When the firewall detects non-authenticated traffic from an IP address, STAS puts the address in learning mode and sends a request to the collector for user information. While in learning mode, the firewall drops the traffic generated by the address.
If the collector doesn't respond while the address is in learning mode, STAS puts the address into unauthenticated status for one hour. After one hour, STAS tries to log on again by putting the address back into learning mode. While the address is in unauthenticated status, the firewall applies the rules for unauthenticated traffic.
Hosts not in the domain are not controlled by STAS and are considered unauthenticated by the firewall. Therefore, if the network contains any host that isn't part of the domain, create clientless users for these IP addresses. Doing so allows the firewall to treat the traffic from these IP addresses according to the associated clientless policies rather than dropping the traffic.
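The following Python model is an added illustration, not Sophos code. It replays the per-address behavior described above for a domain host, a non-domain host, and a non-domain host with a clientless user, so the recurring drop window for non-domain hosts is visible. Assumptions: the learning-mode timeout value, the collector answering before the next packet, and all names, IP addresses, and users are constructed for the example.

```python
from dataclasses import dataclass, field

UNAUTH_HOLD_S = 3600     # from the text: unauthenticated status lasts one hour
LEARNING_TIMEOUT_S = 5   # ASSUMPTION: wait for the collector; not stated on the page

@dataclass
class StasModel:
    collector: dict                                # ip -> user the collector knows (constructed)
    clientless: set = field(default_factory=set)   # IPs that have a clientless user
    state: dict = field(default_factory=dict)      # ip -> (status, since, user)

    def packet(self, ip, now):
        """Return the firewall decision for one packet from ip at time now (seconds)."""
        if ip in self.clientless:
            return "clientless-policy"             # never enters learning mode
        status, since, user = self.state.get(ip, ("new", now, None))
        if status == "learning":
            user = self.collector.get(ip)          # simplification: reply arrives before next packet
            if user:
                status = "authenticated"
            elif now - since >= LEARNING_TIMEOUT_S:
                # no response: unauthenticated status starts when learning timed out
                status, since = "unauthenticated", since + LEARNING_TIMEOUT_S
        if status == "unauthenticated" and now - since >= UNAUTH_HOLD_S:
            status = "new"                         # hour elapsed: try again
        if status == "new":
            status, since = "learning", now        # query sent, traffic dropped meanwhile
        self.state[ip] = (status, since, user)
        return {"learning": "drop",
                "unauthenticated": "unauthenticated-rules",
                "authenticated": f"user-rules:{user}"}[status]

def timeline(model, ip, times):
    """Decisions for packets from ip at each timestamp in times."""
    return [model.packet(ip, t) for t in times]

if __name__ == "__main__":
    model = StasModel(collector={"10.0.0.10": "alice"}, clientless={"10.0.0.60"})
    times = [0, 1, 3, 6, 1800, 3605, 3606, 3611]
    for ip in ("10.0.0.10", "10.0.0.50", "10.0.0.60"):
        print(ip, list(zip(times, timeline(model, ip, times))))
```

In the output, 10.0.0.50 (no domain logon, no clientless user) is dropped at the start of every hourly retry, while 10.0.0.60 is always handled by its clientless policy.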