Palo Alto

Active, Passive+ or Passive?

Knocknoc integrates with Palo Alto firewalls and the Panorama management system to dynamically grant and revoke network access based on authenticated user sessions. Knocknoc updates existing in-policy lists rather than changing policies overall, making dynamic access change-safe, least-privilege and securely implemented.

There are three integration modes:

• Active - Near-instant access control for Palo Alto/Panorama, no commit required (recommended)
• Passive+ - Firewalls poll a securely-hosted External Dynamic List (EDL), with an active refresh signal sent to Panorama/Palo Alto to reduce access latency from ~5 minutes to ~2 seconds
• Passive - Firewalls poll an EDL every 5 minutes. No agent required, good for data-diode environments.

	Active (Recommended)	Passive+ (Simpler environments)	Passive (Data-diode)
Speed	Near-instant	~2s (large EDL sets slow)	~5 minutes
Mechanism	Active API	EDL refresh signal	EDL polling (no agent)
Commit required	No	No	No
Auto timeout	In-firewall	Agent orchestrated	Polling period
Agent required	Yes	Yes	No
Panorama support	Yes	Yes	Yes

Active Mode

Active mode provides real-time access control by communicating directly with the Palo Alto firewall or Panorama, via the Server Orchestration Agent. No user/client installation is required. When a user authenticates and is granted access, their IP is added immediately; when the grant expires or is revoked, the IP is removed. No commit is required.

Prerequisites on the Firewall

Before configuring Knocknoc, you need to set up the following on your Palo Alto firewall or Panorama.

1. Enable User-ID on Zones

1. Navigate to Network > Zones
2. Edit the zone where you want to enforce access control
3. Check Enable User Identification
4. Commit the change

2. Create an Address Group

1. Navigate to Objects > Address Groups
2. Click Add to create a new address group
3. Set Type to Dynamic
4. In the Match field, enter your tag name enclosed in single quotes (e.g., 'knocknoc-ssh')
5. Click OK and commit

When using Panorama, create the address group in the appropriate Device Group and push to managed firewalls.

3. Create a Security Policy Rule

1. Navigate to Policies > Security
2. Create or edit a rule that should grant access to tagged IPs
3. In the Source section, add the address group you created
4. Configure the destination, application, and action as needed
5. Commit and push (if using Panorama)

4. Create an API profile and API user

Required Permissions

The API User role for the API key must have:

• User-ID Agent

Create a user for the API key:

Panorama:

Palo Alto:

5. Generate an API Key (via Orchestration Agent)

Run the following command on an Orchestration Agent to generate an API key:

/opt/knocknoc-agent/knocker/knocker enable panos

This returns a base64-encoded API key.

Knocknoc Configuration

1. When creating a new Knoc Application, select Active as the Application Type
2. Select Palo Alto as the vendor
3. Configure the backend settings:
   • I am using Panorama - Check if connecting through Panorama
   • Firewall Hostname (or Panorama Hostname) - The management URL (e.g., https://192.168.1.1)
   • Skip TLS verification - Check if using a self-signed certificate
   • API Key - The API key generated above
   • Tag Name - The tag to register IPs with (must match your address group exactly, e.g., knocknoc-ssh)
   • VSys - The virtual system (e.g., vsys1)
   • Device Group - The Panorama device group (if using Panorama)
   • Serial Numbers - Firewall serial numbers for Panorama deployments (see below)
   • Map User - Optionally map the authenticated user identity to the IP via User-ID

Panorama with Serial Numbers

When managing firewalls through Panorama, tag registration commands are sent through Panorama to each specified firewall:

1. Check I am using Panorama
2. Set the Panorama Hostname to the Panorama management URL
3. Configure the VSys for the target firewall
4. Add one or more Serial Numbers for the managed firewalls you want to target
5. The agent will send tag registration commands through Panorama to each specified firewall

Timeout

Active mode supports native timeouts on the PAN-OS firewall, which ensures IPs are removed even if Knocknoc Agent loses connectivity for an extended period of time.

• When a grant is created, the IP is tagged with a timeout (in seconds) matching the grant's expiry
• When a grant is extended, the tag timeout is updated automatically
• When the timeout expires, the IP is removed from the address group
• If the grant is explicitly revoked (eg: user logout, Knocknoc session timeout), access is removed immediately

Multiple users from the same IP: When multiple users connect from the same source IP, the tag timeout is set to the longest expiry across all active grants. The tag is only removed when the last grant for that IP expires or is revoked.

Verifying & Testing

1. Create a Knoc Application with Active mode
2. Assign it to an agent connected to your Palo Alto firewall
3. Grant access to a test user (login, or create a manual-grant/break-glass entry as an Admin)
4. Verify the IP appears in the GUI (or CLI show object registered-ip all) with your tag name
5. Verify the IP appears in the address group membership
6. Log the user out revoking the grant, and verify the IP is removed

Active Checklist

• User-ID enabled on the relevant zone(s)
• Address group created with correct tag match criteria (single quotes around the tag name)
• Security policy references the address group
• API key has User-ID Agent permissions
• Tag name in Knocknoc matches the address group match criteria exactly (case-sensitive)
• Serial numbers configured (if using Panorama)
• Commit and push completed (if using Panorama)

High-availability Failover

For direct-to-firewall deployments with a high-availability (HA) pair, you can configure automatic failover.

Configuration

In the Knoc Application settings, expand the HA Failover section:

1. Secondary Firewall URL - The management URL of the secondary firewall
2. Secondary API Key - API key for the secondary firewall
3. Skip TLS verification - Check if the secondary uses a self-signed certificate

How It Works

Before each operation (grant, revoke, or extend), the agent:

1. Checks the primary firewall's HA state via the operational API
2. If the primary is active - sends the command to the primary
3. If the primary is passive or unreachable - automatically falls back to the secondary
4. If both firewalls are unreachable or both are passive - reports an error

Note: HA failover is for direct-to-firewall deployments only. When using Panorama with serial numbers, Panorama manages device failover itself - do not configure HA failover in this case.

Passive+ Mode

Passive+ mode combines EDL polling with an active refresh signal. Firewalls retrieve IP address lists from a Knocknoc-hosted EDL, and the orchestration agent triggers EDL refreshes dynamically - reducing the effective latency from ~5 minutes to 0–2 seconds.

Prefer video?

End to end walk through of Panorama and Palo Alto integration for Passive+

Knocknoc Configuration

1. When creating a new Knoc Application, select Passive+ as the Application Type
2. Select Palo Alto as the vendor
3. Configure the backend settings:
   • I am using Panorama - Check if connecting through Panorama
   • Firewall Hostname (or Panorama Hostname) - The management URL
   • API Key - API key for the orchestration agent
   • EDL Name - The name of the External Dynamic List on the firewall
   • VSys - The virtual system (e.g., vsys1)
   • Map User - Optionally map the authenticated user identity via User-ID
   • Serial Numbers - Firewall serial numbers (if using Panorama)

API Key Generation

Run the following command on the orchestration agent to generate the API key:

/opt/knocknoc-agent/knocker/knocker enable panos

This returns a base64-encoded API key.

Required Permissions

The admin role for the API key must have:

• Operational Requests (for EDL refresh)

• User-ID Agent (optional, only if User-ID mapping is enabled)

Create an administrator for the API key:

Panorama:

Palo Alto:

EDL Secret Configuration

1. Create authentication credentials for firewall EDL retrieval in the Knocknoc admin portal
2. Configure IP allowlisting to restrict which source addresses can retrieve the EDL
3. Do not permit access from the entire Internet - restrict to your firewall management IPs

Firewall Configuration - External Dynamic List

1. Navigate to Objects > External Dynamic Lists

2. Click Add to create a new list
3. Configure:
   • Name - A descriptive name (e.g., FirewallManagers, SSH)
   • Type - IP List
   • Source - The Knocknoc EDL URL (use Basic Auth format)

4. If strict TLS validation is required, apply a Certificate Profile
5. Click OK, then Commit (and push if using Panorama)

Security Policy

Reference the External Dynamic List in your security policy rules as a source address, enabling access control based on authenticated user sessions.

Testing

Assign users or groups to the Knoc Application:

Status Indicators

• Published - IP address has been sent to the EDL, awaiting firewall consumption
• Read - Firewall has retrieved and accepted the entry

Verify on the Palo Alto device that IP changes are visible:

Passive+ Tuning

If you experience timing issues with EDL refreshes, the agent supports retry configuration:

PanosRetry = 16
PanosWait = 2

• PanosRetry - Number of retry attempts for EDL refresh
• PanosWait - Delay in seconds between retries

Passive+ Checklist

• Knoc Application configured with correct EDL name
• API key generated and has Operational Requests permission
• EDL created on firewall with correct source URL and credentials
• Security policy references the EDL
• EDL secret configured with IP allowlisting
• Commit and push completed (if using Panorama)

Passive Mode

Passive mode is the simplest integration - firewalls poll an EDL hosted by Knocknoc at their standard refresh interval (~5 minutes). No orchestration agent, API key, or active refresh signal is required.

Configuration

1. When creating a new Knoc Application, select Passive as the Application Type
2. Select Palo Alto as the vendor
3. Configure the EDL name and credentials

Firewall Configuration

Follow the same External Dynamic List setup as Passive+ mode above, but without the orchestration agent or API key configuration.

Passive Checklist

• Knoc Application configured with correct EDL settings
• EDL created on firewall with correct source URL and credentials
• Security policy references the EDL
• Commit and push completed (if using Panorama)

Troubleshooting

Error 200150 - Failed to Register Tag

The agent was unable to register a tag on the firewall. Common causes:

• API key does not have User-ID Agent permissions
• Firewall is unreachable from the agent
• Invalid VSys or serial number configuration

Error 200151 - Failed to Unregister Tag

The agent was unable to unregister a tag from the firewall. Same causes as 200150 - check API key permissions, connectivity, and configuration.

Error 200200 - HA Check Failed

The agent was unable to determine the HA state of the primary firewall. Common causes:

• Primary firewall is unreachable
• API key does not have Operational Requests permission
• Unexpected HA state response

Common Issues

• Tag not appearing in address group - Ensure the tag name in Knocknoc matches the address group match criteria exactly (case-sensitive). The match criteria uses single quotes: 'tag-name'.
• User-ID not enabled - The zone must have User Identification enabled for address group matching to work.
• API permission denied - Check that the admin role has the correct permissions for your chosen integration method.
• Panorama push required - After creating the address group, EDL, or security policy on Panorama, commit and push to devices.
• EDL not refreshing (Passive+) - Check agent logs for refresh errors. Verify the EDL name matches exactly.
• Published but not Read (Passive+/Passive) - The firewall hasn't polled the EDL yet. For Passive+, check the agent is triggering refreshes. For Passive, wait for the next poll interval.

Agent Diagnostics

• Review orchestration agent logs for error details
• Verify API key validity and role permissions
• Confirm firewall/Panorama connectivity from the agent host
• Check EDL configuration and device commits

Certificate Management

For strict HTTPS validation when firewalls retrieve EDLs, configure a CA certificate profile:

• Panorama: Navigate to Certificate Manager > Certificate Profiles

• Standalone Firewall: Navigate to Device > Certificate Management > Certificate Profiles

Reference the certificate profile in the EDL source configuration for enhanced security.

Still Having Issues?

We can help you out - contact us at support@knocknoc.io.

 

 

Log in to your orchestration agent host, execute knocker enable panos:

 /opt/knocknoc-agent/knocker/knocker enable panos

Follow the prompts, as below:

$ /opt/knocknoc-agent/knocker/knocker enable panos
Enabling backend panos on this machine.
Note: Some operations may require sudo rights.
PAN-OS Integration Setup
Please provide the following information:
PAN-OS Hostname or IP: 13.236.94.186
Enter Username: knocknoc-api
Enter Password:
Generating API key for user 'knocknoc-api' on host '13.236.94.186'...
Successfully retrieved API key.
API Key: LUFRPT0vR...BlVHc9PQ==
Please save this key securely. It will not be saved in the config.
You can use this key to authenticate API requests.

Once you have this base64 blob/API key, save it somewhere safe.

Be sure to copy any terminating equals (==) signs.

Alternatively the official Palo documentation suggests using Curl: curl -H "Content-Type: application/x-www-form-urlencoded" -X POST "https://firewall/api/?type=keygen" -d 'user=<user>&password=<password>'

Place the API key in Knoc, you should have something similar to the screenshot below

Complete the remaining data as required, and click Next.

EDL Secret

Your Knocknoc Server publishes the EDL for collection, which requires an incoming EDL secret or username/password to be provided by the Palo Alto firewall device (even when using a Panorama), to ensure the confidentiality of the IP address lists.

This is the EDL secret within the Knoc creation flow as outlined below.

Noting this secret becomes the users password, in the case of Palo Alto. You can opt for no password, or to re-use an existing key, along with restricting by IP address source, who can present and use the key for access.

Set any IP allowlisting restrictions - this is the IP of the firewall. Note the firewall will be polling/retrieving the EDL, even with a Panorama in place. Naturally we recommend removing the "entire Internet" rules and being more specific. These IP restrictions can be edited later through the Knoc's EDL Security section.

Be mindful of the IP address restrictions, by default it will allow the entire IPv4/IPv6 Internet.

The next steps occur in your Palo Alto devices.

Configuring the External Dynamic List (EDL)

1. Log in to the Palo Alto or Panorama
2. Under Objects, External Dynamic Lists, click Add+ for a new list.
3. Create a name for the list, noting this is per Knoc - allowing a per-policy list, for example "FirewallManagers" and "SSH" may be two Knoc's that map to different firewall policies.

We will fill in the source later - leave this tab open as we finish the API integration first which will give us the 'Source'.

EDL Access URL

Back in Knocknoc, assign the relevant users/groups to the Knoc, and submit the final configuration.

You will now be presented with data similar to the below:

You have two options with Palo Alto, either using the "1. Use a Basic Auth URL format" option or "2 Use separate credentials".

The option-1 basic auth url is simpler and does not require a ca-profile to be configured, this is the most convenient.

The Basic Auth URL can be copied from the above and pasted into the 'Source' for the EDL, within Palo Alto.

Save and Commit this to your Palo Alto environment.

Using the Dynamic Address in Firewall Rules

The EDL can be selected within the Source Address section. This is effectively a dynamically updated list of authenticated and authorised users IP addresses. You can inspect the EDL contents in a number of ways. Remember to set your Source Zone and Destination Zones.

You're now good to go! To test as a user, ensure you assign them and or their group to the knoc as seen below.

To test as a user, make sure to visit their access page. When a user is requesting access they'll see 'Published', meaning the request has been sent, and 'Read' when it has been processed and accepted and can now access the application. 

Importantly to see IP's being added and removed, you have to be in your Palo specifically and not your Pano.

If you are having issues remember to commit with Panorama / Palo Alto, and push to the devices.

Passive+ Checklist 

✅ Your Knoc has the correct settings;

• ✅ If you're using Panorama you've ticked that box
• ✅ Your URL matches correctly to what you've entered into the Knoc's settings
• ✅ If you're using an insecure URL, you've ticked 'insecure'

✅ You've added in the correct API Key

• ✅ You've created the custom role with the appropriate permissions
  • Minimum perms for the role include:
    • XML API: Operational Requests
    • REST API: External Dynamic Lists
      
• ✅ Matching API admin to the API role
• ✅ You've made the API key with the correct IP, username, and password with the appropriate role added

✅ The EDL Name is correct and has been made WITH the API source added from the end at the creation of the Knoc

✅ The dynamic address in firewall rule has been configured to reference the source EDL

Option 2 - Passive mode

If you prefer to use Passive mode, follow the below.

1. Configure the Knocknoc Server: Set up a Passive Knoc.
2. EDL Configuration: Configure the Palo to point the EDL to the Knocknoc server. You also need to extract the server CA/chain for the Palo to verify the server.
3. Security Policy Rule: Create a firewall policy in the Palo referencing the dynamic address/group being managed by Knocknoc.
   

Knoc configuration

Create a Knoc under Firewalls/Appliances. Select Passive. Note that no Agent is required for this configuration as the Server is publishing/hosting the Allowlist.

Passive Checklist 

✅ Your Knoc has the correct settings, having chosen the correct URL of choice

Option 3 - Active (API) mode

Active will update the address group for each users requested access grant, this will update the access list immediately. 

1. Configure the Knocknoc Server: Set up an Active Knoc, noting some configuration data is required from the Palo  Alto environment.
2. Security Policy Rule: Create a firewall policy in the Palo referencing the dynamic address/group being managed by Knocknoc.

Knoc configuration

Select the "Firewalls / Appliances" Knoc configuration, selecting "Passive+" or "Active"

Follow the prompts, as below, entering the API key as created above:

Select the Agent you want to execute the Knoc from. We recommend deploying an Agent adjacent to the Palo devices and remove external attack surface on the Palo.

Once an authorized user logs in to Knocknoc that is linked to the Active Palo Knoc, they will appear within the Palo address group. On logout, the IP address is removed from the address group.

Active API permissions

For Active, the API configuration is the exact same as Passive+, except with these permissions below:

REST API: Addresses, Address Groups

Address Group

You'll also need an address group for all the addresses to go into

Active Checklist 

✅ Your Knoc has the correct settings;

• ✅ If you're using Panorama you've ticked that box
• ✅ Your URL matches correctly to what you've entered into the Knoc's settings
• ✅ If you're using an insecure URL, you've ticked 'insecure'

✅ You've added in the correct API Key

• ✅ You've created the custom role with the appropriate permissions
  • Minimum perms for the role include:
    
    • REST API: Addresses, Address Groups
      
• ✅ Matching API admin to the API role
• ✅ You've made the API key with the correct IP, username, and password with the appropriate role added

✅ The Address Group has been added and firewall policy made

✅ You've committed your work

User experience and EDLs

When your user logs in they will see "Published" alongside the relevant access item. This means their IP address or access information has been "published" and is awaiting consumption by the relevant firewall/system.

Once the firewall/system polls or "reads" the EDL, the state will change from Published to Read, signalling to the user their access has been established on the relevant back-end environment.

API role/permissions

Knocknoc/Palo orchestration mode	API access and permissions required
Passive	No API access is required
Passive+	XML: Operational Requests
Passive+ with "map user ID" enabled	XML: Operational Requests, UserID Agent
Active	REST API: Addresses, Address Groups
Active with "map user ID" enabled	XML: User-ID Agent REST API: Addresses, Address Groups

Troubleshooting

If you're experiencing errors the first step is checking the Agent logs, permissions or user-access tokens may be invalid or incorrect.

Is the EDL configured? Has the change been committed to the Panorama or Palo Alto device?

Do you get errors on the Agent?

If you're finding that Passive+ is taking too long, you can tune the retries using these settings in the Agent config file:

PanosRetry = 16
PanosWait = 2

Where Retry is the number of re-tries, and Wait is the number of seconds to wait between retries.

A note on EDL and HTTPS CAs

Whilst the EDL method uses HTTPS, using the https://username:token/ method may not adequately validate TLS/SSL certificate authorities. To use strict mode, use a CA profile as below:

Panorama - Certificate Manager --> Certificate Profile --> Add --> Add --> CA Certificate Dropdown Menu --> Certificate File Browse --> Commit

Palo Alto - Device --> Certificate Management --> Certificate Profile --> Add --> Add --> CA Certificate Dropdown Menu --> Certificate File Browse --> Commit

Select the certificate profile in the EDL (same spot as EDL from prior findings)