Verkada Devices with SSL Decryption

Verkada devices cannot operate with SSL decryption, but you can create a URL category for Verkada domains to be whitelisted


Whitelisting Verkada domains from being decrypted

Verkada devices and Verkada Command use managed certificates to validate that their traffic isn’t subject to a man-in-the-middle attack. If they didn’t do this, communications such as encrypted video streams could be at risk of being decrypted by an unknown/untrusted source. SSL/TLS decryption on a firewall looks exactly like a man-in-the-middle attempt to the device, so if it is detected, Verkada devices won't come online or function properly.

Since Verkada devices do not have the ability to browse the internet or download attachments, it isn't necessary to decrypt their traffic to mitigate this risk. They also do not communicate with any local servers (NVR/DVR, servers, etc.), local applications, or local databases, which reduces the risk of disabling decryption for them. The only time they are able to talk to a local device is when local streaming is required, which dynamically builds a secure session using AES 128 over TLS 1.2.

To learn more about Verkada security please visit: https://www.verkada.com/security/.

Note: Verkada does not provide firewall support

Palo Alto Firewall Example

It's strongly recommended to create a backup of your Palo Alto firewall's configuration prior to making any of the changes recommended in this guide. This guide is only intended as an example of how to whitelist by domain.

Topology example

In this example, there are two subnets that exist on a Palo Alto firewall: the computer/user VLAN (192.168.40.0/24) and the Verkada cameras VLAN (192.168.50.0/24). Currently, both subnets, part of the Inside Security Zone, have SSL/TLS decryption enabled, which is preventing the Verkada cameras from coming online in Verkada Command.

Create a URL category

The first step in whitelisting Verkada domains from being decrypted is to create a URL category that will help the firewall determine what Verkada traffic is.

  1. Log in to your Palo Alto firewall via HTTPS

  2. Navigate to Objects > Custom Objects > URL Category

  3. Click Add and name the category (this guide uses "Verkada_Domains")

  4. Enter the domains below into the “Sites” field

     *.control.verkada.com

     *.command.verkada.com

     time.control.verkada.com

You can view our up-to-date list of required network settings here

Create a new decryption policy

Now that the URL category is created for "Verkada_Domains", a new decryption policy needs to be created that will allow the category to be whitelisted.

  1. Navigate to Policies > Decryption > Add

  2. General tab: Enter a name for the decryption policy. Ex. Verkada_Disable_Decrypt

  3. Source tab: The source zone should be where the Verkada cameras are located. In this example, it’s the subnet 192.168.50.0/24, located in the “inside” zone.

  4. Destination tab: The destination zone should be the internet. In this example, it’s the outside zone.

  5. Service/URL Category tab: Under URL Category, click Add and select Verkada_Domains

  6. Options tab: The action should be set to "No Decrypt" and the decryption profile should be left blank.

  7. Move the new "Verkada_Disable_Decrypt" policy to the top of the list, so it is matched before any broader decryption rule.

  8. Finally, you must Commit your changes for them to take effect.

Testing the configuration

Now that the changes have been committed, power on the Verkada devices or power cycle them if they are already on. To confirm the rule is working as intended:

  1. Navigate to Monitor > Traffic on your Palo Alto firewall

  2. Type ( category eq Verkada_Domains ) in the search field

  3. Enable the URL Category and Decrypted columns

  4. Verify the Verkada_Domains traffic isn't being decrypted, as shown in the screenshot below
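The following script is an added example, not code from Verkada or Palo Alto Networks. It models the URL category and first-match decryption rulebase built in the steps above, shows why step 7 (moving the rule to the top) matters, and runs the same "is Verkada traffic still decrypted?" check as the Monitor > Traffic step over a constructed log export. Hostname matching uses glob semantics, the rule names, the catch-all rule "Decrypt_Inside_Web", the log column names and the log rows are all assumptions constructed for the example; consult PAN-OS documentation for the firewall's own URL-category matching rules.

```python
"""Added example (not Verkada's or Palo Alto Networks' code).

Models the first-match decryption rulebase described in the guide and
checks exported traffic-log rows for Verkada-category flows that are still
being decrypted. Glob-style hostname matching, column names and log rows
are constructed assumptions for illustration.
"""
import csv
import fnmatch
import io
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Custom URL category "Verkada_Domains" with the entries from the "Sites" field.
URL_CATEGORIES = {
    "Verkada_Domains": [
        "*.control.verkada.com",
        "*.command.verkada.com",
        "time.control.verkada.com",
    ],
}


def categorize(host: str) -> Optional[str]:
    """Return the custom category a hostname falls into, or None.

    Assumption: '*.control.verkada.com' matches any subdomain of
    control.verkada.com but not the bare apex, as a shell glob would.
    """
    host = host.lower().rstrip(".")
    for name, patterns in URL_CATEGORIES.items():
        if any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns):
            return name
    return None


@dataclass(frozen=True)
class DecryptionRule:
    name: str
    from_zone: str
    to_zone: str
    source: str      # CIDR or "any"
    category: str    # custom URL category name or "any"
    action: str      # "decrypt" or "no-decrypt"

    def matches(self, from_zone: str, to_zone: str, src_ip: str, host: str) -> bool:
        if self.from_zone not in ("any", from_zone):
            return False
        if self.to_zone not in ("any", to_zone):
            return False
        if self.source != "any" and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source):
            return False
        if self.category != "any" and categorize(host) != self.category:
            return False
        return True


# Rulebase in the order step 7 leaves it: the Verkada exception sits on top of
# the (constructed) catch-all that decrypts everything else leaving "inside".
RULEBASE = [
    DecryptionRule("Verkada_Disable_Decrypt", "inside", "outside", "192.168.50.0/24", "Verkada_Domains", "no-decrypt"),
    DecryptionRule("Decrypt_Inside_Web", "inside", "outside", "any", "any", "decrypt"),
]


def evaluate(rules: List[DecryptionRule], from_zone: str, to_zone: str,
             src_ip: str, host: str) -> Tuple[Optional[str], str]:
    """First matching rule wins, as on the firewall; no match means no decryption."""
    for rule in rules:
        if rule.matches(from_zone, to_zone, src_ip, host):
            return rule.name, rule.action
    return None, "no-decrypt"


# Constructed export of Monitor > Traffic filtered on ( category eq Verkada_Domains ),
# reduced to the columns the check needs. The third row comes from the user VLAN.
SAMPLE_TRAFFIC_LOG = """\
receive_time,from,to,src,dst,category,decrypted
2024/05/01 10:00:01,inside,outside,192.168.50.21,203.0.113.10,Verkada_Domains,no
2024/05/01 10:00:02,inside,outside,192.168.50.22,203.0.113.11,Verkada_Domains,no
2024/05/01 10:00:03,inside,outside,192.168.40.15,203.0.113.10,Verkada_Domains,yes
"""


def flows_still_decrypted(log_text: str, category: str = "Verkada_Domains") -> List[dict]:
    """Rows of the given URL category that the firewall reports as decrypted."""
    rows = csv.DictReader(io.StringIO(log_text))
    return [r for r in rows if r["category"] == category and r["decrypted"].lower() == "yes"]


if __name__ == "__main__":
    camera = ("inside", "outside", "192.168.50.21", "api.control.verkada.com")
    print("rule on top:   ", evaluate(RULEBASE, *camera))
    print("rule at bottom:", evaluate(list(reversed(RULEBASE)), *camera))
    for row in flows_still_decrypted(SAMPLE_TRAFFIC_LOG):
        print("still decrypted:", row["src"], "->", row["dst"])
```

With the rule on top, a camera flow to api.control.verkada.com hits Verkada_Disable_Decrypt; with the order reversed, the catch-all matches first and the same flow is decrypted, which is the situation step 7 prevents. The log check flags only the row from 192.168.40.15: the rule's source is scoped to the camera subnet, so a flow from the user VLAN falls through to the catch-all, which is the intended scope of the policy as written.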

If your Verkada cameras are still not coming online, please read over the steps in this guide. And for issues with any other Verkada device, please reach out to Verkada Support for assistance.
