User-ID timeout values that are set on a per-user basis through the XML API are ignored by the Windows User-ID Agent. As a result, IP-user mappings remain visible in the User-ID Agent after the configured timeout has elapsed. The Palo Alto Networks firewall that retrieves the IP-user mapping from the agent does, however, honor the configured timeout values.
The following is an example entry of a User-ID timeout setting for the user test\test1:
The Windows User-ID Agent does not proactively time out entries; this is expected behavior. The agent records each entry's timestamp and timeout value. When the agent receives a get-all or query-ip request, it examines the entry and deletes it if the timeout has been exceeded.
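The following is an added example, not part of the original article and not Palo Alto Networks code. It does two things: it builds a User-ID XML API login entry that carries a per-user timeout (the element and attribute names follow the documented uid-message format, the user, IP address and timeout value are constructed sample data), and it models the agent-side behavior described above with a hypothetical `LazyExpiryAgent` class, where an entry past its timeout stays listed until a get-all or query-ip request is handled. The clock is injected so the expiry can be stepped deterministically.

```python
import time
import xml.etree.ElementTree as ET

# Added example (not from the KB article). Builds a User-ID XML API login entry
# carrying a per-user timeout, and simulates the agent-side table described in
# the article: entries carry a timestamp and timeout, and expiry is only
# evaluated when a get-all or query-ip request is handled.


def build_login_message(user: str, ip: str, timeout_minutes: int) -> str:
    """Return a uid-message update with one login entry.

    Element and attribute names follow the PAN-OS User-ID XML API
    (uid-message/payload/login/entry with name, ip and timeout in minutes);
    the user and IP passed in are constructed sample values.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")


class LazyExpiryAgent:
    """Hypothetical model of the Windows User-ID Agent mapping table.

    Nothing here runs a timer: an entry past its timeout stays in the
    table (and so stays "visible") until a get-all or query-ip request
    touches it, which is the behavior the article describes.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for deterministic stepping
        self._table = {}             # ip -> (user, added_at, timeout_seconds)

    def ingest(self, xml_text: str) -> None:
        """Parse a uid-message and record each login entry with its timeout."""
        root = ET.fromstring(xml_text)
        for entry in root.iterfind("./payload/login/entry"):
            timeout_s = int(entry.get("timeout")) * 60
            self._table[entry.get("ip")] = (entry.get("name"), self._clock(), timeout_s)

    def raw_entries(self):
        """What an operator sees in the agent without triggering expiry."""
        return {ip: user for ip, (user, _, _) in self._table.items()}

    def _expired(self, added_at, timeout_s) -> bool:
        return self._clock() - added_at >= timeout_s

    def query_ip(self, ip: str):
        """Handle a query-ip request: evaluate expiry for that one entry."""
        rec = self._table.get(ip)
        if rec is None:
            return None
        user, added_at, timeout_s = rec
        if self._expired(added_at, timeout_s):
            del self._table[ip]
            return None
        return user

    def get_all(self):
        """Handle a get-all request: expire every stale entry, return the rest."""
        for ip in list(self._table):
            self.query_ip(ip)
        return self.raw_entries()


def demo():
    """Walk through the article's scenario with a controllable clock."""
    now = [0.0]
    agent = LazyExpiryAgent(clock=lambda: now[0])
    # Constructed sample mapping: user test\test1 at 10.0.0.5, 10-minute timeout.
    agent.ingest(build_login_message("test\\test1", "10.0.0.5", timeout_minutes=10))
    before = agent.query_ip("10.0.0.5")                 # within timeout: mapping returned
    now[0] = 11 * 60                                    # advance past the 10-minute timeout
    still_visible = "10.0.0.5" in agent.raw_entries()   # no request yet, so still listed
    after = agent.query_ip("10.0.0.5")                  # the request triggers the expiry check
    gone = "10.0.0.5" in agent.raw_entries()
    return before, still_visible, after, gone


if __name__ == "__main__":
    print(demo())   # ('test\\test1', True, None, False)
```

Running `demo()` reproduces the symptom and the explanation together: the mapping is still listed once the timeout has passed because no request has touched it, and it disappears on the first query-ip. A firewall that polls the agent with get-all or query-ip therefore sees the timeout honored even though the agent's own display lags behind.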