at 2018, update from reaper
So I come out this setup. Yes, it is stupid but it work !
Basically, ethernet1/3 setup as Layer 3 with PPPoE
Select interface as Layer 3, virtual router and security zone
Go to IPV4 tab, check PPPoE then configure as request
Create VLAN profile , security zone I left it blank and interface type as L2
subinterface configure as TAG (VLAN ID), as Malaysia ISP unifi is using VLAN ID 500, at VLAN must select the previous create VLAN profile at ethernet1/4
p/s by missing VLAN profile at ethernet1/4 and ethernet1/5.500 the packet unable unable reach to modem (laptop as my testing environment)
My laptop receive PPPoE discovery broadcast packet with VLAN ID 500 tagged
Although is stupid setup but it work, LOL
alternative setup if with extra switch with VLAN feature
Summary, well Palo Alto is very common implementation via L3 sub-interface PPPoE, okay !