A virtual wire interface will allow Layer 2 and Layer 3 packets from connected devices to pass transparently as long as the policies applied to the zone or interface allow the traffic. The virtual wire interfaces themselves don’t participate in routing or
For example, the firewall doesn’t decrement the TTL in a traceroute packet going over the virtual link because the link is transparent and doesn’t count as a hop. Packets such as Operations, Administration and Maintenance (OAM) protocol data units (PDUs) don’t terminate at the firewall. Thus, the virtual wire allows the firewall to maintain a transparent presence acting as a pass-through link, while still providing security, NAT, and QoS services.

In order for bridge protocol data units (BPDUs) and other Layer 2 control packets (which are typically untagged) to pass through a virtual wire, the interfaces must be attached to a virtual wire object that allows untagged traffic, and that is the default. If the virtual wire object is empty, the virtual wire allows untagged traffic. (Security policy rules don’t apply to Layer 2 packets.)

In order for routing (Layer 3) control packets to pass through a virtual wire, you must apply a security policy rule that allows the traffic to pass through. For example, apply a security policy rule that allows an application such as BGP or OSPF.

If you want to be able to apply security policy rules to a zone for IPv6 traffic arriving at a virtual wire interface on the firewall, enable IPv6 firewalling. Otherwise, IPv6 traffic is forwarded transparently across the wire.

If you enable multicast firewalling for a virtual wire object and apply it to a virtual wire interface, the firewall inspects multicast traffic and forwards it or not, based on security policy rules. If you don’t enable multicast firewalling, the firewall simply forwards multicast traffic transparently.
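The decision order the preceding paragraphs describe (untagged admission, Layer 2 control packets bypassing policy, IPv6 and multicast forwarded transparently unless their firewalling is enabled, everything else needing an explicit allow rule, and the TTL never being decremented) can be checked against sample packets with a small model. The following Python is an added, constructed model written for this page; it is not firewall code, and every name in it (`VirtualWire`, `SecurityRule`, `Packet`, `decide`, and the field names) is an assumption chosen to mirror the text, not a vendor API.

```python
"""Constructed model of virtual wire forwarding decisions (not vendor code).

Assumptions, mirroring the text above: untagged frames are admitted when the
virtual wire object allows them (the default); Layer 2 control packets are never
subject to security policy; IPv6 and multicast are forwarded transparently unless
IPv6 or multicast firewalling is enabled; other Layer 3 traffic needs a matching
allow rule; and the wire never decrements TTL. Tagged-frame admission is outside
this model.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional


@dataclass(frozen=True)
class VirtualWire:
    untagged_allowed: bool = True       # default per the text
    ipv6_firewalling: bool = False
    multicast_firewalling: bool = False


@dataclass(frozen=True)
class SecurityRule:
    name: str
    application: str                    # e.g. "ospf", "bgp", or "any"
    action: str                         # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    layer: int                          # 2 for BPDU/OAM-style PDUs, 3 for IP
    tagged: bool = False                # False means an untagged frame
    dst: Optional[str] = None           # IP destination for Layer 3 packets
    application: Optional[str] = None   # application as the firewall identifies it
    ttl: Optional[int] = None


@dataclass(frozen=True)
class Decision:
    forwarded: bool
    reason: str
    egress_ttl: Optional[int]           # equals ingress TTL whenever forwarded


def decide(vw: VirtualWire, rules: List[SecurityRule], pkt: Packet) -> Decision:
    """Return what the modelled virtual wire does with one packet."""
    # Untagged admission is decided by the virtual wire object, before policy.
    if not pkt.tagged and not vw.untagged_allowed:
        return Decision(False, "untagged-not-allowed", None)

    # Layer 2 control packets (BPDUs, OAM PDUs) bypass security policy entirely.
    if pkt.layer == 2:
        return Decision(True, "layer2-transparent", pkt.ttl)

    dst = ip_address(pkt.dst)
    if dst.version == 6 and not vw.ipv6_firewalling:
        return Decision(True, "ipv6-transparent", pkt.ttl)
    if dst.is_multicast and not vw.multicast_firewalling:
        return Decision(True, "multicast-transparent", pkt.ttl)

    # Remaining Layer 3 traffic is subject to security policy: first match wins,
    # and without a matching allow rule the traffic does not cross the wire.
    for rule in rules:
        if rule.application in ("any", pkt.application):
            allowed = rule.action == "allow"
            return Decision(allowed, "policy:" + rule.name, pkt.ttl if allowed else None)
    return Decision(False, "no-matching-rule", None)


# Constructed sample packets and rules used to exercise the model.
BPDU = Packet(layer=2)
OSPF_HELLO = Packet(layer=3, dst="224.0.0.5", application="ospf", ttl=1)
BGP_V4 = Packet(layer=3, dst="10.0.0.2", application="bgp", ttl=1)
BGP_V6 = Packet(layer=3, dst="2001:db8::2", application="bgp", ttl=64)
ALLOW_ROUTING = [SecurityRule("allow-routing", "bgp", "allow"),
                 SecurityRule("allow-ospf", "ospf", "allow")]


if __name__ == "__main__":
    for pkt in (BPDU, OSPF_HELLO, BGP_V4, BGP_V6):
        print(pkt.application or "layer2", decide(VirtualWire(), [], pkt))
        print(pkt.application or "layer2",
              decide(VirtualWire(multicast_firewalling=True, ipv6_firewalling=True),
                     ALLOW_ROUTING, pkt))
```

Running it side by side with and without the two firewalling options shows the practical point: with default settings a BGP session over IPv6 and OSPF hellos to 224.0.0.5 cross the wire without ever touching the rulebase, so a zone policy you expect to restrict them has no effect until IPv6 or multicast firewalling is enabled on the virtual wire object.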

Fragmentation on a virtual wire occurs the same way as in other interface deployment modes.