Whitelisting Verkada domains from being decrypted
Verkada cameras and Command use managed certificates to verify that their traffic is not being intercepted by a man-in-the-middle. Without this check, the encrypted video feed could be decrypted by an unknown party. If a man-in-the-middle attempt is detected (for example, SSL/TLS decryption on a firewall), the cameras will not come online or function properly.
Since Verkada cameras cannot browse the internet or download attachments, decrypting their traffic is not necessary to mitigate that risk. They also do not communicate with any local servers (NVR/DVR), local applications, or local databases, which further reduces the risk of disabling decryption for them. The only time they talk to a local device is when local streaming is required, in which case a secure session is dynamically built using AES-128 over TLS 1.2.
To learn more about Verkada security, please visit: https://www.verkada.com/security/
Verkada does not provide firewall support
Palo Alto Firewall Example
It is strongly recommended to back up your Palo Alto firewall configuration before making any of the changes recommended in this guide. This guide is intended only as an example of how to whitelist by domain.
Topology example
In this example, two subnets exist on a Palo Alto firewall: the computer/user VLAN (192.168.40.0/24) and the Verkada camera VLAN (192.168.50.0/24). Both subnets are part of the Inside security zone and currently have SSL/TLS decryption enabled, which is preventing the Verkada cameras from coming online in Command.
Create a URL category
The first step in whitelisting Verkada domains from decryption is to create a custom URL category that lets the firewall identify Verkada traffic.
1. Log in to your Palo Alto firewall via HTTPS.
2. Navigate to Objects > Custom Objects > URL Category.
3. Click Add and name the category (this guide uses "Verkada_Domains").
4. Enter the domains below into the "Sites" field:
*.control.verkada.com
*.command.verkada.com
time.control.verkada.com
You can view our up-to-date list of required network settings here.
Create a new decryption policy
Now that the "Verkada_Domains" URL category exists, create a new decryption policy that exempts that category from decryption.
1. Navigate to Policies > Decryption > Add.
2. General tab: enter a name for the decryption policy, e.g. Verkada_Disable_Decrypt.
3. Source tab: the source zone should be the zone where the Verkada cameras are located. In this example, that is the 192.168.50.0/24 subnet in the "inside" zone.
4. Destination tab: the destination zone should be the internet. In this example, that is the "outside" zone.
5. Service/URL Category tab: under URL Category, click Add and select Verkada_Domains.
6. Options tab: set the action to "No Decrypt" and leave the decryption profile blank.
7. Move the new "Verkada_Disable_Decrypt" policy to the top of the list so it is matched before any broader decryption rules.
8. Finally, Commit your changes for them to take effect.
Testing the configuration
Now that the changes have been committed, power on the Verkada cameras, or power cycle them if they are already on. To confirm the rule is working as intended:
1. Navigate to Monitor > Traffic on your Palo Alto firewall.
2. Type ( category eq Verkada_Domains ) in the search field.
3. Enable the URL Category and Decrypted columns.
4. Verify that the Verkada_Domains traffic is not being decrypted, as shown in the screenshot below.
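The same check can be run over a CSV export of the Monitor > Traffic view, which is handy when there are many cameras. The script below is an added example, not part of this guide or of Palo Alto's tooling; the sample log is constructed, and the column headers it reads are assumed, so match them to the headers of your own export.

```python
import csv
import io
import ipaddress

# Values taken from this guide: camera VLAN, custom URL category and the no-decrypt rule name.
CAMERA_VLAN = ipaddress.ip_network("192.168.50.0/24")
CATEGORY = "Verkada_Domains"
NO_DECRYPT_RULE = "Verkada_Disable_Decrypt"

# Constructed sample of a Monitor > Traffic CSV export, cut down to the columns this check
# reads. The header names are an assumption; a real export carries many more columns.
SAMPLE_LOG = """\
Source address,Destination address,Rule,URL Category,Decrypted
192.168.50.21,203.0.113.10,Verkada_Disable_Decrypt,Verkada_Domains,no
192.168.50.22,203.0.113.11,Inside_Decrypt_All,Verkada_Domains,yes
192.168.40.15,198.51.100.7,Inside_Decrypt_All,computer-and-internet-info,yes
192.168.50.23,203.0.113.12,Verkada_Disable_Decrypt,Verkada_Domains,no
"""


def audit_verkada_decryption(csv_text):
    """Check a traffic-log export for Verkada flows the no-decrypt rule did not cover.

    Returns a dict with two lists of (source, destination, rule) tuples:
      "decrypted"  - flows classified as Verkada_Domains that were still decrypted
      "wrong_rule" - camera-VLAN flows in that category that matched some other rule,
                     which usually means Verkada_Disable_Decrypt is not at the top of the list
    """
    findings = {"decrypted": [], "wrong_rule": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["URL Category"] != CATEGORY:
            continue  # only Verkada traffic is in scope for this check
        src = ipaddress.ip_address(row["Source address"])
        entry = (row["Source address"], row["Destination address"], row["Rule"])
        if row["Decrypted"].strip().lower() == "yes":
            findings["decrypted"].append(entry)
        if src in CAMERA_VLAN and row["Rule"] != NO_DECRYPT_RULE:
            findings["wrong_rule"].append(entry)
    return findings


if __name__ == "__main__":
    for kind, flows in audit_verkada_decryption(SAMPLE_LOG).items():
        for src, dst, rule in flows:
            print(f"{kind}: {src} -> {dst} (rule {rule})")
```

An empty result for both lists means every Verkada flow seen in the export hit the no-decrypt rule and was left encrypted.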
If your Verkada cameras are still not coming online, please review the steps in this guide.