Aggregate Ethernet (AE) Interface
- Network > Interfaces > Ethernet
To configure an Aggregate Ethernet (AE) Interface, first Add an Aggregate Ethernet (AE) Interface Group. Then click the name of the interface you will assign to that group. Among the interfaces that you assign to any particular group, the hardware media can differ (for example, you can mix fiber optic and copper), but the bandwidth and interface type (such as Layer 3) must be the same. Furthermore, the interface type must be the same as that defined for the AE interface group, though you will change the type to Aggregate Ethernet when you configure each interface. Specify the following information for each interface that you assign to the group.

If you enabled Link Aggregation Control Protocol (LACP) for the AE interface group, select the same Link Speed and Link Duplex for every interface in that group. For non-matching values, the commit operation displays a warning and PAN-OS defaults to the higher speed and full duplex.
An empty Configured In cell means the setting is configured in the same location as the setting above it.

Aggregate Interface Settings | Configured In | Description |
---|---|---|
Interface Name | Aggregate Ethernet Interface | The interface name is predefined and you cannot change it. Enter a number after ae in the Interface Name. |
Comment | | (Optional) Enter a description for the interface. |
Interface Type | | Select Aggregate Ethernet. |
Aggregate Group | | Assign the interface to an aggregate group. |
Link Speed | Aggregate Ethernet Interface > Advanced > Link Settings | Select the interface speed in Mbps, or select auto to have the firewall automatically determine the speed. |
Link Duplex | | Select whether the interface transmission mode is full-duplex (full), half-duplex (half), or negotiated automatically (auto). |
Link State | | Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto). |
PoE Rsvd Pwr | Aggregate Ethernet Interface > Advanced > PoE Settings (Supported firewalls only) | Select the amount of allocated power in Watts if PoE is enabled. |
PoE Enable | | Select to enable PoE on this interface. When using Panorama, non-PoE interfaces display the option to enable or disable PoE. To avoid a commit failure, ensure that PoE Enable remains selected on these non-PoE interfaces. |
LACP Port Priority | | The firewall only uses this field if you enabled Link Aggregation Control Protocol (LACP) for the aggregate group. If the number of interfaces you assign to the group exceeds the number of active interfaces (the Max Ports field), the firewall uses the LACP port priorities of the interfaces to determine which are in standby mode. The lower the numeric value, the higher the priority (range is 1-65,535; default is 32,768). |
Virtual Router | Aggregate Ethernet Interface > Config | Select the virtual router to which you assign the Aggregate Ethernet interface. |
Security Zone | | Select the security zone to which you assign the Aggregate Ethernet interface. |
Enable SD-WAN | Aggregate Ethernet Interface > IPv4 | Select to enable SD-WAN functionality for the interface. |
Enable Bonjour Reflector | Aggregate Ethernet Interface > IPv4 | (PA-220, PA-800, and PA-3200 series only) When you enable this option, the firewall forwards Bonjour multicast advertisements and queries received on and forwarded to this interface to all other L3 and AE interfaces and subinterfaces where you enable this option. This helps ensure user access and device discoverability in network environments that use segmentation to route traffic for security or administrative purposes. You can enable this option on up to 16 interfaces. |
Enable IPv6 on the interface | Aggregate Ethernet Interface > IPv6 | Select to enable IPv6 on this interface. |
Interface ID | | Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you Use interface ID as host portion when adding an address, the firewall uses the interface ID as the host portion of that address. |
Address | Aggregate Ethernet Interface > IPv6 > Address Assignment, Type = Static | Add an IPv6 address and prefix length (for example, 2001:400:f00::1/64). Alternatively, select an existing IPv6 address object or create a new IPv6 address object. |
Enable address on interface | | Select to enable the IPv6 address on the interface. |
Use interface ID as host portion | | Select to use the Interface ID as the host portion of the IPv6 address. |
Anycast | | Select to include routing through the nearest node. |
Send Router Advertisement | Aggregate Ethernet Interface > IPv6 > Address Assignment, Type = Static | Select to enable router advertisement (RA) for this IP address. (You must also enable the global Enable Router Advertisement option on the interface.) For details on RA, see Enable Router Advertisement in this table. The following fields apply only if you Enable Router Advertisement: |
Accept Router Advertised Route | Aggregate Ethernet Interface > IPv6 > Address Assignment, Type = DHCPv6 Client | Select to allow the DHCPv6 Client to accept the RA from the DHCP server. |
Default Route Metric | | Enter a default route metric for the route from the interface to the ISP; range is 1 to 65,535; default is 10. |
Preference | | Select the preference of the DHCPv6 Client interface (low, medium, or high) so that, in the event you have two interfaces (each connected to a different ISP for redundancy), you can assign the interface to one ISP a higher preference than the interface to the other ISP. The ISP connected to the preferred interface will be the ISP that provides the delegated prefix to send to a host-facing interface. If the interfaces have the same preference, both ISPs provide a delegated prefix and the host decides which prefix to use. |
Enable IPv6 Address | Aggregate Ethernet Interface > IPv6 > Address Assignment, Type = DHCPv6 Client > DHCPv6 Options | Enable the IPv6 Address received for this DHCPv6 Client. |
Non-Temporary Address | | Request a Non-Temporary Address for the firewall to assign to this DHCPv6 Client interface that faces the delegating router and ISP. Select for a longer lifespan than a Temporary Address. Whether you request a Non-Temporary Address or Temporary Address for the interface is based on your discretion and the capability of the DHCPv6 server; some servers can provide only a temporary address. The best practice is to select both Non-Temporary Address and Temporary Address, in which case the firewall will prefer the Non-Temporary Address. |
Temporary Address | | Request a Temporary Address for the firewall to assign to this DHCPv6 Client interface that faces the delegating router and ISP. Select Temporary Address for a greater level of security because the address is intended to be used for a short period of time. |
Rapid Commit | | Select to use the DHCP process of Solicit and Reply messages, rather than the process of Solicit, Advertise, Request, and Reply messages. |
Enable Prefix Delegation | Aggregate Ethernet Interface > IPv6 > Address Assignment, Type = DHCPv6 Client > Prefix Delegation | Enable Prefix Delegation to allow the firewall to support prefix delegation functionality. This means that the interface accepts a prefix from the upstream DHCPv6 server and places the prefix into the Prefix Pool you select, from which the firewall delegates a prefix to a host via SLAAC. The ability to enable or disable prefix delegation for an interface allows the firewall to support multiple ISPs (one ISP per interface). Enabling prefix delegation on this interface controls which ISP provides the prefix. The delegated prefix received from the DHCP server cannot be used on the interface that requested it. |
DHCP Prefix Length Hint | | Select to enable the firewall to send a preferred DHCPv6 prefix length to the DHCPv6 server. |
DHCP Prefix Length (bits) | | Enter the preferred DHCPv6 prefix length in the range from 48 to 64 bits, which is sent as the hint to the DHCPv6 server. Requesting a prefix length of 48, for example, leaves 16 bits remaining for subnets (64-48), which indicates you require many subdivisions of that prefix to delegate. On the other hand, requesting a prefix length of 63 leaves 1 bit for delegating only two subnets. Of the 128 bits, there are still 64 more bits for the host address. |
Prefix Pool Name | | Enter a name for the prefix pool where the firewall stores the received prefix. The name must be unique and contain a maximum of 63 alphanumeric characters, hyphens, periods, and underscores. Use a prefix pool name that reflects the ISP for easy recognition. |
Name | Aggregate Ethernet Interface > IPv6 > Address Assignment, Type = Inherited | Add a pool by entering a pool Name. The name can be a maximum of 63 alphanumeric characters, hyphens, periods, and underscores. |
Address Type | | Select one: |
Enable on Interface | | (GUA) Enable the address on the interface. |
Prefix Pool | | (GUA) Select the Prefix Pool from which to get the GUA. |
Assignment Type | Aggregate Ethernet Interface > IPv6 > Address Assignment, Type = Inherited | (GUA) Select the assignment type: |
Enable Address on Interface | | (ULA) Enable the address on the interface. |
Address | | (ULA) Enter an address. |
Use interface ID as host portion | | (ULA) Select to use the interface ID as the host portion of the IPv6 address. |
Anycast | | (ULA) Select to make the IPv6 address an Anycast address, which means multiple locations can advertise the same prefix, and IPv6 sends the Anycast traffic to the node it considers the nearest, based on routing protocol costs and other factors. |
Send Router Advertisement | | Select to send router advertisements (RAs) from the interface to the LAN hosts. |
On-Link | | Select if systems that have addresses within the prefix are reachable without a router. |
Autonomous | | Select if systems can independently create an IPv6 address by combining the advertised prefix with an Interface ID. |
Enable Duplication Address Detection | Aggregate Ethernet Interface > IPv6 > Address Resolution | Select to enable duplicate address detection (DAD), which then allows you to specify the number of DAD Attempts. |
DAD Attempts | | Specify the number of DAD attempts within the neighbor solicitation interval (NS Interval) before the attempt to identify neighbors fails (range is 1 to 10; default is 1). |
Reachable Time | | Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 1 to 36,000; default is 30). |
NS Interval (sec) | | Specify the length of time, in seconds, before a DAD attempt failure is indicated (range is 1 to 3,600; default is 1). |
Enable NDP Monitoring | | Select to enable Neighbor Discovery Protocol monitoring. When enabled, you can select the NDP ( |
Enable Router Advertisement | Aggregate Ethernet Interface > IPv6 > Router Advertisement | Select to provide Neighbor Discovery on IPv6 interfaces and configure the other fields in this section. IPv6 DNS clients that receive the router advertisement (RA) messages use this information. RA enables the firewall to act as a default gateway for IPv6 hosts that are not statically configured and to provide the host with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients. This is a global setting for the interface. If you want to set RA options for individual IP addresses, Add and configure an IPv6 address in the IP address table. If you set RA options for any IP address, you must Enable Router Advertisement for the interface. |
Min Interval (sec) | | Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3 to 1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values you configure. |
Max Interval (sec) | | Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4 to 1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values you configure. |
Hop Limit | | Specify the hop limit to apply to clients for outgoing packets (range is 1 to 255; default is 64). Enter 0 for no hop limit. |
Link MTU | | Specify the link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280 to 9,192; default is unspecified). |
Reachable Time (ms) | | Specify the reachable time, in milliseconds, that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for no reachable time value (range is 0 to 3,600,000; default is unspecified). |
Retrans Time (ms) | | Specify the retransmission timer that determines how long the client will wait, in milliseconds, before retransmitting neighbor solicitation messages. Select unspecified for no retransmission time (range is 0 to 4,294,967,295; default is unspecified). |
Router Lifetime (sec) | | Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0 to 9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway. |
Router Preference | | If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment. |
Managed Configuration | | Select to indicate to the client that addresses are available via DHCPv6. |
Other Configuration | | Select to indicate to the client that other address information (such as DNS-related settings) is available via DHCPv6. |
Consistency Check | Aggregate Ethernet Interface > IPv6 > Router Advertisement (cont.) | Select if you want the firewall to verify that RAs sent from other routers are advertising consistent information on the link. The firewall logs any inconsistencies in a system log; the type is ipv6nd. |
Include DNS information in Router Advertisement | Aggregate Ethernet Interface > IPv6 > DNS Support, Type = Static | Select for the firewall to send DNS information in NDP router advertisement (RA) messages from this IPv6 Aggregate Ethernet interface. The other DNS Support fields in this table are visible only after you select this option. (The DNS Support tab is available after you Enable Router Advertisement on the Router Advertisement tab.) |
Server | | Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 Aggregate Ethernet interface. RDNS servers send a series of DNS lookup requests to root DNS servers and authoritative DNS servers to ultimately provide an IP address to the DNS client. You can configure a maximum of eight RDNS Servers that the firewall sends (in the order listed from top to bottom) in an NDP router advertisement to the recipient, which then uses those addresses in the same order. Select a server and Move Up or Move Down to change the order of the servers, or Delete a server when you no longer need it. |
Lifetime | | Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use the RDNS Servers to resolve domain names (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200). |
Domain Search List | | Add and configure one or more domain names (suffixes) for the DNS search list (DNSSL). The maximum suffix length is 255 bytes. A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the DNS query. For example, if a DNS client tries to submit a DNS query for the name "quality" without a suffix, the router appends a period and the first DNS suffix from the DNS search list to the name and transmits the DNS query. If the first DNS suffix on the list is "company.com", the resulting DNS query from the router is for the fully qualified domain name "quality.company.com". If the DNS query fails, the router appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The router tries DNS suffixes until a DNS lookup is successful (ignoring the remaining suffixes) or until the router has tried all of the suffixes on the list. Configure the firewall with the suffixes you want to provide to the DNS client router in a Neighbor Discovery DNSSL option; the DNS client receiving the DNSSL option uses the suffixes in its unqualified DNS queries. You can configure a maximum of eight domain names (suffixes) for a DNS search list that the firewall sends (in the order listed from top to bottom) in an NDP router advertisement to the recipient, which uses them in the same order. Select a suffix and Move Up or Move Down to change the order of the suffixes, or Delete a suffix from the list when you no longer need it. |
Lifetime | Aggregate Ethernet Interface > IPv6 > DNS Support, Type = Static | Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS search list (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200). |
DNS Recursive Name Server | Aggregate Ethernet Interface > IPv6 > DNS Support, Type = DHCPv6 Client or Inherited | Enable and select: If you choose Manual, Add a recursive DNS (RDNS) Server address for the firewall to send in NDP router advertisements from this IPv6 Aggregate Ethernet interface. RDNS servers send a series of DNS lookup requests to root DNS servers and authoritative DNS servers to ultimately provide an IP address to the DNS client. You can configure a maximum of eight RDNS servers that the firewall sends (in the order listed from top to bottom) in an NDP router advertisement to the recipient, which then uses them in the same order. Select a server and Move Up or Move Down to change the order of the servers, or Delete a server from the list when you no longer need it. Enter a Lifetime (in seconds), which is the maximum length of time the client can use the specific RDNS server to resolve domain names. Range is 4 to 3,600; default is 1,200. |
Domain Search List | Aggregate Ethernet Interface > IPv6 > DNS Support, Type = DHCPv6 Client or Inherited | Enable and select: If you choose Manual, Add and configure one or more Domain names (suffixes) for the DNS search list (DNSSL). The maximum suffix length is 255 bytes. A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the DNS query. For example, if a DNS client tries to submit a DNS query for the name "quality" without a suffix, the router appends a period and the first DNS suffix from the DNS search list to the name and then transmits the DNS query. If the first DNS suffix on the list is "company.com", the resulting DNS query from the router is for the fully qualified domain name "quality.company.com". If the DNS query fails, the router appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The router tries DNS suffixes until a DNS lookup is successful (ignoring the remaining suffixes) or until the router has tried all of the suffixes on the list. Configure the firewall with the suffixes that you want to provide to the DNS client router in a Neighbor Discovery DNSSL option; the DNS client receiving the DNSSL option uses the suffixes in its unqualified DNS queries. You can configure a maximum of eight domain names (suffixes) for a DNS search list that the firewall sends (in the order listed from top to bottom) in an NDP router advertisement to the recipient, which uses them in the same order. Select a suffix and Move Up or Move Down to change the order, or Delete a suffix from the list when you no longer need it. Enter a Lifetime in seconds, which is the maximum length of time the client can use the specific Domain Search List. Range is 4 to 3,600; default is 1,200. |
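The member-interface rules above (mixed media allowed, interface type must match the group, LACP speed/duplex mismatches only warn and fall back to the higher speed and full duplex) and the LACP Port Priority row of the table (lowest numeric value wins when more members are assigned than Max Ports) can be checked before a commit. The following is an added example, not PAN-OS code or output: the `Member`/`AEGroup` data model, the use of 0 to mean an auto-negotiated speed, and the tie-break by interface name when two members share a port priority are assumptions of this example.

```python
"""Pre-commit sanity checks for an Aggregate Ethernet (AE) group, following
the rules this page states. Added example; the data model and the name
tie-break are assumptions, not PAN-OS internals."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Member:
    name: str                        # e.g. "ethernet1/1"
    media: str                       # "copper" or "fiber"; may differ within a group
    itype: str                       # interface type, e.g. "layer3"
    speed: int                       # Link Speed in Mbps; 0 means auto (assumption)
    duplex: str                      # Link Duplex: "full", "half" or "auto"
    lacp_port_priority: int = 32768  # range 1-65,535; lower value = higher priority


@dataclass
class AEGroup:
    name: str                        # e.g. "ae1"
    itype: str                       # type defined for the AE interface group
    lacp: bool                       # LACP enabled on the group?
    max_ports: int                   # LACP Max Ports (number of active members)
    members: List[Member] = field(default_factory=list)


def validate_group(group: AEGroup) -> Tuple[List[str], List[str], int, str]:
    """Return (errors, warnings, effective_speed, effective_duplex).

    Errors: a member whose interface type differs from the group's type, or an
    LACP port priority outside 1-65,535. Warnings: with LACP enabled, members
    whose Link Speed / Link Duplex differ; PAN-OS then defaults the group to the
    higher speed and full duplex, which is what the effective values report."""
    errors, warnings = [], []
    for m in group.members:
        if m.itype != group.itype:
            errors.append(f"{m.name}: type {m.itype} differs from group type {group.itype}")
        if not 1 <= m.lacp_port_priority <= 65535:
            errors.append(f"{m.name}: LACP port priority {m.lacp_port_priority} out of range")
    speeds = {m.speed for m in group.members}
    duplexes = {m.duplex for m in group.members}
    eff_speed = max(speeds, default=0)
    eff_duplex = next(iter(duplexes)) if len(duplexes) == 1 else "mixed"
    if group.lacp and (len(speeds) > 1 or len(duplexes) > 1):
        warnings.append(f"{group.name}: members disagree on link speed/duplex; "
                        f"defaulting to {eff_speed} Mbps full duplex")
        eff_duplex = "full"
    return errors, warnings, eff_speed, eff_duplex


def lacp_active_standby(group: AEGroup) -> Tuple[List[str], List[str]]:
    """Split members into active and standby lists. Port priority only matters
    with LACP enabled and more members than Max Ports: the lowest numeric
    priorities become active, the remainder go to standby."""
    names = [m.name for m in group.members]
    if not group.lacp or len(group.members) <= group.max_ports:
        return names, []
    ranked = sorted(group.members, key=lambda m: (m.lacp_port_priority, m.name))
    return ([m.name for m in ranked[:group.max_ports]],
            [m.name for m in ranked[group.max_ports:]])


def sample_group() -> AEGroup:
    """Constructed sample: four Layer 3 members with mixed media and speeds."""
    return AEGroup("ae1", "layer3", lacp=True, max_ports=2, members=[
        Member("ethernet1/1", "copper", "layer3", 1000, "full", 100),
        Member("ethernet1/2", "fiber", "layer3", 10000, "full"),
        Member("ethernet1/3", "copper", "layer3", 1000, "full", 50),
        Member("ethernet1/4", "fiber", "layer3", 10000, "full"),
    ])


if __name__ == "__main__":
    g = sample_group()
    errs, warns, spd, dpx = validate_group(g)
    print("errors:", errs)
    print("warnings:", warns)
    print("effective link:", spd, "Mbps", dpx)
    print("active / standby:", lacp_active_standby(g))
```

With the sample group, the only finding is the speed warning (1000 vs 10000 Mbps), the effective link is 10000 Mbps full duplex, and priorities 50 and 100 put ethernet1/3 and ethernet1/1 in the active set while the two default-priority members go to standby.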
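The Interface ID and Use interface ID as host portion rows describe a 64-bit identifier that either you enter or the firewall derives from the interface MAC address, and that then becomes the host half of a static IPv6 address. The following added example (not PAN-OS code) shows the modified EUI-64 derivation of RFC 4291 (insert FF:FE into the middle of the MAC and invert the universal/local bit) and the prefix-plus-identifier combination. The page does not state whether the firewall's own derivation inverts that bit, so that step is an assumption of this example; the MAC address used is constructed.

```python
"""Modified EUI-64 interface IDs and 'interface ID as host portion' addresses.
Added example; the U/L-bit inversion follows RFC 4291 and is assumed, not
confirmed by this page, to match the firewall's derivation."""
import ipaddress


def eui64_from_mac(mac: str) -> bytes:
    """Derive a 64-bit interface ID from a 48-bit MAC (RFC 4291 Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # insert FF:FE
    iid[0] ^= 0x02  # invert the universal/local bit of the first octet
    return bytes(iid)


def parse_interface_id(text: str) -> bytes:
    """Parse the colon-separated hexadecimal value of the Interface ID field
    (for example 00:26:08:FF:FE:DE:4E:29)."""
    iid = bytes.fromhex(text.replace(":", ""))
    if len(iid) != 8:
        raise ValueError("interface ID must be 64 bits")
    return iid


def format_interface_id(iid: bytes) -> str:
    """Render an interface ID in the field's colon-separated hex format."""
    return ":".join(f"{b:02X}" for b in iid)


def address_with_interface_id(address: str, iid: bytes) -> ipaddress.IPv6Address:
    """Keep the network part of the configured Address (e.g. 2001:400:f00::1/64)
    and replace the host part with the interface ID. A 64-bit ID only fits a
    /64 prefix, so any other prefix length is rejected."""
    net = ipaddress.IPv6Network(address, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"interface ID as host portion needs a /64, got /{net.prefixlen}")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


if __name__ == "__main__":
    derived = eui64_from_mac("00:26:08:DE:4E:29")      # constructed MAC
    manual = parse_interface_id("00:26:08:FF:FE:DE:4E:29")
    print("derived interface ID:", format_interface_id(derived))
    print("manual ID on 2001:400:f00::/64:",
          address_with_interface_id("2001:400:f00::1/64", manual))
    print("derived ID on 2001:400:f00::/64:",
          address_with_interface_id("2001:400:f00::1/64", derived))
```

Note that an identifier with FF:FE in the middle reveals the interface's MAC address in every packet it sends; that is the usual trade-off of EUI-64 addressing versus a manually chosen or randomized Interface ID.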
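The DNS Support rows describe both what the client does with the RDNS servers and DNS search list (DNSSL) it learns from an NDP router advertisement and the limits the firewall applies for Type = Static (at most eight servers and eight suffixes, 255-byte suffixes, and a Lifetime between Max Interval (sec) and twice that value). The following added example, not PAN-OS code, implements the suffix-appending behaviour the table describes and a checker for those limits. The sample zone, the `lookup` callback, and the rule that a name containing no dot counts as unqualified are assumptions of this example.

```python
"""DNSSL suffix search as described for the Domain Search List, plus the
stated limits for DNS Support, Type = Static. Added example; the zone data
is constructed and the 'no dot means unqualified' rule is an assumption."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

MAX_RDNS_SERVERS = 8      # page: maximum of eight RDNS servers
MAX_DNSSL_SUFFIXES = 8    # page: maximum of eight suffixes
MAX_SUFFIX_BYTES = 255    # page: maximum suffix length is 255 bytes

Lookup = Callable[[str], Optional[str]]


def resolve_with_search_list(name: str, search_list: List[str],
                             lookup: Lookup) -> Tuple[Optional[str], Optional[str], int]:
    """Append each DNSSL suffix in order to an unqualified name and stop at the
    first successful lookup. Returns (fqdn, answer, queries_sent), with
    (None, None, queries_sent) when every suffix has been tried."""
    name = name.rstrip(".")
    queries = 0
    if "." in name:  # assumption: a dotted name is queried as given
        queries += 1
        answer = lookup(name)
        return (name, answer, queries) if answer else (None, None, queries)
    for suffix in search_list:
        fqdn = f"{name}.{suffix.strip('.')}"
        queries += 1
        answer = lookup(fqdn)
        if answer:
            return fqdn, answer, queries
    return None, None, queries


def validate_static_dns_support(rdns_servers: List[str], suffixes: List[str],
                                rdns_lifetime: int, dnssl_lifetime: int,
                                max_interval: int) -> List[str]:
    """Check the limits stated for DNS Support, Type = Static. Each Lifetime
    must lie between Max Interval (sec) and twice Max Interval."""
    problems = []
    if len(rdns_servers) > MAX_RDNS_SERVERS:
        problems.append(f"{len(rdns_servers)} RDNS servers exceeds {MAX_RDNS_SERVERS}")
    for server in rdns_servers:
        try:
            ipaddress.IPv6Address(server)
        except ValueError:
            problems.append(f"RDNS server {server!r} is not an IPv6 address")
    if len(suffixes) > MAX_DNSSL_SUFFIXES:
        problems.append(f"{len(suffixes)} suffixes exceeds {MAX_DNSSL_SUFFIXES}")
    for suffix in suffixes:
        if len(suffix.encode("utf-8")) > MAX_SUFFIX_BYTES:
            problems.append(f"suffix {suffix[:20]!r}... exceeds {MAX_SUFFIX_BYTES} bytes")
    for label, lifetime in (("RDNS Lifetime", rdns_lifetime), ("DNSSL Lifetime", dnssl_lifetime)):
        if not max_interval <= lifetime <= 2 * max_interval:
            problems.append(f"{label} {lifetime} outside {max_interval}-{2 * max_interval}")
    return problems


# Constructed sample zone standing in for the RDNS servers' answers.
SAMPLE_ZONE: Dict[str, str] = {
    "quality.company.com": "2001:db8:1::10",
    "intranet.corp.example": "2001:db8:2::20",
}


def sample_lookup(fqdn: str) -> Optional[str]:
    """Answer from the constructed zone, or None on NXDOMAIN."""
    return SAMPLE_ZONE.get(fqdn)


if __name__ == "__main__":
    dnssl = ["company.com", "corp.example"]
    for short_name in ("quality", "intranet", "nothing"):
        print(short_name, "->", resolve_with_search_list(short_name, dnssl, sample_lookup))
    print(validate_static_dns_support(["2001:db8::53"], dnssl, 1200, 1200, 600))
```

Because the client walks the list in the advertised order, the first suffix is tried for every unqualified name, which is why the Move Up / Move Down ordering in the table matters; the default Lifetime of 1,200 seconds sits exactly at twice the default Max Interval of 600.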