jschenk
New Contributor II

Virtual wire pair before wan interface blocks firewall traffic, proxy traffic works fine

I have a working fortigate v7.2.2 with:
wan1 = Internet

interface 5 = proxy clients

interface 6 = connection from lan on port 6 to internet wan1 through an allow all policy

Everything works great.


Now I created a virtual wire pair (port 3&4) and I put an "allow all policy" on it and enabled IPS with a default_pass_all policy.
I use this wire pair as a connection between the isp modem and the wan 1 interface.
So the flow is now isp -> lan3 ...... lan4 > wan1
With this wire pair inserted before the wan1 connection, the web proxy still works, but there is no traffic from the lan connected to interface 6 to the internet.

So it looks like the virtual wire pair is blocking something, I tried both the VLAN Wildcard option on and off, but both gave the same result. I even removed the IPS inspection on the wire pair, but no luck.

What am I missing? Why does the insertion of the virtual wire pair before wan1 inhibit traffic from the lan connected to interface 6? I had expected the virtual wire pair to be fully transparent, but apparently it isn't.

gfleming
Staff

Per the documentation, traffic from other interfaces cannot be routed to the interfaces in a virtual wire pair.


May I ask why you want to use a virtual wire pair here? You can accomplish the same functionality by putting the IPS profile on your FW policies.

Cheers,
Graham
jschenk
New Contributor II

I have an IPS policy enabled on the firewall policy, however in that case port scans etc. on my wan1 internet interface are not detected.
With the virtual wire pair I do get a notification of these kind of attacks.

gfleming

OK I see your reasoning. Unfortunately based on the documentation I don't think what you want to do is possible. This is not an intended use-case for virtual wire pair.


With that said, your FortiGate's WAN interface should be extremely locked down anyway—what is the concern about port scans on its IP Address?

Cheers,
Graham
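The alternative Graham proposes in his first reply, written out as an added FortiOS CLI example (not configuration posted in this thread): the original topology without the virtual wire pair, with the IPS sensor and logging attached directly to the LAN-to-Internet policy. The interface names port6 and wan1, the policy ID and the use of the built-in "default" sensor and "certificate-inspection" SSL profile are assumptions.

```fortios
# Assumed names: port6 = LAN (the "interface 6" of the post), wan1 = Internet.
# Replaces the "allow all" forwarding policy with one that carries the IPS
# sensor itself, so no virtual wire pair sits in front of wan1.
config firewall policy
    edit 10
        set name "lan-to-internet-ips"
        set srcintf "port6"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
        set nat enable
    next
end
```

As Graham notes in the thread, this only inspects traffic forwarded through the policy; it does not turn the virtual-wire-pair interfaces into a routable path in front of wan1.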