Next-Generation Firewall
Virtual Wire Interfaces
Virtual wires bind two interfaces within a firewall, enabling you to easily install a firewall into a topology that requires no switching or routing by those interfaces.
In a virtual wire deployment, you install a firewall transparently on a network segment by binding two firewall ports (interfaces) together. The virtual wire logically connects the two interfaces; hence, the virtual wire is internal to the firewall. Use a virtual wire deployment only when you want to seamlessly integrate a firewall into a topology and the two connected interfaces on the firewall don't need to do any switching or routing. For these two interfaces, the firewall is considered a bump in the wire.

A virtual wire deployment simplifies firewall installation and configuration because you can insert the firewall into an existing topology without assigning MAC or IP addresses to the interfaces, redesigning the network, or reconfiguring surrounding network devices. The virtual wire supports blocking or allowing traffic based on virtual LAN (VLAN) tags, in addition to supporting security policy rules, App-ID, Content-ID, User-ID, decryption, LLDP, active/passive and active/active HA, QoS, zone protection (with some exceptions), non-IP protocol protection, DoS protection, packet buffer protection, tunnel content inspection, and NAT.
Each virtual wire interface is directly connected to a Layer 2 or Layer 3 networking device or host. The virtual wire interfaces have no Layer 2 or Layer 3 addresses. When one of the virtual wire interfaces receives a frame or packet, it ignores any Layer 2 or Layer 3 addresses for switching or routing purposes, but applies your security or NAT policy rules before passing an allowed frame or packet over the virtual wire to the second interface and on to the network device connected to it.

You wouldn’t use a virtual wire deployment for interfaces that need to support switching, VPN tunnels, or routing, because those functions require a Layer 2 or Layer 3 address. A virtual wire interface also doesn’t use an Interface Management profile: such a profile controls management services such as HTTP and ping, which require the interface to have an IP address.
All firewalls shipped from the factory have two Ethernet ports
(ports 1 and 2) preconfigured as virtual wire interfaces, and these
interfaces allow all untagged traffic.
If you’re using Security Group Tags (SGTs) in a Cisco TrustSec network, it’s a best practice to deploy inline firewalls in either Layer 2 or virtual wire mode. Firewalls in Layer 2 or virtual wire mode can inspect and provide threat prevention for the tagged traffic.

If you don’t intend to use the preconfigured virtual wire, you must delete that configuration to prevent it from interfering with other settings you configure on the firewall. See Set Up Network Access for External Services.
Port Speeds of Virtual Wire Interfaces
Different firewall models provide various numbers of copper and fiber optic ports, which operate at different speeds. A virtual wire can bind two Ethernet ports of the same type (both copper or both fiber optic), or bind a copper port with a fiber optic port. By default, the Link Speed of copper ports on the firewall is set to auto, which means the firewall automatically negotiates their speed and transmission mode (Link Duplex). When you configure virtual wires, you can also select a specific Link Speed and Link Duplex, but the values for these settings must be the same for both ports in any single virtual wire. Configure a virtual wire using two ports that operate at the same speed, whether they are both copper, both fiber optic, or one copper and one fiber optic.
LLDP over a Virtual Wire
Virtual wire interfaces can use LLDP to discover neighboring devices and their capabilities, and LLDP allows neighboring devices to detect the presence of the firewall in the network. This makes troubleshooting easier, especially on a virtual wire, where the firewall would typically go undetected by a ping or traceroute passing through it: without LLDP, it's practically impossible for network management systems to detect the presence of a firewall through the virtual link.
Aggregated Interfaces for a Virtual Wire
You can Configure an Aggregate Interface Group of virtual wire interfaces, but virtual wires don’t use LACP. If you configure LACP on devices that connect the firewall to other networks, the virtual wire will pass LACP packets transparently without performing LACP functions.

On a virtual wire, the firewall can pass LACP traffic only when the links are not aggregated on the firewall. If the links are aggregated on the virtual wire, the firewall could forward the packets to the wrong port of the Aggregated Ethernet group, which will cause LACP not to function between the peers.

For aggregate interface groups to function properly, ensure all links belonging to the same LACP group on the same side of the virtual wire are assigned to the same zone.
Virtual Wire Support of High Availability
If you configure the firewall to perform path monitoring for High Availability using a virtual wire path group, the firewall attempts to resolve ARP for the configured destination IP address by sending ARP packets out both of the virtual wire interfaces. The destination IP address that you're monitoring must be on the same subnetwork as one of the devices surrounding the virtual wire.

Virtual wire interfaces support both active/passive and active/active HA. For an active/active HA deployment with a virtual wire, the scanned packets must be returned to the receiving firewall to preserve the forwarding path. Therefore, if a firewall receives a packet that belongs to a session that the peer HA firewall owns, it sends the packet across the HA3 link to the peer.

You can configure the passive firewall in an HA pair to enable peer devices on either side of the firewall to prenegotiate LLDP and LACP over a virtual wire before an HA failover occurs. Such a configuration for LACP and LLDP Pre-Negotiation for Active/Passive HA speeds up HA failovers.
Zone Protection for a Virtual Wire Interface
You can apply zone protection to a virtual wire interface, but because virtual wire interfaces don’t perform routing, you can’t apply Packet Based Attack Protection to packets coming with a spoofed IP address, nor can you suppress ICMP TTL Expired error packets or ICMP Frag Needed packets.

By default, a virtual wire interface forwards all non-IP traffic it receives. However, you can apply a Zone Protection profile with Protocol Protection to block or allow certain non-IP protocol packets between security zones on a virtual wire.
VLAN-Tagged Traffic
Virtual wire interfaces by default allow all untagged traffic. You can, however, use a virtual wire to connect two interfaces and configure either interface to block or allow traffic based on the virtual LAN (VLAN) tags. VLAN tag 0 indicates untagged traffic.

You can also create multiple subinterfaces, add them into different zones, and then classify traffic according to a VLAN tag or a combination of a VLAN tag with IP classifiers (address, range, or subnet) to apply granular policy control for specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet.
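The decisions described in this section and in the overview above (tag-allowed admission with tag 0 meaning untagged, subinterface and zone selection by VLAN tag plus IP classifier, Protocol Protection for non-IP EtherTypes, and forwarding the frame to the other end of the wire without touching any MAC or IP address), as an added example that is not PAN-OS code or Palo Alto Networks code. It is a small Python model of the data path: the configuration dict and its field names, the "0,100-102" string form of the tag-allowed list, the use of EtherType 0x0842 as the blocked non-IP protocol, and every interface name, zone and address are constructed for illustration.

```python
"""Model of the forwarding decision a virtual wire makes for one frame.

Added example, not PAN-OS code: the configuration dict and its field names, the
"0,100-102" form of the tag-allowed list, the frame layouts, and every interface
name, zone and address below are constructed for illustration.
"""
import ipaddress
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_WOL = 0x0842  # stands in for a non-IP protocol that Protocol Protection blocks

# Constructed virtual-wire configuration (hypothetical field names).
VWIRE = {
    "interface1": "ethernet1/1",
    "interface2": "ethernet1/2",
    "tag_allowed": "0,100-102",  # tag 0 = untagged traffic
    "zones": {"ethernet1/1": "trust", "ethernet1/2": "untrust"},
    "blocked_ethertypes": {ETHERTYPE_WOL},
    # Two subinterfaces share tag 100; the IP classifier tells them apart.
    "subinterfaces": [
        {"name": "ethernet1/1.100", "parent": "ethernet1/1", "tag": 100,
         "classifier": None, "zone": "vlan100"},
        {"name": "ethernet1/1.101", "parent": "ethernet1/1", "tag": 100,
         "classifier": "10.0.100.0/24", "zone": "vlan100-lab"},
    ],
}


def parse_tag_allowed(spec):
    """Expand "0,100-102" into {0, 100, 101, 102}."""
    tags = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        tags.update(range(int(lo), int(hi or lo) + 1))
    return tags


def parse_frame(frame):
    """Return VLAN ID (0 if untagged), inner EtherType, and IPv4 source if present."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, 0
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18  # VID is the low 12 bits of the TCI
    src_ip = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        src_ip = ipaddress.ip_address(frame[offset + 12:offset + 16])
    return {"vlan": vlan, "ethertype": ethertype, "src_ip": src_ip}


def vwire_decision(ingress, frame, vwire=VWIRE):
    """Verdict for `frame` arriving on `ingress`: on "pass", the egress port is
    always the other end of the wire, the zone comes from VLAN tag plus IP
    classifier, and the frame is forwarded byte for byte (no address rewrite)."""
    ends = (vwire["interface1"], vwire["interface2"])
    if ingress not in ends:
        raise ValueError(f"{ingress} is not part of this virtual wire")
    egress = ends[1] if ingress == ends[0] else ends[0]
    fields = parse_frame(frame)
    # 1. Tag admission: a VLAN ID outside tag-allowed is dropped at the port.
    if fields["vlan"] not in parse_tag_allowed(vwire["tag_allowed"]):
        return {"action": "drop", "reason": "vlan not in tag-allowed", **fields}
    # 2. Protocol Protection: non-IP traffic passes unless its EtherType is blocked.
    if fields["ethertype"] in vwire["blocked_ethertypes"]:
        return {"action": "drop", "reason": "protocol protection", **fields}
    # 3. Zone selection: a subinterface matching the tag beats the parent interface,
    #    and one whose IP classifier also matches beats a tag-only subinterface.
    zone, subif = vwire["zones"][ingress], None
    for sub in sorted(vwire["subinterfaces"], key=lambda s: s["classifier"] is None):
        if sub["parent"] != ingress or sub["tag"] != fields["vlan"]:
            continue
        if sub["classifier"] is None or (fields["src_ip"] is not None and
                fields["src_ip"] in ipaddress.ip_network(sub["classifier"])):
            zone, subif = sub["zone"], sub["name"]
            break
    return {"action": "pass", "egress": egress, "zone": zone,
            "subinterface": subif, "frame": frame, **fields}


def build_frame(dst_mac, src_mac, ethertype, payload, vlan=None):
    """Constructed Ethernet frame, optionally with one 802.1Q tag (PCP and DEI zero)."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def ipv4_payload(src, dst):
    """Minimal 20-byte IPv4 header (constructed; checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
```

The order of the three checks and the rule that an IP-classifier subinterface takes precedence over a tag-only subinterface with the same tag are assumptions of this model; the page does not specify the firewall's internal evaluation order. What the model does make concrete is the security-relevant behaviour: a frame that reaches the far port is the very same bytes that arrived, a tagged frame whose VID is not in the tag-allowed list never reaches policy, and a non-IP frame is forwarded unless Protocol Protection names its EtherType.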
