Incomplete ARP Entries on Subinterface
Receiving incomplete ARP entries on a newly created Layer3 subinterface configured for specific VLAN tags. The traffic on the untagged physical interface works fine.
The switchport that the Palo Alto Networks firewall is connected to may not be configured as a trunk link, or the specified VLAN tags may not be allowed across the link.
Verify the port on the upstream device is configured for VLAN tagging and that the upstream device is allowing the specified VLAN tags across the link. Make sure the subinterface on the firewall has the corresponding VLAN tag specified appropriately.