ConfigGuardian
Self-Healing MQTT Configuration Protection
ConfigGuardian is an enterprise security feature that continuously monitors and protects the MQTT configuration on Axis cameras running the Anava ACAP. It automatically detects unauthorized or accidental changes to critical MQTT settings and restores them to the known-good state.
Why ConfigGuardian Exists
Anava cameras connect to the cloud via MQTT. The MQTT configuration—broker address, TLS settings, subscriptions, and identity—is accessible through the camera's web UI. If anyone modifies these settings, whether accidentally, maliciously, or through firmware updates, the camera could:
| Risk | Impact |
|---|---|
| Complete Disconnect | Camera loses all cloud connectivity |
| Rogue Broker Connection | Security breach - data sent to unauthorized server |
| Lost Functionality | Cannot receive commands or configuration updates |
| Silent Failure | No indication of the problem until manual inspection |
ConfigGuardian eliminates these risks through continuous monitoring and automatic remediation.
Key Capabilities
Automatic Healing
Unlike traditional monitoring that only alerts, ConfigGuardian automatically restores correct configuration within seconds of detecting drift. No manual intervention required.
Intelligent Detection
ConfigGuardian compares live configuration against a "golden" reference captured after successful setup. It classifies changes by severity and responds appropriately.
Anti-Thrashing Protection
Smart backoff logic prevents configuration wars. If someone is actively fighting the guardian, it escalates to an alert rather than entering an infinite loop.
Full Visibility
Every configuration change is detected, logged, and reported to your dashboard for complete audit trails.
How It Works
- Capture: Golden configuration saved after successful MQTT setup
- Monitor: Every 30 seconds, compare actual vs expected configuration
- Detect: Identify any drift with severity classification
- Heal: Automatically restore critical settings
- Report: Send alerts to cloud for visibility
Quick Reference
| Component | Description |
|---|---|
| How It Works | Architecture overview and monitoring flow |
| Protected Settings | Complete list of monitored configuration |
| Alerts | Alert codes and response guidance |
| Troubleshooting | FAQ and common issues |
Requirements
- Anava ACAP version 2.0+
- AXIS OS 11.0 or later
- Active cloud connection for alert reporting
Related Documentation
- Security Overview - Platform security architecture
- PKI Authentication - Device identity and mTLS
- Architecture Overview - System design
Last updated: December 2025