Arlo|Smart Home Security|Wireless HD Security Cameras

Reply
Discussion stats
  • 7 Replies
  • 8554 Views
  • 6 Likes
  • 2 In Conversation
deejus
Tutor
Tutor

Im using a Watchguard Firewall and noticed the Proxy was blocking the Live feed. When clicking it would just say connection failed unles you disabled the proxy.

the proxy deny message is 

HTTP Invalid Request-Line Format

When this occurs, the HTTP Proxy denies the request. It is not possible to configure the HTTP Proxy to allow invalid requests.

Note: HTTP-Proxy Exceptions will not bypass this error message, as the request does not adhere to the RFC standards for the HTTP protocol.

 

The only way around this is to add a new policy above that and allow connections to the following FQDN

*.arlo.com

*.arlo.netgear.com

*.netgear.com

*.amazonaws.com

dev.visualwebsiteoptimizer.com

rum-collector.pingdom.net

rum-static.pingdom.net

After these are put in you can then view the live feed through the website. Hopefully the arlo Dev team will notice this and correct these issues with their site and I also express concern with the live feed not using HTTPS.

These setting should work with other firewall proxy's such as cisco/sonicwall/fortigate etc.

This took myself and a collegue several hours to backtrack with the help of watchguard support.

Hopefully this will save you guys the work as i've seen about 10+ other forum posts closed due to inactivy with no resolution.

 

1 ACCEPTED SOLUTION

Accepted Solutions
deejus
Tutor
Tutor

you have to do a normal http outbound packet filter and not a proxy. Proxy's will not work.

 

arlo.png

View solution in original post

7 REPLIES 7
Brink2Three
Tutor
Tutor

Hey deejus, 

I also am using a Watchguard Firebox as well and I attempted to create an FQDN list as you suggested, but I still cannot preview live feed. Does yours still work with this list? If so, can I share a screenshot with you to see if I am configuring it the same way? 

 

I contacted Arlo and they claim they will call me back in 24 hours with a solution. We'll see if that involves an FQDN list or otherwise, but I'm curious to see what they say. 

deejus
Tutor
Tutor

you have to do a normal http outbound packet filter and not a proxy. Proxy's will not work.

 

arlo.png

Brink2Three
Tutor
Tutor

Hey deejus, 

I've attached a screenshot of my policy as implemented right now. 

I've also attached a google drive link as uploaded photos have to be manually approved by a moderator. 

From what I understand, this is an outbound packet filter rule, not a proxy (If it was a proxy, the blue menu bar along the top would have a proxy actions option, and this does not. Again for clarity I am using your original list of FQDNs as listed in your first post.

Just as a troubleshooting step, I also tried making this a packet filter over all protocols, not just port 80 (HTTP), and it still did not work. Any suggestions would be greatly appricicated. 

 

https://drive.google.com/file/d/1qQkDVTgQ08Az2D22E9Rz-8E5vlREFNy2/view?usp=sharing


Arlo FQDN Livestream Policy.PNG
Brink2Three
Tutor
Tutor

I've just spotted my own mistake. I have the To and From fields backwards on the Firewall Policy. I reversed them and that has fixed it. 

deejus
Tutor
Tutor

Thats wonderful to hear. Now Im hoping the Devs will do something with not using HTTPS.

deejus
Tutor
Tutor

I would also recommend trying to use Watchguard system manager to manage the firewall. It is a great tool and allows you to setup numerous things before it gets pushed to the firewall instead of having to save each change instantly.

Brink2Three
Tutor
Tutor

I have a call scheduled with their senior dev team to talk about the security issue that splitting a site into http and https elements. I'll also suggest adding the FQDN lists to their official documentation for troubleshooting livestreaming issues. Maybe not as a basic troubleshooting step, but still should be easier to find then this thread. It took me close to 4 days to find this after first diagnosing the problem. 

 

And yes, I was using the WGSM, I was just on my laptop and found it easier to sceenshot from the webpage then to reboot into windows.