Aggregate Ethernet (AE) Interface Group
- Network > Interfaces > Ethernet > Add Aggregate Group
An Aggregate Ethernet (AE) interface group uses IEEE 802.1AX
link aggregation to combine multiple Ethernet interfaces into a
single virtual interface that connects the firewall to another network
device or another firewall. An AE interface group increases the
bandwidth between peers by load balancing traffic across the combined
interfaces. It also provides redundancy: when one interface fails,
the remaining interfaces continue to carry traffic. SD-WAN supports
AE interface groups of Layer 3 interfaces.
Before configuring an AE interface group, you must configure
its interfaces. Among the interfaces assigned to any particular
aggregate group, the hardware media can differ (for example, you
can mix fiber optic and copper), but the bandwidth (1Gbps, 10Gbps,
40Gbps, or 100Gbps) and interface type (HA3, virtual wire, Layer
2, or Layer 3) must be the same.
The number of AE interface groups you can add depends on the
firewall model. The Product Selection tool indicates
the Maximum aggregate interfaces that
each firewall model supports. Each AE interface group can have up
to eight interfaces.
On PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls,
QoS is supported on only the first eight AE interface groups.
All Palo Alto Networks hardware firewalls support AE interface groups, as do
VM-Series firewalls on VMware ESXi and KVM. VM-Series firewalls deployed in
other private or public clouds do not support AE interface groups.
You can aggregate the HA3 (packet
forwarding) interfaces in a high availability (HA) active/active configuration
but only on the following firewall models:
- PA-220
- PA-800 Series
- PA-3200 Series
- PA-5200 Series
To configure an AE interface group, Add Aggregate
Group, configure the settings described in the following
table, and then assign interfaces to the group (see Aggregate
Ethernet (AE) Interface).
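Added example (not from the PAN-OS documentation or from Palo Alto Networks): a Python builder and parser for the IEEE 802.1AX LACPDU that the firewall and its peer exchange once you Enable LACP. The Mode, Transmission Rate, System Priority and port-priority settings described in the table below appear on the wire as the actor's Activity and Timeout state bits and its system and port priority fields, and the LACP system ID is the (system priority, MAC address) pair that the Same System MAC Address row reasons about. The frame is assembled here from the standard's TLV layout, not captured from a firewall; the MAC addresses, keys and priorities are constructed values, and the function names are this example's own.

```python
"""Build and parse IEEE 802.1AX LACPDUs (constructed frame, runs offline).

Added example, not code from the PAN-OS documentation or from Palo Alto
Networks. The frame is assembled from the standard's TLV layout; the MAC
addresses, keys and priorities are constructed values.
"""
import struct

SLOW_PROTOCOLS_MAC = bytes.fromhex("0180c2000002")  # LACPDU destination address
ETHERTYPE_SLOW = 0x8809
SUBTYPE_LACP = 0x01
LACP_VERSION = 0x01

# Actor/Partner Information TLV (20 octets): type, length=20, system priority,
# system MAC, key, port priority, port number, state, 3 reserved octets.
_INFO_TLV = struct.Struct("!BBH6sHHHB3x")
_COLLECTOR_TLV = struct.Struct("!BBH12x")   # type, length=16, CollectorMaxDelay
_TERMINATOR = struct.Struct("!BB50x")       # type=0, length=0, 50 reserved octets

# Actor_State / Partner_State bit positions (bit 0 is the least significant).
STATE_BITS = ("activity", "timeout", "aggregation", "synchronization",
              "collecting", "distributing", "defaulted", "expired")


def pack_state(**flags):
    """Pack LACP state flags into one octet; reject unknown flag names."""
    value = 0
    for name, on in flags.items():
        if name not in STATE_BITS:
            raise ValueError(f"unknown LACP state flag {name!r}")
        if on:
            value |= 1 << STATE_BITS.index(name)
    return value


def unpack_state(value):
    return {name: bool((value >> i) & 1) for i, name in enumerate(STATE_BITS)}


def build_lacpdu(actor, partner, collector_max_delay=0):
    """Return an Ethernet frame carrying an LACPDU (124 octets).

    actor/partner: dicts with sys_prio, mac (6 bytes), key, port_prio, port, state.
    The source MAC is simplified to the actor's system MAC.
    """
    def info(tlv_type, p):
        return _INFO_TLV.pack(tlv_type, 20, p["sys_prio"], p["mac"], p["key"],
                              p["port_prio"], p["port"], p["state"])

    body = (bytes([SUBTYPE_LACP, LACP_VERSION]) + info(0x01, actor) + info(0x02, partner)
            + _COLLECTOR_TLV.pack(0x03, 16, collector_max_delay) + _TERMINATOR.pack(0, 0))
    return SLOW_PROTOCOLS_MAC + actor["mac"] + struct.pack("!H", ETHERTYPE_SLOW) + body


def parse_lacpdu(frame):
    """Parse an LACPDU frame into a dict; raise ValueError on anything malformed."""
    if len(frame) < 14 + 2 + 2 * _INFO_TLV.size:
        raise ValueError("frame too short for an LACPDU")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETHERTYPE_SLOW or frame[14] != SUBTYPE_LACP:
        raise ValueError("not an LACPDU")
    out = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "version": frame[15]}
    offset = 16
    for name, expected_type in (("actor", 0x01), ("partner", 0x02)):
        t, length, sys_prio, mac, key, port_prio, port, state = _INFO_TLV.unpack_from(frame, offset)
        if t != expected_type or length != 20:
            raise ValueError(f"bad {name} TLV (type={t}, length={length})")
        out[name] = {
            "sys_prio": sys_prio, "mac": mac.hex(":"), "key": key,
            "port_prio": port_prio, "port": port, "state": unpack_state(state),
            # 802.1AX System Identifier: (system priority, MAC); the numerically
            # lower one decides whose port priorities are used for selection.
            "system_id": (sys_prio, mac.hex(":")),
        }
        offset += _INFO_TLV.size
    return out


def is_lacpdu(frame):
    try:
        parse_lacpdu(frame)
        return True
    except ValueError:
        return False


def summarize(parsed):
    """One-line view of the actor's LACP mode and requested timeout."""
    a = parsed["actor"]
    mode = "active" if a["state"]["activity"] else "passive"
    # Timeout bit set = short timeout: asks the partner for LACPDUs every 1 s (else 30 s).
    rate = "fast (1 s)" if a["state"]["timeout"] else "slow (30 s)"
    return f"{a['mac']} sys_prio={a['sys_prio']} port={a['port']}/{a['port_prio']} {mode} {rate}"


# Constructed sample: an active, fast-rate actor talking to a passive partner.
ACTOR = {"sys_prio": 32768, "mac": bytes.fromhex("020000000010"), "key": 1,
         "port_prio": 32768, "port": 1,
         "state": pack_state(activity=True, timeout=True, aggregation=True,
                             synchronization=True, collecting=True, distributing=True)}
PARTNER = {"sys_prio": 32768, "mac": bytes.fromhex("020000000020"), "key": 7,
           "port_prio": 100, "port": 11,
           "state": pack_state(aggregation=True, synchronization=True,
                               collecting=True, distributing=True)}
EXAMPLE_FRAME = build_lacpdu(ACTOR, PARTNER)

if __name__ == "__main__":
    print(summarize(parse_lacpdu(EXAMPLE_FRAME)))
```

The parser is strict on purpose: it rejects frames that are too short or whose TLV types and lengths do not match the fixed 802.1AX layout, which is what you want before trusting values read from a capture. When run against a real capture of the firewall's uplink, the actor block shows the settings the firewall actually advertises and the partner block shows what the switch has learned about it.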
| Aggregate Interface Group Settings | Configured In | Description |
|---|---|---|
| Interface Name | Aggregate Ethernet Interface | The read-only Interface Name is set to ae. In the adjacent field, enter a numeric suffix to identify the AE interface group. The range of the numeric suffix depends on how many AE groups the firewall model supports; see the Maximum aggregate interfaces supported per firewall model in the Product Selection tool. |
| Comment | Aggregate Ethernet Interface | (Optional) Enter a description for the interface. |
| Interface Type | Aggregate Ethernet Interface | Select the interface type, which controls the remaining configuration requirements and options. The type must match the interface type (HA3, virtual wire, Layer 2, or Layer 3) of the interfaces you assign to the group. |
| Netflow Profile | Aggregate Ethernet Interface | If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile, or select NetFlow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the AE interface group. |
| Enable LACP | Aggregate Ethernet Interface > LACP | Select to enable Link Aggregation Control Protocol (LACP) for the AE interface group. LACP is disabled by default. With LACP enabled, interface failure detection is automatic at the physical and data link layers regardless of whether the firewall and its LACP peer are directly connected. (Without LACP, failure detection is automatic only at the physical layer and only between directly connected peers, so a failure on the far side of an intermediate device goes unnoticed.) LACP also enables automatic failover to standby interfaces if you configure hot spares (see Max Interfaces). |
| Mode | Aggregate Ethernet Interface > LACP | Select the LACP mode of the firewall. Between any two LACP peers, we recommend that you configure one as active and the other as passive. LACP cannot function if both peers are passive, because a passive peer only responds to LACPDUs and never initiates the exchange. |
| Transmission Rate | Aggregate Ethernet Interface > LACP | Select the rate at which the firewall exchanges queries and responses with peer devices. |
| Fast Failover | Aggregate Ethernet Interface > LACP | Select if, when an interface goes down, you want the firewall to fail over to an operational interface within one second. Otherwise, failover occurs at the standard IEEE 802.1AX-defined speed (at least three seconds). |
| System Priority | Aggregate Ethernet Interface > LACP | The number that determines whether the firewall or its peer overrides the other with respect to port priorities (see Max Interfaces). The lower the number, the higher the priority (range is 1 to 65,535; default is 32,768). |
| Max Interfaces | Aggregate Ethernet Interface > LACP | The number of interfaces (1 to 8) that can be active at any given time in an LACP aggregate group. This value cannot exceed the number of interfaces you assign to the group. If the number of assigned interfaces exceeds the number of active interfaces, the firewall uses the LACP port priorities of the interfaces to determine which are in standby mode. You set the LACP port priorities when configuring individual interfaces for the group (see Aggregate Ethernet (AE) Interface). |
| Enable in HA Passive State | Aggregate Ethernet Interface > LACP | For firewalls deployed in an HA active/passive configuration, select to allow the passive firewall to pre-negotiate LACP with its LACP peer before a failover occurs. Pre-negotiation speeds up failover because the passive firewall does not have to negotiate LACP after becoming active. |
| Same System MAC Address for Active-Passive HA | Aggregate Ethernet Interface > LACP | Applies only to firewalls deployed in an HA active/passive configuration; firewalls in an active/active configuration require unique MAC addresses. LACP derives a system ID for each LACP peer from its MAC address. Both HA peers share the same system priority value, so in an active/passive deployment the system ID of each firewall is the same or different depending on whether you assign them the same MAC address. When the LACP peers (also in HA mode) are virtualized, appearing to the network as a single device, using the same system MAC address on both firewalls minimizes failover latency. When the LACP peers are not virtualized, using the unique MAC address of each firewall minimizes failover latency. If the firewall pair and the peer pair have identical system priority values, LACP compares system IDs to decide which side's port priorities take precedence. If both firewalls have the same MAC address, both have the same system ID, which is consistently higher or lower than the system ID of the LACP peers, so precedence does not change on failover. If the HA firewalls have unique MAC addresses, one may have a higher system ID than the LACP peers while the other has a lower one; in that case, when failover occurs, port-priority precedence switches between the LACP peers and the firewall that becomes active. |
| MAC Address | Aggregate Ethernet Interface > LACP | If you Use Same System MAC Address, select a system-generated MAC address or enter your own MAC address for both firewalls in the active/passive HA pair. You must verify that the address is globally unique: LACP derives the system ID from it, so a MAC address that another device on the segment also uses can produce a duplicate LACP system ID. |
| SD-WAN Interface Profile | Aggregate Ethernet Interface > SD-WAN | Select an SD-WAN Interface Profile to apply to the AE interface group, or create a new profile. |
| Management Profile | Aggregate Ethernet Interface > Advanced > Other Info | Select a Management profile that defines the protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this interface. Telnet and HTTP carry credentials in cleartext, so prefer SSH and HTTPS and restrict the permitted source addresses in the profile. Select None to remove the current profile assignment from the interface. |
| MTU | Aggregate Ethernet Interface > Advanced > Other Info | Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576 to 9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating that the packet is too large. |
| Adjust TCP MSS | Aggregate Ethernet Interface > Advanced > Other Info | Select to adjust the maximum segment size (MSS) to leave room for headers within the interface MTU. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol. Use this setting where a tunnel through the network requires a smaller MSS: the firewall rewrites the MSS option in TCP SYN segments so that segments still fit within the MTU after encapsulation, instead of being fragmented. Encapsulation adds header length, so set the MSS adjustment size to allow bytes for such things as an MPLS header or a VLAN tag on tunneled traffic. |
| Untagged Subinterface | Aggregate Ethernet Interface > Advanced > Other Info | Select this option if the corresponding subinterfaces for this interface are not tagged. |
| IP Address / MAC Address | Aggregate Ethernet Interface > Advanced > ARP Entries | To add one or more static Address Resolution Protocol (ARP) entries, Add an IP address and its associated hardware (media access control, MAC) address. To delete an entry, select it and click Delete. Static ARP entries reduce ARP processing and pin the IP-to-MAC binding for the listed hosts. |
| IPv6 Address / MAC Address | Aggregate Ethernet Interface > Advanced > ND Entries | To provide neighbor information for the Neighbor Discovery Protocol (NDP), Add the IPv6 address and MAC address of the neighbor. |
| Enable NDP Proxy | Aggregate Ethernet Interface > Advanced > NDP Proxy | Enable Neighbor Discovery Protocol (NDP) proxy for the interface. The firewall responds to ND packets requesting MAC addresses for IPv6 addresses in this list. In the ND response, the firewall sends its own MAC address for the interface so that it receives the packets meant for the addresses in the list. We recommend that you enable NDP proxy if you are using Network Prefix Translation IPv6 (NPTv6). If you selected Enable NDP Proxy, you can filter numerous Address entries by entering a filter and clicking Apply Filter (gray arrow). |
| Address | Aggregate Ethernet Interface > Advanced > NDP Proxy | Add one or more IPv6 addresses, IP ranges, IPv6 subnets, or address objects for which the firewall acts as NDP proxy. Ideally, one of these addresses is the same as the source translation address in NPTv6. The order of addresses does not matter. If the address is a subnetwork, the firewall sends an ND response for all addresses in the subnet, so we recommend that you also add the IPv6 neighbors of the firewall and then click Negate to instruct the firewall not to respond for those addresses. |
| Negate | Aggregate Ethernet Interface > Advanced > NDP Proxy | Negate an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet. |
| Enable LLDP | Aggregate Ethernet Interface > Advanced > LLDP | Enable Link Layer Discovery Protocol (LLDP) for the interface. LLDP functions at the link layer to discover neighboring devices and their capabilities by sending and receiving LLDP data units to and from neighbors. |
| LLDP Profile | Aggregate Ethernet Interface > Advanced > LLDP | Select an LLDP Profile or create a new LLDP Profile. The profile is where you configure the LLDP mode, enable syslog and SNMP notifications, and configure the optional Type-Length-Values (TLVs) you want transmitted to LLDP peers. |
| Settings | Aggregate Ethernet Interface > Advanced > DDNS | Select Settings to make the DDNS fields available to configure. |
| Enable | Aggregate Ethernet Interface > Advanced > DDNS | Enable DDNS on the interface. You must initially enable DDNS to configure it. (If your DDNS configuration is unfinished, you can save it without enabling it so that you do not lose your partial configuration.) |
| Update Interval (days) | Aggregate Ethernet Interface > Advanced > DDNS | Enter the interval (in days) between updates that the firewall sends to the DDNS server to update the IP addresses mapped to FQDNs (range is 1 to 30; default is 1). The firewall also updates DDNS upon receiving a new IP address for the interface from the DHCP server. |
| Certificate Profile | Aggregate Ethernet Interface > Advanced > DDNS | Create a Certificate Profile to verify the DDNS service. The DDNS service presents the firewall with a certificate signed by the certificate authority (CA). |
| Hostname | Aggregate Ethernet Interface > Advanced > DDNS | Enter a hostname for the interface, which is registered with the DDNS server (for example, host123.domain123.com or host123). The firewall does not validate the hostname except to confirm that the syntax uses valid characters allowed by DNS for a domain name. |
| Vendor | Aggregate Ethernet Interface > Advanced > DDNS | Select the DDNS vendor (and version) that provides DDNS service to this interface. If you select an older version of a DDNS service that the firewall indicates will be phased out by a certain date, move to the newer version. The Name and Value fields that follow the vendor name are vendor-specific. The read-only fields show the parameters that the firewall uses to connect to the DDNS service. Configure the other fields, such as the password that the DDNS service provides to you and the timeout that the firewall uses if it does not receive a response from the DDNS server. |
| IPv4 Tab | Aggregate Ethernet Interface > Advanced > DDNS | Add the IPv4 addresses configured on the interface and then select them. You can select only as many IPv4 addresses as the DDNS provider allows. All selected IP addresses are registered with the DDNS provider (Vendor). |
| IPv6 Tab | Aggregate Ethernet Interface > Advanced > DDNS | Add the IPv6 addresses configured on the interface and then select them. You can select only as many IPv6 addresses as the DDNS provider allows. All selected IP addresses are registered with the DDNS provider (Vendor). |
| Show Runtime Info | Aggregate Ethernet Interface > Advanced > DDNS | Displays the DDNS registration: DDNS provider, resolved FQDN, and the mapped IP address(es), with an asterisk (*) indicating the primary IP address. Each DDNS provider has its own return codes to indicate the status of the hostname update, and a return date, for troubleshooting purposes. |
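The Same System MAC Address and Max Interfaces rows above are easiest to follow with numbers. The following Python, an added example rather than PAN-OS code, models the IEEE 802.1AX selection rule those rows rely on: the system with the numerically lower System ID (system priority first, then MAC address) controls which interfaces aggregate, and when Max Interfaces is smaller than the number of assigned members, the controlling side's port priorities decide which members go to standby (lower priority value wins, port number breaks ties). The scenario places the switch's MAC between the two firewalls' MACs with everyone at the default system priority of 32,768, so with unique MACs precedence flips on failover and the active interface set changes, whereas with the same system MAC on both firewalls it does not. Interface names, MAC addresses, priorities and the function names are this example's own constructed values.

```python
"""Model of LACP active/standby selection across an HA active/passive failover.

Added example, not code from the PAN-OS documentation or from Palo Alto
Networks. It applies the IEEE 802.1AX rule behind the System Priority,
Max Interfaces and Same System MAC Address settings: the system with the
numerically lower System ID (system priority, then MAC address) decides
which ports aggregate, lower port priority wins, and port number breaks
ties. Interface names, MAC addresses and priorities are constructed values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    sys_prio: int          # LACP system priority, 1-65535, lower is better
    mac: str

    @property
    def system_id(self):
        return (self.sys_prio, bytes.fromhex(self.mac.replace(":", "")))


@dataclass(frozen=True)
class Member:
    name: str              # firewall interface, e.g. ethernet1/1
    port: int              # firewall's LACP port number
    port_prio: int         # LACP port priority set on the firewall interface
    peer_port: int         # port number the LACP peer reports for this link
    peer_port_prio: int    # port priority the LACP peer reports for this link


def controlling_system(a, b):
    """Whichever side has the lower System ID controls port selection."""
    if a.system_id == b.system_id:
        raise ValueError(f"{a.name} and {b.name} share an LACP system ID")
    return a if a.system_id < b.system_id else b


def select_active(members, max_interfaces, peer_controls):
    """Split members into (active, standby) names for a given Max Interfaces."""
    if not 1 <= max_interfaces <= 8:
        raise ValueError("Max Interfaces must be 1 to 8")
    if max_interfaces > len(members):
        raise ValueError("Max Interfaces exceeds the number of assigned interfaces")
    if peer_controls:
        key = lambda m: (m.peer_port_prio, m.peer_port)
    else:
        key = lambda m: (m.port_prio, m.port)
    ranked = sorted(members, key=key)
    return ([m.name for m in ranked[:max_interfaces]],
            [m.name for m in ranked[max_interfaces:]])


def ha_failover_outcome(fw_active, fw_passive, peer, members, max_interfaces):
    """Compare the active set before and after failover from fw_active to fw_passive."""
    peer_before = controlling_system(fw_active, peer) is peer
    peer_after = controlling_system(fw_passive, peer) is peer
    active_before, _ = select_active(members, max_interfaces, peer_before)
    active_after, _ = select_active(members, max_interfaces, peer_after)
    return {"active_before": active_before, "active_after": active_after,
            "precedence_flips": peer_before != peer_after}


# Constructed scenario: both sides keep the default system priority (32768), so
# the MAC addresses alone decide precedence. The switch's MAC falls between the
# two firewalls' MACs, which is the case the documentation warns about.
SWITCH = System("switch", 32768, "02:00:00:00:00:20")
FW_A = System("fw-a", 32768, "02:00:00:00:00:10")
FW_B = System("fw-b", 32768, "02:00:00:00:00:30")
FW_B_SAME_MAC = System("fw-b", 32768, FW_A.mac)   # Same System MAC Address in use

MEMBERS = [
    Member("ethernet1/1", 1, 1, 11, 300),
    Member("ethernet1/2", 2, 2, 12, 100),
    Member("ethernet1/3", 3, 3, 13, 200),
]

if __name__ == "__main__":
    print("unique MACs:", ha_failover_outcome(FW_A, FW_B, SWITCH, MEMBERS, 2))
    print("same MAC:   ", ha_failover_outcome(FW_A, FW_B_SAME_MAC, SWITCH, MEMBERS, 2))
```

The model covers priority ranking only; it does not account for link state, key mismatches, or the partner's own member limit, any of which can also keep a port out of the aggregate. Lowering the firewall's System Priority below the peer's is the other way to keep precedence on the firewall regardless of MAC addresses, which the `controlling_system` check makes visible.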