The interface name is predefined and you cannot change it. Enter a number after ae in the Interface Name.

Assign the interface to an aggregate group.

Select the interface speed in Mbps, or select auto to have the firewall automatically determine the speed.

Select the amount of allocated power in Watts if PoE is enabled.

The firewall only uses this field if you enabled Link Aggregation Control Protocol (LACP) for the aggregate group. If the number of interfaces you assign to the group exceeds the number of active interfaces (the Max Ports field), the firewall uses the LACP port priorities of the interfaces to determine which are in standby mode. The lower the numeric value, the higher the priority (range is 1-65,535; default is 32,768).

Select the virtual router to which you assign the Aggregate Ethernet interface.

Select to enable SD-WAN functionality for the interface.

(PA-220, PA-800, and PA-3200 series only) When you enable this option, the firewall forwards Bonjour multicast advertisements and queries received on and forwarded to this interface to all other L3 and AE interfaces and subinterfaces where you enable this option. This helps ensure user access and device discoverability in network environments that use segmentation to route traffic for security or administrative purposes. You can enable this option on up to 16 interfaces.

Select to enable IPv6 on this interface.

Add an IPv6 address and prefix length (for example, 2001:400:f00::1/64). Alternatively, select an existing IPv6 address object or create a new IPv6 address object.

Select to enable router advertisement (RA) for this IP address. (You must also enable the global Enable Router Advertisement option on the interface.) For details on RA, see Enable Router Advertisement in this table. The following fields apply only if you Enable Router Advertisement:

Select to allow the DHCPv6 Client to accept the RA from the DHCP server.

Enable the IPv6 Address received for this DHCPv6 Client.

Enable Prefix Delegation to allow the firewall to support prefix delegation functionality. This means that the interface accepts a prefix from the upstream DHCPv6 server and places the prefix into the Prefix Pool you select, from which the firewall delegates a prefix to a host via SLAAC. The ability to enable or disable prefix delegation for an interface allows the firewall to support multiple ISPs (one ISP per interface). Enabling prefix delegation on this interface controls which ISP provides the prefix. The delegated prefix received from the DHCP server cannot be used on the interface that requested it.

Add a pool by entering a pool Name. The name can be a maximum of 63 alphanumeric characters, hyphens, periods, and underscores.

(GUA) Select the assignment type:

Select to send router advertisements (RAs) from the interface to the LAN hosts.

Select if systems that have addresses within the prefix are reachable without a router.

Select if systems can independently create an IPv6 address by combining the advertised prefix with an Interface ID.

Select to enable duplicate address detection (DAD), which then allows you to specify the number of DAD Attempts.

Select to provide Neighbor Discovery on IPv6 interfaces and configure the other fields in this section. IPv6 DNS clients that receive the router advertisement (RA) messages use this information.

RA enables the firewall to act as a default gateway for IPv6 hosts that are not statically configured and to provide the host with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients.

This is a global setting for the interface. If you want to set RA options for individual IP addresses, Add and configure an IPv6 address in the IP address table. If you set RA options for any IP address, you must Enable Router Advertisement for the interface.

Select if you want the firewall to verify that RAs sent from other routers are advertising consistent information on the link. The firewall logs any inconsistencies in a system log; the type is ipv6nd.

Select for the firewall to send DNS information in NDP router advertisement (RA) messages from this IPv6 Aggregated Ethernet interface. The other DNS Support fields in this table are visible only after you select this option. (The DNS Support tab is available after you Enable Router Advertisement on the Router Advertisement tab.)

Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 Aggregated Ethernet interface. RDNS servers send a series of DNS lookup requests to root DNS servers and authoritative DNS servers to ultimately provide an IP address to the DNS client.

You can configure a maximum of eight RDNS Servers that the firewall sends—in the order listed from top to bottom—in an NDP router advertisement to the recipient, which then uses those addresses in the same order. Select a server and Move Up or Move Down to change the order of the servers or Delete a server when you no longer need it.

Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use the RDNS Servers to resolve domain names (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).

Add and configure one or more domain names (suffixes) for the DNS search list (DNSSL). The maximum suffix length is 255 bytes.

A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the DNS query. For example, if a DNS client tries to submit a DNS query for the name “quality” without a suffix, the router appends a period and the first DNS suffix from the DNS search list to the name and transmits the DNS query. If the first DNS suffix on the list is “company.com”, the resulting DNS query from the router is for the fully qualified domain name “quality.company.com”.

If the DNS query fails, the router appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The router tries DNS suffixes until a DNS lookup is successful (ignores the remaining suffixes) or until the router has tried all of suffixes on the list.

Configure the firewall with the suffixes you want to provide to the DNS client router in a Neighbor Discovery DNSSL option; the DNS client receiving the DNSSL option uses the suffixes in its unqualified DNS queries.

You can configure a maximum of eight domain names (suffixes) for a DNS search list that the firewall sends—in order listed from top to bottom—in an NDP router advertisement to the recipient, which uses them in the same order. Select a suffix and Move Up or Move Down to change the order of the suffixes or Delete a suffix from the list when you no longer need it.

Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS search list (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).

Enable and select:

If you choose Manual, Add a recursive DNS (RDNS) Server address for the firewall to send in NDP router advertisements from this IPv6 VLAN interface. RDNS servers send a series of DNS lookup requests to root DNS servers and authoritative DNS servers to ultimately provide an IP address to the DNS client.

You can configure a maximum of eight RDNS servers that the firewall sends— in the order listed from top to bottom—in an NDP router advertisement to the recipient, which then uses them in the same order. Select a server and Move Up or Move Down to change the order of the servers or Delete a server from the list when you no longer need it.

Enter a Lifetime (in seconds) which is the maximum length of time the client can use the specific RDNS server to resolve domain names. Range is 4 to 3,600; default is 1,200.