Video Streaming is Not Working
Created On 09/25/18 20:39 PM - Last Modified 11/29/23 03:06 AM
Symptom
- Video surveillance architecture consists of video cameras and a server that can communicate successfully using RTSP.
- When the traffic passes through the firewall, the video does not stream and the session table displays the "undecided" and "Discard" states.
Environment
- Palo Alto Firewalls
- Supported PAN-OS
- Video Streaming application through Firewall
- Real Time Streaming Protocol (RTSP)
Cause
- Real Time Streaming Protocol (RTSP) uses RTP and RTCP to stream the video and control the quality of the video stream.
- To establish RTP and RTCP communication when RTSP is in use, the Palo Alto Networks firewall creates a predict session, in which it tries to predict which ports RTP and RTCP will use to communicate.
- In this case the predict session fails, and the traffic that is discarded is the RTP and RTCP traffic, because of the port assignment.
- The RTP port is an even number and the RTCP port is the RTP port + 1, so it is the odd number.
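
To find out which UDP ports the video architecture negotiates, and therefore which ports a static RTP/RTCP service needs to cover, the port pairs can be read from the Transport headers of the RTSP SETUP exchange. The Python sketch below is an added example, not part of the original article or of any Palo Alto Networks tooling; the sample exchange, host name and function names are constructed for illustration.

```python
import re

# Constructed sample: RTSP SETUP request and 200 OK reply for one camera stream.
SAMPLE_EXCHANGE = """\
SETUP rtsp://camera.example/stream1/track1 RTSP/1.0
CSeq: 3
Transport: RTP/AVP;unicast;client_port=50000-50001

RTSP/1.0 200 OK
CSeq: 3
Session: 12345678
Transport: RTP/AVP;unicast;client_port=50000-50001;server_port=6970-6971
"""

PORT_PARAM = re.compile(r"\b(client_port|server_port)=(\d+)(?:-(\d+))?")

def transport_ports(rtsp_text):
    """Return the set of (side, rtp_port, rtcp_port) found in Transport headers."""
    pairs = set()
    for line in rtsp_text.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() != "transport":
            continue
        for side, rtp, rtcp in PORT_PARAM.findall(value):
            rtp = int(rtp)
            # A single port means RTCP is implied on the next port up.
            rtcp = int(rtcp) if rtcp else rtp + 1
            pairs.add((side, rtp, rtcp))
    return pairs

def pairing_problems(pairs):
    """List pairs that break the even RTP / RTP+1 RTCP convention."""
    return sorted(p for p in pairs if p[1] % 2 or p[2] != p[1] + 1)

def service_ranges(pairs):
    """Merge all negotiated UDP ports into sorted 'low-high' ranges."""
    ports = sorted({port for _, rtp, rtcp in pairs for port in (rtp, rtcp)})
    ranges = []
    for port in ports:
        if ranges and port == ranges[-1][1] + 1:
            ranges[-1][1] = port
        else:
            ranges.append([port, port])
    return [f"{lo}-{hi}" if lo != hi else str(lo) for lo, hi in ranges]

if __name__ == "__main__":
    found = transport_ports(SAMPLE_EXCHANGE)
    print("UDP ports for the RTP/RTCP service:", ",".join(service_ranges(found)))
    print("Pairs breaking the even/odd convention:", pairing_problems(found))
```

Run it over the SETUP exchanges of every camera model in use, because the negotiated ranges differ between vendors and the service has to cover all of them.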
Resolution
- Create an Application Override Policy on the firewall:
  - In the GUI, go to Policies > Application Override and click Add.
  - Identify the source and destination zones and define the port for RTSP.
- Create a security policy for RTSP port 554 using the custom application and a separate security policy with the service ports defined for RTP/RTCP for the designated video streaming architecture.
- For the RTP/RTCP security policy, allow the ports the video architecture uses from zone to zone by defining a custom service.
- Commit the configuration.
- Once done the session table will be similar to that below. Custom_RTSP is the custom RTSP application and RTP_RTCP is the service ports.
Video streaming should now work successfully.
Additional Information
An example of Application Override can be found at: How to create an application override for FTP