Configure Virtual Wires

Configure two Ethernet ports that use the same link speed as virtual wire interfaces, enable link state pass through, and add each interface to a security zone.
Where Can I Use This?
  • NGFW
What Do I Need?
One of these licenses when using Strata Cloud Manager:
  • Strata Cloud Manager Essentials
  • Strata Cloud Manager Pro
The following task shows how to configure two Virtual Wire Interfaces (Ethernet 1/3 and Ethernet 1/4 in this example) to create a virtual wire. The two interfaces must have the same Link Speed and transmission mode (Link Duplex). For example, a full-duplex 1000Mbps copper port matches a full-duplex 1Gbps fiber optic port.

Configure Virtual Wires (PAN-OS)

The procedure for configuring a virtual wire in PAN-OS and Panorama.
  1. Create the first virtual wire interface.
    1. Select Network > Interfaces > Ethernet and select an interface you have cabled (ethernet1/3 in this example).
    2. Set the Interface Type to Virtual Wire.
  2. Attach the interface to a virtual wire object.
    1. While still on the same Ethernet interface, on the Config tab, select Virtual Wire and click New Virtual Wire.
    2. Enter a Name for the virtual wire.
    3. For Interface1, select the interface you just configured (ethernet1/3). (Only interfaces configured as virtual wire interfaces appear in the list.)
    4. For Tag Allowed, enter 0 to indicate untagged traffic (such as BPDUs and other Layer 2 control traffic) is allowed. The absence of a tag implies tag 0. Enter additional allowed tag integers or ranges of tags, separated by commas (default is 0; range is 0 to 4,094).
    5. Select Multicast Firewalling if you want to be able to apply security policy rules to multicast traffic going across the virtual wire. Otherwise, multicast traffic is transparently forwarded across the virtual wire.
    6. Select Link State Pass Through so the firewall can function transparently. When the firewall detects a link down state for a link of the virtual wire, it brings down the other interface in the virtual wire pair. Thus, devices on both sides of the firewall see a consistent link state, as if there were no firewall between them. If you don’t select this option, link status is not propagated across the virtual wire.
    7. Click OK to save the virtual wire object.
  3. Determine the link speed of the virtual wire interface.
    1. While still on the same Ethernet interface, select Advanced and note or change the Link Speed. The port type determines the speed settings available in the list. By default, copper ports are set to auto negotiate link speed. Both virtual wire interfaces must have the same link speed.
    2. Click OK to save the Ethernet interface.
  4. Configure the second virtual wire interface (ethernet1/4 in this example) by repeating the preceding steps.
    When you select the Virtual Wire object you created, the firewall automatically adds the second virtual wire interface as Interface2.
  5. Create a separate security zone for each virtual wire interface.
    1. Select Network > Zones and Add a zone.
    2. Enter the Name of the zone (such as internet).
    3. For Location, select the virtual system where the zone applies.
    4. For Type, select Virtual Wire.
    5. Add the Interface that belongs to the zone.
    6. Click OK.
  6. (Optional) Create security policy rules to allow Layer 3 traffic to pass through.
    To allow Layer 3 traffic across the virtual wire, create a Security policy rule to allow traffic from the user zone to the internet zone, and another to allow traffic from the internet zone to the user zone, selecting the applications you want to allow, such as BGP or OSPF.
  7. (Optional) Enable IPv6 firewalling.
    If you want to be able to apply security policy rules to IPv6 traffic arriving at the virtual wire interface, enable IPv6 firewalling. Otherwise, IPv6 traffic is forwarded transparently.
    1. Select Device > Setup > Session and edit Session Settings.
    2. Select Enable IPv6 Firewalling.
    3. Click OK.
  8. (Supported firewalls only) If the interface corresponds to a PoE (Power over Ethernet) port on the firewall, you can optionally configure PoE.
  9. Commit your changes.
  10. (Optional) Configure an LLDP profile and apply it to the virtual wire interfaces (see Configure LLDP).
  11. (Optional) Apply non-IP protocol control to the virtual wire zones (Configure Protocol Protection). Otherwise, all non-IP traffic is forwarded over the virtual wire.

Configure Virtual Wires (SCM)

The procedure for configuring virtual wires in Strata Cloud Manager.
  1. Log in to Strata Cloud Manager.
  2. Create a zone for each Ethernet interface you cabled.
  3. Select Manage > Configuration > NGFW and Prisma Access > Device Settings > Virtual Wire (or Configuration > NGFW and Prisma Access > Device Settings > Virtual Wire) and select the Configuration Scope where you want to create the virtual wire.
    Select Folders to configure the virtual wire in a folder or select Snippets to configure the virtual wire in a snippet.
    Adding a virtual wire in the firewall Configuration Scope isn’t currently supported.
  4. Add Virtual Wire.
  5. Configure the Ethernet interface members of the virtual wire.
    1. Enter a descriptive Name.
    2. Select the Member 1 Interface and Zone the interface is associated with.
    3. Select the Member 2 Interface and Zone the interface is associated with.
  6. Configure the virtual wire Advanced Settings.
    1. (Optional) Select Multicast Firewalling if you want to be able to apply Security policy rules to multicast traffic going across the virtual wire. Otherwise, multicast traffic is transparently forwarded across the virtual wire.
    2. Select Link State Pass Through if you want the firewall to function transparently. When the firewall detects a link down state for a link of the virtual wire, it brings down the other interface in the virtual wire pair. Thus, devices on both sides of the firewall see a consistent link state, as if there were no firewall between them. If you don’t select this option, link status isn’t propagated across the virtual wire.
    3. Select LLDP if you want to advertise the device attributes to neighboring devices.
    4. For Tag Allowed, enter 0 to indicate untagged traffic is allowed. The absence of a tag implies tag 0. Enter additional allowed tag integers or ranges of tags, separated by commas (default is 0; range is 0 to 4,094).
    5. Configure the Link Settings.
      1. Select the interface Link Speed.
        Auto is selected by default and allows the firewall to determine the speed.
      2. Select the interface Link Duplex transmission mode.
        Auto is selected by default to allow the firewall to negotiate the transmission mode automatically.
      3. Select the interface Link State.
        Auto detect is selected by default to allow the firewall to determine the link state.
  7. Save.
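
The PAN-OS and Strata Cloud Manager procedures above share the same constraints (matching Link Speed and Link Duplex, a separate zone per interface, a Tag Allowed list within 0 to 4,094) and the same settings that leave traffic transparently forwarded when they are off. The following is an added example, not Palo Alto Networks code: a pre-commit review of a planned virtual wire. The dictionary layout and every key name in it are hypothetical and are not a PAN-OS or Strata Cloud Manager export format.

```python
import re

TAG_MIN, TAG_MAX = 0, 4094  # Tag Allowed range stated on this page

def parse_tag_allowed(text="0"):
    """Expand a Tag Allowed string such as '0,10,100-110' into a set of ints."""
    tags = set()
    for part in text.split(","):
        m = re.fullmatch(r"\s*(\d+)(?:\s*-\s*(\d+))?\s*", part)
        if not m:
            raise ValueError(f"bad Tag Allowed entry: {part!r}")
        lo = int(m.group(1))
        hi = lo if m.group(2) is None else int(m.group(2))
        if lo > hi or hi > TAG_MAX:
            raise ValueError(f"Tag Allowed entry outside {TAG_MIN}-{TAG_MAX}: {part!r}")
        tags.update(range(lo, hi + 1))
    return tags

def audit_virtual_wire(vw):
    """Return findings for one planned virtual wire (hypothetical dict schema)."""
    findings = []
    a, b = vw["interface1"], vw["interface2"]
    for key in ("link_speed", "link_duplex"):  # the pair must match on both
        if a[key] != b[key]:
            findings.append(f"{key} differs: {a['name']}={a[key]}, {b['name']}={b[key]}")
    if a["zone"] == b["zone"]:  # the procedure calls for a separate zone per interface
        findings.append(f"both interfaces are in zone {a['zone']!r}")
    try:
        parse_tag_allowed(vw.get("tag_allowed", "0"))
    except ValueError as err:
        findings.append(str(err))
    if not vw.get("link_state_pass_through"):
        findings.append("link state is not propagated across the virtual wire")
    # Settings that, when off, leave traffic outside security policy rules.
    for flag, kind in (("multicast_firewalling", "multicast"),
                       ("ipv6_firewalling", "IPv6")):
        if not vw.get(flag):
            findings.append(f"{kind} traffic is forwarded transparently")
    return findings

# Constructed sample plan; interface names follow the page's example.
PLAN = {
    "tag_allowed": "0,10,100-110", "link_state_pass_through": True,
    "multicast_firewalling": False, "ipv6_firewalling": True,
    "interface1": {"name": "ethernet1/3", "link_speed": "1000", "link_duplex": "full", "zone": "user"},
    "interface2": {"name": "ethernet1/4", "link_speed": "auto", "link_duplex": "full", "zone": "internet"},
}

if __name__ == "__main__":
    print("\n".join(audit_virtual_wire(PLAN)))
```

The check compares configured settings only, so a port left on auto next to a fixed-speed port is reported even if negotiation would land on the same speed.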