i keep wishing paloalto let you assign zone based on attributes like the routing protocol the route for that traffic came from
but in absence of that i just made a shitload of tunnel interfaces and now there's far too many bgp peers
and now there's far too much load-bearing export policy
which would be fine if we had transit-specific vsys
but we don't have transit-specific vsys
because nobody should be batshit enough to use paloalto as a router
except us