
What ConfigGuardian Protects

ConfigGuardian monitors all MQTT-related configuration on the camera. This page documents every protected setting, its severity level, and the impact of unauthorized changes.

Protection Summary

┌────────────────────────────────────────────────────┐
│  PROTECTED BY CONFIGGUARDIAN                       │
├────────────────────────────────────────────────────┤
│                                                    │
│  🔒 CRITICAL (Immediate Heal)                      │
│  ├── Broker Host & Port                            │
│  ├── TLS Settings (Certificate Validation)         │
│  ├── Client Identity                               │
│  └── Device Certificates                           │
│                                                    │
│  ⚠️ HIGH (Immediate Heal)                          │
│  ├── Command Subscriptions                         │
│  ├── Config Subscriptions                          │
│  └── Last Will Testament (LWT)                     │
│                                                    │
│  📋 MEDIUM (Alert Only)                            │
│  ├── Additional Subscriptions                      │
│  └── QoS Settings                                  │
│                                                    │
│  ℹ️ LOW (Log Only)                                 │
│  └── Timing/Keepalive Settings                     │
│                                                    │
└────────────────────────────────────────────────────┘

Detailed Reference

CRITICAL Settings

These settings, if changed, could result in security breaches or complete loss of connectivity.

| Setting | VAPIX Parameter | Expected Value | Impact if Changed |
|---|---|---|---|
| Broker Host | mqtt.host | mqtt.anava.ai | Complete disconnect or connection to rogue broker |
| Broker Port | mqtt.port | 8883 | Connection failure |
| Protocol | mqtt.protocol | mqtt-tls | Security downgrade or incompatibility |
| Validate Server Cert | mqtt.tls.validateServerCert | true | MITM attack possible (security bypass) |
| Client Certificate | mqtt.tls.clientCertPath | /etc/anava/client.crt | Authentication failure |
| Client Key | mqtt.tls.clientKeyPath | /etc/anava/client.key | Authentication failure |
| Client ID | mqtt.clientId | {device_serial} | ACL rejection, wrong identity |

Why These Are Critical

Broker Host: The most sensitive setting. If changed to a rogue broker, all device telemetry, commands, and credentials could be intercepted. ConfigGuardian heals this immediately.

TLS Validation: If disabled (false), the device will accept any server certificate, enabling man-in-the-middle attacks. This is a common target for attackers trying to intercept traffic.

Client Identity: The Client ID must match the device serial number for ACL rules to work. A wrong Client ID means the device won't have permission to publish or subscribe.

HIGH Settings

These settings affect core functionality but are less likely to be security risks.

| Setting | VAPIX Parameter | Expected Value | Impact if Changed |
|---|---|---|---|
| CA Certificate | mqtt.tls.caCertPath | /etc/anava/ca.crt | Trust chain broken, connection fails |
| Command Topic | subscription[0].topic | anava/devices/{serial}/cmd/# | Cannot receive cloud commands |
| Config Topic | subscription[1].topic | anava/devices/{serial}/config | Cannot receive configuration updates |
| Credentials Topic | subscription[2].topic | anava/devices/{serial}/credentials | Cannot receive token updates |
| LWT Topic | mqtt.lwt.topic | anava/devices/{serial}/status | Offline detection broken |
| LWT Payload | mqtt.lwt.payload | {"online":false} | Offline detection broken |
| LWT Retain | mqtt.lwt.retain | true | Status not persisted |

Why These Are High

Subscriptions: Without the correct subscriptions, the device cannot receive commands, configuration updates, or credential refreshes from the cloud. The device becomes effectively "orphaned."

Last Will and Testament (LWT): The LWT is published by the broker when the device disconnects unexpectedly. If misconfigured, the cloud won't know when devices go offline.

MEDIUM Settings

These settings are monitored but changes only trigger alerts, not automatic healing.

| Setting | VAPIX Parameter | Impact if Changed |
|---|---|---|
| Group Subscriptions | subscription[N].topic (N > 2) | May miss group-specific commands |
| Publish QoS | mqtt.publishQos | Message delivery reliability affected |
| Subscribe QoS | subscription[N].qos | Message delivery reliability affected |

Why These Are Medium

Group subscriptions are dynamic and may change based on profile configuration. ConfigGuardian allows these changes when they come from legitimate profile updates.

LOW Settings

These settings are logged but do not trigger alerts or healing.

| Setting | VAPIX Parameter | Impact if Changed |
|---|---|---|
| Keep Alive | mqtt.keepAlive | Connection stability may vary |
| Reconnect Delay | mqtt.reconnectDelay | Recovery time after disconnect |
| Clean Session | mqtt.cleanSession | Session state handling |

Configuration Example

Here's an example of a complete golden configuration:

{
  "broker": {
    "host": "mqtt.anava.ai",
    "port": 8883,
    "protocol": "mqtt-tls"
  },
  "tls": {
    "validateServerCert": true,
    "clientCertPath": "/etc/anava/client.crt",
    "clientKeyPath": "/etc/anava/client.key",
    "caCertPath": "/etc/anava/ca.crt"
  },
  "identity": {
    "clientId": "ACCC12345678"
  },
  "subscriptions": [
    {
      "topic": "anava/devices/ACCC12345678/cmd/#",
      "qos": 1
    },
    {
      "topic": "anava/devices/ACCC12345678/config",
      "qos": 1
    },
    {
      "topic": "anava/devices/ACCC12345678/credentials",
      "qos": 1
    }
  ],
  "lwt": {
    "topic": "anava/devices/ACCC12345678/status",
    "payload": "{\"online\":false}",
    "qos": 1,
    "retain": true
  },
  "options": {
    "keepAlive": 60,
    "reconnectDelay": 5,
    "cleanSession": false
  }
}
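
The severity tiers above can be applied to a golden configuration of this shape by diffing it against the live settings. The following Python example is added here and is not ConfigGuardian's own code; it assumes the JSON paths of the golden configuration correspond to the VAPIX parameters in the tables, and the UNLISTED tier, its "review" action, and the GOLDEN/DRIFTED samples are constructed for illustration.

```python
import re

# Severity per JSON path, transcribed from this page's tables (first match wins).
RULES = [
    (r"(broker\.(host|port|protocol)|identity\.clientId)$", "CRITICAL"),
    (r"tls\.(validateServerCert|clientCertPath|clientKeyPath)$", "CRITICAL"),
    (r"(tls\.caCertPath|lwt\.(topic|payload|retain))$", "HIGH"),
    (r"subscriptions\[[0-2]\]\.topic$", "HIGH"),
    (r"subscriptions\[\d+\]\.(topic|qos)$", "MEDIUM"),
    (r"options\.(keepAlive|reconnectDelay|cleanSession)$", "LOW"),
]
# Tier -> response as on this page; UNLISTED/"review" is an assumption (e.g. lwt.qos).
ACTIONS = {"CRITICAL": "heal", "HIGH": "heal", "MEDIUM": "alert", "LOW": "log", "UNLISTED": "review"}

def flatten(node, prefix=""):
    """Flatten nested JSON into paths such as 'subscriptions[0].topic'."""
    if isinstance(node, dict):
        pairs = [(f"{prefix}.{k}" if prefix else k, v) for k, v in node.items()]
    elif isinstance(node, list):
        pairs = [(f"{prefix}[{i}]", v) for i, v in enumerate(node)]
    else:
        return {prefix: node}
    return {p: v for path, child in pairs for p, v in flatten(child, path).items()}

def classify(path):
    """Severity tier for a flattened path, or 'UNLISTED' if no table covers it."""
    return next((sev for pat, sev in RULES if re.match(pat, path)), "UNLISTED")

def detect_drift(golden, current):
    """Return (path, severity, action, expected, actual) tuples, most severe first."""
    g, c = flatten(golden), flatten(current)
    findings = []
    for path in sorted(g.keys() | c.keys()):
        want, have = g.get(path, "<missing>"), c.get(path, "<missing>")
        # Compare type as well: in Python True == 1 would hide a bool-to-int change.
        if (type(want), want) != (type(have), have):
            sev = classify(path)
            findings.append((path, sev, ACTIONS[sev], want, have))
    return sorted(findings, key=lambda f: list(ACTIONS).index(f[1]))

# Constructed sample: a subset of the golden configuration above and a drifted copy.
GOLDEN = {"broker": {"host": "mqtt.anava.ai", "port": 8883},
          "tls": {"validateServerCert": True}, "options": {"keepAlive": 60},
          "subscriptions": [{"topic": "anava/devices/ACCC12345678/cmd/#", "qos": 1}]}
DRIFTED = {**GOLDEN, "tls": {"validateServerCert": False},  # CRITICAL -> heal
           "options": {"keepAlive": 30}}                    # LOW -> log

if __name__ == "__main__":
    print(*detect_drift(GOLDEN, DRIFTED), sep="\n")
```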

Viewing Protected Settings

You can view the current protected settings via:

Camera Web UI

Navigate to Settings > MQTT to see the current configuration. Changes made here are monitored by ConfigGuardian.

VAPIX API

curl --digest -u root:password \
"http://CAMERA_IP/axis-cgi/param.cgi?action=list&group=mqtt"

ACAP Health Endpoint

curl "http://CAMERA_IP:8080/api/v1/config/guardian"

Response:

{
  "status": "healthy",
  "lastCheck": "2025-12-19T10:30:00Z",
  "driftCount": 0,
  "healCount": 2,
  "goldenConfigAge": "3h 25m"
}

Updating Protected Settings Legitimately

To update protected settings without triggering healing:

  1. Via Cloud Configuration: Send a configuration update through the Anava cloud. ConfigGuardian recognizes cloud-initiated changes and updates the golden configuration.

  2. Via Profile Changes: When group or skill configurations change, related subscriptions are updated automatically.

  3. Via Reinstallation: Uninstalling and reinstalling the ACAP resets the golden configuration.

Manual VAPIX changes are always reverted

If you change MQTT settings via VAPIX or the camera web UI, ConfigGuardian will detect the drift and restore the original settings. Always use cloud-based configuration for permanent changes.


Last updated: December 2025