Step 3: Allow Panorama to use group mappings in security policies by configuring one or more next-generation on-premises or VM-series firewalls as a Master Device.
If you don't configure a Master Device with a Prisma Access User-ID deployment, use long-form distributed name (DN) entries instead.
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama- admin/configure-user-based-policies-with-prisma-access/configure-user-id-in-prisma-access.html

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV0CAK

It is a UDP connection on port 443. This would trigger unknown-udp. Incomplete is used in TCP connections only.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC

As it specifically states in the question that security rules will be applied, VWire is the only method that allows this without making any IP address changes.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/configure- interfaces/virtual-wire-interfaces

The remote device is a non-Palo Alto Networks firewall: When configuring a site-to-site VPN tunnel between a Palo Alto Networks firewall and a non-Palo Alto device, Proxy IDs may be required to define which IP ranges should be used for traffic between the two endpoints. Proxy IDs are used in scenarios where the non-Palo Alto firewall does not automatically detect and manage the traffic selectors, so the administrator must manually specify the traffic selectors using Proxy IDs.
Firewalls which support policy-based VPNs: In policy-based VPNs, the firewall uses specific policies to define the traffic selectors, and these must be explicitly defined in both devices for the VPN to be correctly established. Proxy IDs are used to define these traffic selectors, indicating which IP addresses and subnets should be encrypted over the VPN.