There are two settings for source port allocation under Palo Alto Networks TS agent
System Source Port Allocation Range: Displays the port range for system processes that are not associated with individual users. Format is low-high (default 1025-5000).
Source Port Allocation Range: This range of ports will be allocated to the user sessions. This setting controls the source port allocation for processes belonging to remote users (default 20000-39999).
If a port allocation request comes from system services that cannot be identified as a particular user process, the TS agent lets the system allocate the source port from the system port range, excluding system reserved source ports.
Issue
If the user establishes a console connection to the server where the TS is installed or does an administrative login via RDP connection (with a " /admin" switch), that user will be always unknown.
What is happening/explanation
The /admin switch bypasses the Terminal Server software and just hits the built-in RDP functionality that comes with every install of server.
The switch will cause the RDP session to bypass the Terminal Services which are used to run administrative tasks on the TS and thus utilizes "System Source Port Allocation Range"
The Terminal Server maps the ip-address to the source port from the "Source Port Allocation Range" hence the domain user who logs in administratively will always remain unknown.