Configure Virtual Wires
Configuring a virtual wire includes configuring two Ethernet ports that use the same link speed as virtual wire interfaces, enabling link state pass through, and adding each interface to a security zone. You can optionally create a security policy rule to allow Layer 3 traffic, and enable multicast firewalling, IPv6 firewalling, LLDP, and non-IP protocol protection (for PAN-OS 8.0 and later releases).
The following task shows how to configure two Virtual Wire Interfaces (Ethernet 1/3 and Ethernet 1/4 in this example) to create a virtual wire. The two interfaces must have the same Link Speed and transmission mode (Link Duplex). For example, a full-duplex 1000Mbps copper port matches a full-duplex 1Gbps fiber optic port.
- Create the first virtual wire interface.
- Select NetworkInterfacesEthernet and select an interface you have cabled (ethernet1/3 in this example).
- Set the Interface Type to Virtual Wire.
- Attach the interface to a virtual wire object.
- While still on the same Ethernet interface, on the Config tab, select Virtual Wire and click New Virtual Wire.
- Enter a Name for the virtual wire.
- For Interface1, select the interface you just configured (ethernet1/3). (Only interfaces configured as virtual wire interfaces appear in the drop-down.)
- For Tag Allowed, enter 0 to indicate untagged traffic (such as BPDUs and other Layer 2 control traffic) is allowed. The absence of a tag implies tag 0. Enter additional allowed tag integers or ranges of tags, separated by commas (default is 0; range is 0 to 4,094).
- Select Multicast Firewalling if you want to be able to apply security policy rules to multicast traffic going across the virtual wire. Otherwise, multicast traffic is transparently forwarded across the virtual wire.
- Select Link State Pass Through so the firewall can function transparently. When the firewall detects a link down state for a link of the virtual wire, it brings down the other interface in the virtual wire pair. Thus, devices on both sides of the firewall see a consistent link state, as if there were no firewall between them. If you don’t select this option, link status is not propagated across the virtual wire.
- Click OK to save the virtual wire object.
- Determine the link speed of the virtual wire interface.
- While still on the same Ethernet interface, select Advanced and note or change the Link Speed. The port type determines the speed settings available in the drop-down. By default, copper ports are set to auto negotiate link speed. Both virtual wire interfaces must have the same link speed.
- Click OK to save the Ethernet interface.
- Configure the second virtual wire interface (ethernet1/4 in
this example) by repeating the preceding steps.When you select the Virtual Wire object you created, the firewall automatically adds the second virtual wire interface as Interface2.
- Create a separate security zone for each virtual wire
- Select NetworkZones and Add a zone.
- Enter the Name of the zone (such as internet).
- For Location, select the virtual system where the zone applies.
- For Type, select Virtual Wire.
- Add the Interface that belongs to the zone.
- Click OK.
- (Optional) Create security policy rules to allow
Layer 3 traffic to pass through.To allow Layer 3 traffic across the virtual wire, Create a Security Policy Rule to allow traffic from the user zone to the internet zone, and another to allow traffic from the internet zone to the user zone, selecting the applications you want to allow, such as BGP or OSPF.
- (Optional) Enable IPv6 firewalling.If you want to be able to apply security policy rules to IPv6 traffic arriving at the virtual wire interface, enable IPv6 firewalling. Otherwise, IPv6 traffic is forwarded transparently.
- Select DeviceSetupSession and edit Session Settings.
- Select Enable lPv6 Firewalling.
- Click OK.
- Commit your changes.
- (Optional) Configure an LLDP profile and apply it to the virtual wire interfaces (see Configure LLDP).
- (Optional) Apply non-IP protocol control to the virtual wire zones (see Configure Protocol Protection). Otherwise, all non-IP traffic is forwarded over the virtual wire.
Port Speeds of Virtual Wire Interfaces
Configure a virtual wire using two ports that operate at the same speed, whether they are both copper, both fiber optic, or one copper and ...
Layer 2 and Layer 3 Packets over a Virtual Wire
Virtual wire interfaces don’t participate in switching or routing; you can control Layer 2 tagged and untagged traffic; you can control Layer 3 traffic using ...
Network > Virtual Wires
Network > Virtual Wires Select Network Virtual Wires to define virtual wires after you have specified two virtual wire interfaces on the firewall ( Network ...
Virtual Wire Interfaces
Virtual wires bind two interfaces within a firewall, allowing you to easily install a firewall into a topology that requires no switching or routing by ...
Virtual Wire Interface
Virtual Wire Interface Network > Interfaces > Ethernet A virtual wire logically binds two Ethernet interfaces together, allowing for all traffic to pass between the ...
Zone Protection for a Virtual Wire Interface
You can provide virtual wire interfaces with zone protection; a few packet-based attack protections that are based on IP addresses don’t apply to virtual wire ...
Virtual Wire Subinterfaces
You can create subinterfaces on a virtual wire and then apply different policies to different traffic zones based on VLAN tags. You can further separate ...
Virtual Wire Support of High Availability
Virtual wires support active/passive and active/active HA and path monitoring. You can speed up HA failover for an active/passive HA pair by pre-negotiating LACP and ...
Aggregated Interfaces for a Virtual Wire
A virtual wire supports aggregate interface groups; if LACP is configured on devices connected to the firewall, the virtual wire passes LACP packets transparently. ...