This feature (276013), available in NAT and Transparent mode, replaces the Port Pair feature available in FortiOS 5.2 in Transparent mode only. When two physical interfaces are setup as a Virtual Wire Pair, they will have no IP addressing and are treated similar to a transparent mode VDOM. All packets accepted by one of the interfaces in a virtual wire pair can only exit the FortiGate through the other interface in the virtual wire pair and only if allowed by a virtual wire pair firewall policy. Packets arriving on other interfaces cannot be routed to the interfaces in a virtual wire pair. A FortiGate can have multiple virtual wire pairs.
You cannot add VLANs to virtual wire pairs. However, you can enable wildcard VLANs for a virtual wire pair. This means that all VLAN-tagged traffic can pass through the virtual wire pair if allowed by virtual wire pair firewall policies.
Adding a virtual wire pair
To add a virtual wire pair, go to Network > Interfaces and select Create New > Virtual Wire Pair. Select the interfaces to add to the virtual wire pair to, optionally enable Wildcard VLAN and select OK.
The virtual wire pair appears on the Interface list.
Use the following command to add a virtual wire pair from the CLI that enables the wildcard VLAN feature:
config system virtual-wire-pair
set member port3 port4
set wildcard-vlan enable
|Assigning an interface to be part of a virtual wire pairing will remove the "role" value from the interface.|
Adding a virtual wire pair firewall policy
You can add IPv4 and IPv6 virtual wire pair firewall policies. To add an IPv4 virtual wire pair firewall policy go to Policy & Objects > IPv4 Virtual Wire Pair Policy. Select the virtual wire pair that you want to add a policy for and select Create New. Start by configuring the direction of traffic though the policy and configure other policy settings like any firewall policy.
|If you have a USB-wan interface, it will not be included in the interface list when building a wired pair.|