Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating an administrator account on the local firewall? (Choose three.)
The Palo Alto Networks NGFW can use external authentication services to authenticate administrators without creating local administrator accounts on the firewall. TACACS+ can be used for centralized authentication and authorization. SAML is employed for single sign-on (SSO) capabilities that allow users to authenticate once and gain access to multiple systems. RADIUS provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use network services. While LDAP and Kerberos can be used for different types of authentication, they are not specifically mentioned in the context of authenticating admins directly into the Palo Alto Networks NGFW without local admin accounts.
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication#:~:text=The%20administrative%20accounts%20are%20defined%20on%20an%20external%20SAML%2C%20TACACS%2B%2C%20or%20RADIUS%20server.%20The%20server%20performs%20both%20authentication%20and%20authorization.
See bottom of page: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication#:~:text=The%20administrative%20accounts%20are%20defined,attributes%20on%20the%20SAML%20server.
ACD seems like the 3, LDAP would require local accounts.
LDAP is not an authentication method. It's only a user-id agent.
not correct
I see options A, C, D, but I wonder why not Kerberos
A, C, D correct
ACD is correct
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication
Not sure