The firewall and Panorama can use external servers to
control administrative access to the web interface and end user
access to services or applications through Captive Portal and GlobalProtect.
In this context, any authentication service that is not local to
the firewall or Panorama is considered external, regardless of whether
the service is internal (such as Kerberos) or external (such as
a SAML identity provider) relative to your network. The server types
that the firewall and Panorama can integrate with include
Multi-Factor
Authentication (MFA),
SAML,
Kerberos,
TACACS+,
RADIUS, and
LDAP.
Although you can also use the
Local
Authentication services that the firewall and Panorama support,
usually external services are preferable because they provide: