The previous post about Cisco VSS was leading up to integrating it with Palo Alto firewalls.
Layer 3 link aggregation on PA firewall
Click the Network tab and select Interfaces from the menu on the left.
There is an “Add Aggregate Group” link at the bottom of the page; it is easy to overlook.




After the aggregate interface is created, the physical interfaces are added to the aggregate group.

The equivalent CLI configuration is as follows:
admin@PA-5050> configure
Entering configuration mode
[edit]
admin@PA-5050# set network interface aggregate-ethernet ae1 layer3 interface-management-profile icmp-profile ip 192.168.50.1/30
[edit]
admin@PA-5050# set network interface ethernet ethernet1/11 aggregate-group ae1
[edit]
admin@PA-5050# set network interface ethernet ethernet1/12 aggregate-group ae1
[edit]
admin@PA-5050# commit
Create virtual router
A PA firewall can host multiple virtual routers: you assign interfaces to a virtual router and then configure the routing protocol you wish to use on it. Each physical interface can be assigned to only one virtual router.
Click the Network tab and select Virtual Routers from the menu on the left.
Select OSPF from the menu on the left and click Add.




The other PA firewall has a similar configuration to this one, so the process is not repeated here.
admin@PA-5050# set network virtual-router default interface [ ae1 loopback.1 ]
[edit]
admin@PA-5050# set network virtual-router default protocol ospf router-id 1.1.1.1 area 0.0.0.0 type normal
[edit]
admin@PA-5050# set network virtual-router default protocol ospf area 0.0.0.0 interface ae1 link-type p2p
[edit]
admin@PA-5050# set network virtual-router default protocol ospf area 0.0.0.0 interface loopback.1 link-type p2p passive yes
[edit]
admin@PA-5050# set network virtual-router default protocol ospf area 0.0.0.0 range 1.1.1.1/32
[edit]
admin@PA-5050# set network virtual-router default protocol ospf area 0.0.0.0 range 192.168.50.1/30
[edit]
admin@PA-5050# set network virtual-router default protocol ospf enable yes area 0.0.0.0 interface ae1 enable yes
[edit]
admin@PA-5050# set network virtual-router default protocol ospf enable yes area 0.0.0.0 interface loopback.1 enable yes
[edit]
admin@PA-5050# commit
....55%98%.....100%
Configuration committed successfully
[edit]
admin@PA-5050#
OSPF adjacency verification
admin@PA-5050> show routing protocol ospf neighbor
Options: 0x80:reserved, O:Opaq-LSA capability, DC:demand circuits, EA:Ext-Attr LSA capability, N/P:NSSA option, MC:multicase, E:AS external LSA capability, T:TOS capability
==========
virtual router: default
neighbor address: 192.168.51.1
local address binding: 0.0.0.0
type: dynamic
status: full
neighbor router ID: 2.2.2.2
area id: 0.0.0.0
neighbor priority: 1
lifetime remain: 33
messages pending: 0
LSA request pending: 0
options: 0x42: O E
hello suppressed: no
admin@PA-5050>
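To automate the adjacency check above, the following Python code (an added example, not part of the original post or of any Palo Alto tooling) parses saved `show routing protocol ospf neighbor` output and compares it with a list of intended peers, flagging unexpected, mismatched, missing or non-full neighbors. The function names, the allow-list, the second neighbor entry and its `init` status string are assumptions made for illustration, as is the rule that every entry starts with a `virtual router:` field.

```python
import re

# Field labels as they appear in the neighbor output on this page.
LABELS = ["virtual router", "neighbor address", "local address binding", "type",
          "status", "neighbor router ID", "area id", "neighbor priority",
          "lifetime remain", "messages pending", "LSA request pending",
          "options", "hello suppressed"]
_ALT = "|".join(re.escape(l) for l in sorted(LABELS, key=len, reverse=True))
# A value runs until the next known label or the end of the entry.
_PAIR = re.compile(rf"\b({_ALT}):\s*(.*?)(?=\s+(?:{_ALT}):|\s*$)", re.S)

def parse_neighbors(text):
    """Return one dict per neighbor entry (assumed to start at 'virtual router:')."""
    text = re.sub(r"={3,}", " ", text)  # drop the ========== separators
    chunks = text.split("virtual router:")[1:]  # [0] is the Options legend
    return [dict(_PAIR.findall("virtual router:" + c)) for c in chunks]

def audit(neighbors, expected):
    """expected maps neighbor address -> router ID of each intended peer."""
    findings, seen = [], set()
    for n in neighbors:
        addr, rid = n.get("neighbor address"), n.get("neighbor router ID")
        seen.add(addr)
        if addr not in expected:
            findings.append(f"unexpected neighbor {addr} (router ID {rid})")
        elif expected[addr] != rid:
            findings.append(f"{addr}: router ID {rid}, expected {expected[addr]}")
        elif n.get("status") != "full":
            # ae1 is configured as link-type p2p, so a healthy peer reaches "full".
            findings.append(f"{addr}: adjacency is {n.get('status')}, not full")
    findings += [f"expected neighbor {a} is missing" for a in expected if a not in seen]
    return findings

# First entry is the output shown above; the second entry is constructed.
SAMPLE = """
========== virtual router: default neighbor address: 192.168.51.1
local address binding: 0.0.0.0 type: dynamic status: full
neighbor router ID: 2.2.2.2 area id: 0.0.0.0 neighbor priority: 1
lifetime remain: 33 messages pending: 0 LSA request pending: 0
options: 0x42: O E hello suppressed: no
========== virtual router: default neighbor address: 192.168.51.9
local address binding: 0.0.0.0 type: dynamic status: init
neighbor router ID: 9.9.9.9 area id: 0.0.0.0 neighbor priority: 1
lifetime remain: 38 messages pending: 0 LSA request pending: 0
options: 0x42: O E hello suppressed: no
"""

if __name__ == "__main__":
    print(audit(parse_neighbors(SAMPLE), {"192.168.51.1": "2.2.2.2"}))
```

Strip the trailing CLI prompt from captured output before parsing, otherwise it ends up in the last field's value.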

Great writeup, thanks for sharing. I assume this is PAN-OS 5.0?
Hi John,
This is PanOS 4.1.6. Btw, have you done redistribution before with PanOS? I am familiar with Cisco IOS in regards to redistribution. I find the redistribution profile difficult to understand in PanOS, and there is no tech note on how this is done correctly. The admin guide serves no help at all; in terms of wide documentation and tech notes, PAN still has room for improvement. If you have an idea on how to do redistribution correctly, I would appreciate it if you could share it with me 🙂 Thanks!
Hi John,
Great write-up. Which mode of EtherChannel is deployed on the Cisco side (facing PA)?
Is it “on” (manual etherchannel)?
Thank You
Hi,
Unfortunately, I don’t see any option to use LACP over the aggregated interface. For such a setup I believe this should be included by Palo Alto as well.
LACP is supported from 6.1.X and onward on Palo Alto Next Generation Firewall.