Time to Live (TTL) for User-to-IP Mapping

22709
Created On 09/25/18 19:26 PM - Last Modified 06/13/23 02:44 AM


Resolution


The TTL (time to live) for user information provided to the Palo Alto Networks firewall by the user-identification agent or pan-agent is 1 hour (3600 seconds) by default. This setting is not configurable.

 

The Palo Alto Networks device queries the agent for user-to-IP mapping and assigns the resulting information a TTL of 3600 seconds. It then continues to query the agent every 5 seconds for changes to the mapping. If the user information is unchanged, the countdown continues; if a new user-to-IP mapping appears, the device assigns that mapping a new TTL.

 

If that TTL expires, the associated user is categorized as "unknown" and remains in that status until one of three things happens:

  1. The Palo Alto Networks device sees traffic for that IP. At that time, the device asks the agent for mapping information for that IP.
  2. One hour has passed, the user list has refreshed, and that IP now has a user.
  3. A user is provided for that IP during one of the 5-second queries from the Palo Alto Networks device to the agent.

 

Note: The Age-out Timeout on the User Identification Agent has nothing to do with the TTL on the firewall. The Age-out Timeout determines how long entries in the IP-to-username cache kept by the agent remain valid.

Current entries can be viewed from the main User Identification Agent screen under IP to Username Information. The Age-out Timeout is configurable; the default is 45 minutes.
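The two independent timers described above (the firewall's fixed 3600 s TTL and the agent's 45-minute Age-out Timeout), as an added simulation that is not Palo Alto Networks' code: the address, user name and timeline are constructed, and the polling logic models the behaviour the article describes rather than the firewall's implementation.

```python
from dataclasses import dataclass, field

FIREWALL_TTL = 3600     # firewall-side TTL on a learned mapping (seconds, not configurable)
AGENT_AGEOUT = 45 * 60  # agent-side Age-out Timeout, default 45 minutes (configurable)

@dataclass
class Agent:
    """User-ID agent's IP-to-username cache; entries stay valid for the Age-out Timeout."""
    cache: dict = field(default_factory=dict)  # ip -> (user, learned_at)
    def learn(self, ip, user, now):
        self.cache[ip] = (user, now)
    def lookup(self, ip, now):
        entry = self.cache.get(ip)
        return None if entry is None or now - entry[1] >= AGENT_AGEOUT else entry[0]

@dataclass
class Firewall:
    """Firewall user-to-IP table; each mapping carries its own 3600 s TTL."""
    agent: Agent
    table: dict = field(default_factory=dict)  # ip -> (user, expires_at)
    def _learn(self, ip, user, now):
        self.table[ip] = (user, now + FIREWALL_TTL)
    def poll(self, now):
        """5-second query: adopt new or changed mappings; an unchanged mapping keeps its countdown."""
        for ip in list(self.agent.cache):
            user, current = self.agent.lookup(ip, now), self.table.get(ip)
            if user and (current is None or current[0] != user or now >= current[1]):
                self._learn(ip, user, now)
    def user_for(self, ip, now):
        """Traffic seen for ip: answer from a live mapping, otherwise ask the agent (case 1)."""
        current = self.table.get(ip)
        if current is not None and now < current[1]:
            return current[0]
        user = self.agent.lookup(ip, now)
        if user is None:
            return "unknown"
        self._learn(ip, user, now)
        return user

def scenario():
    """Constructed timeline for a constructed address: alice logs on at t=0 and again at t=3700."""
    agent = Agent(); fw = Firewall(agent); ip = "10.0.0.5"
    agent.learn(ip, "alice", 0); fw.poll(0)
    seen = {"t=100": fw.user_for(ip, 100)}          # alice
    seen["t=3000"] = fw.user_for(ip, 3000)          # alice: agent cache aged out at 2700, firewall TTL has not
    seen["t=3600"] = fw.user_for(ip, 3600)          # unknown: TTL expired and the agent has nothing left to offer
    agent.learn(ip, "alice", 3700); fw.poll(3705)   # new logon event picked up by the next 5-second query (case 3)
    seen["t=3710"] = fw.user_for(ip, 3710)          # alice again, with a fresh 3600 s TTL
    seen["expires"] = fw.table[ip][1]               # 7305
    return seen

if __name__ == "__main__":
    print(scenario())
```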

 

owner: swhyte



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClYrCAK&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail