Yes I'm going to see if I can explore that next week, not easy as a few thousand people are on it! Other thing I was going to look at was the syslog collector available in v6 PANOS. We are deploying fresh on V6, so this may provide part of the answer, routing into and out of DA would need to go via the Palo, and yes it could do the v6 NAT. If the syslog works, I then don't need to to try and get a v6 enabled DC in the mix, not sure if my server team could take the headache! At the moment I'm only worried about web traffic via a simple proxy (Web filtering all done by Palo), so I will configure a v6 entry into dns for it, and get DA to route out via the Palo to the proxy. if syslogging works, probably don't need anything else to confirm the user-id. I wonder if it would compare that user-id to the groups used in AD though? I think that's the closest to an answer if DA can syslog me what I need!
... View more