You have to add the device admin user to the User-ID ignore list. This is expected behavior from Palo Alto; see below:

"The User-ID Agent (software or hardware) captures the logon user that is used to authenticate to the remote desktop window. Shown below is an explanation of the process in an example scenario:

User1 is logged onto the 10.10.10.10.
During authentication, a security log is generated on the Domain Controller.
The UI agent picks up the logs and the firewall creates the mapping of user1 ---> 10.10.10.10.
User user1 creates an RDP session to the 10.10.20.20.
The user authenticates with the user user_admin.
During authentication, a logon event is created for the user user_admin coming from the 10.10.10.10 IP address.
This event creates the mapping of user_admin ----> 10.10.10.10.
Since the firewall can hold only one mapping for one IP address, the user changes the mapping for the 10.10.10.10.
When the user disconnects from the remote session of 10.10.20.20, since the log-off events are not relayed to the User-ID process, the mapping user_admin ----> 10.10.10.10 stays valid on the firewall, so if there is a policy that is using the user1 as a reference, that policy will be missed."

https://live.paloaltonetworks.com/t5/Management-Articles/What-Login-Credentials-Does-Palo-Alto-Networks-User-ID-Agent-See/ta-p/58860
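A small model of the behaviour described in the post above, added here as an example and not taken from the post or from Palo Alto Networks. It replays the two logon events from the scenario into a one-user-per-IP table, with and without an ignore list; the class and function names are hypothetical, and the agent's real log parsing and mapping timeouts are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    user: str
    source_ip: str


# Constructed events reproducing the scenario in the post.
EVENTS = [
    LogonEvent("user1", "10.10.10.10"),       # user1 logs on to the workstation
    LogonEvent("user_admin", "10.10.10.10"),  # RDP authentication to 10.10.20.20
]


def build_mappings(events, ignore_users=()):
    """Replay logon events into an IP -> user table; the last event wins.

    Users in ignore_users never create or replace a mapping.
    """
    ignored = {u.lower() for u in ignore_users}
    table = {}
    for ev in events:
        if ev.user.lower() in ignored:
            continue
        table[ev.source_ip] = ev.user
    return table


def find_overwrites(events):
    """Return (ip, previous_user, new_user) for each mapping that was replaced.

    Accounts that appear as new_user are candidates to review for the ignore list.
    """
    table, replaced = {}, []
    for ev in events:
        previous = table.get(ev.source_ip)
        if previous is not None and previous.lower() != ev.user.lower():
            replaced.append((ev.source_ip, previous, ev.user))
        table[ev.source_ip] = ev.user
    return replaced


def policy_matches(table, source_ip, policy_user):
    """True if traffic from source_ip is attributed to policy_user."""
    return table.get(source_ip, "").lower() == policy_user.lower()
```

Without the ignore list the table ends with user_admin on 10.10.10.10, so a rule that references user1 no longer matches; with user_admin ignored, the user1 mapping survives the RDP logon.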