Nope, told it was not supported by Palo Alto and that it is a feature request. From my understanding, a bunch of people have voted for it. Feature request #1844 --- Avaya IP Phones and VPN with PAN. Have your SE vote for it, everyone!!
And yes.. correct.. the reason for deploying many UserID agents (i.e. locally installed at each remote site with a domain controller) is to reduce the network/bandwidth utilisation. Whilst in theory the concept of having 2 central agents monitoring 100 domain controllers seems like a good solution.. unfortunately it doesn't account for common Windows applications / Active Directory issues whereby sometimes users or computer accounts will begin authenticating 1000s of times (seemingly unnecessarily) in a matter of a few seconds due to either poorly written applications or general issues with the Windows operating system itself.. This excessive amount of successful authentication events, which then have to be dragged across the network by the centrally located UserID agent, can have a negative impact on the network if there is limited available bandwidth on the WAN links. Also, Palo Alto's UserID agent limitation that it can only monitor a maximum of 100 domain controllers each is a bit of a pain.. Given that we have over 130 domain controllers, it would require a minimum of 4 UserID agents centrally installed to monitor all domain controllers (with redundancy). So either dedicating 4 new servers to this purpose or deploying to 4 existing random servers seems messy when compared to being able to package up and just push out the agent to all existing domain controllers with an identical config file for each.