If you're setting up a VPN between AWS and a Palo Alto firewall appliance, you'll find conflicting information about whether you need to set up Proxy IDs on the PA.

The documentation says you don't need Proxy IDs.

But if, on the AWS side, you define your AWS-local subnets, then you must put those as Proxy IDs in your PA.

In your PA's system log you'll see errors like:

IKE protocol notification message received: PAYLOAD-MALFORMED (16).
IKE protocol notification message sent: ATTRIBUTES-NOT-SUPPORTED (13).
IKE protocol notification message received: INVALID-ID-INFORMATION (18).
IKE phase-2 negotiation is failed as initiator, quick mode. Failed SA: (your public IP here)[500]-(aws-IP)[500] message id:0x0566F689.
IKE phase-2 negotiation is failed as initiator, quick mode. Failed SA: (your public IP here)[500]-(aws-IP)[500] message id:0x2666A985.
IKE phase-2 negotiation is failed as initiator, quick mode. Failed SA: (your public IP here)[500]-(aws-IP)[500] message id:0x6F571AE1.

For instance, if your local network is 10.1.1.0/24 and your AWS subnet is 172.31.10.0/24, you must set your Proxy IDs to:

[Screenshot: Palo Alto Proxy IDs with local 10.1.1.0/24 and remote 172.31.10.0/24]
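An added Python check (my own code, not from the original post) that derives the Proxy IDs the PA needs from the subnets defined on the AWS side, compares them with what is configured (catching the common swapped local/remote pair), and recognises the log pattern above. It goes beyond the single-pair case: with several subnets on either side, each local/remote combination needs its own Proxy ID, since a PAN-OS Proxy ID is one local network paired with one remote network.

```python
# Added example, not from the original post. Sample subnets are constructed;
# the log lines are the ones quoted in the post.
from ipaddress import ip_network
from itertools import product


def expected_proxy_ids(local_subnets, aws_subnets):
    """(local, remote) pairs the PA must carry, seen from the PA's side.

    One Proxy ID per combination: N local x M AWS subnets -> N*M pairs.
    """
    local = sorted(ip_network(s) for s in local_subnets)
    remote = sorted(ip_network(s) for s in aws_subnets)
    return [(str(l), str(r)) for l, r in product(local, remote)]


def check_proxy_ids(configured, expected):
    """Compare configured (local, remote) pairs against the expected ones.

    missing - expected pairs not configured (phase 2 fails for them)
    swapped - configured pairs whose local/remote sides are reversed
    extra   - configured pairs the AWS side never defined
    """
    conf = {(str(ip_network(l)), str(ip_network(r))) for l, r in configured}
    exp = set(expected)
    swapped = {(l, r) for l, r in conf if (r, l) in exp and (l, r) not in exp}
    return {
        "missing": sorted(exp - conf),
        "swapped": sorted(swapped),
        "extra": sorted(conf - exp - swapped),
    }


def proxy_id_mismatch_suspected(log_lines):
    """Heuristic over PA system log lines: INVALID-ID-INFORMATION together
    with quick-mode (phase-2) failures as initiator points at a Proxy ID
    mismatch rather than a phase-1 (IKE) problem."""
    invalid_id = any("INVALID-ID-INFORMATION" in ln for ln in log_lines)
    qm_failures = sum(
        1 for ln in log_lines
        if "phase-2 negotiation is failed" in ln and "quick mode" in ln
    )
    return invalid_id and qm_failures > 0


SAMPLE_LOG = [
    "IKE protocol notification message received: INVALID-ID-INFORMATION (18).",
    "IKE phase-2 negotiation is failed as initiator, quick mode. Failed SA: "
    "(your public IP here)[500]-(aws-IP)[500] message id:0x0566F689.",
]
```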
