Configure Virtual Wires

1. Create the first virtual wire interface.

   1. Select NetworkInterfacesEthernet and select an interface you have cabled (ethernet1/3 in this example).
   2. Set the Interface Type to Virtual Wire.
2. Attach the interface to a virtual wire object.

   1. While still on the same Ethernet interface, on the Config tab, select Virtual Wire and click New Virtual Wire.
   2. Enter a Name for the virtual wire.
   3. For Interface1, select the interface you just configured (ethernet1/3). (Only interfaces configured as virtual wire interfaces appear in the list.)
   4. For Tag Allowed, enter 0 to indicate untagged traffic (such as BPDUs and other Layer 2 control traffic) is allowed. The absence of a tag implies tag 0. Enter additional allowed tag integers or ranges of tags, separated by commas (default is 0; range is 0 to 4,094).
   5. Select Multicast Firewalling if you want to be able to apply security policy rules to multicast traffic going across the virtual wire. Otherwise, multicast traffic is transparently forwarded across the virtual wire.
   6. Select Link State Pass Through so the firewall can function transparently. When the firewall detects a link down state for a link of the virtual wire, it brings down the other interface in the virtual wire pair. Thus, devices on both sides of the firewall see a consistent link state, as if there were no firewall between them. If you don’t select this option, link status is not propagated across the virtual wire.
   7. Click OK to save the virtual wire object.
3. Determine the link speed of the virtual wire interface.

   1. While still on the same Ethernet interface, select Advanced and note or change the Link Speed. The port type determines the speed settings available in the list. By default, copper ports are set to auto negotiate link speed. Both virtual wire interfaces must have the same link speed.
   2. Click OK to save the Ethernet interface.
4. Configure the second virtual wire interface (ethernet1/4 in this example) by repeating the preceding steps.

   When you select the Virtual Wire object you created, the firewall automatically adds the second virtual wire interface as Interface2.
5. Create a separate security zone for each virtual wire interface.

   1. Select NetworkZones and Add a zone.
   2. Enter the Name of the zone (such as internet).
   3. For Location, select the virtual system where the zone applies.
   4. For Type, select Virtual Wire.
   5. Add the Interface that belongs to the zone.
   6. Click OK.
6. (Optional) Create security policy rules to allow Layer 3 traffic to pass through.

   To allow Layer 3 traffic across the virtual wire, Create a Security Policy Rule to allow traffic from the user zone to the internet zone, and another to allow traffic from the internet zone to the user zone, selecting the applications you want to allow, such as BGP or OSPF.
7. (Optional) Enable IPv6 firewalling.

   If you want to be able to apply security policy rules to IPv6 traffic arriving at the virtual wire interface, enable IPv6 firewalling. Otherwise, IPv6 traffic is forwarded transparently.

   1. Select DeviceSetupSession and edit Session Settings.
   2. Select Enable lPv6 Firewalling.
   3. Click OK.
8. (Supported firewalls only) If the interface corresponds to a PoE (Power over Ethernet) port on the firewall, you can optionally configure PoE.
9. Commit your changes.
10. (Optional) Configure an LLDP profile and apply it to the virtual wire interfaces (see Configure LLDP).
11. (Optional) Apply non-IP protocol control to the virtual wire zones (Configure Protocol Protection). Otherwise, all non-IP traffic is forwarded over the virtual wire.