Palo Alto - UserID - Should you use External Agent or integrated agent?
User IDs are synced from Active Directory to allow us to create rules and policies referencing Active Directory objects on the PAN appliance.
Before, it was recommended to use the integrated agent; then it seemed like the recommendation moved to the external User-ID agent, but the integrated agent is still there.
Instead of WMI, we should move to WinRM HTTP/HTTPS and Kerberos, so what is the best method?
Our options include continuing with the integrated agent and using WinRM HTTP/HTTPS with Kerberos, or installing two User-ID agents, one in the primary and one in the DR datacenter, monitoring all the domain controllers.
What are your thoughts? I have been reading through all the guides; is there a best practice on this? (Question posed by Gogol13)
They are currently running PAN-OS 9.1.x.
Solution:
Roughly how many users? How big is the environment? Is there a single domain, since you are using integrated? Will maintaining a couple of "utility" servers to run the User-ID agents be a significant impact for your org?
For relatively large environments I have always used the software User-ID agent. I have only used the integrated agent with a few very small deployments.
The PAN integrated agent puts more load on the domain controllers. This is because the integrated agent's WMI calls force the domain controller to query the event logs and send the list of the (I think it is 5) event IDs required. This makes the DC do extra work!
The software-based agent can query the event logs itself! (solution by Rad10Kaos)
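To make concrete what "the event IDs required" means and what the agent pulls out of them, here is an added example (not part of the thread and not Palo Alto's code) that replays constructed Security-log events the way a User-ID agent would: it keeps only the monitored event IDs, drops computer accounts and events with no client IP, and builds the IP-to-user map. The event IDs, field names and sample events are assumptions for illustration; the scanned/used counters show how much of the log is filtered away, which is the work that lands on the DC when WMI does the filtering.

```python
import ipaddress

# Security-log event IDs a User-ID agent reads on a Windows Server 2008+ DC (assumed list):
# Kerberos ticket events (4768/4769/4770), logon (4624) and NTLM authentication (4776).
MONITORED_EVENTS = {4768, 4769, 4770, 4624, 4776}

# Constructed sample events (not real DC data), in the field shape a
# WMI/WinRM query of the Security log might return.
SAMPLE_EVENTS = [
    {"EventID": 4768, "Time": "2023-05-01T08:00:00", "User": "alice", "Domain": "CORP", "IP": "10.1.2.3"},
    {"EventID": 4624, "Time": "2023-05-01T08:00:05", "User": "WKS01$", "Domain": "CORP", "IP": "10.1.2.3"},
    {"EventID": 4769, "Time": "2023-05-01T08:05:00", "User": "bob@CORP.LOCAL", "Domain": "CORP.LOCAL", "IP": "::ffff:10.1.2.4"},
    {"EventID": 4672, "Time": "2023-05-01T08:05:01", "User": "bob", "Domain": "CORP", "IP": "10.1.2.9"},
    {"EventID": 4624, "Time": "2023-05-01T08:10:00", "User": "svc_backup", "Domain": "CORP", "IP": "-"},
    {"EventID": 4776, "Time": "2023-05-01T09:00:00", "User": "carol", "Domain": "CORP", "IP": "10.1.2.3"},
]

def normalize_ip(raw):
    """Plain IPv4/IPv6 string, or None when the event carries no usable client IP."""
    try:
        addr = ipaddress.ip_address(raw)   # "-" and "" raise ValueError
    except ValueError:
        return None
    # Dual-stack hosts log IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d).
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)

def normalize_user(name, domain):
    """'domain\\user' in lower case, or None for computer accounts (trailing $)."""
    if name.endswith("$"):
        return None
    if "@" in name:                        # Kerberos UPN form: user@REALM
        name, realm = name.split("@", 1)
        domain = realm.split(".")[0]
    return f"{domain.lower()}\\{name.lower()}"

def build_ip_user_map(events):
    """Replay events in log order; the newest qualifying event wins for each IP."""
    mapping, scanned, used = {}, 0, 0
    for ev in events:
        scanned += 1
        if ev["EventID"] not in MONITORED_EVENTS:   # this filter is the DC's work under WMI
            continue
        ip, user = normalize_ip(ev["IP"]), normalize_user(ev["User"], ev["Domain"])
        if ip is None or user is None:
            continue
        mapping[ip] = user
        used += 1
    return mapping, scanned, used
```

Running `build_ip_user_map(SAMPLE_EVENTS)` on the constructed events yields two usable mappings out of six log entries.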
Load on the Domain Controllers is a big issue:
Correct about the load on the DC. One of my clients moved from agents to integrated, as the agent process would sometimes stop and it was another thing to keep patched.
However, when they then increased domain controller logging verbosity a year later, the domain controller went from about 15% to 90%.
They liked the integrated approach, so they just put more CPU and RAM on the domain controllers to 'fix' the problem.
It was a relatively small deployment. (solution by TXRX_reboot)
We've only ever used the external agent (since v7.0.x) and we are currently on 9.1.x. We have redundant agents at each dc monitoring the domain controllers and Exchange servers. We've had minor issues here and there (mostly related to major version upgrades), but overall it works very well!