A site-to-site VPN tunnel from a SonicWall to a Palo Alto will not establish, or will only partially establish, due to mismatched VPN types. A packet capture done at the SonicWall on the Palo Alto's public IP will often show dropped packets due to "Octeon Decryption Failed Selector check" or similar. These drops may also be seen in the SonicWall logs.
Palo Alto's default VPN type is route-based. If the SonicWall is set up in site-to-site mode (policy-based), the tunnels won't establish properly.
Set the Palo Alto up in Proxy-ID mode. Palo Alto Networks firewalls do not support policy-based VPNs. Policy-based VPNs have specific security rules/policies or access lists (source addresses, destination addresses and ports) configured to permit the interesting traffic through IPSec tunnels. These rules are referenced during quick mode (IPSec phase 2) and are exchanged in the 1st or the 2nd message as the proxy-IDs. If the Palo Alto firewall is not configured with proxy-ID settings, the ikemgr daemon sets the proxy-ID to the default values of source ip: 0.0.0.0/0, destination ip: 0.0.0.0/0 and application: any, and these are exchanged with the peer during the 1st or the 2nd message of quick mode. A successful phase 2 negotiation requires not only that the security proposals match, but also that the proxy-IDs on the two peers be mirror images of each other.
So it is mandatory to configure the proxy-IDs whenever you establish a tunnel between a Palo Alto Networks firewall and a firewall configured for policy-based VPNs.
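
The mirror-image requirement described above can be checked before the tunnel is brought up. The following is an added example, not vendor code: the function names and the sample networks are constructed for illustration, and each device's selectors are assumed to be written as (local, remote) CIDR pairs from that device's own point of view.

```python
import ipaddress

# PAN-OS falls back to this proxy-ID when none is configured (per the text above).
DEFAULT_PROXY_ID = ("0.0.0.0/0", "0.0.0.0/0")

# Constructed sample: selectors on the policy-based SonicWall, as (local, remote).
SONICWALL_POLICIES = [("192.168.10.0/24", "10.1.0.0/16"),
                      ("192.168.20.0/24", "10.1.0.0/16")]

def norm(pair):
    """Turn a (local, remote) pair of CIDR strings into network objects."""
    local, remote = pair
    # strict=False accepts an address with host bits set and masks them off.
    return (ipaddress.ip_network(local, strict=False),
            ipaddress.ip_network(remote, strict=False))

def fmt(pairs):
    """Render network pairs back to strings for reporting."""
    return [(str(a), str(b)) for a, b in pairs]

def check_proxy_ids(sonicwall_policies, palo_proxy_ids):
    """Compare the policy-based peer's selectors with the Palo Alto proxy-IDs.

    An empty palo_proxy_ids list models the default 0.0.0.0/0 proxy-ID.
    Returns (missing, unmatched): proxy-IDs the Palo Alto still needs, and
    Palo Alto proxy-IDs that mirror no SonicWall policy.
    """
    offered = [norm(p) for p in (palo_proxy_ids or [DEFAULT_PROXY_ID])]
    # Mirror image: the SonicWall's remote network is the Palo Alto's local one.
    expected = [(remote, local)
                for local, remote in map(norm, sonicwall_policies)]
    missing = [p for p in expected if p not in offered]
    unmatched = [p for p in offered if p not in expected]
    return fmt(missing), fmt(unmatched)

if __name__ == "__main__":
    cases = [("no proxy-IDs configured", []),
             ("one proxy-ID configured", [("10.1.0.0/16", "192.168.10.0/24")])]
    for label, proxy_ids in cases:
        missing, unmatched = check_proxy_ids(SONICWALL_POLICIES, proxy_ids)
        print(f"{label}: missing={missing} unmatched={unmatched}")
```

With no proxy-IDs configured, every SonicWall policy is reported as missing and the default 0.0.0.0/0 pair is reported as unmatched, which is the selector mismatch behind the phase 2 failure.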