
Allowlist

The Allowlist backend makes a list of active IP address grants available via the Knocknoc server API. This allows integration with appliances or clients that can be configured to poll a URL without the need for a Knocknoc agent.

Pros
  • Any device that can poll for a list of IP addresses can integrate with Knocknoc, a good solution for unidirectional network environments or assets deep in an organisation.
  • Does not require a Knocknoc agent to be deployed.
  • Provides an additional option for custom integrations.
Cons
  • Knocknoc cannot know if/when grants are applied on the target system, therefore less feedback is provided to users.
  • Polling is typically time-based, not event-based, so a user may wait for access after logging in, depending on the poll interval supported by the infrastructure or appliance.
  • Since Knocknoc only publishes the active allowlist, the client must implement revocation/deny.

Common Use Cases
  • Fortinet External Connectors
  • F5 BigIP devices (IP intelligence)
  • Custom web applications
Usage
  1. Log into your Knocknoc admin UI at /admin
  2. Click on API keys and add a key with scope allowlists.read
  3. Click on backends and add a backend of type "Allowlist"
  4. Click on ACLs and add an ACL and select your new allowlist backend
  5. Copy the provided URL. This is where your allowlist grants will be published. The URL has the format https://example.knoc.cloud/api/v1/allowlists/<aclId>/<token>.<format>
  6. When fetching the URL, use HTTP basic authentication with:
    1. username: apikey (or any string value)
    2. password: the API key secret
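The following is an added example of a minimal polling client, not Knocknoc's own code: it builds the basic-auth header (any username, API key secret as password), parses the fetched list, and works out which grants to apply and which to revoke between polls, since Knocknoc only publishes the active list. It assumes the published body is plain text with one IP address or CIDR per line; the page does not state the format, so adjust parse_allowlist() for yours.

```python
"""Polling client for a Knocknoc Allowlist backend URL (added example).

Assumption (not stated on the page): the fetched body is a plain-text
list, one IP address or CIDR per line, with '#' starting a comment.
"""
import base64
import ipaddress
import urllib.request

# Placeholder: replace <aclId>, <token> and the format suffix with the URL copied from the admin UI.
ALLOWLIST_URL = "https://example.knoc.cloud/api/v1/allowlists/<aclId>/<token>.txt"


def basic_auth_header(api_key_secret: str, username: str = "apikey") -> str:
    """HTTP Basic credentials as the page describes: any username, API key secret as password."""
    raw = f"{username}:{api_key_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def parse_allowlist(body: str) -> set:
    """Normalise each line to an ip_network; skip blanks and comments, reject malformed entries."""
    grants = set()
    for line in body.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        # ValueError on junk is deliberate: never apply a line we cannot parse.
        grants.add(ipaddress.ip_network(entry, strict=False))
    return grants


def diff_grants(previous: set, current: set) -> tuple:
    """Return (to_allow, to_revoke). Anything present last poll but absent now
    has expired or been revoked in Knocknoc, so the client must deny it itself."""
    return current - previous, previous - current


def fetch_allowlist(url: str, api_key_secret: str, timeout: float = 10.0) -> set:
    """Fetch the published list with basic auth and return the parsed grants."""
    req = urllib.request.Request(url, headers={"Authorization": basic_auth_header(api_key_secret)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_allowlist(resp.read().decode())


if __name__ == "__main__":
    # Constructed sample of two consecutive polls; no network access needed.
    first = parse_allowlist("203.0.113.5\n198.51.100.0/24\n")
    second = parse_allowlist("203.0.113.5\n192.0.2.10  # new grant\n")
    allow, revoke = diff_grants(first, second)
    print("allow:", sorted(map(str, allow)), "revoke:", sorted(map(str, revoke)))
```

Run the diff on every poll and push both sets to the firewall or appliance; a poll that fails (network error, non-200, parse error) should leave the last applied state unchanged rather than revoking everything.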

The Allowlist backend is available in Knocknoc v6.0.0.
