In this example, you will create a virtual wire pair (consisting of port3 and port4) to make it easier to protect a web server that is behind a FortiGate operating as an Internal Segmentation Firewall (ISFW). Users on the internal network will access the web server through the ISFW over the virtual wire pair.A virtual wire pair consists of two interfaces that have no IP addresses and all traffic received by one interface in the pair can only be forwarded out the other; as controlled by firewall policies. Since the interfaces do not have IP addresses, you can insert a virtual wire pair into a network without having to make any changes to the network.
In FortiOS 5.4, virtual wire pair replaces the feature port pairing from earlier firmware versions. Unlike port pairing, virtual wire pair can be used for a FortiGate in NAT/Route mode, as well as Transparent mode.
Find this recipe for other FortiOS versions
5.2 | 5.4
1. Adding a virtual wire pair
|
Interfaces used in a virtual wire pair cannot be used to access the ISFW FortiGate. Before creating a virtual wire pair, make sure you have a different port (in the example, port1) configured to allow admin access using your preferred protocol.
|
|
Go to Network > Interfaces and select Create New > Virtual Wire Pair.
Add port3 and port4 add to the virtual wire pair.
|
|
2. Adding virtual wire pair firewall policies
|
Go to Policy & Objects > IPv4 Virtual Wire Pair Policy and create a policy will allow users on the internal network to connect to the server. Give the policy an appropriate name (in the example, Network-server-access).
Select the direction that traffic is allowed to flow (from port3 to port4).
Configure the other firewall options as needed. In the example, AntiVirus is enabled to protect the server.
|
|
Create a second virtual wire pair policy allowing traffic from port4 to exit out of port3. This policy allows the server to connect to the Internet, in order to download updates.
|
|
3. Results
|
To test both virtual wire pair policies, connect to the web server from a PC on the internal network, and also connect to the Internet from the web server.
|
Go to FortiView > Policies to see traffic flowing through both policies. |
|
If the interfaces you wish to use are part of a switch, such as the default lan/internal interface, you will need to remove them before they can be added to the virtual wire pair.
The post Creating a virtual wire pair appeared first on Fortinet Cookbook.