Starlink Failover: Fast Download Almost NO Upload Speed

Something I also forgot to add is you should check the global counters as well: How to check global counters for a specific source and destinat... - Knowledge Base - Palo Alto Netw...

I've done some further testing, and I understand the problem better now. I figured out that it's ONLY when the system is in failover mode that the issue appears. 

If I set a security policy for a test zone, to only allow outbound traffic through the Starlink WAN port, I get perfect upload and download speed.  This works:

However if a security policy is set to allow outbound traffic on both the Primary ISP and Starlink interfaces, then as soon as failover occurs, I get inbound traffic but no outbound traffic.  Moreover, as soon as failover occurs, even zones with security policies only allowing traffic on the Starlink interface, cease to upload any traffic.  This does not work upon failover:

Here is my router setup.

Is there anything you'd suggest?

I tried adjusting MTU size, no change. 

I tried a different cable, no change. 

I checked global counters, and do have one obvious error: "Packet's Dropped: No route for ip multicast"

Further research has revealed that if I connect a regular cellular LTE modem with an ethernet port (I used a Nightgear for testing) in place of the Starlink, using the same firewall interface port, and all the same settings untouched in the firewall, I get perfect upload and download speeds WHILE failed over!

So the issue with no upload while failed over on Starlink, is specific to running failed over on Starlink.  Recall that I can connect with an ethernet cable directly to the Starlink modem/router and get perfect upload speeds. 

Any ideas?

Do you see any drops are anything when checking the global counters? How to check global counters for a specific source and destinat... - Knowledge Base - Palo Alto Netw...

If not I would recommend next steps being opening up a TAC case. You're issue with adding and removing the Starlink zone from the security policy doesn't make much sense and if you are able to replicate/resolve the issue by adding and removing the zone from security rules either there are different SSL decryption rules/PFB rules/Security Profiles/Zone Protection profiles applied differently between the two zones or its possible you may be running into a bug of some kind.

In our environment at least we have various locations with Starlink as a failover and we have not noticed these issues, however our main WAN and Starlink WAN, while on different interfaces, we attach the same zone to each.

Yes I do see some drops.  See the screenshot:

Closed via RST could be a variety of things, could even just be a security policy not allowing it. Are you seeing all the traffic allowed through in the traffic/url/threat logs? Also is your Starlink WAN interface set to DHCP? And if so do you have that automatically install a default route or do you manually define the default route?

Yes that's the weird thing.  No traffic is showing up as not allowed in traffic/url/threat logs.  Besides if it were a security policy issue, why can I plug in an LTE modem/router to the very same NGFW port, changing nothing whatsoever, and have perfect upload and download speeds?

Starlink WAN interface is set to DHCP.

I allow it to automatically install a default route, I do not manually define that route.  Is that what you do?