Video Streaming is Not Working
Video surveillance architecture consists of video cameras and a server that can communicate successfully using RTSP. However, the video is not streaming and is showing the following session table output:
The reason for this issue is that Real Time Streaming Protocol (RTSP) uses RTP and RTCP to stream and control the quality of the video stream. In order to establish RTP and RTCP communication when using RTSP, a predict happens where the Palo Alto Networks firewall tries to predict which ports that RTP and RTCP will be using to communicate. In this case the predict session fails, however the discarded traffic is RTP and RTCP because of the port assignment. The RTP port will be an even number and the RTCP port will be the RTP port +1, meaning it will be the odd number.
To resolve this issue, create an Application Override Policy. To create an Application Override Policy in the firewall go to Policies > Application Override and click Add. Identify the Source zone and Destination zones and define the port for RTSP.
For more information on Application Override review the following document: How to create an application override for FTP
Create a security policy for RTSP port 554 using the custom application and a separate security policy with the service ports defined for RTP/RTCP for the designated video streaming architecture. For the RTP/RTCP security policy allow the ports the video architecture uses from zone to zone by defining a custom service.
The following output is an example of the session table. Custom_RTSP is the custom RTSP application and RTP_RTCP is the service ports.
Video streaming should now work successfully.