v8.0
Knocknoc 8.0
Knocknoc 8.0 delivers a powerful set of updates. Knocknoc Access Tokens for web transactions extend validation of connecting clients beyond source IP addresses alone. Fine-grained per-Knoc session limits let you, as the Administrator, set shorter session periods based on the risks you perceive. On the user experience side, feedback on the new end-user UI has led to a simple "list-mode" view. API capabilities for integration with your SOAR or response environment are also now available, along with many other useful features, many based on your feedback.
🔗 Knocknoc Access Token
- Source IP address trust too broad? Use tokens!
In some cases source IP address trust is too broad, such as an airport lounge or a hostile CGNAT environment. If your underlying protected application offers little individual defence, allowing a shared IP address through can be risky. So we've introduced Knocknoc Access Tokens (KATs): a single-use token passed in the web-uri to a Knocknoc-orchestrated reverse-proxy, which validates the user at the individual browser level. Even when accessing from the same machine, and naturally the same IP address, without the KAT you simply don't get access to that web application's attack surface. HAProxy is fully supported today, with others coming soon.
🌐 Network-location aware Knoc access
- Enable Knocs for specific IP ranges only (for VPN users, RFC1918 or specific IPs)
You can now control where users can access a Knoc from, adding another layer of intelligent, just-in-time access control. A Knoc now supports IP-based policies (allow-list, deny-list, or RFC1918). Selecting RFC1918 means only users on private/internal networks (e.g. connected VPN clients) will activate the Knoc.
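An added example (not Knocknoc's code) of how the three policy types described above could be evaluated against a client's source address; the function name, mode labels and sample addresses are assumptions. It lists the RFC1918 ranges explicitly, so CGNAT space (100.64.0.0/10) and loopback are not treated as internal, and it fails closed on bad input.

```python
import ipaddress

# RFC 1918 private ranges, listed explicitly. ipaddress's is_private is broader
# (loopback, link-local, documentation ranges), so it is not used here.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _normalise(source):
    """Parse a client address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(source)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def _in_any(ip, networks):
    return any(ip.version == net.version and ip in net for net in networks)


def knoc_allowed(source, mode, networks=()):
    """Decide whether a source IP may activate a Knoc.

    mode is a hypothetical label: "allow-list", "deny-list" or "rfc1918".
    Unparseable addresses and unknown modes fail closed (return False).
    """
    try:
        ip = _normalise(source)
        nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    except ValueError:
        return False
    if mode == "rfc1918":
        return _in_any(ip, RFC1918)
    if mode == "allow-list":
        return _in_any(ip, nets)
    if mode == "deny-list":
        return not _in_any(ip, nets)
    return False


if __name__ == "__main__":
    # Constructed sample addresses: VPN client, CGNAT, just outside 172.16/12.
    for addr in ("10.8.0.15", "100.64.3.7", "172.32.0.1", "::ffff:192.168.1.20"):
        print(addr, knoc_allowed(addr, "rfc1918"))
```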
🔐 Session control
- Individual timeout
Custom session lengths can now be set per Knoc via the “Maximum grant duration” option. When the time expires, the grant is revoked and users must “Click to Grant,” allowing shorter access windows for sensitive Knocs while maintaining standard durations for others.
- Terminate user sessions (via API)
A new API route allows you to immediately revoke all active sessions for a username (local or SAML) across connected systems, ideal for when internal alerts or manual checks mark a user as untrusted. Sessions are ended immediately, including for active Knocs, forcing re-authentication everywhere.
- Public computer mode
Users can reduce session duration on shared or public devices with the “Public Computer” login option. It defaults to 45 minutes but can be controlled by Admins to as little as 10 minutes, helping prevent forgotten logouts and reduce exposure in lower-security settings.
📦 Knocknoc client
- Scripting a file transfer?
A CLI client is now available that logs in to Knocknoc and opens up access. This is particularly useful in headless/scripted use cases such as scheduled/automated file transfers. Note that the access API can also be called from a REST client. Local users can be configured specifically with this access, along with an API key that has IP address restrictions if you so desire. Don't worry, it's not on by default for all users.
✨ End-user UI update (thanks for the feedback!)
- Card and list view toggle
Toggle between list and card view, allowing end-users to view Knocs in their preferred layout. Thanks to everyone who shared early feedback and helped further shape this update!
- User login and access performance
Visual feedback on access after the login process is now more responsive.
- Single Knoc redirect (auto-browse option)
Auto-browse redirects users that only have a single Knoc, if that option is enabled for the Knoc. This obviates the need for end-users to click a Knoc after logging in, should the URL be configured. It will now redirect the end-user automatically after login, eliminating extra navigation steps.
🔥 Admin boosters
- Native Azure NSG orchestration
Azure NSG orchestration is now native within the Knocknoc experience, reducing manual work. Protect those Azure assets with IP address allowlisting at scale.
- FortiManager support
FortiManager local-in access is now available, to control trusted-sources for Administrator users.
- Palo Alto Passive+ mode, rate limit retries
Passive+ refresh requests can be rate-limited by the Palo device, this improvement retries numerous times to ensure the EDL is refreshed more reliably.
- Agent page update
The agent page now displays the IP address, giving you clearer insight into where each agent is connecting from.
- Logging improvements
Logs updated to provide clearer ACL grant descriptions, grant errors, and agent registration details for better troubleshooting. We love logs.
🛠 Bug Fixes
- Username variable update
Editing environment variables in custom-scripting wasn't great, so we fixed it.
- Local user account expiry
Time formatting for local user account expiry has been corrected.
- User Knoc assignment fixes
Improvements made to user Knoc assignments to ensure updates work reliably.
Release date: 3rd July 2025