Whitelisting Verkada domains from being decrypted
Verkada devices and Verkada Command use managed certificates to validate that their traffic isn’t subject to a man-in-the-middle attack. If they didn’t do this, communications such as encrypted video streams could be at risk of being decrypted by an unknown/untrusted source. If a man-in-the-middle attempt is detected (SSL/TLS decryption), Verkada devices won't come online or function properly.
Since Verkada devices do not have the ability to browse the internet or
download attachments, it isn't necessary to decrypt their traffic to mitigate this risk. They also do not communicate to any local servers (NVR/DVR, servers, etc.), local applications, or local databases which reduces the risk of disabling decryption. The only time they are able to talk to a local device is if local streaming is required which
dynamically builds a secure session using AES 128 over TLS 1.2.
To learn more about Verkada security please visit: https://www.verkada.com/security/.
Note: Verkada does not provide firewall support
Palo Alto Firewall Example
It's strongly recommended to create a backup of your Palo Alto's
firewall configuration prior to making any changes that are recommended in this guide. This guide is only intended as an example of how to whitelist by domain.
Topology example
In this example, there are two subnets that exist on a Palo Alto firewall. The computer/user VLAN (192.168.40.0/24) and the Verakda cameras VLAN (192.168.50.0/24). Currently, both subnets, part of the Inside Security Zone, have SSL/TLS decryption enabled which is preventing the Verakda cameras from coming online in Verkada Command.
Create a URL category
The first step in whitelisting Verakda domains from being decrypted is to create a URL category that will help the firewall determine what Verakda traffic is.
Login to your Palo Alto firewall via HTTPS
Navigate to Objects > Custom Objects > URL Category
Add
4. Enter the domains below into the “Sites” field
*.control.verkada.com
*.command.verkada.com
time.control.verkada.com
You can view our up-to-date list of required network settings here
Create a new decryption policy
Now that the URL category is created for "Verkada_Domains", a new decryption policy needs to be created that will allow the category to be whitelisted.
Navigate to Policies > Decryption > Add
2. General tab: Name of the decryption policy. Ex. Verkada_Disable_Decrypt
3 . Source tab: The source zone should be where the Verkada cameras are located. In this example, it’s the subnet 192.168.50.0/24, located in the “inside” zone.
4. Destination tab: The destination zone should be the internet. In this example, it’s the outside zone
5. Service/URL Category: For the URL Category, click add, Verkada_Domains
6. Options tab: The action should be set to "No Decrypt" and the decryption profile should be left blank.
7. Finally, move the new "Verkada_Disable_Decrypt" policy to the top of the list.
8. Finally, you must Commit your changes for them to take effect.
Testing the configuration
Now that the changes have been committed, power on the Verkada devices or power cycle them if they are already on. To confirm the rule is working as intended:
Navigate to Monitor > Traffic on your Palo Alto firewall
type
( category eq Verkada_Domains )
in the search fieldEnable the URL Category and Decrypted columns
Verify the Verada_Domain traffic isn't being decrypted as shown in the screenshot below
If your Verkada cameras are still not coming online, please read over the steps in this guide. And for issues with any other Verkada device, please reach out to Verkada Support for assistance.