Cloudflare IP lists
Knocknoc can orchestrate Cloudflare IP lists to provide dynamic IP network allowlisting inbound to Cloudflare, should you use this to protect web or other assets. These IP lists are managed at the Account level, allowing use across the Cloudflare filtering services in a network allowlisting model.
Note that Agent 26.1+ (or 25.12.4-beta1) is required.
Cloudflare configuration
Account-level IP allowlist
- Log in to Cloudflare
- Navigate to "Manage account" -> "Configurations" (bottom left menu)
- Navigate to "Configurations" then "Lists"

- Under "Custom Lists", click "Create list"
- Provide an Identifier. This will become the "list name" field required in your Knocknoc configuration, so make a note.
- Add a meaningful description

- Click Create
- If you have manual/static entries to add, do so now. These will not be affected by Knocknoc; Knocknoc and static entries can co-exist. Just be sure not to name your manual entries with a prefix of Knocknoc!
API access token
You now need to create an API token with Edit permissions to the Account IP list. This is tied to a user, so using a permanent or service-style account is ideal.
- Click on your profile image (top right)
- Navigate to API Tokens

- Click "Create Token"
- Choose "Custom Token"

- Provide a meaningful name
- Under "Permissions" choose "Account" then "Account Filter Lists" and add "Edit" permissions

- A summary similar to the below will be shown

- You will now be presented with the token, copy it for your Knocknoc configuration. It will only be shown once.

- Another summary will be shown along with the permissions. Cloudflare likes summaries, so do we.
Cloudflare account ID
- Final step! You need your Cloudflare Account ID.
- Visit the Dashboard, click the 3 dots and copy.
- You are now ready to create the Knocknoc integration.
Knoc configuration
Cloudflare "Active" orchestration
- Log in to Knocknoc as an Admin (/admin)
- Select Knoc, Create new
- Select Firewalls/Appliances
- Select "Active", then "Cloudflare"

- Provide the Account ID (copied from the Cloudflare dashboard, as above)
- Provide the API Key (created in Cloudflare, as above)
Validating
- Log in to Cloudflare and view the IP address list.
- Log in to Knocknoc as a linked user, note the Granted status.

- Refresh the Cloudflare IP list; the user's IP address will now be in this list, along with any manual/static entries.
- Note the Comment contains the logged-in user's username.
- Logging out and refreshing will remove the user's IP address (+ username) entry, leaving any static entries.
A note on user attribution
Cloudflare only supports one list entry per IP address.
Therefore, the first user (User1) to log in from a shared IP address will have their name logged against the entry in Cloudflare. Subsequent logins from the same source IP address (User2, User3, ...) will neither be added nor update the User1 username entry in Cloudflare. However, should User1 log out, access will be retained until User2 and User3 log out, should they share the same IP address. See LOOTOOL for more information on this behaviour.
Importantly, because Cloudflare doesn't support more than one entry per IP address, the usernames may not accurately reflect all user logins. The Knocknoc logs or your SIEM will therefore be required for access attribution linked to Cloudflare IP entries.
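The attribution gap described above can be reproduced by replaying login/logout events and comparing the list comment with the users who actually hold a grant from each IP. This is an added example, not Knocknoc code: the event tuple format, the function names and the sample events are constructed for illustration, and it assumes the comment stays as the first user's name until the entry is removed.

```python
# Constructed sample events (hypothetical format, not Knocknoc's real log schema):
# (timestamp, action, username, source IP)
EVENTS = [
    (1, "login", "user1", "203.0.113.10"),
    (2, "login", "user2", "203.0.113.10"),
    (3, "login", "user3", "198.51.100.7"),
    (4, "logout", "user1", "203.0.113.10"),
    (5, "logout", "user2", "203.0.113.10"),
]


def replay(events, until=None):
    """Replay events up to and including timestamp `until`.

    Returns (list_view, holders):
      list_view: ip -> comment as the IP list would show it (first user only)
      holders:   ip -> users with an active grant from that IP, in login order
    """
    list_view, holders = {}, {}
    for ts, action, user, ip in sorted(events):
        if until is not None and ts > until:
            break
        active = holders.setdefault(ip, [])
        if action == "login":
            if user not in active:
                active.append(user)
            # One entry per IP: only the first login creates it and sets the comment.
            list_view.setdefault(ip, user)
        elif action == "logout":
            if user in active:
                active.remove(user)
            # The entry is removed only when the last user on that IP logs out.
            if not active:
                list_view.pop(ip, None)
    return list_view, {ip: list(u) for ip, u in holders.items() if u}


def misattributed(events, until=None):
    """IPs whose list comment does not match the users actually granted access."""
    list_view, holders = replay(events, until)
    return {
        ip: {"comment": list_view[ip], "actual": users}
        for ip, users in holders.items()
        if users != [list_view[ip]]
    }
```

Feeding this the equivalent events from your Knocknoc logs or SIEM gives the real users behind an IP entry at a given time, including the case where the named user has already logged out.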





