
Zone-Based Firewalls in UniFi

UniFi's Zone-Based Firewalling (ZBF) simplifies firewall management by allowing you to group network interfaces—such as VLANs, WANs, or VPNs—into zones. This approach lets you efficiently define and enforce policies that control how traffic flows between these zones, making it easy to manage network security and segmentation.

This feature is part of UniFi Network 9.0.108 Official Release.

    • For information on using our previous firewall rules: Read here
    • Curious how previously-configured rules will be migrated? Find answers here

Requirements

What are Firewall Zones?

Firewall zones are logical groupings of network interfaces, such as VLANs, WANs, or VPNs. By applying policies to these zones, you can define and control traffic flow with ease, eliminating the need to create individual policies for each interface. Each zone can represent different segments of your network, such as trusted, semi-trusted, or untrusted areas, enhancing both security and simplicity.

For a simpler guide to implementing network and client isolation, go here.

Advantages of Zone-Based Firewalls

  1. Simplified Policy Management: Policies are created between zones, reducing complexity and improving clarity compared to managing policies at the interface level.
  2. Granular Control Over Traffic: Define precise policies based on IP addresses, protocols, applications, or users, ensuring comprehensive traffic management.
  3. Enhanced Network Segmentation: Establish clear boundaries between zones to protect sensitive areas, such as limiting how traffic moves from an external WAN zone into your internal network.
  4. Better Visibility: Policies are shown visually in the Zone Matrix, providing greater insight and ease of management.

Built-in Firewall Zones

The UniFi firewall includes several predefined, built-in zones to which networks and interfaces are associated. 

  • External: For incoming traffic that is untrusted, or requires more strict control, such as general Internet traffic on the WAN, or a connection with a third-party VPN client service.
  • Internal: For trusted traffic, such as employee computers and internal servers on the local network.
  • Gateway: Handles traffic directed to or from the UniFi Gateway (such as DHCP, DNS, or HTTPS/SSH management requests).
  • VPN: For traffic from remote VPN users (Identity One-Click VPN, WireGuard, L2TP, and OpenVPN), or Site-to-Site VPNs (Site Magic, IPsec, and OpenVPN). 
  • Hotspot: For guest WiFi hotspot networks where devices have restricted access.
  • DMZ: For deployments which require outside access to public-facing resources, such as web or mail servers.

Creating and Modifying Zones

Predefined zones are marked with a lock icon to indicate they cannot be removed. However, admins can create custom zones for specialized traffic or more precise control. Network interfaces are limited to a single zone and are initially assigned to a predefined zone by default, but this assignment can be modified in the Firewall section.

The Zone Matrix: Viewing Traffic Segmentation Between Zones

The zone matrix provides a clear, visual representation of traffic flow between zones, displaying a grid of built-in and custom policies. Rows represent source zones (where traffic originates), and columns represent destination zones (where traffic is headed). The intersections, or cells, show and allow configuration of policies controlling traffic between zones. For example, clicking on the intersection between “Internal” and “External” zones lets you view or adjust specific firewall policies governing that traffic flow, streamlining policy management and enhancing network visibility.

Built-in zones: rows are the source zone, columns are the destination zone.

Source \ Destination | Internal             | External  | Gateway   | VPN                  | Hotspot   | DMZ
Internal             | Allow All            | Policies  | Allow All | Allow All            | Allow All | Allow All
External             | Policies             | Policies  | Policies  | Policies             | Policies  | Policies
Gateway              | Allow All            | Allow All | -         | Allow All            | Allow All | Allow All
VPN                  | Allow All            | Policies  | Allow All | Allow All            | Allow All | Allow All
Hotspot              | Allow Return Traffic | Policies  | Policies  | Allow Return Traffic | Block All | Block All
DMZ                  | Allow Return Traffic | Policies  | Policies  | Allow Return Traffic | Block All | Block All

The following values are shown in the matrix:

  • Allow All - All traffic is allowed from the source zone to the destination zone
  • Block All - All traffic is blocked from the source zone to the destination zone
  • Allow Return Traffic - This value appears when there is a combination of "Allow All" and "Block All" between two zones. The source zone is allowed to send all traffic to the destination zone, but the destination zone can only reply to the traffic.
  • Policies - Specific traffic is allowed and blocked from the source zone to the destination zone, controlled via multiple firewall policies. By default, this applies to the built-in policies associated with the External zone, which is used for traffic to and from the internet.

Traffic Directions and Traffic Inside Zones

With zones, traffic is controlled separately in each direction. This means that if traffic is blocked from source "Zone A" to destination "Zone B" but allowed from "Zone B" to "Zone A", traffic from Zone A to Zone B remains blocked. Carefully consider both directions of the traffic when creating firewall policies.

In addition to filtering traffic between different zones, it is also possible to filter within the same zone, for example Internal to Internal. This is useful when there are multiple networks assigned to a zone, but traffic needs to be filtered between them.

Assigning Networks to Zones

Networks can only be assigned to a single zone and are placed in one of the built-in zones by default. Upon creation or when editing the network, it is possible to place it in a different zone. This can also be done by editing the zone configuration in the Firewall section. 

Configuring Firewall Policies

Firewall policies control the flow of traffic between zones, letting you allow or block specific types of traffic. Follow these steps to set up and customize a firewall policy:

  1. Configure Source and Destination Zones: Specify the rule's scope by selecting the source and destination zones. Optionally, refine criteria for matching traffic using:
    • Any, Device, Network, IP or MAC
    • Port (Any, Specific or Object)
    • App, Domain ("Web") or Region
  2. Select Your Action: Choose how the policy will handle matching traffic:
    1. Allow: Permit the traffic.
      1. Auto Allow Return Traffic: Creates an additional built-in firewall policy to allow the return traffic from the destination to the source zone. This is not required if return traffic is already allowed via another policy.
    2. Block: Silently drop traffic.
    3. Reject: Block traffic and notify the sender.
  3. Specify Restrictions (Optional): Customize the policy further by selecting:
    • IP Version: Match IPv4, IPv6, or both.
    • Protocol: Target TCP, UDP, or other protocols like ICMP.
    • Connection State: Match established, invalid, or new connections.
  4. Enable Syslog Logging (Optional): Send traffic flow data to a remote SIEM server by enabling syslog logging. Configure your SIEM server in the Integrations section.
  5. Set a Custom Schedule (Optional): Define when the policy will be active, such as during work hours or weekends.
  6. Place the Rule: By default, your custom rule takes precedence over built-in rules but follows other custom rules. Use the "Reorder" option to adjust this hierarchy if needed.

Built-in Firewall Policies

Built-in Firewall policies can be identified via the lock icon. Although these cannot be modified or removed, you can add new policies that overrule them by placing them higher in the table.

Default policies are created as follows:

Gateway to External

The built-in firewall policies applied to these zone pairings are:

  • Allow All Traffic - Allows all traffic.

Other Zones to External

The built-in firewall policies applied to these zone pairings are:

  • Block Invalid Traffic - Blocks traffic with an invalid firewall connection state.
  • Allow All Traffic - Allows all traffic.

External to Other Zones

The built-in firewall policies applied to these zone pairings are:

  • Allow Return Traffic - Allows traffic from the internet that is a reply to traffic sent by devices. This is done by matching the established and related firewall connection states.
  • Block Invalid Traffic - Blocks traffic with an invalid firewall connection state.
  • Block All Traffic - Blocks all traffic.

In addition to these policies, others will be created depending on which options are configured on the UniFi Gateway. For example, additional policies are added when using IPTV Streaming, Port Forwarding, or setting up a VPN server.

Important Considerations for Zone-Based Firewall Management

  • Removing Custom Zones: Deleting a custom zone will also delete all associated firewall policies. Use caution when a policy spans multiple zones.
  • Blocking Traffic to the Gateway Zone: Blocking traffic to the gateway zone may disrupt critical network functions like DHCP and DNS. Always double-check configurations when blocking gateway traffic.
  • Blocking All Traffic Between Zones: To block all traffic between zones while allowing specific access, create an allow policy for the desired traffic (e.g., to a storage server's IP) before adding a block policy to deny everything else.
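To make the behaviour described above concrete, here is an added Python model (not UniFi's code) of how a flow is decided: each policy applies to one source-to-destination direction, custom policies sit above built-in ones and the first match wins, and the built-in return-traffic rule admits established and related connections; it also flags a policy that is shadowed by a broader policy placed above it, the ordering pitfall in the last consideration. The zone names and built-in policies come from this article; the IP addresses, ports and the storage-server policy are constructed for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
ALL_STATES = ("new", "established", "related", "invalid")
Flow = namedtuple("Flow", "src_zone dst_zone dst_ip dst_port state", defaults=["new"])

@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    action: str                     # "allow", "block" or "reject"
    dst_ip: Optional[str] = None    # host or CIDR; None matches any address
    dst_port: Optional[int] = None  # None matches any port
    states: tuple = ALL_STATES      # connection states the policy matches
    name: str = ""

def matches(p: Policy, f: Flow) -> bool:
    return (p.src_zone == f.src_zone and p.dst_zone == f.dst_zone
            and f.state in p.states
            and (p.dst_ip is None
                 or ip_address(f.dst_ip) in ip_network(p.dst_ip, strict=False))
            and (p.dst_port is None or p.dst_port == f.dst_port))

def evaluate(custom, builtin, f: Flow) -> str:
    # Custom policies sit above built-in ones; the first match decides.
    hit = next((p for p in custom + builtin if matches(p, f)), None)
    return hit.action if hit else "allow"  # no policy: the cell is Allow All

def shadowed(policies):
    # Names of policies that can never match: an earlier policy for the same
    # direction matches any address and port and at least the same states.
    return [later.name for i, later in enumerate(policies)
            if any((e.src_zone, e.dst_zone) == (later.src_zone, later.dst_zone)
                   and e.dst_ip is None and e.dst_port is None
                   and set(later.states) <= set(e.states) for e in policies[:i])]

# Built-in policies as listed above (External -> Internal: return, invalid, block all; Hotspot -> Internal: return, block all).
BUILTIN = [
    Policy("External", "Internal", "allow", states=("established", "related"), name="return"),
    Policy("External", "Internal", "block", states=("invalid",), name="invalid"),
    Policy("External", "Internal", "block", name="block-all"),
    Policy("Hotspot", "Internal", "allow", states=("established", "related"), name="return"),
    Policy("Hotspot", "Internal", "block", name="block-all"),
]
# Constructed custom policy: hotspot clients may reach one storage server on 445.
CUSTOM = [Policy("Hotspot", "Internal", "allow", "10.0.10.5", 445, name="nas")]

def decide(src, dst, ip, port, state="new") -> str:
    return evaluate(CUSTOM, BUILTIN, Flow(src, dst, ip, port, state))
```

Placing the block-all policy above the allow policy makes `shadowed()` report the allow policy, which is exactly the misordering the consideration warns about.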