In a virtual wire deployment, you install a firewall transparently on a network segment by binding two firewall ports (interfaces) together. The virtual wire logically connects the two interfaces; hence, the virtual wire is internal to the firewall. Use a virtual wire deployment only when you want to seamlessly integrate a firewall into a topology and the two connected interfaces on the firewall need not do any switching or routing. For these two interfaces, the firewall is considered a bump in the wire.
A virtual wire deployment simplifies firewall installation and configuration because you can insert the firewall into an existing topology without assigning MAC or IP addresses to the interfaces, redesigning the network, or reconfiguring surrounding network devices. The virtual wire supports blocking or allowing traffic based on virtual LAN (VLAN) tags, in addition to supporting security policy rules, App-ID, Content-ID, User-ID, decryption, LLDP, active/passive and active/active HA, QoS, zone protection (with some exceptions), DoS protection, and NAT.
Each virtual wire interface is directly connected to a Layer 2 or Layer 3 networking device or host. The virtual wire interfaces have no Layer 2 or Layer 3 addresses. When one of the virtual wire interfaces receives a frame or packet, it ignores any Layer 2 or Layer 3 addresses for switching or routing purposes, but applies your security or NAT policy rules before passing an allowed frame or packet over the virtual wire to the second interface and on to the network device connected to it.
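The forwarding behaviour described above can be made concrete with a small model. The following Python is an added illustration, not PAN-OS code: it binds two interfaces into a wire, admits frames by their 802.1Q VLAN tag against a tag-allowed list, consults a zone-to-zone policy only for IP traffic (non-IP traffic is forwarded by default, as stated later on this page), and relays an allowed frame to the peer interface byte-for-byte without ever looking at its MAC or IP addresses. The interface names, zone names, rules and frames are constructed sample values.

```python
"""Model of a virtual wire 'bump in the wire'.  Added illustration only; not
PAN-OS code.  Interface names, zones, rules and frames are constructed samples."""
import struct
from dataclasses import dataclass, field
from typing import Optional

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag present
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
IP_ETHERTYPES = {ETHERTYPE_IPV4, ETHERTYPE_IPV6}


def parse_tag_allowed(spec: str) -> set:
    """Turn a tag-allowed string such as "0,100-102" into the set of permitted
    VLAN IDs.  VLAN 0 stands for untagged traffic."""
    allowed = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 <= lo_i <= hi_i <= 4094:
            raise ValueError(f"invalid VLAN range: {part!r}")
        allowed.update(range(lo_i, hi_i + 1))
    return allowed


@dataclass
class Frame:
    dst_mac: bytes
    src_mac: bytes
    vlan_id: int          # 0 = untagged
    ethertype: int
    payload: bytes


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int,
                payload: bytes, vlan_id: int = 0) -> bytes:
    """Assemble an Ethernet frame, inserting an 802.1Q tag when vlan_id != 0."""
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF) if vlan_id else b""
    return dst_mac + src_mac + tag + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Read the Ethernet header plus an optional single 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    vlan_id, offset = 0, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id, offset = tci & 0x0FFF, 18   # low 12 bits of the TCI carry the VLAN ID
    return Frame(raw[:6], raw[6:12], vlan_id, ethertype, raw[offset:])


@dataclass
class VirtualWire:
    interface1: str
    interface2: str
    tag_allowed: set
    zone_of: dict                               # interface name -> zone name
    rules: list = field(default_factory=list)   # ordered (from_zone, to_zone, action)
    forward_non_ip: bool = True                 # non-IP traffic passes without a policy lookup
    log: list = field(default_factory=list)

    def peer(self, ingress: str) -> str:
        """The other end of the wire; the only possible egress for any frame."""
        if ingress == self.interface1:
            return self.interface2
        if ingress == self.interface2:
            return self.interface1
        raise ValueError(f"{ingress} is not part of this virtual wire")

    def policy_verdict(self, ingress: str) -> str:
        """First matching zone-pair rule wins; no match means deny."""
        src_zone, dst_zone = self.zone_of[ingress], self.zone_of[self.peer(ingress)]
        for from_zone, to_zone, action in self.rules:
            if from_zone in (src_zone, "any") and to_zone in (dst_zone, "any"):
                return action
        return "deny"

    def forward(self, ingress: str, raw: bytes) -> Optional[tuple]:
        """Return (egress_interface, frame) for an allowed frame, else None.
        MAC and IP addresses are never consulted for forwarding: egress is always
        the peer interface and an allowed frame leaves unchanged."""
        egress = self.peer(ingress)
        frame = parse_frame(raw)
        if frame.vlan_id not in self.tag_allowed:
            self.log.append((ingress, frame.vlan_id, "drop: VLAN tag not allowed"))
            return None
        if frame.ethertype not in IP_ETHERTYPES and self.forward_non_ip:
            self.log.append((ingress, frame.vlan_id, "forward: non-IP, no policy lookup"))
            return egress, raw
        verdict = self.policy_verdict(ingress)
        self.log.append((ingress, frame.vlan_id, f"{verdict}: policy"))
        return (egress, raw) if verdict == "allow" else None


if __name__ == "__main__":
    # Constructed sample: ethernet1/1 faces an untrusted segment, ethernet1/2 a trusted one.
    vw = VirtualWire("ethernet1/1", "ethernet1/2", parse_tag_allowed("0,100-102"),
                     zone_of={"ethernet1/1": "untrust", "ethernet1/2": "trust"},
                     rules=[("trust", "untrust", "allow")])
    a, b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    vw.forward("ethernet1/1", build_frame(b"\xff" * 6, a, 0x0806, b"\x00" * 28))
    vw.forward("ethernet1/2", build_frame(a, b, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vlan_id=100))
    vw.forward("ethernet1/1", build_frame(b, a, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vlan_id=200))
    for entry in vw.log:
        print(entry)
```

Note that the model keeps the two checks the page describes in their order: the tag-allowed list is applied before any policy lookup, and a denied frame is dropped rather than forwarded. The model also shows why VPN tunnels and routing are out of scope for a virtual wire: there is no address table anywhere in it, only a peer interface.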
You wouldn’t use a virtual wire deployment for interfaces that need to support switching, VPN tunnels, or routing because they require a Layer 2 or Layer 3 address. A virtual wire interface doesn’t use an interface management profile, which controls services such as HTTP and ping and therefore requires the interface have an IP address. By default, a virtual wire interface forwards all non-IP traffic.
All firewalls shipped from the factory have two Ethernet ports (ports 1 and 2) preconfigured as virtual wire interfaces, and these interfaces allow all untagged traffic.
If you don’t intend to use the preconfigured virtual wire, you must delete that configuration to prevent it from interfering with other settings you configure on the firewall. See Set Up Network Access for External Services.