Single Passive Identity Agent Monitoring Multiple Domain Controllers

The following diagram shows a standalone passive identity agent that monitors several AD domain controllers.

Diagram: One standalone passive identity agent can be installed on the Active Directory domain and send user IP address information to the firewall manager.

In the preceding diagram, the standalone passive identity agent is installed on a client attached to the AD domain (or on the domain controller itself). Users log in to any domain controller, and the agent sends user and IP address information to the Cloud-delivered Firewall Management Center. As users access the network, the access control and identity policies deployed to the Secure Firewall Threat Defense determine whether access is allowed and, if so, how.

You can install a passive identity agent on the AD domain controller, directory server, or on any client connected to the domain you wish to monitor.