Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=authentication-STAS-unauthenticated-traffic

Unauthenticated traffic

When the firewall detects unauthenticated traffic from an IP address, STAS assigns the IP address in learning mode and sends a request to the collector for user information. While in learning mode, the firewall drops the traffic generated by the IP address.

The default learning mode duration is 120 seconds.

When the collector doesn't respond while in learning mode, STAS assigns the IP address into unauthenticated status for one hour. It will try to log on again after one hour by going into learning mode. While in unauthenticated status, the firewall applies rules for unauthenticated traffic.

Hosts outside the domain aren't controlled by STAS and are considered unauthenticated by the firewall. Therefore, if the network contains any hosts outside the domain, create clientless users for these IP addresses. Doing so allows the firewall to treat the traffic from these IPs according to the associated clientless policies rather than dropping it.