Aggregate Interfaces

Aggregate Interfaces

Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together to form an aggregated (combined) link. This new link has the bandwidth of all the links combined. If a link in the group fails, traffic is transferred automatically to the remaining interfaces with the only noticeable effect being a reduced bandwidth.

This is similar to redundant interfaces with the major difference being that a redundant interface group only uses one link at a time, where an aggregate link group uses the total bandwidth of the functioning links in the group, up to eight (or more).

Support of the IEEE standard 802.3ad for link aggregation is available on some models. An interface is available to be an aggregate interface if:

  • it is a physical interface, not a VLAN interface or subinterface
  • it is not already part of an aggregate or redundant interface
  • it is in the same VDOM as the aggregated interface. Aggregate ports cannot span multiple VDOMs.
  • it does not have an IP address and is not configured for DHCP or PPPoE l  it is not referenced in any security policy, VIP, IP Pool or multicast policy l  it is not an HA heartbeat interface
  • it is not one of the FortiGate-5000 series backplane interfaces

Some models of FortiGate units do not support aggregate interfaces. In this case, the aggregate option is not an option in the web-based manager or CLI. As well, you cannot create aggregate interfaces from the interfaces in a switch port.

To see if a port is being used or has other dependencies, use the following diagnose command:

diagnose sys checkused <interface_name>

When an interface is included in an aggregate interface, it is not listed on the System > Network > Interface page. Interfaces will still appear in the CLI, although configuration for those interfaces will not take affect. You cannot configure the interface individually and it is not available for inclusion in security policies, VIPs, IP pools, or routing.



This example creates an aggregate interface on a FortiGate-3810A using ports 4-6 with an internal IP address of, as well as the administrative access to HTTPS and SSH.


To create an aggregate interface – web-based manager

1. Go to System > Network > Interface and select Create New.

2. Enter the Name as Aggregate.

3. For the Type, select 802.3ad Aggregate.

If this option does not appear, your FortiGate unit does not support aggregate interfaces.

4. In the Available Interfaces list, select port 4, 5 and 6 and move it to the Selected Interfaces list.

5. Select the Addressing Mode of Manual.

6. Enter the IP address for the port of

7. For Administrative Access select HTTPS and SSH.

8. Select OK.


To create aggregate interface – CLI

config system interface edit Aggregate

set type aggregate

set member port4 port5 port6 set vdom root

set ip set allowaccess https ssh


This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook and tagged , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.