Configure an Aggregate Interface Group
Next-Generation Firewall

Where Can I Use This?
  • NGFW
What Do I Need?
  One of these licenses when using Strata Cloud Manager:
  • Strata Cloud Manager Essentials
  • Strata Cloud Manager Pro
An aggregate interface group uses IEEE 802.1AX link aggregation to combine multiple Ethernet interfaces into a single virtual interface that connects the firewall to another network device or firewall. An aggregate group increases the bandwidth between peers by load balancing traffic across the combined interfaces. It also provides redundancy; when one interface fails, the remaining interfaces continue supporting traffic.
By default, interface failure detection is automatic only at the physical layer between directly connected peers. However, if you enable Link Aggregation Control Protocol (LACP), failure detection is automatic at the physical and data link layers regardless of whether the peers are directly connected. LACP also enables automatic failover to standby interfaces if you configured hot spares. All Palo Alto Networks® firewalls support aggregate groups. The Product Selection tool indicates the number of aggregate groups each firewall supports. Each aggregate group can have up to eight interfaces.
PAN-OS® firewall models support a maximum of 16,000 IP addresses assigned to physical or virtual Layer 3 interfaces; this maximum includes both IPv4 and IPv6 addresses.
QoS is supported on only the first eight aggregate groups.
Before configuring an aggregate group, you must configure its interfaces. Among the interfaces assigned to any particular aggregate group, the hardware media can differ (for example, you can mix fiber optic and copper), but the bandwidth and interface type must be the same. The bandwidth and interface type options are:
  • Bandwidth—1Gbps, 10Gbps, 25Gbps, 40Gbps, or 100Gbps.
  • Interface type—HA3, virtual wire, Layer 2, or Layer 3.
This procedure describes configuration steps only for the Palo Alto Networks firewall. You must also configure the aggregate group on the peer device. Refer to the documentation of that device for instructions.

Configure an Aggregate Interface Group (PAN-OS)

Procedure for configuring an aggregate interface group in PAN-OS and Panorama.
  1. Configure the general interface group parameters.
    1. Select Network > Interfaces > Ethernet and Add Aggregate Group.
    2. In the field adjacent to the read-only Interface Name, enter a number to identify the aggregate group. The range is 1 to the maximum number of aggregate interface groups supported by the firewall.
    3. For the Interface Type, select HA, Virtual Wire, Layer2, or Layer3.
    4. Configure the remaining parameters for the Interface Type you selected.
  2. For a Layer 3 interface, if you want to configure a static IPv4 address, select IPv4 and refer to Configure Layer 3 Interfaces for configuring a static IPv4 address.
  3. For a Layer 3 interface, if you want to configure a static IPv6 address, select IPv6 and refer to Configure Layer 3 Interfaces for configuring a static IPv6 address.
  4. For a Layer 3 interface, if you want to configure the interface as a DHCP client to receive an IPv4 address, select IPv4 and refer to Configure an Interface as a DHCPv4 Client for configuring a DHCP client.
  5. For a Layer 3 interface, if you want to configure the interface as a DHCPv6 client to receive an IPv6 address (with or without prefix delegation), select IPv6 and refer to Configure an Interface as a DHCPv6 Client for configuring a DHCPv6 client.
  6. Configure the LACP settings.
    Perform this step only if you want to enable LACP for the aggregate group.
    You cannot enable LACP for virtual wire interfaces.
    1. Select the LACP tab and Enable LACP.
    2. Set the Mode for LACP status queries to Passive (the firewall just responds—the default) or Active (the firewall queries peer devices).
      As a best practice, set one LACP peer to active and the other to passive. LACP cannot function if both peers are passive. The firewall cannot detect the mode of its peer device.
    3. Set the Transmission Rate for LACP query and response exchanges to Slow (every 30 seconds—the default) or Fast (every second). Base your selection on how much LACP processing your network supports and how quickly LACP peers must detect and resolve interface failures.
    4. Select Fast Failover if you want to enable failover to a standby interface in less than one second. By default, the option is disabled and the firewall uses the IEEE 802.1ax standard for failover processing, which takes at least three seconds.
      As a best practice, use Fast Failover in deployments where you might lose critical data during the standard failover interval.
    5. Enter the Max Ports (number of interfaces) that are active (1 to 8) in the aggregate group. If the number of interfaces you assign to the group exceeds the Max Ports, the remaining interfaces will be in standby mode. The firewall uses the LACP Port Priority of each interface you assign (set in the step where you assign interfaces to the aggregate group) to determine which interfaces are initially active and to determine the order in which standby interfaces become active upon failover. If the LACP peers have non-matching port priority values, the values of the peer with the lower System Priority number (default is 32,768; range is 1 to 65,535) will override the other peer.
    6. (Optional) For active/passive firewalls only, select Enable in HA Passive State if you want to enable LACP pre-negotiation for the passive firewall. LACP pre-negotiation enables quicker failover to the passive firewall (for details, see LACP and LLDP Pre-Negotiation for Active/Passive HA).
      If you select this option, you cannot select Same System MAC Address for Active-Passive HA; pre-negotiation requires unique interface MAC addresses on each HA firewall.
    7. (Optional) For active/passive firewalls only, select Same System MAC Address for Active-Passive HA and specify a single MAC Address for both HA firewalls. This option minimizes failover latency if the LACP peers are virtualized (appearing to the network as a single device). By default, the option is disabled: each firewall in an HA pair has a unique MAC address.
      If the LACP peers are not virtualized, use unique MAC addresses to minimize failover latency.
  7. Click OK.
  8. Assign interfaces to the aggregate group.
    Perform the following steps for each interface (1–8) that will be a member of the aggregate group.
    1. Select Network > Interfaces > Ethernet and click the interface name to edit it.
    2. Set the Interface Type to Aggregate Ethernet.
    3. Select the Aggregate Group you just defined.
    4. Select the Link Speed, Link Duplex, and Link State.
      As a best practice, set the same link speed and duplex values for every interface in the group. For non-matching values, the firewall defaults to the higher speed and full duplex.
    5. (Optional) Enter an LACP Port Priority (default is 32,768; range is 1 to 65,535) if you enabled LACP for the aggregate group. If the number of interfaces you assign exceeds the Max Ports value of the group, the port priorities determine which interfaces are active or standby. The interfaces with the lower numeric values (higher priorities) will be active.
    6. Click OK.
  9. If the firewalls have an active/active configuration and you are aggregating HA3 interfaces, enable packet forwarding for the aggregate group.
    1. Select Device > High Availability > Active/Active Config and edit the Packet Forwarding section.
    2. Select the aggregate group you configured for the HA3 Interface and click OK.
  10. (Supported firewalls only) If the interface corresponds to a PoE (Power over Ethernet) port on the firewall, you can optionally configure PoE.
  11. Commit your changes.
  12. Verify the aggregate group status.
    1. Select Network > Interfaces > Ethernet.
    2. Verify that the Link State column displays a green icon for the aggregate group, indicating that all member interfaces are up. If the icon is yellow, at least one member is down but not all. If the icon is red, all members are down.
    3. If you configured LACP, verify that the Features column displays the LACP enabled icon for the aggregate group.
  13. (PA-7050 and PA-7080 firewalls only) If you have an aggregate interface group that has interfaces located on different line cards, it is a best practice to enable the firewall so that it can handle fragmented IP packets it receives on multiple interfaces of the AE group that are spread over multiple cards. To do so, use the following CLI operational command with the hash keyword. (The other two keywords are also shown for completeness.)
    1. Use the following operational CLI command: set ae-frag redistribution-policy <self | fixed sXdpX | hash>
      • self—(default) This keyword is for legacy behavior; it does not enable the firewall to handle fragmented packets received on multiple interfaces of an AE interface group.
      • fixed s<slot-number>dp<dataplane-cpu-number>—Replace slot-number with the slot number and dataplane-cpu-number with the number of the dataplane that will handle all IP fragments received by all members of all AE interfaces. The fixed keyword is intended mainly for troubleshooting purposes and shouldn’t be used in production.
      • hash—Use to enable the firewall to handle fragmented packets it receives on multiple interfaces of an AE interface group that are located on more than one line card.

Configure an Aggregate Interface Group (SCM)

Procedure for configuring an aggregate interface group in Strata Cloud Manager.
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > NGFW and Prisma Access > Device Settings > Interfaces > Ethernet and select the Configuration Scope where you want to create the aggregate interface group.
    Select a firewall from your Folders or select Snippets to configure the aggregate interface group in a snippet.
    If you select a folder or select a snippet, you create an aggregated interface group variable that must be assigned at the device level.
  3. Configure the interfaces that you want to add to the aggregate interface group.
    Among the interfaces assigned to any particular aggregate group, the hardware media can differ (for example, you can mix fiber optic and copper) but the bandwidth and interface type must be the same.
  4. Add the aggregate interface.
    • Folders and Snippets—Add Interface and select Aggregate Group.
    • Firewalls—Add and Add Aggregation Group.
  5. Enter the Interface Name.
    By default, all aggregate interface groups are prefixed with ae.
  6. (Optional) Enter a Description.
  7. Select the Interface Type.
    The aggregate interface group type must match the Ethernet interface type (Layer 2 or Layer 3).
  8. (Firewall only) Add the Ethernet Interfaces you created in the previous step.
    You can only add Ethernet interfaces to an aggregate interface group from the firewall Configuration Scope.
  9. (Layer 3 only) Configure the aggregate interface group IP settings.
    1. Select the aggregate interface group IP Type.
    • Static IPv4 Address.
      Add the IPv4 IP addresses for the interfaces in the aggregate interface group.
    • DHCP Client activation on the aggregate interface group.
      See Configure an Interface as a DHCPv4 Client for more information on configuring the aggregate interface group as a DHCP client.
  10. (Optional) Configure the LACP settings.
    Configure this setting only if you want to enable LACP for the aggregate group.
    1. Enable LACP.
    2. Set the LACP Mode.
      • Passive (default)—The firewall just responds.
      • Active—The firewall queries peer devices.
      Set one LACP peer to active and the other to passive. LACP can’t function if both peers are passive. The firewall can’t detect the mode of its peer device.
    3. Set the Transmission Rate for LACP queries and response exchanges.
      Base your selection on how much LACP processing your network supports and how quickly LACP peers must detect and resolve interface failures.
      • Slow (default)—Every 30 seconds.
      • Fast—Every second.
    4. Enable Fast Failover to enable failover to a standby interface in less than 1 second.
      This option is disabled by default and the firewall uses the IEEE 802.1ax standard for failover processing, which takes at least 3 seconds.
      Enable Fast Failover in deployments where you might lose critical data during the standard failover interval.
    5. Specify the System Priority, which determines whose port priority values apply when the LACP peers have non-matching port priority values.
      Default is 32,768; range is 1-65,535. The value of the peer with the lower system priority number overrides the other peer.
  11. Save.
  12. Push Config to push your configuration changes.
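The LACP rules spelled out in both procedures above (passive/passive peers cannot negotiate, Max Ports caps the active members, lower numeric port priority wins, and the peer with the lower System Priority number supplies the port priorities when they disagree) are modelled below as an added example; it is not Palo Alto Networks code and does not talk to a firewall. It assumes each peer's port priorities are keyed by the local interface name of the link, and that on equal System Priority the local values are used (the page does not state the tie-break).

```python
"""Model of the LACP active/standby selection rules described on this page."""
from dataclasses import dataclass, field


@dataclass
class Peer:
    mode: str                          # "active" or "passive"
    system_priority: int = 32768       # page default; range 1-65535
    # link (local interface name) -> this peer's LACP port priority for it
    port_priorities: dict = field(default_factory=dict)


def lacp_can_negotiate(local: Peer, remote: Peer) -> bool:
    """LACP cannot function if both peers are passive."""
    return not (local.mode == "passive" and remote.mode == "passive")


def effective_port_priorities(local: Peer, remote: Peer) -> dict:
    """When port priorities disagree, the peer with the lower System Priority
    number overrides the other.  Assumption (not on the page): a tie keeps
    the local values."""
    if local.port_priorities == remote.port_priorities:
        return dict(local.port_priorities)
    winner = local if local.system_priority <= remote.system_priority else remote
    return dict(winner.port_priorities)


def select_active_members(local: Peer, remote: Peer, max_ports: int):
    """Return (active, standby).  Lower numeric priority = higher priority;
    standby is ordered as members would be activated on failover."""
    if not 1 <= max_ports <= 8:
        raise ValueError("Max Ports must be between 1 and 8")
    prios = effective_port_priorities(local, remote)
    if len(prios) > 8:
        raise ValueError("an aggregate group can have at most eight interfaces")
    ordered = sorted(prios, key=lambda iface: (prios[iface], iface))
    return ordered[:max_ports], ordered[max_ports:]


def failover(active: list, standby: list, failed: str):
    """Drop a failed active member and promote the next standby, if any."""
    active = [m for m in active if m != failed]
    if standby:
        active.append(standby[0])
        standby = standby[1:]
    return active, standby


if __name__ == "__main__":  # constructed sample values
    fw = Peer("active", 32768, {"ethernet1/1": 10, "ethernet1/2": 20,
                                "ethernet1/3": 30, "ethernet1/4": 40})
    sw = Peer("passive", 100, {"ethernet1/1": 40, "ethernet1/2": 30,
                               "ethernet1/3": 20, "ethernet1/4": 10})
    print(lacp_can_negotiate(fw, sw), select_active_members(fw, sw, 2))
```

Because the switch in the sample has the lower System Priority number, its port priorities decide the active set, which is the situation the note in the Max Ports step warns about.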