v26.01
Knocknoc 26.01
Knocknoc 26.01 sharpens the Palo Alto experience for both administrators and end-users, introducing a much simpler configuration option and stronger safeguards. It also adds Cloudflare support, improves multi-node deployments, and delivers broader usability and performance enhancements across the platform.
🔌 Palo Alto improvements + Cloudflare!
- EDLs and multiple serial numbers (Panorama)
  Multiple firewall serial numbers can now be provided in a single Passive+ Knoc configuration, simplifying hot/hot Palo Alto environments where multiple firewalls/clusters are orchestrated from a single access flow.
- Virtual System support (Panorama and Passive+)
  Support for virtual systems has been added, specifically for Passive+ where this was previously lacking.
- Passive+ configuration simplification for Palo Alto + Panorama!
  TLS/CA profile management within the Panorama can present a challenge, both during initial setup and as the longer-dated CA certificates expire. This configuration can be greatly simplified using the user:pass structure. Read here. This reduces setup time on the Pano/Palo and removes ongoing review of SSL/TLS/CA certificate information.
- Panorama updates separate from local/direct Palo Alto firewall orchestration
  Passive+ now supports the orchestration of a Palo Alto firewall directly, with User-ID information pushed to a Panorama host/environment defined at a different location. Globally-distributed low-reliability networks may benefit from locally-controlled Palo Alto firewall devices, with less-critical User-ID information sent to a Panorama configured at another location.
- Improved error visibility (Panorama and Passive+)
  We've improved error visibility within the front end, to aid initial configuration and troubleshooting.
- Cloudflare IP address management and network allow-listing
  Knocknoc can orchestrate Cloudflare to dynamically update IP addresses that are utilized within Cloudflare. Read more here.
🧩 Agent uplift
- New high-availability options. Agents can subscribe to multiple servers, for distributed web environments
  If you're running multiple Knocknoc servers (for high-availability), agents can connect to each server through a single configuration option. Read more here.
- Improved performance and responsiveness of access flows, for large environments
  The orchestration agents update Knocs (and therefore user access) faster, whilst retaining reliability across the mixed underlying technologies being orchestrated.
- Configuration file uplift
  Config files and all the available options shouldn't be a mystery; they now show everything along with the defaults.
- IPSets config files (ipset.list)
  Retention and re-installs now follow the operating-system "conffiles" approach, with package maintainer changes shown for merging, retention or replacement.
- Red Hat and Red Hat derivatives
  Improvements to Agents running on Red Hat, including changes for older versions of systemd.
🛠 Admin controls
- Streamlined API Key consumption for Passive and Passive+
  API key creation and consumption is now streamlined, including offering a simplified URL format suitable for some integrations.
- Red Hat and Red Hat derivatives
  Improvements to Server running on Red Hat, including changes for older versions of systemd.
✨ UI improvements
- Responsiveness of user logins more apparent
  Grants were processed swiftly but appeared to take longer in some cases, so end-user feedback has been improved.
- Parent/Child items have been improved
  Children can be complicated, so we've improved the linking internally. This corrects a local-user direct-assignment issue whereby the active component of a Passive+ grant was not reliably triggered in some configurations.
- Admin users postponing TOTP enrolment
  Better warnings for Admin users postponing TOTP enrolment.
Release date: 21st January 2026
How do I upgrade?
We intentionally require you to update Knocknoc and any orchestration Agents through your operating system, e.g. Linux package management. This ensures you have complete control over the timing of upgrades and the state of your machine; we intentionally avoid automatic updates.
Follow this guide to upgrade when you're ready.