Palo Alto
Passive, Active or a combination
Passive - Knocknoc's Allowlist feature provides a very powerful integration with firewalls that support External Dynamic Lists (EDLs). The firewall pulls from the Knocknoc server a list of the IP addresses of authenticated users who are in the correct group for the assigned firewall policy. The drawback of this approach is that the list can only be fetched at a fixed interval: every 30 seconds, or every 5 minutes in the case of Palo Alto.
Active - Knocknoc's Palo Alto back-end uses the Palo API to actively orchestrate the device, inserting and removing IP addresses as part of the Knocknoc grant process. Committing the changes to the device can take time, which is a Palo constraint; newer versions of Palo offer better commit speeds. If commit speed is a problem, the Passive approach with an Active trigger can be the fastest option.
Passive with Active Trigger - the Passive EDL is used in conjunction with an Active API call that triggers a live refresh of the EDL. This shortens the polling delay and can outperform Active rule management, which is bound by the commit process of the Palo framework.
Full Configuration Flow
- Configure the Knocknoc Server: Set up the Allowlist and the Palo back-end.
- EDL Configuration: Configure the Palo to point the EDL at the Knocknoc distribution server. You also need to extract the server's CA chain for the Palo.
- Security Policy Rule: Create a policy referencing the dynamic address and other relevant parameters to suit your intended firewall policy.
- Allocate ACLs: Associate users and groups to ACLs, then test.
Palo Alto Configuration
Configuring the External Dynamic List (EDL)
Extract and upload your Knocknoc server's CA chain; the Palo requires it to verify the Knocknoc server without relying on third-party/global CAs.
If you do not have easy access to the chain, a third-party site such as https://whatsmychaincert.com/ can extract it for you.
Using the Dynamic Address in Firewall Rules
The EDL can be selected within the Source Address section of a rule. It is effectively a dynamically updated list of the IP addresses of authenticated and authorised users.
Managing from the Palo Shell
Palo provides various options to observe EDLs from the shell. The first command runs in configure mode (the # prompt); the request commands run in operational mode (the > prompt).
- Viewing the configuration of the external dynamic list: admin@PA-VM# show external-list Knocknoc
- Viewing the contents of the dynamic list: admin@PA-VM> request system external-list show type ip name "Knocknoc"
- Forcing a refresh/pull on the dynamic list: admin@PA-VM> request system external-list refresh type ip name "Knocknoc"
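The two halves of the Passive-with-Active-Trigger flow described above, as an added example (not Knocknoc's or Palo Alto's own code): a validator for the IP-list body the Palo fetches from the Knocknoc EDL endpoint, plus a builder for the PAN-OS XML API operational command that is the equivalent of the shell refresh above. The sample list body is constructed; it assumes the Knocknoc list carries one address or CIDR per line with # comments, and that authenticated-user entries are single hosts, so any wider prefix is flagged for review.

```python
import ipaddress
import urllib.parse
from xml.sax.saxutils import escape

# Constructed sample EDL body (assumption: one IP/CIDR per line, '#' comments).
SAMPLE_EDL = """# Knocknoc allowlist: authenticated users for policy 'vpn-admins'
203.0.113.10
198.51.100.0/24
2001:db8::42
not-an-ip
10.0.0.5/33
"""


def parse_edl(body):
    """Return (valid, rejected): valid entries as ip_network objects,
    rejected entries as the raw strings the Palo would also refuse."""
    valid, rejected = [], []
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        try:
            valid.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return valid, rejected


def broad_entries(networks):
    """Entries covering more than one host. An allowlist of authenticated
    users should only hold single addresses, so anything wider deserves a look."""
    return [n for n in networks if n.num_addresses > 1]


def edl_refresh_params(api_key, edl_name, list_type="ip"):
    """Query parameters for the PAN-OS XML API 'op' call that forces an EDL
    refresh: the API form of the shell command
    'request system external-list refresh type ip name "<name>"'."""
    cmd = (
        "<request><system><external-list><refresh>"
        f"<type><{list_type}><name>{escape(edl_name)}</name></{list_type}></type>"
        "</refresh></external-list></system></request>"
    )
    return {"type": "op", "cmd": cmd, "key": api_key}


def edl_refresh_query(api_key, edl_name, list_type="ip"):
    """URL-encoded query string to append to https://<firewall>/api/?"""
    return urllib.parse.urlencode(edl_refresh_params(api_key, edl_name, list_type))
```

Run parse_edl against the body your Knocknoc server actually serves before pointing the Palo at it; the rejected list shows exactly which lines would be dropped on fetch.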