Skip to main content

Sonicwall

The Sonicwall can be orchestrated in three ways, Actively (API call from an Orchestration Agent to the Firewall), Passively via Sonicwalls DEAG polling capability, or a combination known as Passive+, where a DEAG is utilized with an active force-download-now call made to the Sonicwall API to shorten the polling period.

Active or Passive orchestration

Active - Knocknoc's Sonicwall orchestration capability utilises the Sonicwall API to actively manage the device, inserting and removing IP addresses as part of the Knocknoc Grant process. This is an active, near-real-time approach that provides the best user experience. Knocknoc manages the IP lists within address groups, but not the firewall policy itself. That is controlled by the Administrator or firewall team/MSSP.

Passive - Knocknoc's Allowlist feature provides a passive integration with firewalls that support polling for IP address lists, Sonicwall calls these Dynamic External Address Groups or DEAGs.  This feature pulls from the Knocknoc server a list of IPs of authenticated users, in the correct group/for the assigned firewall policy. The drawback of this feature is that the list can only be fetched every 5 minutes in the case of a Sonicwall.

Passive+ (Passive with an Active sync) - the Passive DEAG can be utilised in conjunction with an Active API hit to trigger a live refresh from the DEAG. This shortens the time taken for polling from 5 minutes to near instantaneous and is useful for large IP address lists.

Requirements

  • Sonicwall 7+
  • Agent version 25.12+ if you're using an Active or Passive+ integration.

Active (via Sonicwall API)

Sonicwall configuration

Log in to the Sonicwall as an Admin user.

You need to create an "Address group" along with a baseline V4 Host entry. Knocknoc will add/remove host IP entries from these groups actively as users login/logout of Knocknoc.

First we create a baseline host address, Sonicwall requires an entry in the address-group lists as a baseline.

  1. Navigate to Object (top menu), Match Objects (left menu), Addresses. Address Objects will be the first menu loaded.
  2. Click "+Add" (right hand side)
  3. A name "knocknoc_baseline4" is recommended, this is a placeholder for Sonicwall, not a rule/group.
  4. Select the correct Zone, likely WAN. Type is Host. IP address should be 127.0.0.1

    sonic1.jpg


  5. Now we set up the "Address Group" 
  6. Navigate to "Address Groups" on the same page. 
  7. Click "+Add"
  8. Name the item related to your firewall policy, eg: "kk_rdp" for a list of trusted IP addresses you will allow for RDP access. Naming is up to you.
  9. Add the "baseline" Host entry we created earlier, Sonicwall requires this to be not empty.

    sonic2.jpg


  10. You need to do this for IPv6 too. Note that the V6 does not need a baseline entry.
  11. Once completed, it should look like the below:

    sonic3.jpg

You're now ready to configure Knocknoc. 

Knocknoc configuration

Select the "Firewalls / Appliances" Knoc configuration, selecting "Active"

Follow the prompts, as the example below:

    Screenshot 2025-11-28 at 11.01.26.png

    A non-admin credential can created and utilized, however management must also be allowed on the network interface. Unfortunately Sonicwall does not allow fine grained controls, they may in future releases.

    Testing it out!

    Log in to Knocknoc as a user linked in the Knoc.

    On the Sonicwall, refreshing the Address Group will now list their IP address and username as an object.

    Navigate to the Address Groups section, then click Refresh on the top-right. The entry will appear similar to the below. On user logout of Knocknoc, refresh and the entry will be removed.

    sonic4.jpg

    Using this in a firewall rule

    You can now use this knocknoc-managed dynamic address group within firewall rules and policies.

    Passive (DEAG polling)

    Knoc configuration

    1. Log in to Knocknoc as an Admin
    2. Navigate to Knocs, Create new
    3. Select Firewalls, Passive
    4. Enter a meaningful name and proceed through to the API key step

      Screenshot 2025-11-28 at 11.11.24.png

    5. Select "Do not require API key" - Sonicwall does not support authentication on the DEAG polling, so a combination of IP source trust and/or randomness (security-through-obscurity..) is relied on to protect the IP address source list.

      Screenshot 2025-11-28 at 11.11.39.png

    6. Put in source IP addresses if possible, it's unlikely your firewall IPs will change so this is definitely worth doing.
    7. Save
    8. Copy the Allowlist URI, it is required in the next step.

    Sonicwall configuration

    Log in to the Sonicwall as an Admin user.

    1. Navigate to Object, Match Objects, Dynamic Group
    2. Click "+ Add"
    3. Provide a meaningful name, unfortunately you cannot use _ chars.
    4. Set the Type as "Address Group"
    5. Select the Zone, likely WAN
    6. Select "Enable Periodic Download" and set to 5 minutes. This can be shortened using Passive+ mode (see below)
    7. Select HTTPS
    8. Paste in the Knoc Allowlist URI created previously
    9. Save.sonic5.jpg
    10. Click Download (top right hand side) to make sure it connects.
    11. Log in to Knocknoc, then refresh the list in Sonicwall or wait for the polling time.
    12. The users IP address will now be visible in the list (see below), and removed when they logout/timeout.

    sonic6.jpg

    You're now ready to use this IP address group within your Sonicwall rules!

    Back to top