fortigate防火墙virtual wire pair 虚拟线对

本文介绍了如何创建虚拟线对（由端口3和端口4组成），以便更轻松地保护作为内部分段防火墙（ISFW）运行的FortiGate后面的Web服务器。

A virtual wire pair consists of two interfaces that have no IP addresses and all traffic received by one interface in the pair can only be forwarded out the other; as controlled by firewall policies.
虚拟线对由两个没有IP地址的接口组成，其中一个接口接收到的所有流量只能从另一个接口转发出去;受防火墙策略控制。
Since the interfaces do not have IP addresses, insert a virtual wire pair into a network without having to make any changes to the network.
由于接口没有IP地址，因此可以将虚拟线对插入网络，而无需对网络进行任何更改。

Virtual wire pair replaces the feature port pairing from earlier firmware versions.
虚拟线对取代了早期固件版本中的功能端口配对。
Unlike port pairing, virtual wire pair can be used for a FortiGate in NAT/Route mode, as well as transparent mode.
与端口配对不同，虚拟线对可以用于NAT/路由模式下的FortiGate，也可以用于透明模式。

1. Adding a virtual wire pair.
   1)添加虚拟线对。

Interfaces used in a virtual wire pair cannot be used for admin access to the ISFW FortiGate.
虚拟线对中使用的接口不能用于对ISFW FortiGate的管理访问。
Before creating a virtual wire pair, make sure to have a different port (in the example, port1) configured to allow admin access using the preferred protocol.
在创建虚拟线对之前，请确保将不同的端口（在本例中为port 1）配置为允许管理员使用首选协议进行访问。

Go to Network -> Interfaces, select ‘Create New’ -> Virtual Wire Pair.
转到网络->接口，选择“新建”->虚拟线对。

Add port3 and port4 add to the virtual wire pair.
将端口3和端口4添加到虚拟线对。
If the interfaces to use are part of a switch, such as the default LAN/internal interface, remove them before it can be added to the virtual wire pair.
如果要使用的接口是交换机的一部分（如默认LAN/内部接口），请在将其添加到虚拟线对之前将其删除。

2) Adding virtual wire pair firewall policies.
2)添加虚拟线对防火墙策略。

Go to Policy & Objects -> IPv4 Virtual Wire Pair Policy and create a policy will allow users on the internal network to connect to the server.
转到策略对象-> IPv4虚拟线对策略，然后创建一个允许内部网络上的用户连接到服务器的策略。
Give the policy an appropriate name (in the example, Network-server-access).
为策略指定一个适当的名称（在示例中为Network-server-access）。

Select the direction that traffic is allowed to flow (from port3 to port4).
选择允许流量流动的方向（从端口3到端口4）。
Configure the other firewall options as needed. In the example, antivirus is enabled to protect the server.
根据需要配置其他防火墙选项。在示例中，启用防病毒以保护服务器。

Create a second virtual wire pair policy allowing traffic from port4 to exit out of port3.
创建第二个虚拟线对策略，允许来自端口4的流量从端口3退出。
This policy allows the server to connect to the Internet, in order to download updates.
此策略允许服务器连接到Internet以下载更新。

Result.
结果.

To test both virtual wire pair policies, connect to the web server from a PC on the internal network, and also connect to the Internet from the web server.
要测试两个虚拟线对策略，请从内部网络上的PC连接到Web服务器，并从Web服务器连接到Internet。
Go to FortiView -> Policies to see traffic flowing through both policies.
转到FortiView ->策略以查看流经这两个策略的流量。