FortiOS, FortiProxy, Palo Alto, or SSL VPN

Protect your existing Fortigate or Palo investments from direct internet exposure by introducing Knocknoc.

This can be achieved in multiple ways through direct or indirect firewall orchestration , effectively adding network application whitelisting after a successful authorized user login to the network edge.

Shown below is the direct-orchestration model, where Knocknoc adds the trusted/authenticated IP address to the relevant policy on the Fortinet, exposing the VPN services to an IP address only after they have successfully authenticated.

Alternatively an agentless deployment can be established using the AllowList feature:

This can be combined in a passive-allowlist model along with an API call which updates the policies (causing a live poll), giving you the best of both worlds - low privilege API access along with a polled allowlist.

If you need to urgently reduce direct exposure of your Fortigate, Palo or other appliances, please talk to us.

Consider Your Use Case

SSH

FortiOS, FortiProxy, Palo Alto, or SSL VPN

Ivanti Connect Secure

Remote Desktop

Web applications

Video

VOIP

AWS Infrastructure

Azure Portal

Licensing Knocknoc

Server Installation

Agent Installation

Knocker - a cli utility for agents

Create Users

Create Groups

Admins

Settings

Local Authentication

LDAP

SAML

SAML Principles and Terms

SAML with EntraID (Azure AD)

SAML with OKTA

SAML with Gsuite as IDP

SAML with Jumpcloud

SAML for the Admin Interface

SAML with CyberArk

Knocknoc with ADFS

IPset (Linux Netfilter/IPTables)

HAProxy

IPsets with UFW

IPsets with Shorewall

Script Any Arbitrary Backend

AWS (EC2) Security Groups

Mikrotik RouterOS

Nginx

Apache Webserver

Fortigate Address Groups

Microsoft Entra

Allowlist

Juniper SRX with Allowlist

ACLs

Additional client IP addresses

Time for NTP

LDAP Troubleshooting tips

Knocknoc server behind HAProxy

HAProxy tips and tricks

FortiOS, FortiProxy, Palo Alto, or SSL VPN