Unauthenticated traffic
When the firewall detects non-authenticated traffic from an IP address, STAS puts the address in learning mode and requests user information from the collector. While in learning mode, the firewall drops the traffic generated by the address.
When there's no response from the collector while in learning mode, STAS puts the address into unauthenticated status for one hour. After one hour, it'll try to log on again by going into learning mode. While in unauthenticated status, the firewall applies rules for unauthenticated traffic.
Hosts not in the domain aren't controlled by STAS and are considered unauthenticated by the firewall. Therefore, if the network contains any host that isn't a part of the domain, create clientless users for these IP addresses. Doing so allows the firewall to treat the traffic from these IP addresses according to the associated clientless policies rather than dropping the traffic.