This is the true answer, but a chunk of it, so go to the link that I posted under this clarification:

The following is an example of a scenario when a user may become "Unknown" to the Palo Alto Networks firewall:

A user logs in at Time0 (T0). The User-ID Agent sees the login in the AD security log and maps the IP to the user. The entry is sent to the firewall, and it also creates an entry with the same lifetime (MaxTimeout) as the UIDAgent.
30 minutes later (T0 + 30), the user sends data through the firewall. The user is still identified.
14 minutes later (T0 + 44), the user sends more data. The user still has an active mapping.
2 minutes later (T1 = T0 + 46), the mapping on the agent ages out, and the removal is communicated to the firewall. The mapping is deleted on the firewall.
58 minutes later (T1 + 58), the user sends more data. The cache on the firewall has expired, so it requests an IP mapping from the agent but receives "Unknown" user.

Note: This user will remain "Unknown" until:
the user logs back into the domain,
a positive security audit log is picked up by the UIDAgent, or
a WMI/NetBIOS probe positively identifies the user.

Note: If WMI probing is not used, then increase the user identification timeout to 600 minutes (either on the firewall or the User-ID Agent).

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWjCAK
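The ageing timeline in the post above, replayed as an added simulation (not code from the post, the KB article or Palo Alto Networks); it assumes that only a logon audit event or a positive probe creates or refreshes a mapping, that data traffic never refreshes it, that the firewall mirrors the agent's lifetime, and it uses a constructed IP and user name. It also shows the post's suggested 600-minute timeout keeping the user mapped.

```python
from dataclasses import dataclass, field

# Constructed simulation of the User-ID ageing behaviour described in the post.
# Assumptions modelled from the timeline (not stated as rules on the page):
# a mapping is created/refreshed only by a logon audit event or a positive
# probe; traffic does NOT refresh it; the firewall drops the entry once the
# agent reports the age-out.


@dataclass
class UserIdSim:
    timeout_min: int                                  # MaxTimeout in minutes
    mappings: dict = field(default_factory=dict)      # ip -> (user, expiry)

    def logon_event(self, t, ip, user):
        """AD security-log logon seen by the agent: create/refresh mapping."""
        self.mappings[ip] = (user, t + self.timeout_min)

    def probe(self, t, ip, user):
        """Positive WMI/NetBIOS probe: same effect as a fresh logon."""
        self.logon_event(t, ip, user)

    def lookup(self, t, ip):
        """User the firewall attributes to traffic from `ip` at minute `t`."""
        entry = self.mappings.get(ip)
        if entry is None:
            return "Unknown"
        user, expiry = entry
        if t >= expiry:            # agent aged out, removal pushed to firewall
            del self.mappings[ip]
            return "Unknown"
        return user                # identified, but traffic does not refresh


def replay(timeout_min):
    """Replay the post's timeline (constructed IP/user) with a given timeout."""
    sim = UserIdSim(timeout_min)
    ip, user = "10.0.0.5", "alice"
    sim.logon_event(0, ip, user)                  # T0: logon in AD security log
    t1 = 46                                       # T1 = T0 + 46 in the post
    seen = {
        "T0+30": sim.lookup(30, ip),
        "T0+44": sim.lookup(44, ip),
        "T1+58": sim.lookup(t1 + 58, ip),         # "Unknown" with a 46 min timeout
    }
    sim.probe(t1 + 60, ip, user)                  # probe positively identifies user
    seen["T1+61"] = sim.lookup(t1 + 61, ip)
    return seen


if __name__ == "__main__":
    print(replay(46))    # T1+58 -> Unknown, recovered after the probe
    print(replay(600))   # the post's suggested timeout keeps the user mapped
```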
This is incorrect. If you define internal host detection and you have no internal gateway defined, it will just look for that address to be available, and if it is, then it will not attempt to connect to an external gateway.