Verkada devices and Verkada Command use managed certificates to validate that their traffic isn’t subject to a man-in-the-middle attack. If they didn’t do this, communications such as encrypted video streams could be at risk of being decrypted by an unknown/untrusted source. If a man-in-the-middle attempt is detected (SSL/TLS decryption), Verkada devices won't come online or function properly.

Since Verkada devices do not have the ability to browse the internet or

download attachments, it isn't necessary to decrypt their traffic to mitigate this risk. They also do not communicate to any local servers (NVR/DVR, servers, etc.), local applications, or local databases which reduces the risk of disabling decryption. The only time they are able to talk to a local device is if local streaming is required which

dynamically builds a secure session using AES 128 over TLS 1.2.

To learn more about Verkada security please visit: https://www.verkada.com/security/.

It's strongly recommended to create a backup of your Palo Alto's

firewall configuration prior to making any changes that are recommended in this guide. This guide is only intended as an example of how to whitelist by domain.

In this example, there are two subnets that exist on a Palo Alto firewall. The computer/user VLAN (192.168.40.0/24) and the Verakda cameras VLAN (192.168.50.0/24). Currently, both subnets, part of the Inside Security Zone, have SSL/TLS decryption enabled which is preventing the Verakda cameras from coming online in Verkada Command.

The first step in whitelisting Verakda domains from being decrypted is to create a URL category that will help the firewall determine what Verakda traffic is.

4. Enter the domains below into the “Sites” field

*.control.verkada.com

*.command.verkada.com

time.control.verkada.com

You can view our up-to-date list of required network settings here

Now that the URL category is created for "Verkada_Domains", a new decryption policy needs to be created that will allow the category to be whitelisted.

2. General tab: Name of the decryption policy. Ex. Verkada_Disable_Decrypt

3 . Source tab: The source zone should be where the Verkada cameras are located. In this example, it’s the subnet 192.168.50.0/24, located in the “inside” zone.

4. Destination tab: The destination zone should be the internet. In this example, it’s the outside zone

5. Service/URL Category: For the URL Category, click add, Verkada_Domains

6. Options tab: The action should be set to "No Decrypt" and the decryption profile should be left blank.

7. Finally, move the new "Verkada_Disable_Decrypt" policy to the top of the list.

8. Finally, you must Commit your changes for them to take effect.

Now that the changes have been committed, power on the Verkada devices or power cycle them if they are already on. To confirm the rule is working as intended:

If your Verkada cameras are still not coming online, please read over the steps in this guide. And for issues with any other Verkada device, please reach out to Verkada Support for assistance.