jschenk
New Contributor II

Virtual wire pair before wan interface blocks firewall traffic, proxy traffic works fine

I have a working FortiGate v7.2.2 with:

wan1 = Internet

interface 5 = proxy clients

interface 6 = connection from LAN on port 6 to the internet on wan1, through an allow-all policy

Everything works great.


Now I created a virtual wire pair (port 3 & 4), put an "allow all" policy on it and enabled IPS with a default_pass_all policy.
I use this wire pair as a connection between the ISP modem and the wan1 interface.
So the flow is now ISP -> lan3 ...... lan4 -> wan1
With this wire pair inserted before the wan1 connection, the web proxy still works, but there is no traffic from the LAN connected to interface 6 to the internet.

So it looks like the virtual wire pair is blocking something. I tried the VLAN Wildcard option both on and off, but both gave the same result. I even removed the IPS inspection on the wire pair, but no luck.

What am I missing? Why does the insertion of the virtual wire pair before wan1 inhibit traffic from the LAN connected to interface 6? I had expected the virtual wire pair to be fully transparent, but apparently it isn't.

gfleming
Staff

Per the documentation, traffic from other interfaces cannot be routed to the interfaces in a virtual wire pair.


May I ask why you want to use a virtual wire pair here? You can accomplish the same functionality by putting the IPS profile on your FW policies.

Cheers,
Graham
jschenk
New Contributor II

I have an IPS policy enabled on the firewall policy; however, in that case port scans etc. on my wan1 internet interface are not detected.
With the virtual wire pair I do get a notification of these kinds of attacks.

gfleming

OK, I see your reasoning. Unfortunately, based on the documentation, I don't think what you want to do is possible. This is not an intended use-case for a virtual wire pair.


With that said, your FortiGate's WAN interface should be extremely locked down anyway—what is the concern about port scans on its IP Address?

Cheers,
Graham
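As an added example (not posted in the thread and not taken from Fortinet documentation), here is the FortiOS CLI form of the two suggestions Graham makes above: attach the IPS sensor to the ordinary port6-to-wan1 firewall policy instead of inserting a virtual wire pair, and restrict what wan1 itself will answer to. The interface names port6 and wan1, the policy ID and its name are assumptions; the "default" IPS sensor and the "no-inspection" SSL/SSH profile are built-in objects on a stock unit.

```fortios
# Added example, not the thread's own configuration.
# Assumed names: port6 (inside LAN), wan1 (internet), policy ID 10.

# 1. IPS on the forwarding policy (Graham's alternative to the virtual wire pair).
config firewall policy
    edit 10
        set name "port6-to-internet-ips"
        set srcintf "port6"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        # Enable security profiles and attach the built-in IPS sensor.
        set utm-status enable
        set ssl-ssh-profile "no-inspection"
        set ips-sensor "default"
        set logtraffic all
    next
end

# 2. Lock down wan1 itself: answer ping only, manage the unit from an inside interface.
config system interface
    edit "wan1"
        set allowaccess ping
    next
end
```

Note the limit this illustrates: an IPS sensor on a firewall policy only inspects traffic that the policy forwards, so probes aimed at wan1's own address are never matched by it. That is why the thread's two replies go together: policy-level IPS covers the LAN's traffic, while exposure of the WAN address is handled by keeping its own services closed.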