Questions about using Duo deploy

Hi everyone

I have encountered some doubts about the way Duo runs authentication (I integrate with FTD). Duo has three methods Authentication Proxy, Duo Network Gateway, Duo Access Gateway, and I also know that Authentication Proxy uses RADIUS or LDAP for authentication. Duo does the second verification.
Duo Network Gateway means to install Duo’s connection tool on the host, you can use Duo Network Gateway use ssh connect to internal network
Duo Access Gateway can be verified through AD or online or Google G Suite accounts online verification service

I want to know what kind of environment these three types should be built in? All three are very similar. I can’t distinguish the pros and cons of each method. I hope I can mention it, thank all

Duo Authentication Proxy supports LDAP and RADIUS authentication.

Duo Access Gateway supports SAML 2.0 only.

So which one you choose depends on your use case. If you are looking to add 2FA to FTD VPN logins, then we recommend RADIUS with the Duo Authentication Proxy.

I saw that the new FTD 6.7 release supports SAML for VPN, so Duo Access Gateway or Duo Single Sign-on are also valid options. We do not yet have step-by-step instructions for FTD with SAML, but you could configure this using a Duo generic SAML application.

Duo Network Gateway is a like a reverse proxy for publishing internal web applications or SSH servers externally with 2FA added. It is not a good solution for adding 2FA to FTD RA VPN. It would be used instead of the RA VPN to provide SSH/HTTPS access to internal services without a VPN tunnel.