About Virtual Wires
Learn how a virtual wire binds two firewall interfaces together so the firewall can be inserted transparently into a network segment.
Use a virtual wire deployment when you need to insert the firewall into an existing topology and the
two connected firewall interfaces don't need to do any switching or routing. In a
virtual wire deployment, you install a firewall transparently on a network segment by
binding two firewall interfaces together. The virtual wire is internal to the firewall
and logically connects the two interfaces; for these two interfaces, the firewall is
considered a bump in the wire.
A virtual wire deployment simplifies firewall installation and configuration because you
can insert the firewall into an existing topology without assigning MAC or IP addresses
to the interfaces, redesigning the network, or reconfiguring surrounding network
devices. The virtual wire supports blocking or allowing traffic based on virtual LAN
(VLAN) tags, in addition to supporting Security policy rules, App-ID, Content-ID,
User-ID, decryption, LLDP, active/passive and active/active HA, QoS, zone protection
(with some exceptions), non-IP protocol protection, DoS protection, packet buffer
protection, tunnel content inspection, and NAT.
Each virtual wire interface is directly connected to a Layer 2 or Layer 3 networking
device or host. The virtual wire interfaces have no Layer 2 or Layer 3 addresses. When
one of the virtual wire interfaces receives a frame or packet, it ignores any Layer 2 or
Layer 3 addresses for switching or routing purposes, but applies your security or NAT
policy rules before passing an allowed frame or packet over the virtual wire to the
second interface and on to the network device connected to it.
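The following PAN-OS CLI configuration is an added example, not taken from this page or from Palo Alto Networks' own documentation. It shows the pieces the text describes: two physical interfaces set to the virtual-wire type, a virtual wire object that binds them, a tag-allowed list that restricts which VLAN tags may cross the wire, a zone on each side so Security policy can reference them, and one policy rule. The interface names, object names (vw-inline, vw-trust, vw-untrust, allow-web), the VLAN tag values and the exact command forms are assumptions from memory of the PAN-OS CLI and should be checked against the CLI reference for your PAN-OS version.

```text
# Added example (not from the page): minimal virtual wire deployment in PAN-OS CLI.
# Names and tag values are illustrative assumptions.
configure

# 1. Put both physical interfaces into virtual-wire mode. No MAC or IP addresses are
#    assigned; the interfaces never switch or route.
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire

# 2. Bind the two interfaces into one virtual wire object.
set network virtual-wire vw-inline interface1 ethernet1/1
set network virtual-wire vw-inline interface2 ethernet1/2

# 3. Restrict which VLAN tags may cross the wire. Tag 0 means untagged frames; the
#    range form allows a block of tagged VLANs. Frames with any other tag are dropped
#    before policy is evaluated.
set network virtual-wire vw-inline tag-allowed 0,100-199

# 4. (Assumed option) propagate link state so that if one side goes down the peer on the
#    other side sees the link drop too, instead of sending into a black hole.
set network virtual-wire vw-inline link-state-pass-through enable yes

# 5. Assign each interface to a zone so Security policy can match direction of travel.
set zone vw-untrust network virtual-wire ethernet1/1
set zone vw-trust network virtual-wire ethernet1/2

# 6. One Security policy rule; App-ID still applies even though the firewall is not
#    routing. Anything not matched here falls to the default interzone deny.
set rulebase security rules allow-web from vw-trust to vw-untrust source any destination any application [ web-browsing ssl ] service application-default action allow

commit
```

Two checks worth making after the commit: verify the wire with `show interface ethernet1/1` (it should report the virtual-wire type and no addresses), and confirm that frames carrying a VLAN tag outside the tag-allowed list are dropped rather than passed, since a surrounding switch trunk that carries more VLANs than you expect is the usual way a virtual wire quietly forwards traffic you meant to inspect elsewhere.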
Virtual Wire Support of High Availability
Virtual wire interfaces support both active/passive and active/active HA. If you configure the firewall
to perform path monitoring for firewalls in a
High Availability configuration using a virtual wire
path group, the firewall attempts to resolve the ARP for the configured destination
IP address by sending ARP packets out both of the virtual wire interfaces. The
destination IP address that you’re monitoring must be on the same subnetwork as one
of the devices surrounding the virtual wire.
You can configure the passive firewall in an HA pair to allow peer devices on either
side of the firewall to prenegotiate LLDP and LACP over a virtual wire before an HA
failover occurs.