Palo Alto Networks Aggregate Ethernet (AE) Interfaces: A Deep Dive

Introduction to Aggregate Ethernet (AE) Interfaces in PAN-OS

Aggregate Ethernet (AE) interfaces, a crucial feature in Palo Alto Networks PAN-OS, provide a mechanism to bundle multiple physical Ethernet interfaces into a single logical interface. This aggregation, often referred to as link aggregation group (LAG) or port channeling, offers significant benefits in terms of increased bandwidth, link redundancy, and simplified network management. Palo Alto Networks firewalls implement AE interfaces based on the IEEE 802.1AX standard, which includes the Link Aggregation Control Protocol (LACP) for dynamic link management.

By combining the capacity of several physical links, AE interfaces can support higher traffic loads than a single interface. Moreover, if one physical link within the aggregate group fails, traffic is automatically redistributed over the remaining active links, ensuring network continuity and resilience. This capability is paramount for business-critical applications and maintaining high availability.

Benefits and Use Cases of AE Interfaces in Palo Alto Networks Deployments

• Increased Bandwidth: The primary benefit is the summation of bandwidth from all active member links. For example, bundling four 1Gbps interfaces creates a logical 4Gbps link (though actual throughput depends on the hashing algorithm and traffic patterns).
• Link Redundancy and High Availability: If a physical link or port within the AE group fails, traffic is automatically and rapidly re-routed over the remaining operational links. This is critical for maintaining uptime for services traversing the firewall.
• Simplified Network Management: Instead of managing multiple individual interfaces with separate IP addresses, security policies, and routing configurations, administrators manage a single logical AE interface. This streamlines configuration and reduces complexity.
• Load Distribution: Traffic is distributed across the member links based on a configurable hashing algorithm. This helps in utilizing the available bandwidth more efficiently.

Common Palo Alto Networks Use Cases:

• Firewall-to-Switch Connectivity: High-bandwidth, resilient connections between Palo Alto Networks firewalls and core or distribution layer switches.
• Firewall-to-Firewall (High Availability Links): Using AE interfaces for HA1 (control plane), HA2 (data plane session synchronization), and HA3 (packet forwarding in A/A) links to provide redundancy for the HA connections themselves.
• Connecting to Critical Servers/Services: Providing robust, high-throughput connectivity to important internal servers or network segments.
• Data Center Interconnects: Where high bandwidth and resiliency are required for traffic between data centers or segments.

Core Concepts and Requirements for AE Interfaces on PAN-OS

Successfully deploying AE interfaces on Palo Alto Networks firewalls requires understanding several key concepts and adhering to specific requirements.

• Interface Compatibility: All physical interfaces designated as members of a single AE group must operate at the same speed (e.g., all 1Gbps or all 10Gbps) and duplex settings (typically Full Duplex). Mixing speeds or duplex settings within an AE group is not supported and will prevent the group from forming.
• AE Group and Member Interfaces:
  • An AE group can have a maximum of eight active member interfaces.
  • The number of AE groups (e.g., ae1, ae2, ae3...) supported depends on the specific Palo Alto Networks firewall hardware platform. Higher-end models generally support more AE groups.
  • Physical interfaces are assigned to an AE group. Once assigned, the physical interface's configuration is superseded by the logical AE interface's configuration for aspects like IP addressing, zones, and security policies.
• LACP (Link Aggregation Control Protocol - IEEE 802.1AX):
  • LACP is the protocol responsible for automatically bundling links, negotiating parameters, and managing link failures within an AE group.
  • It exchanges LACPDU (LACP Data Units) packets between the firewall and the peer device (e.g., a switch) to maintain the aggregated link.
  • If LACP is disabled on the AE interface configuration in PAN-OS, it operates in a "static" or "on" mode, meaning it assumes the peer is also configured for static aggregation without LACP negotiation. This is generally less flexible and not recommended unless the peer device does not support LACP.
• System ID and Port Priority (LACP):
  • System ID: A unique identifier for each device participating in LACP. It's formed by combining a System Priority value (configurable, default 32768 in PAN-OS) and the device's MAC address. The device with the lower System ID (better priority) typically makes decisions about link activity.
  • Port Priority: Each member port within an AE group has a Port Priority (configurable, default 32768 in PAN-OS). Along with the port number, this helps determine which ports are active if more than 8 links are configured or in tie-breaking scenarios.
• LACP Modes:

  Mode	Description	PAN-OS Behavior
  Active	The interface actively tries to negotiate and form an LACP bundle by sending LACPDUs.	Initiates LACP negotiation. To form an LACP bundle, the peer must be in Active or Passive mode.
  Passive	The interface waits to receive LACPDUs from the peer before responding and attempting to form a bundle. Default mode in PAN-OS if LACP is enabled.	Responds to LACP negotiation. If both sides are Passive, an LACP bundle will not form.
  Static (LACP Disabled)	No LACP negotiation occurs. The links are statically bundled.	PAN-OS refers to this as "LACP Enabled: No". This requires the peer device to also be configured for static aggregation. It offers no dynamic failure detection or negotiation provided by LACP.

  CRITICAL (Palo Alto Networks): For LACP to function correctly, at least one side of the link aggregation (either the Palo Alto Networks firewall or the connected peer device) must be configured in Active mode. Configuring both sides as Passive will result in the AE interface not coming up.
• LACP Transmission Rates:

  Rate	LACPDU Interval	Failure Detection	PAN-OS Behavior
  Slow	Every 30 seconds.	Slower (up to 90 seconds).	Default rate in PAN-OS. Less LACP overhead.
  Fast	Every 1 second.	Faster (up to 3 seconds).	Recommended for critical links requiring rapid failover. Increases LACP overhead slightly.

• Hashing Algorithm (Load Balancing):

  PAN-OS distributes outbound traffic across active member links of an AE group using a hashing algorithm. The choice of algorithm can impact traffic distribution efficiency. Common PAN-OS options include:

  • IP Modulo: Uses source and destination IP addresses. Default on many platforms.
  • IP Hash: Similar to IP Modulo, uses IP addresses.
  • MAC Hash: Uses source and destination MAC addresses. Useful for non-IP traffic.
  • Symmetric Hash: Aims to ensure that traffic for a given session uses the same link in both directions (if ingress and egress paths are symmetric). This uses source IP, destination IP, source port, destination port, and protocol.
  • Others may be available depending on the PAN-OS version and platform.

  The hashing algorithm is configured on the logical AE interface itself. The optimal choice depends on the traffic patterns in the network.

Configuring Aggregate Ethernet Interfaces in PAN-OS

Configuration involves defining the logical AE interface and then assigning physical interfaces as members.

Using the PAN-OS Web Interface (GUI)

1. Create the Logical AE Interface:
   • Navigate to Network > Interfaces > Aggregate Ethernet .
   • Click Add at the bottom of the page.
   • Interface Name: A numerical suffix is automatically assigned (e.g., ae1, ae2). You cannot change this directly, but you can add a comment.
   • Interface Type: Select the desired operational mode for the AE interface (Layer 2, Layer 3, Virtual Wire, HA). This choice dictates available subsequent configuration options.
   • Config Tab (General Settings):
     • Assign a Comment for easy identification.
     • If Layer 3: Configure IPv4 and/or IPv6 addresses, and assign the interface to a Virtual Router .
     • If Layer 2: Configure VLANs if it's a trunk, or assign an access VLAN.
     • Assign the interface to a Security Zone .
   • Advanced Tab:
     • Configure Link Speed and Link Duplex if necessary, though typically left at 'auto' to inherit from physical members. All members *must* match.
     • Set MTU (Maximum Transmission Unit) if a non-default value is required.
     • Assign an Interface Management Profile to control services accessible via this interface.
   • LACP Tab:
     • Enable LACP: Check this box to use LACP. Default is unchecked (Static mode).
     • Mode: Select Active or Passive . Default is Passive.
       Gotcha! (Palo Alto Networks): Leaving LACP mode as Passive on the firewall when the peer is also Passive will prevent the LACP bundle from forming. Ensure at least one side is Active. Many administrators prefer setting the firewall to Active.
     • Transmission Rate: Select Fast (1 sec) or Slow (30 sec). Default is Slow.
     • System Priority: Default is 32768. Lower values have higher priority. Usually left at default unless specific LACP master/slave behavior is required.
     • Max Ports: Default is 8. This is the IEEE standard maximum.
     • Hashing Algorithm: Select the desired load balancing algorithm. Default varies by platform but is often IP-based.
     • Enable LACP Pre-Negotiation (for A/P HA): Check this if the AE interface is used in an HA Active/Passive setup and you want the passive firewall's AE links to pre-negotiate LACP to be ready for failover.
   • Click OK .
2. Assign Physical Interfaces to the AE Group:
   • Navigate to Network > Interfaces > Ethernet .
   • Select a physical interface that will be a member of the AE group.
   • Interface Type: Change this from its current type (e.g., Layer3) to Aggregate Group .
   • Aggregate Group: From the dropdown, select the AE interface you created (e.g., ae1).
   • Ensure the physical interface's Link Speed and Link Duplex are compatible with other members and the intended AE group settings. These should be explicitly set or auto-negotiate correctly.
   • Click OK .
   • Repeat for all physical interfaces that will be part of this AE group (up to 8).
3. Commit Changes: Click Commit in the top-right corner of the PAN-OS interface and then Commit again in the dialog box to apply the configuration.

Using the PAN-OS Command Line Interface (CLI)

Configuration via CLI requires entering configuration mode.

admin@PA-FW> configure
Entering configuration mode
[edit]
admin@PA-FW#
    

1. Create the Logical AE Interface (Example for Layer 3 AE):

   # set network interface aggregate-ethernet ae1 comment "Uplink to Core Switch"
   # set network interface aggregate-ethernet ae1 layer3 interface-management-profile Allow-Mgmt
   # set network interface aggregate-ethernet ae1 layer3 ip 192.168.100.1/24
   # set network interface aggregate-ethernet ae1 zone L3-Trust
   # set network virtual-router default interface ae1
               

2. Configure LACP on the AE Interface:

   # set network interface aggregate-ethernet ae1 lacp enable yes
   # set network interface aggregate-ethernet ae1 lacp mode active
   # set network interface aggregate-ethernet ae1 lacp transmission-rate fast
   # set network interface aggregate-ethernet ae1 lacp sys-priority 32768
   # set network interface aggregate-ethernet ae1 lacp group-hash ip-modulo
               

3. Assign Physical Interfaces to the AE Group:

   # set network interface ethernet ethernet1/1 link-status-force up link-speed 1000m link-duplex full
   # set network interface ethernet ethernet1/1 aggregate-group ae1
   # set network interface ethernet ethernet1/2 link-status-force up link-speed 1000m link-duplex full
   # set network interface ethernet ethernet1/2 aggregate-group ae1
               

   Gotcha! (Palo Alto Networks): When assigning physical interfaces to an AE group via CLI, ensure their speed and duplex are explicitly set or will correctly auto-negotiate to match. Mismatches are a common cause of AE group failures.
4. Commit Changes:

   # commit
               

Supported AE Interface Types in PAN-OS

The logical AE interface (e.g., ae1) can be configured as one of several interface types, determining its behavior and use:

• Layer 2 AE Interface:
  • Operates as a switched interface. Can carry multiple VLANs (trunk) or a single VLAN (access).
  • Subinterfaces can be created (e.g., ae1.10, ae1.20) for each VLAN.
  • Used for connecting to L2 switches or extending L2 domains through the firewall.
  • Security policies are applied based on zones and L2 information.
• Layer 3 AE Interface:
  • Operates as a routed interface with an IP address.
  • Can have IPv4 and/or IPv6 addresses. Subinterfaces can also be created for L3 VLAN termination.
  • Participates in dynamic routing protocols (OSPF, BGP, RIP) if configured.
  • Assigned to a Virtual Router and a Security Zone.
  • Commonly used for uplinks to routers or L3 switches.
• Virtual Wire AE Interface:
  • Bundles multiple physical links into a single logical Virtual Wire path.
  • Provides transparent, bump-in-the-wire deployment with increased bandwidth and redundancy.
  • No IP addressing or routing involved on the V-Wire interface itself.
  • Policies are applied to the Virtual Wire object.
• HA (High Availability) AE Interface:
  • The AE interface itself is dedicated to HA functions.
  • Can be used for HA1 (Control Link), HA2 (Data Link), or HA3 (Packet Forwarding Link in A/A clusters on some platforms).
  • Aggregating HA links enhances the resiliency of the HA cluster itself, protecting against single link failures on HA connections.

LACP Operation Details

Understanding LACP's mechanics is key to configuring and troubleshooting AE interfaces.

LACP negotiation process where a Palo Alto Networks firewall in Active LACP mode initiates communication with a switch in Passive LACP mode. Both exchange LACPDUs to agree on link aggregation parameters before bundling the links.

LACPDU Exchange:

LACP peers exchange LACPDUs containing information such as:

• Actor Information: System ID, System Priority, Key, Port ID, Port Priority, and State of the sending device (Actor).
• Partner Information: The Actor's understanding of the remote device's (Partner's) LACP parameters.
• State Flags:
  • LACP Activity: Active or Passive.
  • LACP Timeout: Short (Fast rate) or Long (Slow rate).
  • Aggregation: Whether the link can be aggregated.
  • Synchronization: Whether the link is in sync and ready for use.
  • Collecting: Whether the device is collecting incoming frames on this link.
  • Distributing: Whether the device is distributing outgoing frames on this link.
  • Defaulted: Using default partner info if no LACPDUs received.
  • Expired: Timer has expired if no LACPDUs received.

For a link to be part of the active bundle, both ends must agree on the parameters and have their 'Synchronization', 'Collecting', and 'Distributing' flags set.

AE Interfaces in Palo Alto Networks High Availability (HA) Deployments

AE interfaces play a vital role in enhancing the robustness of HA configurations.

• Resilient Data Plane Links: In both Active/Passive and Active/Active HA modes, data plane interfaces can be configured as AE interfaces. This ensures that the failure of a single physical link connected to an active firewall does not trigger an HA failover, as traffic can continue flowing over the remaining members of the AE group.
• Redundant HA Control and Data Links:
  • HA1 (Control Link): Can be an AE interface. This provides redundancy for heartbeats, HA state synchronization, and configuration synchronization.
  • HA2 (Data Link - A/P): Can be an AE interface. This provides redundancy for session state synchronization.
  • HA3 (Packet Forwarding Link - A/A): On platforms supporting HA3 for Active/Active, this link used for forwarding session-owner traffic can also be an AE interface.
  CRITICAL (Palo Alto Networks): Using AE interfaces for HA1 and HA2 links significantly improves the overall stability and reliability of the HA cluster by preventing single points of failure on these critical connections.
• LACP Pre-Negotiation for Active/Passive HA:

  When LACP Pre-Negotiation is enabled on an AE interface (specifically on the LACP tab of the AE interface configuration), the passive firewall in an A/P HA pair will attempt to establish LACP with its peer switch even while in a passive state. This allows the links to be "ready" and part of an LACP bundle, so that upon an HA failover, traffic can resume more quickly as LACP negotiation doesn't have to start from scratch. This is highly recommended for AE interfaces carrying production traffic in A/P HA.

• Path Monitoring: For Layer 3 AE interfaces used in HA, path monitoring can be configured to monitor reachability to upstream devices. If all paths monitored through the AE interface fail, it can trigger an HA failover.

Palo Alto Networks Active/Passive HA pair using AE interfaces for data traffic (ae1) and dedicated HA links (ae10 for HA1, ae11 for HA2). LACP Pre-Negotiation on ae1 allows Firewall B's links to be active with the switch, speeding up failover.

Monitoring and Verification in PAN-OS

Regularly monitoring the status of AE interfaces is crucial for network health.

Using the PAN-OS Web Interface (GUI)

• Interface Status:
  • Navigate to Network > Interfaces > Aggregate Ethernet . The list shows each AE interface, its configured type, IP address (if L3), zone, and operational status (Up/Down - indicated by green/red icons).
  • Clicking on an AE interface name will show its detailed configuration and status, including member interfaces and their LACP state.
• Physical Member Status:
  • Navigate to Network > Interfaces > Ethernet . Find the physical interfaces assigned to an AE group. Their "Interface Type" will show "Aggregate Group", and they should also show an operational "Up" status.
• System Logs:
  • Navigate to Monitor > Logs > System . Filter by `( subtype eq lacp )` to see LACP-related events, such as links joining or leaving an aggregate, or LACP negotiation issues.
• Traffic Logs & ACC:
  • Monitor traffic through the AE interface via Monitor > Logs > Traffic and the Application Command Center (ACC) . Traffic is logged against the logical AE interface (e.g., ae1), not the individual physical members.

Using the PAN-OS Command Line Interface (CLI)

CLI commands provide detailed real-time status and are invaluable for troubleshooting.

• Show LACP Status for an AE interface:

  admin@PA-FW> show lacp aggregate-ethernet ae1
  
  LACP PDUs:      Sent: 12345           Received: 12300
  LAG Name: ae1
  LAG ID: 1
  Mode: Active
  Rate: Fast
  Local:
    System Priority: 32768
    System ID: 00:1b:17:00:00:01
    Key: 100
  Remote:
    System Priority: 32768
    System ID: 00:50:56:00:00:02
    Key: 200
  Aggregated Port List
    Port: ethernet1/1 Id: 1 Priority: 32768 Key: 100 State: Activity Timeout Aggregation Synchronization Collecting Distributing
      Remote: Port: 10 Id: 10 Priority: 32768 Key: 200 State: Activity Timeout Aggregation Synchronization Collecting Distributing
    Port: ethernet1/2 Id: 2 Priority: 32768 Key: 100 State: Activity Timeout Aggregation Synchronization Collecting Distributing
      Remote: Port: 11 Id: 11 Priority: 32768 Key: 200 State: Activity Timeout Aggregation Synchronization Collecting Distributing
              

  Key things to check: Mode, Rate, Local and Remote System IDs/Priorities, and the State of each member port (should ideally include 'Synchronization', 'Collecting', 'Distributing').

• Show Interface Details for an AE interface:

  admin@PA-FW> show interface ae1
  
  --------------------------------------------------------------------------------
  Name: ae1, ID: 53
  Operation mode: layer3
  Interface state: up
  IP address: 192.168.100.1/24
  MAC address: 00:1b:17:ab:cd:ef
  [...]
  LACP info:
    Port State: Up
    Member(s): ethernet1/1(Up), ethernet1/2(Up)
  --------------------------------------------------------------------------------
              

• Show Interface Details for a Physical Member:

  admin@PA-FW> show interface ethernet1/1
  
  --------------------------------------------------------------------------------
  Name: ethernet1/1, ID: 1
  Operation mode: aggr-member (ae1)
  Interface state: up
  IP address: not applicable
  MAC address: 00:1b:17:01:02:03
  Speed/duplex: 1000/full
  [...]
  LACP info:
    Port State: Up and Active (Synchronization Collecting Distributing)
  --------------------------------------------------------------------------------
              

• Show Interface Counters:

  admin@PA-FW> show counter interface ae1
  admin@PA-FW> show counter interface ethernet1/1
              

• Debug LACP (Use with caution, can be verbose):

  admin@PA-FW> debug lacp set level debug ae ae1
  admin@PA-FW> debug lacp dump ae ae1
  admin@PA-FW> less mp-log lacp.log
              

  Remember to turn off debugging: `debug lacp set level info ae ae1` or `debug software restart process lacp` (more disruptive).

Interpreting LACP States:

The 'State' field in `show lacp aggregate-ethernet ` output for each member port indicates its LACP status. Key flags include:

• Activity: Indicates LACP Active mode.
• Timeout: Short (Fast rate) or Long (Slow rate).
• Aggregation: Port is capable of aggregation.
• Synchronization: Port is in sync with the partner and considered part of the aggregation. This is crucial.
• Collecting: Port is accepting incoming traffic.
• Distributing: Port is sending outgoing traffic. A port must be Collecting and Distributing to pass traffic.
• Defaulted: Using default partner info (no LACPDUs received from partner recently).
• Expired: LACP timer expired (partner is likely down or not sending LACPDUs).

A healthy, active LACP member port should show: Activity (if active mode), Timeout, Aggregation, Synchronization, Collecting, Distributing.

Troubleshooting Common AE/LACP Issues on Palo Alto Networks Firewalls

A decision tree for troubleshooting common Aggregate Ethernet and LACP issues on Palo Alto Networks firewalls, starting from physical layer checks to LACP configuration and logs.

• LACP Group Not Forming / Interface Down:
  • Physical Layer: Check cabling. Ensure ports are administratively up on both sides.
  • Speed/Duplex Mismatch: All member interfaces on the firewall and the corresponding interfaces on the switch must have matching speed and duplex settings. Auto-negotiation can sometimes fail; explicitly set speed/duplex if suspected.
  • LACP Mode Mismatch:
    • If both firewall and switch are LACP Passive, the bundle will not form. At least one side must be Active.
    • If one side is LACP (Active/Passive) and the other is Static "On" (LACP disabled), it will not form correctly.
  • Incorrect Member Assignment: Ensure the correct physical interfaces are assigned to the AE group on the firewall and the port-channel group on the switch.
  • Exceeding Max Members: Palo Alto Networks supports up to 8 active members per AE group. The switch might have different limits or configuration for active vs. standby links.
  • System ID / Port Priority Conflicts (Advanced): Unlikely with defaults, but misconfiguration of system/port priorities can lead to unexpected link selection.
  • VLAN Mismatches: For Layer 2 AE interfaces, ensure native VLAN and allowed VLANs match between the firewall AE (and its subinterfaces) and the switch port-channel.
  • MTU Mismatch: Ensure MTU settings are consistent between the firewall's AE interface and the switch's port-channel interface.
• Links Flapping (Going Up and Down):
  • Often a sign of an unstable physical link (bad cable, failing SFP, interference).
  • Can also be due to LACP configuration issues causing repeated renegotiation (e.g., mismatched timers if not using standard Fast/Slow).
  • Check system logs on both firewall and switch for clues.
• Uneven Traffic Distribution:
  • Related to the LACP hashing algorithm. If traffic is predominantly between a few source/destination IP pairs, some algorithms might consistently hash that traffic to the same link.
  • Analyze traffic patterns. Consider changing the hashing algorithm on the PAN-OS firewall (Network > Interfaces > Aggregate Ethernet > [aeX] > LACP tab > Hashing Algorithm). Test different algorithms like 'Symmetric Hash' if appropriate for the traffic.
  • The switch also has a hashing algorithm; ideally, they should be compatible or understood in conjunction.
• Slow Failover:
  • If LACP Transmission Rate is set to "Slow" (default), failover can take up to 90 seconds.
  • Change to "Fast" for quicker failover (around 3 seconds). This needs to be configured on both the firewall and the switch for optimal results.
  • For A/P HA, ensure LACP Pre-Negotiation is enabled for data AE interfaces.

Palo Alto Networks Best Practices for AE Configuration

• Use LACP: Whenever possible, enable LACP (Active/Passive) rather than using static AE groups. LACP provides dynamic link management and failure detection.
• Set Firewall LACP Mode to Active: It's generally recommended to set the Palo Alto Networks firewall's LACP mode to Active and the peer switch to Passive or Active . This ensures the firewall initiates negotiation.
• Use LACP Fast Transmission Rate: For links carrying critical traffic where fast failover is desired (e.g., data plane links, HA links), configure the LACP Transmission Rate to Fast on both the firewall and the peer device.
• Consistent Configuration: Ensure LACP parameters (mode, rate, system ID considerations if non-default) and physical layer settings (speed, duplex, MTU) are consistently configured on both the firewall and the connected peer switch.
• Enable LACP Pre-Negotiation for A/P HA: For AE interfaces carrying production traffic in an Active/Passive HA setup, enable "LACP Pre-Negotiation" on the firewall to allow the passive unit's links to be operationally ready.
• Document Configuration: Clearly document which physical interfaces belong to which AE group, the purpose of the AE group, and the configuration on the peer device.
• Regular Monitoring: Periodically check the status of AE interfaces and their member links using GUI and CLI commands. Monitor system logs for LACP events.
• Plan for Capacity: While an AE group can have up to 8 members, consider the platform's limit on the total number of AE groups.
• Understand Hashing: Choose an appropriate LACP hashing algorithm based on your traffic patterns to optimize load distribution. The default is often sufficient, but testing may be required for specific scenarios.
• Physical Diversity: If possible, connect member links of an AE group to different line cards or ASICs on the switch to provide resilience against hardware failures on the switch side.

AE Interfaces and VM-Series Firewalls

Traditional Aggregate Ethernet (AE) interfaces, which involve direct physical port bundling using LACP as configured within PAN-OS, are primarily a feature of Palo Alto Networks hardware firewalls (PA-Series).

VM-Series firewalls generally do not support AE interface configuration directly within PAN-OS in the same way as hardware firewalls. The reason is that VM-Series firewalls operate with virtual NICs (vNICs) provided by the hypervisor environment (e.g., VMware ESXi, AWS, Azure, GCP, KVM).

Link aggregation or NIC teaming for VM-Series firewalls is typically handled at the hypervisor level or by the underlying physical network infrastructure :

• Hypervisor NIC Teaming/Bonding: Most hypervisors allow multiple physical NICs on the host server to be bonded or teamed. This team can then be presented as a single logical uplink to a virtual switch (vSwitch). The VM-Series firewall's vNICs connect to this vSwitch. From the VM-Series' perspective, it sees a single, potentially higher-bandwidth and resilient, virtual link provided by the hypervisor. The LACP negotiation, if used, happens between the hypervisor's physical NIC team and the physical switch.
• Cloud Provider Link Aggregation: In public cloud environments, services like AWS Direct Connect Link Aggregation Groups (LAGs) or Azure ExpressRoute port pairs provide resiliency and bandwidth at the cloud connection level, before traffic reaches the VM-Series.

While you might assign multiple vNICs to a VM-Series firewall for different purposes (e.g., management, data plane external, data plane internal), these are treated as distinct interfaces within PAN-OS unless the hypervisor is performing aggregation below the VM.