My FortiGate clusters do both NATting and session-based firewalling. I configure them via a pull request into git which is approved by a second person and applies the config automatically.

I assume that Palo Alto have similar APIs.

My routers don't do anything at layer 4; the FortiGates advertise default routes via BGP into the core switches, which route everything.

Now of course you need to make sure that your traffic going out of one firewall comes back via the same firewall; that's trivial to handle though, and is required for session-based firewalling.

Please don't tell me that "IPv6 is better" because you are still logging into network devices and making changes like it's 1999?