Understanding Virtual Wire


L3 Networker

I am trying to wrap my head around virtual wire from a practical perspective. To me it sounds like an access list applied between 2 interfaces (e.g. Internet & Users). That sounds like a typical concept with firewalls, but since security rules would already be called upon to permit or deny traffic between each zone, can someone help me understand how & when a virtual wire would be helpful, starting with the most typical & basic applications of the feature? Thank you.


Accepted Solutions

"you can enforce policies & log from zone to zone or intrazone right out of the box"


Not without setting up L3 (IPs, subnets, gateways, virtual routers), and then ensuring all your servers, clients and services are pointing at those IPs on the new firewall.


It's technically an L2 "bridge" (quite an old term traditionally now in network land). Think of the two v-wire ports as just two ports next to each other on a plain old switch. Nothing fancy... But the switch can read every packet and stop it being forwarded.






Cyber Elite


Most basic application of a virtual wire would be during an evaluation period before you actually deploy the firewall. Some equipment doesn't handle Tap interfaces all that well depending on the amount of traffic that you are passing, so to avoid this you'll simply use v-wire instead to get the logs.

Generally, if you were deploying with a v-wire and you were actually going to use it in production, you would likely set up the same security zone, but you would modify the intrazone default rule to deny. Therefore, regardless of the zone, you would still be able to build out the proper security policies to control the traffic.

L7 Applicator

Virtual wire is nothing like just an access list. This is still a full session table firewall with the NGFW app detection and features for policies fully available.


You can have two different zone names on the two joined interfaces, like trust and untrust, or you can have them in the same zone with intrazone policies. I have always seen it deployed with two zones.


Virtual wire requires no participation in layer 2 or 3 protocols, so it is very unobtrusive to existing network topologies. Thus I have mainly seen it deployed to isolate small numbers of devices or a physical section of the network topology without having to change any of the IP schemes at all.


Some common scenarios:

Hospital equipment or PCI devices connected to the same VLAN as other devices in the area but needing to be more aggressively protected. PCI for regulatory reasons, hospital devices because they run very old unpatched operating systems due to testing regulations.


DMZ areas where the desire is to have actual public addresses physically on server interfaces, in applications like VoIP servers. The v-wire inserts on the line into the DMZ switch invisibly and allows rules and sessions without any NAT in play.


Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center



You cut your Ethernet cable in half.

Reterminate the ends.

Plug one into one side of the v-wire.

Plug the other into the other side of the v-wire.


Everything that worked before still works with no configuration change (no subnets, routing, IPs, gateways need to change on clients, servers etc...)


Where could you use it?


Imagine you have a good old MPLS WAN (what protects you from issues on your remote branch?)

{HQ LAN} <> {MPLS Router} <> {WAN} <> {MPLS Routers} <> {BRANCH CLIENTS}


Stick in a V-Wire Firewall with no other configuration and everything still works.

{HQ LAN} <> {V-WIRE FW} <> {MPLS Router} <> {WAN} <> {MPLS Routers} <> {BRANCH CLIENTS}


Then apply rules and policies and logging.
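To make the "same zone with intrazone deny" approach (Cyber Elite's post) and the "two zones, trust/untrust" approach (L7 Applicator's post) concrete for the HQ LAN <> MPLS router scenario just described, here is an added configuration example that is not from any post in this thread. It assumes PAN-OS CLI configure-mode syntax of the 6.x/7.x era (check it against your own version); interface, zone and rule names are constructed for illustration, and lines starting with `#` are explanatory comments, not CLI input.

```text
# Two ports become the v-wire: the firewall takes no IP or MAC on either side,
# so nothing on the HQ LAN or the MPLS router needs to change.
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire
set network virtual-wire hq-wan-vwire interface1 ethernet1/1 interface2 ethernet1/2

# Option A (two zones): HQ side and WAN side get different zone names, so the
# normal zone-to-zone rulebase applies to traffic crossing the wire.
set zone hq-lan network virtual-wire ethernet1/1
set zone wan network virtual-wire ethernet1/2

# Branch -> HQ: only the applications the branch actually needs, and logged.
set rulebase security rules branch-to-hq from wan to hq-lan source any destination any application [ web-browsing ssl ms-rdp ] service application-default action allow log-end yes

# HQ -> branch: allowed, but every session is logged.
set rulebase security rules hq-to-branch from hq-lan to wan source any destination any application any service application-default action allow log-end yes

# Everything else hits the implicit interzone-default deny; log it so a
# compromised branch probing HQ shows up in the traffic log.
set rulebase default-security-rules rules interzone-default log-end yes

# Option B (one zone, Cyber Elite's approach): put both v-wire ports in a single
# zone and flip the intrazone-default rule from allow to deny, then build
# explicit intrazone rules for what should pass. Use instead of the zone lines
# above, not in addition to them.
#   set zone vwire-zone network virtual-wire [ ethernet1/1 ethernet1/2 ]
#   set rulebase default-security-rules rules intrazone-default action deny log-end yes

commit
```

Either way the firewall is still a full session-table NGFW: App-ID, logging and policy all apply; only the need to renumber or re-route anything is gone.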







Thanks for the helpful feedback guys, but I am still confused though because you can enforce policies & log from zone to zone or intrazone right out of the box. The only value I see (at least right now because I'm new to PA) is that it sounds a lot like Proxy ARP, and sounds like you can pass a public IP address from a modem/circuit through the PA & back to another device that has a public address configured on its interface & enforce policies, e.g. servers, 3rd party vendor equipment, etc...
