Configure Virtual Wires

Configuring a virtual wire includes configuring two Ethernet ports that use the same link speed as virtual wire interfaces, enabling link state pass through, and adding each interface to a security zone. You can optionally create a security policy rule to allow Layer 3 traffic, and enable multicast firewalling, IPv6 firewalling, LLDP, and non-IP protocol protection (for PAN-OS 8.0 and later releases).
The following task shows how to configure two Virtual Wire Interfaces (Ethernet 1/3 and Ethernet 1/4 in this example) to create a virtual wire. The two interfaces must have the same
Link Speed
and transmission mode (
Link Duplex
). For example, a full-duplex 1000Mbps copper port matches a full-duplex 1Gbps fiber optic port.
  1. Create the first virtual wire interface.
    1. Select
      and select an interface you have cabled (
      in this example).
    2. Set the
      Interface Type
      Virtual Wire
  2. Attach the interface to a virtual wire object.
    1. While still on the same Ethernet interface, on the
      tab, select
      Virtual Wire
      and click
      New Virtual Wire
    2. Enter a
      for the virtual wire.
    3. For
      , select the interface you just configured (
      ). (Only interfaces configured as virtual wire interfaces appear in the list.)
    4. For
      Tag Allowed
      , enter
      to indicate untagged traffic (such as BPDUs and other Layer 2 control traffic) is allowed. The absence of a tag implies tag 0. Enter additional allowed tag integers or ranges of tags, separated by commas (default is 0; range is 0 to 4,094).
    5. Select
      Multicast Firewalling
      if you want to be able to apply security policy rules to multicast traffic going across the virtual wire. Otherwise, multicast traffic is transparently forwarded across the virtual wire.
    6. Select
      Link State Pass Through
      so the firewall can function transparently. When the firewall detects a link down state for a link of the virtual wire, it brings down the other interface in the virtual wire pair. Thus, devices on both sides of the firewall see a consistent link state, as if there were no firewall between them. If you don’t select this option, link status is not propagated across the virtual wire.
    7. Click
      to save the virtual wire object.
  3. Determine the link speed of the virtual wire interface.
    1. While still on the same Ethernet interface, select
      and note or change the
      Link Speed
      . The port type determines the speed settings available in the list. By default, copper ports are set to
      negotiate link speed. Both virtual wire interfaces must have the same link speed.
    2. Click
      to save the Ethernet interface.
  4. Configure the second virtual wire interface (
    in this example) by repeating the preceding steps.
    When you select the
    Virtual Wire
    object you created, the firewall automatically adds the second virtual wire interface as
  5. Create a separate security zone for each virtual wire interface.
    1. Select
      a zone.
    2. Enter the
      of the zone (such as
    3. For
      , select the virtual system where the zone applies.
    4. For
      , select
      Virtual Wire
    5. Add
      that belongs to the zone.
    6. Click
  6. (
    ) Create security policy rules to allow Layer 3 traffic to pass through.
    To allow Layer 3 traffic across the virtual wire, Create a Security Policy Rule to allow traffic from the user zone to the internet zone, and another to allow traffic from the internet zone to the user zone, selecting the applications you want to allow, such as BGP or OSPF.
  7. (
    ) Enable IPv6 firewalling.
    If you want to be able to apply security policy rules to IPv6 traffic arriving at the virtual wire interface, enable IPv6 firewalling. Otherwise, IPv6 traffic is forwarded transparently.
    1. Select
      and edit Session Settings.
    2. Select
      Enable lPv6 Firewalling
    3. Click
  8. (
    Supported firewalls only
    ) If the interface corresponds to a PoE (Power over Ethernet) port on the firewall, you can optionally configure PoE.
  9. Commit
    your changes.
  10. (
    ) Configure an LLDP profile and apply it to the virtual wire interfaces (see Configure LLDP).
  11. (
    ) Apply non-IP protocol control to the virtual wire zones (Configure Protocol Protection). Otherwise, all non-IP traffic is forwarded over the virtual wire.

Recommended For You