Hi Rosie. I have no direct solution for you. I am not a DBA or programmer of XML or anything of that ilk to be able to solve this, but I can provide what we did at my company, and it works fairly well. We moved from Juniper ScreenOS-based firewalls, which allow ARP table polling via SNMP, to Palo Alto firewalls, which do not. We decided to redeploy the Junipers in every VLAN/subinterface/zone and scripted a simple Expect script to log in to the Juniper via SSH and poll every IP in the subnets every 30 minutes, and set the ARP age to 90 minutes. Adding the Juniper to UDT, this provides us with all the ARP table info we need for the switchports. While less than ideal, it's a way around a device that can't do SNMP ARP table polling. You could probably get some very cheap older Cisco router and interface it on all your VLANs. Pick any simple device that provides this info via SNMP and you could make it work. I can provide the Expect script for anyone that needs it.
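The sweep-and-age workaround described in the post above, sketched as an added Python example (this is not the poster's Expect script, which is not on the page). It expands the monitored subnets into host addresses, checks that the ARP age is longer than the poll interval (otherwise entries for quiet hosts expire between sweeps and the table UDT reads has gaps), and issues one ping per host through a caller-supplied `run_cmd` callback. The `ping {ip}` command string and the `run_cmd` SSH wrapper are assumptions; the offline `fake_run_cmd` below is a constructed stand-in so the example runs without a firewall.

```python
"""Drive a periodic ARP-populating sweep of firewall subnets.

Added example, not the poster's script. Assumes the firewall CLI accepts a
plain "ping <ip>" command (assumption) and that the caller provides run_cmd(),
e.g. a thin wrapper around an interactive SSH session.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List


def host_addresses(subnets: Iterable[str]) -> List[str]:
    """Expand CIDR strings into usable host IPs (network/broadcast skipped)."""
    hosts: List[str] = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        hosts.extend(str(h) for h in net.hosts())
    return hosts


def check_timing(poll_interval_min: int, arp_age_min: int) -> int:
    """Return the slack (minutes) between one sweep and ARP expiry.

    The ARP age must exceed the poll interval; with 30/90 as in the post the
    table survives two missed sweeps before an entry can disappear.
    """
    slack = arp_age_min - poll_interval_min
    if slack <= 0:
        raise ValueError(
            f"ARP age {arp_age_min} min must exceed poll interval "
            f"{poll_interval_min} min, or entries expire between sweeps"
        )
    return slack


def sweep(subnets: Iterable[str], run_cmd: Callable[[str], str],
          ping_cmd: str = "ping {ip}") -> Dict[str, str]:
    """Ping every host once via run_cmd; returns {ip: raw CLI output}."""
    results: Dict[str, str] = {}
    for ip in host_addresses(subnets):
        # Each ping forces the firewall to resolve the MAC, refreshing its
        # ARP entry so the next SNMP/UDT read sees the host on its port.
        results[ip] = run_cmd(ping_cmd.format(ip=ip))
    return results


def fake_run_cmd(cmd: str) -> str:
    """Constructed offline stand-in for an SSH command runner."""
    return f"[constructed] executed: {cmd}"


if __name__ == "__main__":
    check_timing(poll_interval_min=30, arp_age_min=90)
    out = sweep(["192.0.2.0/29"], fake_run_cmd)   # documentation prefix
    for ip, reply in out.items():
        print(ip, "->", reply)
```

In production `run_cmd` would send the command over the existing SSH session and return the CLI reply; scheduling the `sweep()` call every 30 minutes is left to cron or the Expect loop.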
Rosie, dusk2dusk had a great idea; I can only offer a small modification to it, since we don't know what firewalls you're using.
I've operated several different brands of firewalls, and so far have been able to write firewall rules to allow the traffic you're seeking.
If you're also the firewall admin, or if you can work with that team, see if rules can be written to allow what you need.
That single pane of glass may actually be a pain, but I think that if you can share the brand or model of firewall that's being your nemesis, chances are good someone in this forum can help figure out the answer.
Rosie, when you decide to test I would also be interested in your results.