Skip to main content

Palo Alto

Passive, Active or a combination

Passive - Knocknoc's Allowlist features provides a very powerfulpassive integration with firewalls that support a External Dynamic Lists or EDLs.  This feature pullsallows the firewall to pull from the Knocknoc server a list of IPs of authenticated users, in the correct group/for the assigned firewall policy. The drawback of this feature is that the list can only be fetched every 30 seconds or 5 minutes in the case of Palo Alto.minutes.

Active - Knocknoc's Palo Alto back-endorchestration capability utilises the Palo API to actively orchestratemanage the device, inserting and removing IP addresses as part of the Knocknoc Grant process. This is an active, near-real-time approach that provides the best user experience. Older versions of Palo Alto devices can take time to "commit" the changes to the device which is a Palo constraint. Newer versions of Palo can offer better speeds. If commit speeds are a problem, using the PassivePassive+ approach can offer better speeds for older devices.

Passive+ (Passive with an Active trigger can be the fastest approach.

Passive with Active Triggersync) - the Passive EDL can be utilised in conjunction with an Active API hit to trigger a live refresh from the EDL. This shortens the time taken for polling, and can outperform Active rule management due to the Commit process of the Palo framework.

Passive (EDL)

  1. Configure the Knocknoc Server: Set up Allowlista andPassive Palo BackendKnoc.
  2. EDL Configuration: Configure the Palo to point the EDL to the Knocknoc distribution server. You also need to extract the server CA/chain for the Palo.
  3. Security Policy Rule: Create a policy referencing the dynamic address and other relevant parameters to suit your intended firewall policy.
  4. Allocate ACLs: Associate users and groups to ACLs, then test.

Knoc configuration

Create a Knoc under Firewalls/Appliances. Select Passive. Note that no Agent is required for this configuration as the Server is publishing/hosting the Allowlist.

Screenshot 2025-04-10 at 15.26.51.png

Set an API key name, and define any IP allowlisting restrictions on the API key-use. Naturally we recommend removing the "entire Internet" rules.

Screenshot 2025-04-10 at 15.39.08.png

Be mindful of the IP address restrictions, by default it will allow the entire v4/v6 Internet.

Copy the API key/token that is displayed, you will not be able to recover this after it has been shown.

Screenshot 2025-04-10 at 15.40.48.png

Copy the API key and store this for future use.

Configuring the External Dynamic List (EDL)

Log in to the Palo Alto.

Under Objects, External Dynamic Lists, Add+ a new list.

Create a name for the list, noting this is per Knoc - allowing a per-policy list, for example "FirewallManagers" and "SSH" may be two Knoc's that map to different firewall policies.

Screenshot 2025-02-06 at 00.20.55.pngScreenshot 2025-04-10 at 16.54.16.png

The "Source" URI can be found by copying off the Knoc configuration:

Screenshot 2025-04-10 at 15.41.26.png

This can also be seen by viewing the Knoc itself:

Screenshot 2025-04-10 at 15.42.07.png

Create a "certificate profile", this places the Knocknoc servers certificate/chain in to the Palo.

Extract and upload your Knocknoc servers CA chain, this is required by the Palo to verify the Knocknoc server without using third-party/global CAs. 

If you do not have easy access to this, you can use a third-party site such as https://whatsmychaincert.com/

Screenshot 2025-02-06 at 00.20.18.png

Select the newly-created Certificate Profile.

Screenshot 2025-02-06 at 00.20.55.png

Select "client authentication", setting the username as "apikey" and the API token as the Password.

Note that the "Test source URL" button does not use the client-authentication, therefore it will fail. Thanks Palo..

Using the Dynamic Address in Firewall Rules

The EDL can be selected within the Source Address section. This is effectively a dynamically updated list of authenticated and authorised users IP addresses.

Screenshot 2025-02-05 at 23.54.09.png

You can also see the EDL contents via the Palo shell:

Viewing the configuration of the external dynamic list: admin@PA-VM# show external-list Knocknoc

Viewing the contents of the dynamic list: admin@PA-VM# request system external-list show type ip name "Knocknoc" 

Forcing a refresh/pull on the dynamic list:  admin@PA-VM# request system external-list refresh type ip name "Knocknoc"

Active configuration (API)

To use the Palo Alto or Panorama API you first must create an API key, which is derived from an Admin username/password.

To do this, the official Palo documentation suggests using Curl as below:

curl -H "Content-Type: application/x-www-form-urlencoded" -X POST https://firewall/api/?type=keygen -d 'user=<user>&password=<password>'

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-panorama-api/pan-os-api-authentication/get-your-api-key

Once you have this base64 blob/API key, save it somewhere safe. You will need it when creating the Active Palo Alto Knoc.

 

Looking at the EDL contents

You can see the addresses added to the EDL, to do so log in to Knocknoc with an appropriate user, then refresh the view in the Palo UI.

Alternatively, you can also see the EDL contents via the Palo shell:

Viewing the configuration of the external dynamic list: admin@PA-VM# show external-list Knocknoc

Viewing the contents of the dynamic list: admin@PA-VM# request system external-list show type ip name "Knocknoc" 

Forcing a refresh/pull on the dynamic list:  admin@PA-VM# request system external-list refresh type ip name "Knocknoc"

Back to top