topic Allow iOS Ring doorbell in Custom Signatures

Allow iOS Ring doorbell

SethArnoff — Wed, 25 Apr 2018 15:02:45 GMT

Hello,

I'm looking for a proper way to allow the iOS Ring app to connect back to the video feed from an iOS device. Android phones work with no issue.

The problem is that it reports the web URL category as "unknown" which I am currently blocking.

I wrote my policy (below) to allow ssl traffic for all unauthenticated users (mobile devices) to connect to the Ring IP address range, and assigned a new URL filtering policy that mirrors our current URL filtering policy, with the exception that "unknown" category is set to Alert instead of block.

Is there a more proper way to do this?

The Ring ports are here: https://support.ring.com/hc/en-us/articles/205385394-What-Ports-Do-I-Need-to-Open-in-My-Firewall-for-Ring-Doorbells-and-Chimes-

Specifically the iOS ports TCP out 80, 443, 5223, 15064 and UDP out 53, 123, 18306 - 63919

Ring IP range: 35.174.122.0-35.174.123.255

Re: Allow iOS Ring doorbell

jvalentine — Sat, 28 Jul 2018 20:19:14 GMT

All of the *.ring.com URLs are categorized as "business-and-economy" in my firewall. Are you still having this issue?

Re: Allow iOS Ring doorbell

JoeAndreini — Mon, 30 Jul 2018 16:24:04 GMT

If you know the URLS, and they are being categorized incorrectly, why not create a custom category for them and allow it?

Re: Allow iOS Ring doorbell

JoshFountaine — Mon, 23 Sep 2019 15:29:07 GMT

I know this is an older thread, but we are experiencing this issue as well. All of the functionality within the Ring app works as far as we can tell except the live video feed. The other Ring traffic hits URL Category: business-and-economy.

The live video feed traffic is showing up in our URL filtering logs as category: unknown, and action is block-continue. Unlike the rest of the Ring traffic, these requests are not resolving DNS, so the URL entry just shows an IP address:15064, so I don't have a list of URLs to add to a category.

Thoughts/ideas to get this to work without allowing unknown category?

Re: Allow iOS Ring doorbell

Rosenbusch — Sat, 16 Nov 2019 22:47:08 GMT

I have the exact same problem with my 220. Only way that I can get it to work is remove the Palo. I have an any any rule and it still doesn't work.

Re: Allow iOS Ring doorbell

jeremyw — Fri, 29 Nov 2019 02:11:36 GMT

I've had this issue for a while and have just looked into it further.

In our case I just changed the unknown category to alert.

However I understand that this might not be appropriate in all cases.

To keep the unknown URL category blocked, what you could do is create a rule above your web browsing policy to permit ssl on TCP/15064 to the internet, and on this rule have a URL filtering profile applied which permits unknown URLs.

If you wanted to make this more specific you could set up an external dynamic list for Amazon AWS using MineMeld and use that as the destination address.

Hope that helps 🙂

Re: Allow iOS Ring doorbell

FrankJamesWilson — Wed, 27 May 2020 10:06:12 GMT

I know this is an old post, but I just ran into this problem as well. I have two Ring Cameras, one door bell cam and one stick-up cam in my backyard.

All of sudden, both cams stopped showing recorded images and the live feed didn't work.

I did get motion alerts, but when I tried to click on live view the image just never showed up.

After some investigation, I found that RING was being stopped by threat prevention in the Palo.

In the logs it appeared that there were to instances of calls being made from the inside that hit the Threat policy.

Suspicious TLS Evasion Found on port 443 and

Microsoft Communicator INVITE Flood Denial of Service Vulnerability on port 15063

Both of which where informational.

To mitigate this I created a new Security Profile where I removed dropping packet that where on informational nature and added that to a policy that matched the predefined RING application.

Once that was done, all feeds and events came right back up.

Re: Allow iOS Ring doorbell

JohnSmock — Thu, 30 Dec 2021 21:15:31 GMT

Frank,

Thanks for posting your solution, but I am not clear on how you see it in the logs? Which log were you seeing the threat? I can not find any log details that match up with this. Also, which security profile did you setup? I tried matching the Ring application and then just not having any security profile at all...

Re: Allow iOS Ring doorbell

BenNoonan — Mon, 28 Feb 2022 02:45:32 GMT

After reading the article on ring, it doesnt specify but is required. TCP9002 for liveview on app.