Hello jskang, The Timeout value is officially defined as " Timeout after which the IP/User Mappings are cleared." in this document: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/user-id-log-fields With that in mind, what should be happening is that your users authenticate to GP or any other source (AD, captive-portal, etc.) and authenticate at that time and this user-id log entry shows a Timeout value. However, due to the logs attempting to show everything related to user-id, you'll also see any refresh times or secondary authentication attempts, etc. but these will NOT have their own Timeout value, only refresh the original Timeout for the actual mapping. In the case of active-directory mappings, you'll also see the original mapping and then a few times where the Source Name shows up as "probing", and this also has a Timeout of 0, but that's because it also is refreshing the original mapping and doesn't have a timeout of its own Basically what you're seeing is the user-id log mapping every bit of information it gets because that's its job, not because that was a genuine mapping at that time. It likely was assisting the original mapping, but how could you troubleshoot the refreshes/probings if you don't see them on the user-id log?
... View more