So the users that are at the remote location, do they authenticate to a DC on the firewall site? If so, then is the firewall picking up these logon events from this local DC? Does this traffic then appear to be coming into the firewall from the local DC side or from the Untrust private MPLS side?

I think the key is to understand that packet flow and what is expected: what ISP/interfaces do you expect to receive and transmit on. As long as you have the correct mapping and are seeing traffic traverse the firewall (like a U-turn of some sort), the entries should be in the firewall traffic logs.

----DC----Trust----|PAN FW|/// ISP 2----------------Internet
                       |
                   MPLS ISP1

So far, if the remote users are coming in from ISP 1 and being routed to the DC on the trust side, is there a route saying that traffic must then exit out ISP 2? If so, perhaps the routing and zone security policies need some addressing.
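As an added illustration of the packet-flow question raised in the reply above (example code written for this page, not from the original poster or from Palo Alto Networks), the following Python model walks one flow through a zone-based firewall the way the post describes: a longest-prefix route lookup decides the egress interface, the interface-to-zone mapping decides the zone pair, and the security policy is matched on that pair. It also performs the return-path check the post is hinting at: whether a reply to the remote user would leave on the same interface the request arrived on, or be pushed out ISP 2 by the default route. The topology, interface names, zone names, subnets and rules are all constructed assumptions modelled on the sketch in the post.

```python
import ipaddress

# Constructed topology modelled on the post's sketch: DC on Trust, private MPLS
# from ISP1, Internet from ISP2. All names and addresses are assumptions.
INTERFACE_ZONE = {
    "ethernet1/1": "Trust",             # DC side
    "ethernet1/2": "Untrust-MPLS",      # ISP1 private MPLS to remote sites
    "ethernet1/3": "Untrust-Internet",  # ISP2 to the Internet
}

# Virtual-router style routing table: (prefix, egress interface).
ROUTES = [
    ("10.10.0.0/16", "ethernet1/1"),   # DC subnets
    ("10.200.0.0/16", "ethernet1/2"),  # remote-site subnets reachable over MPLS
    ("0.0.0.0/0", "ethernet1/3"),      # default route out ISP2
]

# Security policy: (rule name, from zone, to zone, action); first match wins,
# anything unmatched falls to the implicit interzone deny.
SECURITY_RULES = [
    ("remote-to-dc", "Untrust-MPLS", "Trust", "allow"),
    ("dc-to-internet", "Trust", "Untrust-Internet", "allow"),
]


def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match: the interface a packet to dst would leave on."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def match_rule(from_zone, to_zone, rules=SECURITY_RULES):
    """First security rule whose zone pair matches, else implicit deny."""
    for name, frm, to, action in rules:
        if frm == from_zone and to == to_zone:
            return name, action
    return None, "deny"


def evaluate_flow(src, dst, ingress_if, routes=ROUTES, rules=SECURITY_RULES):
    """Classify one direction of a flow as a zone-based firewall would log it.

    ingress_if is where the packet was actually seen. return_path_ok is True
    when the route back to src points at that same interface, i.e. the reply
    will not be U-turned out a different ISP.
    """
    out_if = egress_interface(dst, routes)
    from_zone = INTERFACE_ZONE[ingress_if]
    to_zone = INTERFACE_ZONE[out_if]
    rule, action = match_rule(from_zone, to_zone, rules)
    return {
        "ingress": ingress_if,
        "egress": out_if,
        "from_zone": from_zone,
        "to_zone": to_zone,
        "rule": rule,
        "action": action,
        "return_path_ok": egress_interface(src, routes) == ingress_if,
    }


if __name__ == "__main__":
    remote_user, dc_server = "10.200.5.20", "10.10.1.5"   # constructed sample hosts
    # Request from a remote user arriving over MPLS, headed for the DC.
    print(evaluate_flow(remote_user, dc_server, "ethernet1/2"))
    # Same request once the MPLS route is missing: the reply would follow the
    # default route out ISP2, so the return-path check fails.
    no_mpls = [r for r in ROUTES if r[1] != "ethernet1/2"]
    print(evaluate_flow(remote_user, dc_server, "ethernet1/2", no_mpls))
    print(evaluate_flow(dc_server, remote_user, "ethernet1/1", no_mpls))
```

With the full routing table the request is logged as Untrust-MPLS to Trust under `remote-to-dc`, and the reply routes back out the MPLS interface. Drop the MPLS route and the reply direction is computed as Trust to Untrust-Internet, which is exactly the "must then exit out ISP 2" situation the post asks about; on a real stateful firewall that shows up as a session whose egress interface or zone is not the one you expected, which is the first thing to look for in the traffic logs.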