Aggregate Ethernet (AE) Interface Group
- Network > Interfaces > Ethernet
An AE interface group uses IEEE 802.1AX link aggregation to combine
multiple Ethernet interfaces into a single virtual interface that
connects the firewall to another network device or another firewall.
An AE interface group increases the bandwidth between peers by load
balancing traffic across the combined interfaces. It also provides
redundancy; when one interface fails, the remaining interfaces continue
to support traffic.
Before configuring an AE interface group, you must configure
its interfaces. Among the interfaces assigned to any particular
aggregate group, the hardware media can differ (for example, you
can mix fiber optic and copper), but the bandwidth (1Gbps, 10Gbps,
40Gbps, or 100Gbps) and interface type (HA3, virtual wire, Layer
2, or Layer 3) must be the same. You can add up to eight AE interface
groups per firewall and each group can have up to eight interfaces.
All Palo Alto Networks firewalls except the VM-Series models
support AE interface groups.
You can aggregate the HA3 (packet
forwarding) interfaces in a high availability (HA) active/active
configuration but only on the following firewall models:
- PA-220
- PA-800 Series
- PA-3200 Series
- PA-5200 Series
To configure an AE interface group, click Add Aggregate
Group, configure the settings described in the following
table, and then assign interfaces to the group (see Aggregate
Ethernet (AE) Interface).
Aggregate Interface Group Settings | Configured In | Description |
---|---|---|
Interface Name | Aggregate Ethernet Interface | The read-only Interface Name is set to ae. In the adjacent field, enter a numeric suffix (1 to 8) to identify the AE interface group. |
Comment | Aggregate Ethernet Interface | Enter an optional description for the interface. |
Interface Type | Aggregate Ethernet Interface | Select the interface type, which controls the remaining configuration requirements and options: |
Netflow Profile | Aggregate Ethernet Interface | If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the AE interface group. |
Enable LACP | Aggregate Ethernet Interface > LACP | Select if you want to enable Link Aggregation Control Protocol (LACP) for the AE interface group. LACP is disabled by default. If you enable LACP, interface failure detection is automatic at the physical and data link layers regardless of whether the firewall and its LACP peer are directly connected. (Without LACP, interface failure detection is automatic only at the physical layer between directly connected peers.) LACP also enables automatic failover to standby interfaces if you configure hot spares (see Max Ports). |
Mode | Aggregate Ethernet Interface > LACP | Select the LACP mode of the firewall. Between any two LACP peers, it is recommended that one is active and the other is passive. LACP cannot function if both peers are passive. |
Transmission Rate | Aggregate Ethernet Interface > LACP | Select the rate at which the firewall exchanges queries and responses with peer devices: |
Fast Failover | Aggregate Ethernet Interface > LACP | Select if, when an interface goes down, you want the firewall to fail over to an operational interface within one second. Otherwise, failover occurs at the standard IEEE 802.1AX-defined speed (at least three seconds). |
System Priority | Aggregate Ethernet Interface > LACP | The number that determines whether the firewall or its peer overrides the other with respect to port priorities (see the Max Ports field description below). The lower the number, the higher the priority (range is 1-65,535; default is 32,768). |
Max Ports | Aggregate Ethernet Interface > LACP | The number of interfaces (1-8) that can be active at any given time in an LACP aggregate group. The value cannot exceed the number of interfaces you assign to the group. If the number of assigned interfaces exceeds the number of active interfaces, the firewall uses the LACP port priorities of the interfaces to determine which are in standby mode. You set the LACP port priorities when configuring individual interfaces for the group (see Aggregate Ethernet (AE) Interface). |
Enable in HA Passive State | Aggregate Ethernet Interface > LACP | For firewalls deployed in a high availability (HA) active/passive configuration, select to allow the passive firewall to pre-negotiate LACP with its active peer before a failover occurs. Pre-negotiation speeds up failover because the passive firewall does not have to negotiate LACP before becoming active. |
Same System MAC Address for Active-Passive HA | Aggregate Ethernet Interface > LACP | This applies only to firewalls deployed in a high availability (HA) active/passive configuration; firewalls in an active/active configuration require unique MAC addresses. HA firewall peers have the same system priority value. However, in an active/passive deployment, the system ID for each can be the same or different, depending on whether you assign the same MAC address. When the LACP peers (also in HA mode) are virtualized (appearing to the network as a single device), using the same system MAC address for the firewalls minimizes latency during failover. When the LACP peers are not virtualized, using the unique MAC address of each firewall minimizes failover latency. LACP uses the MAC address to derive a system ID for each LACP peer. If the firewall pair and peer pair have identical system priority values, LACP uses the system ID values to determine which overrides the other with respect to port priorities. If both firewalls have the same MAC address, both will have the same system ID, which will be higher or lower than the system ID of the LACP peers. If the HA firewalls have unique MAC addresses, it is possible for one to have a higher system ID than the LACP peers while the other has a lower system ID. In the latter case, when failover occurs on the firewalls, port prioritization switches between the LACP peers and the firewall that becomes active. |
MAC Address | Aggregate Ethernet Interface > LACP | If you enabled Use Same System MAC Address, select a system-generated MAC address, or enter your own, for both firewalls in the active/passive high availability (HA) pair. You must verify the address is globally unique. |
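
The System Priority, Max Ports and Same System MAC Address rows above describe one decision procedure; the following Python is an added example (not Palo Alto Networks code) that models it and shows when an HA failover moves port-priority control to the other side. The MAC addresses, priorities and interface names are constructed, the virtualized peer pair is modeled as a single system ID, and treating a lower LACP port priority as preferred with ties broken by interface name is an assumption based on IEEE 802.1AX.

```python
from __future__ import annotations

# Constructed sample values: (system priority, system MAC). Not from a real device.
PEER = (32768, "02:00:00:00:00:50")    # virtualized LACP peer pair, one system ID
FW_A = (32768, "02:00:00:00:00:10")    # HA firewall A, unique MAC
FW_B = (32768, "02:00:00:00:00:90")    # HA firewall B, unique MAC
SHARED = (32768, "02:00:00:00:00:10")  # both firewalls using the same system MAC
PORTS = {"ethernet1/1": 100, "ethernet1/2": 200,
         "ethernet1/3": 100, "ethernet1/4": 32768}  # interface -> port priority


def system_id(priority: int, mac: str) -> tuple[int, int]:
    """System priority first, MAC address as the tiebreaker."""
    if not 1 <= priority <= 65535:
        raise ValueError("system priority must be 1-65535")
    return (priority, int(mac.replace(":", ""), 16))


def controller(firewall: tuple[int, str], peer: tuple[int, str]) -> str:
    """Side whose port priorities take precedence: the lower system ID wins."""
    return "firewall" if system_id(*firewall) < system_id(*peer) else "peer"


def failover_flips(fw_active, fw_passive, peer) -> bool:
    """True if control of port priorities changes sides after HA failover."""
    return controller(fw_active, peer) != controller(fw_passive, peer)


def select_active(ports: dict[str, int], max_ports: int) -> tuple[list, list]:
    """Split assigned interfaces into (active, standby) for a Max Ports value.

    Assumption: lower port priority number is preferred, ties break on name.
    """
    if not 1 <= max_ports <= 8 or max_ports > len(ports):
        raise ValueError("Max Ports must be 1-8 and not exceed assigned interfaces")
    ranked = sorted(ports, key=lambda name: (ports[name], name))
    return ranked[:max_ports], ranked[max_ports:]


if __name__ == "__main__":
    print("unique MACs, control flips on failover:", failover_flips(FW_A, FW_B, PEER))
    print("shared MAC, control flips on failover:", failover_flips(SHARED, SHARED, PEER))
    print("active/standby with Max Ports 3:", select_active(PORTS, 3))
```

With equal system priorities, the unique-MAC pair straddles the peer's system ID, so control changes sides on failover; the shared-MAC pair keeps it on the same side.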