Sir , first of all thank you for your reply.
"" authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall""
sir , what would local mean , i am confused because of External services Local and external Services External.
The administrative accounts you define locally on the firewall serve as references to the accounts defined on an external Multi-Factor Authentication, SAML, Kerberos, TACACS+, RADIUS, or LDAP server. The external server performs authentication. You use the firewall to manage role assignments but access domains are not supported. For details, see Configure Local or External Authentication for Firewall Administrators.
The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and virtual systems that you define on the firewall. For details, see:
Configure SAML Authentication
Configure TACACS+ Authentication
Configure RADIUS Authentication