Whitelisting Verkada domains from being decrypted

Verkada cameras and Command use managed certificates to validate that their traffic isn't being intercepted by a man-in-the-middle. Without this check, the encrypted video feed would be at risk of being decrypted by an unknown party. If a man-in-the-middle attempt is detected (for example, a firewall performing SSL/TLS decryption), the cameras won't come online or function properly.

Since Verkada cameras do not have the ability to browse the internet or download attachments, it isn't necessary to decrypt their traffic to mitigate this risk. They also do not communicate with any local servers (NVR/DVR), local applications, or local databases, which reduces the risk of disabling decryption for them. The only time they are able to talk to a local device is if local streaming is required, which dynamically builds a secure session using AES 128 over TLS 1.2.

To learn more on Verkada security please visit: https://www.verkada.com/security/

Verkada does not provide firewall support

Palo Alto Firewall Example

It's strongly recommended to create a backup of your Palo Alto firewall's configuration prior to making any of the changes recommended in this guide. This guide is only intended as an example of how to whitelist by domain.

Topology example

In this example, there are two subnets on a Palo Alto firewall: the computer/user VLAN (192.168.40.0/24) and the Verkada cameras VLAN (192.168.50.0/24). Currently, both subnets, part of the Inside Security Zone, have SSL/TLS decryption enabled, which is preventing the Verkada cameras from coming online in Command.

Create a URL category

The first step in whitelisting Verkada domains from being decrypted is to create a URL category that will help the firewall identify Verkada traffic.

  1. Log in to your Palo Alto firewall via HTTPS.
  2. Navigate to Objects > Custom Objects > URL Category.
  3. Click Add and name the category Verkada_Domains.
  4. Enter the domains below into the “Sites” field:

*.control.verkada.com

*.command.verkada.com

time.control.verkada.com

You can view our up-to-date list of required network settings here.

Create a new decryption policy

Now that the "Verkada_Domains" URL category is created, a new decryption policy needs to be created that will allow the category to be whitelisted.

  1. Navigate to Policies > Decryption > Add.
  2. General tab: enter a name for the decryption policy, e.g. Verkada_Disable_Decrypt.
  3. Source tab: the source zone should be where the Verkada cameras are located. In this example, it's the subnet 192.168.50.0/24, located in the “inside” zone.
  4. Destination tab: the destination zone should be the internet. In this example, it's the “outside” zone.
  5. Service/URL Category tab: under URL Category, click Add and select Verkada_Domains.
  6. Options tab: set the action to "No Decrypt" and leave the decryption profile blank.
  7. Move the new "Verkada_Disable_Decrypt" policy to the top of the list, so it is evaluated before any existing decryption rule that would otherwise match the camera traffic.
  8. Finally, Commit your changes for them to take effect.

Testing the configuration

Now that the changes have been committed, power on the Verkada cameras, or power cycle them if they are already on. To confirm the rule is working as intended:

  1. Navigate to Monitor > Traffic on your Palo Alto firewall.
  2. Type ( category eq Verkada_Domains ) in the search field.
  3. Enable the URL Category and Decrypted columns.
  4. Verify the Verkada_Domains traffic isn't being decrypted, as shown in the screenshot below.
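The same verification can be run against an exported copy of the Monitor > Traffic log, which is handy when there are many cameras to check. The Python script below is an added example for this guide, not Verkada's or Palo Alto Networks' own code: it reads a CSV export, flags any Verkada_Domains session that was decrypted anyway, and flags camera-subnet sessions that matched a rule other than Verkada_Disable_Decrypt (the symptom of the new policy not sitting at the top of the rulebase). The CSV column labels (Source, Rule, URL Category, Decrypted), the log rows, addresses and rule names are constructed for the example and should be checked against the labels your PAN-OS version actually exports. The wildcard matcher uses Python's fnmatch and is a simplification, not the firewall's exact category-matching rules.

```python
import csv
import io
import ipaddress
from fnmatch import fnmatch

# Domains entered into the Verkada_Domains custom URL category (from the guide).
VERKADA_DOMAINS = [
    "*.control.verkada.com",
    "*.command.verkada.com",
    "time.control.verkada.com",
]

# Constructed sample export of Monitor > Traffic with the URL Category and
# Decrypted columns enabled. Column labels, addresses, timestamps and rule
# names are assumptions made for this example, not a real firewall export.
SAMPLE_TRAFFIC_CSV = """\
Receive Time,Source,Destination,Rule,URL Category,Decrypted,Application
2024/01/01 10:00:01,192.168.50.21,203.0.113.10,Verkada_Disable_Decrypt,Verkada_Domains,no,ssl
2024/01/01 10:00:02,192.168.50.22,203.0.113.11,Verkada_Disable_Decrypt,Verkada_Domains,no,ssl
2024/01/01 10:00:03,192.168.40.15,198.51.100.5,Decrypt_Users,web-browsing,yes,ssl
2024/01/01 10:00:04,192.168.50.23,203.0.113.12,Decrypt_Users,Verkada_Domains,yes,ssl
2024/01/01 10:00:05,192.168.50.24,203.0.113.13,Legacy_NoDecrypt,Verkada_Domains,no,ssl
"""


def matches_category(hostname: str, patterns=VERKADA_DOMAINS) -> bool:
    """Simplified check of whether a hostname falls under the category list.

    Uses shell-style wildcards via fnmatch, so "*.control.verkada.com" matches
    "time.control.verkada.com" but not the bare "control.verkada.com". This is
    an approximation of how the firewall categorises a site, not its exact rules.
    """
    host = hostname.lower().rstrip(".")
    return any(fnmatch(host, pattern.lower()) for pattern in patterns)


def audit_traffic_export(csv_text: str,
                         camera_subnet: str = "192.168.50.0/24",
                         category: str = "Verkada_Domains",
                         expected_rule: str = "Verkada_Disable_Decrypt") -> dict:
    """Audit a traffic-log CSV export for the two failure modes the guide warns about.

    Returns a dict with two lists of offending rows:
      "decrypted"  - sessions categorised as Verkada_Domains that the firewall
                     decrypted anyway (the cameras will refuse to come online)
      "wrong_rule" - camera-subnet sessions to Verkada_Domains that matched a rule
                     other than the no-decrypt policy, typically because that
                     policy is not at the top of the decryption rulebase
    """
    subnet = ipaddress.ip_network(camera_subnet)
    findings = {"decrypted": [], "wrong_rule": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["URL Category"].strip() != category:
            continue
        if row["Decrypted"].strip().lower() == "yes":
            findings["decrypted"].append(row)
        src = ipaddress.ip_address(row["Source"].strip())
        if src in subnet and row["Rule"].strip() != expected_rule:
            findings["wrong_rule"].append(row)
    return findings


if __name__ == "__main__":
    result = audit_traffic_export(SAMPLE_TRAFFIC_CSV)
    for kind, rows in result.items():
        for row in rows:
            print(f"{kind}: {row['Receive Time']} {row['Source']} -> "
                  f"{row['Destination']} rule={row['Rule']}")
```

On the constructed sample the script reports one decrypted Verkada session (192.168.50.23, which hit the user decryption rule) and two camera sessions that matched the wrong rule; an export from a correctly ordered rulebase should produce empty lists for both. Replace SAMPLE_TRAFFIC_CSV with the contents of your own export and adjust the column names and subnet to match your environment.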

If your Verkada cameras are still not coming online, please read over the steps in this guide.
