Network technologies and trends

Nov 30 2015   6:30AM GMT

How to configure Palo Alto Firewall in Virtual Wire mode?

Yasir Irfan

Palo Alto Networks

Configuring a Palo Alto Firewall in Virtual Wire mode is quite easy. In this post, using the topology below, I am going to demonstrate how to configure a Palo Alto Networks Firewall in Virtual Wire (V-Wire) mode.

[Figure: Palo Alto in V-wire mode]

As you can see from the above topology, we have a laptop with an IP address in VLAN 20, placed in the trust zone, trying to access the Internet in the untrust zone. The laptop is configured with a default gateway, which happens to be the IP address of our Internet router; the router is in the untrust zone and belongs to VLAN 1.

We have a Palo Alto Firewall with two interfaces connected to a Cisco switch. One interface, ethernet 1/2, is connected to interface G1/0/2 on the Cisco switch, is configured as part of the V-Wire with VLAN 20, and belongs to the trust zone.

The other Palo Alto Firewall interface, ethernet 1/1, is connected to Cisco switch interface G1/0/1, is configured as part of the V-Wire with VLAN 1, and belongs to the untrust zone.

Now let's configure this and see how traffic flows.

Step 1 – Configure Cisco Switch for trust zone interfaces with VLAN 20

interface gigabitEthernet 1/0/2
 switchport access vlan 20
 spanning-tree portfast
 no shut

interface gigabitEthernet 1/0/3
 switchport access vlan 20
 spanning-tree portfast
 no shut

Step 2 – Configure Cisco Switch for Untrust Zone Interfaces with VLAN 1

interface gigabitEthernet 1/0/1
 switchport access vlan 1
 no shut

interface gigabitEthernet 1/0/4
 switchport access vlan 1
 no shut

Step 3 – Configure a Virtual Wire called Test-V-Wire by clicking Network > Virtual Wire

You can use any name you want.

In our case we will name it Test-V-Wire and assign interfaces ethernet 1/1 and ethernet 1/2 as Interface1 and Interface2.

Step 4 – Let's configure two zones named Untrust and Trust, and assign ethernet 1/1 to the Untrust zone and ethernet 1/2 to the Trust zone.

Step 4-A – Configure Trust Zone

Network > Zone > Add

Give the name Trust, select Type to be Virtual Wire, and add the interface ethernet 1/2 to the Trust zone.

Step 4-B – Configure Untrust Zone

Network > Zone > Add

Step 5 – Create a Security Policy to allow access from the trust zone to the untrust zone. (This can be configured as per your requirements with security profiles, URL filtering, etc.)

Give a name to your Security Policy (V-Wire-Policy).

Add the Source Zone (Trust).

Add the Destination Zone (Untrust).

Allow the access. You can also configure Application policy and Service/URL Category if needed. In our case we are allowing all kinds of traffic.

The final Security Policy should look like this:

[Screenshot: the final Security Policy]

You can also monitor the traffic passing through the V-Wire. As the snapshot shows, I am accessing Skype and pinging the default gateway (VLAN 1) from my laptop (VLAN 20), and my traffic is passing from the Trust zone to the Untrust zone using the V-Wire-Policy rule which we created.



This is really a great feature from Palo Alto, and the Virtual Wire can be implemented easily without any modifications to the existing network design.
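The following Python check is an added example, not part of the original post: it audits a set-format rendering of the configuration built in Steps 3 to 5 for interfaces missing a zone, both virtual-wire interfaces sharing one zone, and allow rules that permit any application on any service or carry no security profiles. The set-format lines are constructed on the assumption of a single-vsys firewall, and `parse` and `audit` are hypothetical helper names.

```python
import shlex
from collections import defaultdict

# Constructed sample (not a device export): the post's GUI steps written as
# PAN-OS set-format lines, assuming a single-vsys firewall.
SAMPLE = """\
set network virtual-wire Test-V-Wire interface1 ethernet1/1
set network virtual-wire Test-V-Wire interface2 ethernet1/2
set zone Untrust network virtual-wire ethernet1/1
set zone Trust network virtual-wire ethernet1/2
set rulebase security rules V-Wire-Policy from Trust
set rulebase security rules V-Wire-Policy to Untrust
set rulebase security rules V-Wire-Policy application any
set rulebase security rules V-Wire-Policy service any
set rulebase security rules V-Wire-Policy action allow
"""

def parse(config):
    """Collect virtual wires, interface-to-zone bindings and security rules."""
    vwires, zone_of, rules = defaultdict(dict), {}, defaultdict(dict)
    for line in config.splitlines():
        t = [x for x in shlex.split(line) if x not in ("[", "]")]
        if t[:3] == ["set", "network", "virtual-wire"] and len(t) == 6:
            vwires[t[3]][t[4]] = t[5]            # interface1 / interface2
        elif t[:2] == ["set", "zone"] and t[3:5] == ["network", "virtual-wire"]:
            for ifname in t[5:]:
                zone_of[ifname] = t[2]
        elif t[:4] == ["set", "rulebase", "security", "rules"] and len(t) >= 7:
            rules[t[4]][t[5]] = t[6:]            # e.g. "application" -> ["any"]
    return vwires, zone_of, rules

def audit(config):
    """Return findings for the virtual-wire deployment in a set-format config."""
    vwires, zone_of, rules = parse(config)
    findings = []
    for name, ends in vwires.items():
        zones = [zone_of.get(ends.get(k)) for k in ("interface1", "interface2")]
        if None in zones:
            findings.append(f"{name}: an interface is not in a virtual-wire zone")
        elif zones[0] == zones[1]:
            findings.append(f"{name}: both interfaces share zone {zones[0]}")
    for name, r in rules.items():
        if r.get("action") != ["allow"]:
            continue
        if r.get("application") == ["any"] and r.get("service") == ["any"]:
            findings.append(f"{name}: allows any application on any service")
        if "profile-setting" not in r:
            findings.append(f"{name}: no security profiles attached")
    return findings
```

Calling `audit(SAMPLE)` returns two findings for V-Wire-Policy, matching the post's note that the rule allows all kinds of traffic and can be tightened with security profiles.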

4  Comments on this Post

  • mayankmehra11
    How can the traffic of a different VLAN communicate with the other VLAN with inter-VLAN routing?
    How can you ping?
  • Yasir Irfan
    Hi mayankmehra11, the firewall is deployed in transparent mode hence the routing part is not done by PA.
    Each virtual wire interface is directly connected to a Layer 2 or Layer 3 networking device or host. The virtual wire interfaces have no Layer 2 or Layer 3 addresses. When one of the virtual wire interfaces receives a frame or packet, it ignores any Layer 2 or Layer 3 addresses for switching or routing purposes, but applies your security or NAT policy rules before passing an allowed frame or packet over the virtual wire to the second interface and on to the network device connected to it.
  • Yasir Irfan
    All routing needs to be taken care of by L3 devices where these networks are created.
