Configure Virtual Wires
Configuring a virtual wire includes configuring two Ethernet ports that use the same link speed as virtual wire interfaces, enabling link state pass through, and adding each interface to a security zone. You can optionally create a security policy rule to allow Layer 3 traffic, and enable multicast firewalling, IPv6 firewalling, LLDP, and non-IP protocol protection (for PAN-OS 8.0 and later releases).
The following task shows how to configure two Virtual Wire Interfaces (Ethernet 1/3 and Ethernet 1/4 in this example) to create a virtual wire. The two interfaces must have the same
Link Speedand transmission mode (
Link Duplex). For example, a full-duplex 1000Mbps copper port matches a full-duplex 1Gbps fiber optic port.
- Create the first virtual wire interface.
- Selectand select an interface you have cabled (NetworkInterfacesEthernetethernet1/3in this example).
- Set theInterface TypetoVirtual Wire.
- Attach the interface to a virtual wire object.
- While still on the same Ethernet interface, on theConfigtab, selectVirtual Wireand clickNew Virtual Wire.
- Enter aNamefor the virtual wire.
- ForInterface1, select the interface you just configured (ethernet1/3). (Only interfaces configured as virtual wire interfaces appear in the drop-down.)
- ForTag Allowed, enter0to indicate untagged traffic (such as BPDUs and other Layer 2 control traffic) is allowed. The absence of a tag implies tag 0. Enter additional allowed tag integers or ranges of tags, separated by commas (default is 0; range is 0 to 4,094).
- SelectMulticast Firewallingif you want to be able to apply security policy rules to multicast traffic going across the virtual wire. Otherwise, multicast traffic is transparently forwarded across the virtual wire.
- SelectLink State Pass Throughso the firewall can function transparently. When the firewall detects a link down state for a link of the virtual wire, it brings down the other interface in the virtual wire pair. Thus, devices on both sides of the firewall see a consistent link state, as if there were no firewall between them. If you don’t select this option, link status is not propagated across the virtual wire.
- ClickOKto save the virtual wire object.
- Determine the link speed of the virtual wire interface.
- While still on the same Ethernet interface, selectAdvancedand note or change theLink Speed. The port type determines the speed settings available in the drop-down. By default, copper ports are set toautonegotiate link speed. Both virtual wire interfaces must have the same link speed.
- ClickOKto save the Ethernet interface.
- Configure the second virtual wire interface (ethernet1/4in this example) by repeating the preceding steps.When you select theVirtual Wireobject you created, the firewall automatically adds the second virtual wire interface asInterface2.
- Create a separate security zone for each virtual wire interface.
- SelectandNetworkZonesAdda zone.
- Enter theNameof the zone (such asinternet).
- ForLocation, select the virtual system where the zone applies.
- ForType, selectVirtual Wire.
- AddtheInterfacethat belongs to the zone.
- (Optional) Create security policy rules to allow Layer 3 traffic to pass through.To allow Layer 3 traffic across the virtual wire, Create a Security Policy Rule to allow traffic from the user zone to the internet zone, and another to allow traffic from the internet zone to the user zone, selecting the applications you want to allow, such as BGP or OSPF.
- (Optional) Enable IPv6 firewalling.If you want to be able to apply security policy rules to IPv6 traffic arriving at the virtual wire interface, enable IPv6 firewalling. Otherwise, IPv6 traffic is forwarded transparently.
- Selectand edit Session Settings.DeviceSetupSession
- SelectEnable lPv6 Firewalling.
- Commityour changes.
- (Optional) Configure an LLDP profile and apply it to the virtual wire interfaces (see Configure LLDP).
- (Optional) Apply non-IP protocol control to the virtual wire zones (see Configure Protocol Protection). Otherwise, all non-IP traffic is forwarded over the virtual wire.