This is exactly the same technique an intrusion detection/prevention system uses, but instead of an IPS it is applied to a Palo Alto firewall. The technique is also known as a bump wire: a pair of physical interfaces is paired into a single “wire”. From the point of view of the switch and router connected to the virtual-wire firewall there is no firewall at all; only a single “wire” connects them.
Other brands of firewall I have used have routed and transparent modes; virtual wire is similar to transparent mode. A Palo Alto Networks firewall in virtual wire mode can carry VLAN tags like a trunk link. There is also a “default-wire”, which likewise pairs two Ethernet interfaces but carries untagged VLAN traffic.
admin@PA-5050> configure
Entering configuration mode
admin@PA-5050# edit network interface
[edit network interface]
admin@PA-5050# set ethernet ethernet1/1 virtual-wire
[edit network interface]
admin@PA-5050# set ethernet ethernet1/2 virtual-wire
[edit network interface]
admin@PA-5050#
This defines the virtual-wire pair. A factory-default PA-5050 already has ethernet1/1 and ethernet1/2 configured as a virtual-wire pair.
[edit network interface]
admin@PA-5050# top
admin@PA-5050# set zone trust network virtual-wire ethernet1/2
admin@PA-5050# set zone untrust network virtual-wire ethernet1/1
admin@PA-5050# commit
....75%99%.....100%
Configuration committed successfully
admin@PA-5050#
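The steps above only bind the interfaces and zones; for the wire to carry tagged traffic and actually enforce something, the virtual-wire object and at least one security rule are needed as well. The following is an added example assembled for this post, not the original session: it assumes the default virtual-wire object is named default-vwire, reuses the trust/untrust zones from above, and adds a hypothetical rule named outbound-web that allows only web browsing from trust to untrust with logging, so the zone-based policy that distinguishes this deployment from an IPS bump wire is visible.

```text
admin@PA-5050> configure
Entering configuration mode

# Pair the two physical ports into one virtual wire (assumed object name: default-vwire)
admin@PA-5050# set network interface ethernet ethernet1/1 virtual-wire
admin@PA-5050# set network interface ethernet ethernet1/2 virtual-wire
admin@PA-5050# set network virtual-wire default-vwire interface1 ethernet1/1 interface2 ethernet1/2

# Let the wire pass all 802.1Q tags, i.e. behave like a trunk link (0 = untagged)
admin@PA-5050# set network virtual-wire default-vwire tag-allowed 0-4094

# Zones live on the physical interfaces of the pair, not on IP addresses
admin@PA-5050# set zone trust network virtual-wire ethernet1/2
admin@PA-5050# set zone untrust network virtual-wire ethernet1/1

# Hypothetical rule: permit only web browsing from trust to untrust and log every session;
# everything else falls through to the implicit interzone deny.
admin@PA-5050# set rulebase security rules outbound-web from trust to untrust source any destination any application [ web-browsing ssl ] service application-default action allow
admin@PA-5050# set rulebase security rules outbound-web log-end yes

admin@PA-5050# commit
```

Because no IP address exists on the pair, the rule matches on zone, application and service only; the inspected hosts are identified purely by which physical port their traffic entered.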
Virtual wire characteristics
A virtual-wire firewall does not need an IP address; it is simply a wire, as if the edge router were connected directly to the local switch. The security zones, however, are defined on the physical interfaces of the virtual-wire pair, and this is the main difference between a bump-wire deployment on an IPS and on a Palo Alto firewall: an IPS bump wire does not define zones at all, it is simply placed inline in the traffic flow to analyse traffic against IPS signatures.
A virtual-wire pair does not define IP addresses at all, and hence it cannot support Layer 3 features such as routing and NAT. However, in PAN-OS 4.1 NAT is supported via virtual-wire, which I felt is strange… it does not have a source IP address to translate to, isn’t it?
A virtual-wire pair does not do switching either; it acts like a wire placed in the path of the traffic flow to perform deep packet inspection and enforce firewall policy.