Allowlist (EDLs)
The Allowlist backend publishes the list of currently active IP address grants via the Knocknoc server API. Appliances or clients that can be configured to poll a URL can consume this list directly, with no Knocknoc agent deployed. Firewalls often call this an "External Dynamic List" (EDL) feature.
Devices supporting EDLs (+ many others)
- Palo Alto External Dynamic Lists (EDL)
- Fortinet External Connectors
- Juniper SRX, SonicWall
- F5 BigIP devices (IP intelligence)
- PfSense, many others
- Custom web applications, scripts, git-based automation, etc.
Overall process
- Configure the Knocknoc Server: set up a Passive Knoc.
- EDL Configuration: point the device's EDL at the URL published by the Knocknoc distribution server.
- Security Policy Rule: create a policy that references the dynamic address object, together with whatever other parameters suit your intended firewall policy.
Knoc configuration
Create a Knoc under Firewalls/Appliances. Select Passive. Note that no Agent is required for this configuration as the Server is publishing/hosting the Allowlist.
Set an API key name and define the IP allowlisting restrictions on where the key may be used from. By default the key can be used from the entire IPv4/IPv6 Internet, so remove those "entire Internet" rules and allow only the source address(es) your firewall or appliance polls from.
Copy the API key/token that is displayed and store it securely for future use; it cannot be recovered after it has been shown.
You now need the unique, random URI that is published per Knoc; this is the URL the consuming firewall or system polls. Copy the URL from the relevant Knoc. The URI for this Passive Allowlist/EDL is also shown when you click on the Knoc.
You can test the EDL, including authentication, with curl as below (the HTTP Basic-auth username and password are the API key name and token):
curl https://demo.knocknoc.io/api/v1/allowlists/XXX -u apikey:secrettoken
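The curl test above only shows that the endpoint answers. For the "custom scripts" integration case, the following is an added example (not Knocknoc's own code) of a minimal EDL consumer: it fetches the list over HTTPS with the API key as Basic-auth credentials, validates every entry before trusting it, and renders the result as an nftables set update. Two assumptions are not stated on this page: that the response body is one IP address or CIDR per line (the plain-text format Palo Alto-style EDLs expect), and that an entry broader than /24 (IPv4) or /64 (IPv6) is never a legitimate grant and should be rejected rather than applied. The sample response embedded below is constructed, not real Knocknoc output.

```python
"""Minimal Knocknoc EDL consumer (added example, not the project's own code).

Assumptions (not stated on the page):
- The allowlist body is plain text, one IP or CIDR per line; blank lines and
  '#' comments are ignored.
- HTTP Basic auth with the API key name as username and the token as password,
  matching the curl test on the page.
"""
import base64
import ipaddress
import ssl
import urllib.request

# Constructed sample response for offline use; not real Knocknoc output.
SAMPLE_EDL = """\
# constructed sample
203.0.113.7
203.0.113.7
198.51.100.0/24
2001:db8:abcd::/64
0.0.0.0/0
10.0.0.0/8
not-an-ip
224.0.0.1
"""


def parse_allowlist(text, min_prefix_v4=24, min_prefix_v6=64):
    """Validate the EDL body.

    Returns (accepted, rejected): accepted is a de-duplicated, sorted list of
    ipaddress network objects; rejected is a list of (line, reason) so the
    operator can alert on garbage instead of silently dropping it. An entry
    like 0.0.0.0/0 would open the firewall rule to everyone if a tampered or
    broken list were applied blindly, hence the prefix-length floor.
    """
    accepted, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((raw, "not an IP address or CIDR"))
            continue
        floor = min_prefix_v4 if net.version == 4 else min_prefix_v6
        if net.prefixlen < floor:
            rejected.append((raw, f"prefix /{net.prefixlen} broader than /{floor}"))
            continue
        if net.is_multicast or net.is_loopback or net.is_unspecified:
            rejected.append((raw, "cannot be a client source address"))
            continue
        accepted.add(net)
    ordered = sorted(accepted, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return ordered, rejected


def fetch_allowlist(url, key_name, token, timeout=10):
    """Fetch the EDL over HTTPS. Any failure raises, so the caller can keep the
    last-good list rather than applying an empty one."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send the API token over plaintext HTTP")
    cred = base64.b64encode(f"{key_name}:{token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {cred}"})
    ctx = ssl.create_default_context()  # verifies the server certificate chain
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8")


def render_nft(networks, table="inet filter"):
    """Render 'flush + add element' lines for two pre-existing nftables sets
    (create them once with 'flags interval' so CIDRs are accepted); apply with
    'nft -f'. IPv4 and IPv6 need separate sets in nftables."""
    v4 = [str(n) for n in networks if n.version == 4]
    v6 = [str(n) for n in networks if n.version == 6]
    lines = []
    for name, elems in (("knocknoc_allow_v4", v4), ("knocknoc_allow_v6", v6)):
        lines.append(f"flush set {table} {name}")
        if elems:
            lines.append(f"add element {table} {name} {{ {', '.join(elems)} }}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    accepted, rejected = parse_allowlist(SAMPLE_EDL)
    for line, reason in rejected:
        print(f"rejected {line!r}: {reason}")
    print(render_nft(accepted))
```

Run as-is it processes the constructed sample and prints the nft script; to poll a real Knoc, replace `SAMPLE_EDL` with `fetch_allowlist(url, key_name, token)` inside a try/except that leaves the existing sets untouched on error. The sample deliberately contains a duplicate, a 0.0.0.0/0 entry, an RFC 1918 /8, a non-address and a multicast address, so you can see each rejection path fire.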
Pros
- Any device that can poll for a list of IP addresses can integrate with Knocknoc; this suits unidirectional network environments or assets deep inside an organisation that an agent could not be deployed to.
- Does not require a Knocknoc agent to be installed.
- Provides an additional option for custom integrations.
Cons
- Polling is typically time-based rather than event-based, so a user may wait for access after logging in, for up to the poll interval supported by the infrastructure or appliance. The same interval also bounds how long a grant that has been removed from the list stays active on the device.
See below for how these lists can be incorporated into the external-list features of major vendors:
- Fortigate (Fortinet): Fortinet Knocknoc how-to or the Vendor documentation
- PAN-OS (Palo Alto): Palo Knocknoc how-to or the vendor documentation (Vendor 1, Vendor 2).
- PfSense: Vendor docs
- Sonicwall: Vendor docs
- Checkpoint: Vendor docs
Other platforms are supported; talk to us about our native/API integrations, which offer many benefits over the time-based polling approach.