Layer 2 and Layer 3 Packets over a Virtual Wire
Virtual wire interfaces don’t participate in switching or routing. You control which
Layer 2 tagged and untagged traffic crosses the wire through the virtual wire object, and
you control Layer 3 traffic using security policy rules, IPv6 firewalling and multicast
firewalling.
| Where Can I Use This? | What Do I Need? |
|---|---|
| NGFW (Managed by PAN-OS or Panorama) | |
A virtual wire interface allows Layer 2 and Layer 3 packets from connected devices to
pass transparently as long as the policies applied to the zone or interface allow the
traffic. The virtual wire interfaces themselves don’t participate in routing or
switching.
For example, the firewall doesn’t decrement the TTL of a traceroute packet crossing the
virtual wire, because the wire is transparent and doesn’t count as a hop; likewise,
Operations, Administration and Maintenance (OAM) protocol data units (PDUs) don’t
terminate at the firewall. The virtual wire thus lets the firewall maintain a transparent
presence as a pass-through link while still providing security, NAT, and QoS services.
For bridge protocol data units (BPDUs) and other Layer 2 control packets (which are
typically untagged) to pass through a virtual wire, the interfaces must be attached to a
virtual wire object that allows untagged traffic, which is the default: if the virtual
wire object’s Tag Allowed field is empty, the virtual wire allows untagged traffic.
(Security policy rules don’t apply to Layer 2 packets, so no rule is needed for them.)
For routing (Layer 3) control packets to pass through a virtual wire, you must configure
a security policy rule that allows them, for example a rule that allows the BGP or OSPF
application between the two virtual wire zones.
Non-IP encapsulated traffic, such as PPPoE session frames (EtherType 0x8864), passes
through a virtual wire transparently without session creation or security policy
enforcement. The firewall does not process this traffic through the Layer 3 session
processing pipeline, even though packet captures on the firewall may decode and display
the inner IPv4 or IPv6 payload within those frames; a decoded inner payload in a capture
is therefore not evidence that the firewall inspected it.
If you want to be able to apply security policy rules to a zone for IPv6 traffic arriving
at a virtual wire interface on the firewall, enable IPv6 firewalling. Otherwise, IPv6
traffic is forwarded transparently across the wire without security policy enforcement.
If you enable multicast firewalling for a virtual wire object and apply it to a virtual
wire interface, the firewall inspects multicast traffic and forwards it or not, based on
security policy rules. If you don’t enable multicast firewalling, the firewall simply
forwards multicast traffic transparently.
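The following PAN-OS CLI configuration (configure mode) is an added example, not taken from this page or from the vendor, that ties the settings above together: an untagged-allowed virtual wire with multicast firewalling on, a security policy rule that lets OSPF and BGP cross the wire, and IPv6 firewalling enabled globally. The interface, virtual wire, zone and rule names (ethernet1/3, ethernet1/4, vw-dmz, vw-in, vw-out, allow-routing) are assumptions, and the exact command tokens should be checked against the CLI reference for the PAN-OS version in use.

```text
# Enter configuration mode
configure

# Put both interfaces in virtual-wire mode and pair them in a virtual wire object.
# Tag 0 means untagged in PAN-OS; setting tag-allowed 0 makes the default explicit so
# that BPDUs and other untagged Layer 2 control frames keep passing (no policy rule
# is involved for them). Add VLAN IDs if tagged traffic must also cross the wire,
# for example: tag-allowed "0,100-110"
set network interface ethernet ethernet1/3 virtual-wire
set network interface ethernet ethernet1/4 virtual-wire
set network virtual-wire vw-dmz interface1 ethernet1/3 interface2 ethernet1/4
set network virtual-wire vw-dmz tag-allowed 0

# Inspect multicast on this wire against security policy instead of forwarding it
# transparently.
set network virtual-wire vw-dmz multicast-firewalling enable yes

# One zone per side of the wire; security policy is evaluated between them.
set zone vw-in network virtual-wire ethernet1/3
set zone vw-out network virtual-wire ethernet1/4

# Layer 3 control traffic is not exempt from policy: allow the routing protocols
# that must cross the wire (OSPF and BGP here) in both directions.
set rulebase security rules allow-routing from [ vw-in vw-out ] to [ vw-in vw-out ] source any destination any source-user any category any application [ ospf bgp ] service application-default hip-profiles any action allow

# Until this global setting is enabled, IPv6 crosses the wire without policy enforcement.
set deviceconfig setting session ipv6-firewalling yes

commit
```

Note what the rule does and does not cover: it is needed only for the Layer 3 control packets; BPDUs pass because the wire allows untagged frames, and PPPoE session frames pass regardless of policy. After the commit, traffic the wire actually inspects appears in the session table (show session all), which is a quick way to confirm that OSPF or BGP is being matched by the rule rather than silently dropped.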
Fragmentation on a virtual wire occurs the same as in other interface deployment
modes.