy exists for the pair, and remove it before editing the pair:

[Image: nithincs_0-1675954887608.png]

 

Fixing a scenario where only one-way communication is happening in the virtual wire pair:

Ensure that two-way communication (the bidirectional arrow) is selected in the virtual wire pair policy. A one-way policy only accepts sessions initiated from one member of the pair towards the other:

[Image: nithincs_1-1675954970217.png]
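As an added example (not from the original article) for the two preceding points, the CLI form of a virtual wire pair with a two-way policy; the pair name, ports, policy ID and policy name are assumptions. Listing both members in both srcintf and dstintf is what the two-way arrow in the GUI corresponds to; a policy with one member as srcintf and the other as dstintf is the one-way case. Lines starting with # are comments for the reader.

```text
# Added example: virtual wire pair with a two-way policy (FortiOS CLI).
# Both members must be free of references before they can be added.
config system virtual-wire-pair
    edit "virtualWP"
        set member "port2" "port3"
    next
end

# Two-way policy: both members as source and destination interface,
# so sessions can be initiated from either side of the pair.
config firewall policy
    edit 1
        set name "virtualWP-two-way"
        set srcintf "port2" "port3"
        set dstintf "port2" "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# One-way variant (the misconfiguration behind one-way communication):
# only sessions initiated from port2 towards port3 are accepted.
#   set srcintf "port2"
#   set dstintf "port3"

# Verify from the CLI:
show system virtual-wire-pair
show firewall policy 1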

 

Forwarding traffic from one virtual wire pair to another virtual wire pair:

This is not possible. A virtual wire pair consists of two interfaces that have no IP addresses and are treated like a transparent mode VDOM: traffic received on one member of the pair can only be forwarded to the other member.

 

Adding more than two interfaces to a virtual wire pair:

This is not possible. A virtual wire pair always consists of exactly two interfaces.

 

Why virtual wire pairs are used:

When traffic passes through a virtual wire pair, FortiGate does not perform a reverse path forwarding (RPF) check, does not consult the routing table to select the egress interface, and does not maintain ARP entries for the source or destination IP addresses.

Virtual wire pairs are therefore useful in topologies where MAC addresses do not behave normally. For example, port pairing can be used in a Direct Server Return (DSR) topology, where the MAC address pair of the response may not match that of the request. If a virtual wire pair policy matches, all ingress traffic egresses through the other member of the pair.

 

Inspection of traffic passing through a virtual wire pair:

FortiGate maintains a session for traffic crossing the pair and inspects the packets, so security profiles applied to the virtual wire pair policy take effect.

 

Applying NAT in a virtual wire pair:

This is possible, but source NAT must use a dynamic IP pool. The 'Use Outgoing Interface Address' option is not available because the members of a virtual wire pair have no IP address.
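An added example (not from the original article) of source NAT on a virtual wire pair policy: an overload IP pool supplies the translated address, and the policy references it with 'set ippool enable' and 'set poolname'. The pool name, the address 10.1.1.100 and policy ID 1 (assumed to be an existing virtual wire pair policy) are assumptions. Lines starting with # are comments for the reader.

```text
# Added example: source NAT through a virtual wire pair (FortiOS CLI).
# The pair's members have no IP address, so the translated source address
# must come from an IP pool; 10.1.1.100 is an assumed address on the
# segment reached through the egress member.
config firewall ippool
    edit "virtualWP-snat"
        set type overload
        set startip 10.1.1.100
        set endip 10.1.1.100
    next
end

# Enable NAT on the (assumed, existing) virtual wire pair policy 1 and
# point it at the pool. Plain 'set nat enable' without a pool would mean
# 'Use Outgoing Interface Address', which is not available here.
config firewall policy
    edit 1
        set nat enable
        set ippool enable
        set poolname "virtualWP-snat"
    next
end
```

Check the result with show firewall policy 1 and, for live sessions, with the sniffer command used earlier: the source address of packets leaving the egress member should be the pool address.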

 

Connecting both wire pair interfaces to the same switch:

[Image: WirePair.png]

As per the documentation, the two ports of a virtual wire pair should not be connected to the same switch. Because the pair bridges everything it receives on one port, including broadcasts such as ARP, out of the other port without a policy, this creates an L2 loop and other unexpected traffic behaviour.

FortiGate is instead used as an Internal Segmentation Firewall: the protected server is connected directly to the first wire pair port, and the other wire pair port is connected to a different network segment.