Palo Alto Networks: Virtual wire pair

Virtual Wire
This is the same technique an intrusion detection/prevention system (IPS) uses for inline deployment, applied here to a Palo Alto firewall instead of an IPS. It is also known as a "bump in the wire": a pair of physical interfaces is paired as a single "wire". From the point of view of the switch and the router connected through the virtual wire firewall there is no firewall at all; only a single "wire" connects them.

A pair of interfaces is paired together to form one single "wire"; one interface is trusted and the other untrusted.

Other brands of firewall I have used have routed and transparent modes; the virtual wire firewall is similar to transparent mode. A Palo Alto Networks firewall in virtual wire mode can carry VLAN tags like a trunk link. There is also a "default-wire", which likewise pairs two Ethernet interfaces but carries untagged traffic.

Configuration

admin@PA-5050> configure
Entering configuration mode
admin@PA-5050# edit network interface
[edit network interface]
admin@PA-5050# set ethernet ethernet1/1 virtual-wire

[edit network interface]
admin@PA-5050# set ethernet ethernet1/2 virtual-wire

[edit network interface]
admin@PA-5050#

This defines the virtual-wire pair. The PA-5050 factory default configuration already has ethernet1/1 and ethernet1/2 configured as a virtual-wire pair.

[edit network interface]
admin@PA-5050# top
[edit]
admin@PA-5050# set zone trust network virtual-wire ethernet1/2
[edit]
admin@PA-5050# set zone untrust network virtual-wire ethernet1/1
admin@PA-5050# commit


....75%99%.....100%
Configuration committed successfully

[edit]
admin@PA-5050#

Virtual wire characteristics
A virtual-wire firewall does not need an IP address; it is simply a wire, as if the edge router were cabled directly to the local switch. The security zones, however, are defined on the physical interfaces of the virtual wire pair, and this is the main difference between a bump-in-the-wire IPS deployment and a Palo Alto virtual wire. An IPS bump in the wire does not define zones; it simply sits inline in the traffic flow to analyse traffic against IPS signatures.

A virtual-wire pair does not need IP addresses at all, and hence cannot support Layer 3 features such as routing and NAT. However, in PAN-OS 4.1 NAT is supported via virtual wire, which I felt is strange… it does not have a source IP address to translate to, does it?

A virtual-wire pair does not do switching; it acts like a wire placed in the path of the traffic flow to perform deep packet inspection and enforce firewall policy.
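Because the zones live on the two physical interfaces of the pair, the configuration is easy to get subtly wrong: an interface left in a non-virtual-wire mode, an interface in no zone, or both ends of the wire in the same zone (which would be matched by the PAN-OS intrazone-default allow rule, so the trust/untrust policy would never be consulted). The following checker is an added example, not code from the post or from Palo Alto Networks; it parses "set" commands of the form used above, plus an assumed "set network virtual-wire <name> interface1 ... interface2 ..." line, over a constructed sample config that contains one deliberately broken wire.

```python
import re
from collections import defaultdict

# Constructed sample in PAN-OS "set" command form. The first five lines mirror the
# post's commands (from the [edit] level); the second wire (vw2) is a deliberate
# misconfiguration for the checker to find. The "set network virtual-wire ..." line
# is assumed syntax for the wire object itself.
SAMPLE_CONFIG = """
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire
set network virtual-wire default-vwire interface1 ethernet1/1 interface2 ethernet1/2
set zone trust network virtual-wire ethernet1/2
set zone untrust network virtual-wire ethernet1/1
set network interface ethernet ethernet1/3 layer3
set network interface ethernet ethernet1/4 virtual-wire
set network virtual-wire vw2 interface1 ethernet1/3 interface2 ethernet1/4
set zone dmz network virtual-wire ethernet1/3
set zone dmz network virtual-wire ethernet1/4
"""

IFACE_RE = re.compile(r"^set network interface ethernet (\S+) (virtual-wire|layer3|layer2|tap)\b")
VWIRE_RE = re.compile(r"^set network virtual-wire (\S+) interface1 (\S+) interface2 (\S+)")
ZONE_RE = re.compile(r"^set zone (\S+) network virtual-wire (\S+)")

def parse_config(text):
    """Collect interface modes, virtual-wire pairs and zone membership from set commands."""
    modes, vwires, zones = {}, {}, defaultdict(set)
    for line in text.strip().splitlines():
        if m := IFACE_RE.match(line):
            modes[m.group(1)] = m.group(2)
        elif m := VWIRE_RE.match(line):
            vwires[m.group(1)] = (m.group(2), m.group(3))
        elif m := ZONE_RE.match(line):
            zones[m.group(2)].add(m.group(1))
    return modes, vwires, zones

def check_virtual_wires(text):
    """Return a list of findings; an empty list means every wire is consistently defined."""
    modes, vwires, zones = parse_config(text)
    findings = []
    for name, pair in vwires.items():
        for iface in pair:
            if modes.get(iface) != "virtual-wire":
                findings.append(f"{name}: {iface} is not in virtual-wire mode")
            if len(zones.get(iface, ())) != 1:
                findings.append(f"{name}: {iface} must belong to exactly one zone")
        a, b = pair
        # Both ends in one zone: traffic hits intrazone-default (allow) instead of policy.
        if zones.get(a) and zones.get(a) == zones.get(b):
            findings.append(f"{name}: both interfaces sit in zone {next(iter(zones[a]))}")
    return findings

if __name__ == "__main__":
    for finding in check_virtual_wires(SAMPLE_CONFIG):
        print(finding)
```

Running it reports only the broken wire (ethernet1/3 not in virtual-wire mode, both ends in zone dmz); the post's default-vwire passes every check.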
