Virtual Wire Interfaces
Virtual wires bind two interfaces within a firewall, allowing you to easily install a firewall into a topology that requires no switching or routing by those interfaces. You can apply security policy rules, NAT, QoS, and other policies to virtual wire interfaces.
In a virtual wire deployment, you install a firewall transparently on a network segment by binding two firewall ports (interfaces) together. The virtual wire logically connects the two interfaces; hence, the virtual wire is internal to the firewall.
Use a virtual wire deployment only when you want to seamlessly integrate a firewall into a topology and the two connected interfaces on the firewall need not do any switching or routing. For these two interfaces, the firewall is considered a bump in the wire.
A virtual wire deployment simplifies firewall installation and configuration because you can insert the firewall into an existing topology without assigning MAC or IP addresses to the interfaces, redesigning the network, or reconfiguring surrounding network devices. The virtual wire supports blocking or allowing traffic based on virtual LAN (VLAN) tags, in addition to supporting security policy rules, App-ID, Content-ID, User-ID, decryption, LLDP, active/passive and active/active HA, QoS, zone protection (with some exceptions), non-IP protocol protection, DoS protection, packet buffer protection, tunnel content inspection, and NAT.
Each virtual wire interface is directly connected to a Layer 2 or Layer 3 networking device or host. The virtual wire interfaces have no Layer 2 or Layer 3 addresses. When one of the virtual wire interfaces receives a frame or packet, it ignores any Layer 2 or Layer 3 addresses for switching or routing purposes, but applies your security or NAT policy rules before passing an allowed frame or packet over the virtual wire to the second interface and on to the network device connected to it.
You wouldn’t use a virtual wire deployment for interfaces that need to support switching, VPN tunnels, or routing, because those functions require a Layer 2 or Layer 3 address. A virtual wire interface doesn’t use an interface management profile, which controls services such as HTTP and ping and therefore requires that the interface have an IP address.
All firewalls shipped from the factory have two Ethernet ports (ports 1 and 2) preconfigured as virtual wire interfaces, and these interfaces allow all untagged traffic.
If you’re using security group tags (SGTs) in a Cisco TrustSec network, it’s a best practice to deploy inline firewalls in either Layer 2 or virtual wire mode. Firewalls in Layer 2 or virtual wire mode can inspect and provide threat prevention for the tagged traffic.
If you don’t intend to use the preconfigured virtual wire, you must delete that configuration to prevent it from interfering with other settings you configure on the firewall. See Set Up Network Access for External Services.
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires