Virtual Wire (vWire) interfaces allow Palo Alto Networks firewalls to be deployed transparently in a network, acting as a "bump in the wire" without requiring any Layer 2 or Layer 3 addressing. This setup enables the firewall to inspect and enforce policies on traffic passing through it without participating in switching or routing.
Key Characteristics
Transparent Deployment: vWire interfaces do not require IP or MAC addresses, simplifying integration into existing network topologies.
Security Policy Enforcement: Despite being transparent, vWire interfaces can enforce security policies, perform NAT, QoS, App-ID, Content-ID, and User-ID functions.
VLAN Tag Handling: Each vWire carries a Tag Allowed list that controls which 802.1Q tags may pass. The default is 0, meaning untagged frames only; a tagged frame whose VLAN ID is not on the list (and not claimed by a subinterface) is dropped rather than forwarded.
Subinterfaces: You can create subinterfaces on vWire interfaces, each bound to a VLAN tag, paired into its own virtual wire object, and assigned to its own zones. This lets you apply different security policy per VLAN while the physical pair still behaves as a single bump in the wire.
High Availability Support: vWire interfaces support both active/passive and active/active HA configurations.
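To make the tag-handling rules concrete, here is a small Python model of how a vWire with a Tag Allowed list and VLAN subinterfaces disposes of an incoming frame. This is an added illustration, not PAN-OS code; the vWire and interface names are made up, the sample VLAN IDs are constructed, and the lookup order (subinterface match first, then the parent's Tag Allowed list, otherwise drop) is a simplification of the documented behaviour, stated here as an assumption.

```python
"""Toy model of vWire VLAN classification (added example, not PAN-OS code).

Assumed lookup order for a frame arriving on the vWire pair:
  1. a subinterface bound to the frame's VLAN ID handles it;
  2. otherwise the parent vWire handles it if the VID is in Tag Allowed;
  3. otherwise the frame is dropped.
"""
from dataclasses import dataclass, field

MAX_VID = 4094      # largest usable 802.1Q VLAN ID
UNTAGGED = 0        # PAN-OS uses 0 in the Tag Allowed list to mean "untagged"


def parse_tag_allowed(spec: str) -> set[int]:
    """Expand a Tag Allowed string such as "0,10-20,100" into a set of VIDs.

    The PAN-OS default is "0": untagged frames only. Ranges are inclusive.
    """
    allowed: set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (UNTAGGED <= lo_i <= hi_i <= MAX_VID):
            raise ValueError(f"tag range out of bounds: {part!r}")
        allowed.update(range(lo_i, hi_i + 1))
    return allowed


@dataclass
class VWire:
    """A virtual wire object: two interfaces, a Tag Allowed list, subinterfaces."""
    name: str
    interface1: str
    interface2: str
    tag_allowed: str = "0"
    # VID -> name of the (hypothetical) subinterface vWire bound to that VLAN
    subinterfaces: dict[int, str] = field(default_factory=dict)

    def add_subinterface(self, vid: int, sub_vwire: str) -> None:
        # Subinterfaces carry a real tag; untagged traffic stays on the parent.
        if not (1 <= vid <= MAX_VID):
            raise ValueError("subinterface tag must be 1-4094")
        if vid in self.subinterfaces:
            raise ValueError(f"VLAN {vid} already has a subinterface")
        self.subinterfaces[vid] = sub_vwire

    def classify(self, vid: int) -> tuple[str, str]:
        """Return (disposition, handler) for a frame tagged `vid` (0 = untagged)."""
        if vid in self.subinterfaces:
            return ("subinterface", self.subinterfaces[vid])
        if vid in parse_tag_allowed(self.tag_allowed):
            return ("parent", self.name)
        return ("drop", f"tag {vid} not in Tag Allowed list of {self.name}")


def demo() -> list[tuple[int, str, str]]:
    """Classify a handful of constructed frames against a sample vWire."""
    vw = VWire("vw-dmz", "ethernet1/1", "ethernet1/2", tag_allowed="0,100-110")
    vw.add_subinterface(10, "vw-dmz-vlan10")   # hypothetical subinterface vWires
    vw.add_subinterface(20, "vw-dmz-vlan20")
    # Constructed sample: VLAN IDs observed on the wire (0 = untagged frame).
    return [(vid, *vw.classify(vid)) for vid in (0, 10, 20, 105, 200)]


if __name__ == "__main__":
    for vid, disposition, handler in demo():
        print(f"VID {vid:>4}: {disposition:<12} {handler}")
```

Running the script shows untagged frames and VLAN 105 landing on the parent vWire, VLANs 10 and 20 going to their subinterfaces, and VLAN 200 being dropped because nothing claims it. The practical check this models: before cutting a vWire into a production link, enumerate every VLAN on that link and confirm each one is either on the Tag Allowed list or owned by a subinterface, or it will silently disappear.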
Supported Features
App-ID, Content-ID, and User-ID: These features are supported on vWire interfaces, allowing for application identification, user identification, and content inspection.
SSL Decryption: vWire interfaces support SSL decryption, enabling inspection of encrypted traffic.
NAT (Network Address Translation): NAT is supported on vWire interfaces, allowing for IP address manipulation.
QoS (Quality of Service): QoS profiles and policies can be applied to manage bandwidth and prioritize traffic.
Zone Protection Profiles: ZPPs can be applied to vWire zones to protect against floods, reconnaissance (port and host scans), and malformed packets. Checks that depend on a route lookup, such as the Spoofed IP Address discard (which verifies that the source address is routable through the ingress interface), do not apply to vWire zones because a vWire performs no routing.
LLDP (Link Layer Discovery Protocol): vWire interfaces support LLDP, enabling the firewall to advertise its presence and capabilities to directly connected devices.
Limitations
Packet Buffer Protection (PBP): PBP is not supported on vWire zones. Note that this is not because vWire traffic is untracked: the firewall still builds sessions for vWire traffic (App-ID, User-ID, NAT and QoS all depend on that). Treat it as a platform restriction and confirm zone-level protection support for vWire against the release notes of the PAN-OS version you run.
LACP (Link Aggregation Control Protocol): While vWire interfaces can be configured as part of an aggregate interface group, they do not participate in LACP negotiations. If LACP is configured on connected devices, the vWire will pass LACP packets transparently without performing LACP functions.
High Availability Considerations
In Active/Passive High Availability (HA) deployments, you can configure the passive firewall to allow the peer devices on either side of it to pre-negotiate LLDP and LACP across the vWire before an HA failover occurs. Because a vWire passes these protocols through rather than terminating them, the neighbors on each side negotiate with each other via the passive firewall's links; after a failover, those links are already up and negotiated, so the switches do not have to re-run LACP and LLDP before traffic can flow. This shortens the failover outage.