UniFi Identity Enterprise - Add and Manage Behavior Rules
Add a Location Behavior Rule
A location behavior defines security policies based on changes in the user's geographical location during sign-in. For example, admins can configure the system to send a multi-factor authentication notification to the user when a sign-in attempt from a new country is detected but allows user access when the location change is at the city level.
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > Identity Firewall.
- In the Behavior Rule session, click Show More.
- Click + New Behavior.
- Specify the following:
- Behavior Name: Enter a name.
- Type: Select ”Location“.
- Location Granularity: Select a location granularity setting.
- Evaluate Against Past: Specify the number of successful past sign-in attempts that UniFi Identity Enterprise checks against the detected sign-in attempt. The default number of past sign-in attempts checked is set to 20. You can set the checked past sign-in attempts from 1 to 100 attempts.
- When you select the "New Geo-location" option, the Radius From Location field appears, and you need to define the radius parameter in kilometers.
- Click Add. The location behavior rule is added to the Behavior Rule list, and it can be selected to apply in the Policy.
Add an IP Behavior Rule
An IP behavior defines security policies based on changes in the user's IP address during the sign-in time. For example, admins can configure a policy that sends a multi-factor authentication notification to the user when a sign-in attempt is from a new IP address.
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > Identity Firewall.
- In the Behavior Rule session, click Show More.
- Click + Behavior.
- Specify the following:
- Behavior Name: Enter a name.
- Type: Select ”IP“.
- Evaluate Against Past: Specify the number of successful past sign-in attempts that UniFi Identity Enterprise checks against the detected sign-in attempt. The default number of past sign-in attempts checked is set to 20. You can set the checked past sign-in attempts from 1 to 100 sign-in attempts.
- Click Add. The IP behavior rule is added to the Behavior Rule list, and it can be selected to apply in the Policy.
Add a Device Behavior Rule
A device behavior defines policies based on changes in the user device during sign-in. For example, admins can configure a policy that sends a multi-factor authentication notification to the user when a sign-in attempt is from a new device.
Note: A new browser on the same device is considered a new device.
-
Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
-
Go to Security > Identity Firewall.
-
In the Behavior Rule session, click Show More.
-
Click + New Behavior.
-
Specify the following:
- Behavior Name: Enter a name.
- Type: Select "Device".
- Status: Select "Active".
- Evaluate Against Past: Specify the number of successful past sign-in attempts that UniFi Identity Enterprise checks against the detected sign-in attempt. The default number of past sign-in attempts checked is set to 20. You can set the past sign-in attempts from 1 to 100 sign-in attempts.
-
Click Add. The device behavior rule is added to the Behavior Rule list, and it can be selected to apply in the Policy.
Add a Velocity Behavior Rule
A velocity behavior defines security policies based on changes in the user's geographical locations from two subsequent sign-in attempts. Velocity is measured by comparing the current user authentication request time and location against a previous successful sign-in from the same user. Velocity indicates the possibility of a user traveling and signing in from two geolocations based on the sign-in time from the two locations.
- Admins can configure policies that send users authenticator requests when the velocity between two authentication requests is 3,000 kilometers per hour. This would be equivalent to a user signing in from New York and then trying to sign in from Los Angeles less than 1 hour later.
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > Identity Firewall.
- In the Behavior Rule session, click Show More.
- Click + Behavior.
- Specify the following:
- Behavior Name: Enter a name.
- Type: Select “Velocity“.
- Velocity: You can set the velocity from 10 to 5,000 km/h.
- Click Add. The velocity behavior rule is added to the Behavior Rule list, and it can be selected to apply in the Policy.
Add a One-Click VPN Behavior Rule
A One-Click VPN behavior rule defines security policies based on the user's One-Click VPN connection status, and you can set the buffer time condition before the system checks the One-Click VPN connection logs to determine if the user behavior matches the conditions outlined in the behavior rule.
For example, admins can configure policies to send a multi-factor authentication notification when a user attempts to authenticate but has not connected to the One-Click VPN in the past 30 minutes.
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > Identity Firewall.
- In the Behavior Rule session, click Show More.
- Click + New Behavior.
- Specify the following:
- Behavior Name: Enter a name.
- Type: Select “One-Click VPN“.
- Evaluate Against Past: Specify the buffer time for the user to establish a One-Click VPN connection before executing the One-Click VPN behavior rule. The default buffer time is 30 minutes. You can set the One-Click VPN connection buffer time from 1 minute to 4,320 minutes (or 1 hour to 72 hours).
- The One-Click VPN behavior is applied to the sign-on rule. So if you set the buffer time to 1 hour, the system will check if the user established a One-Click VPN connection within 1 hour during login. If the user establishes a One-Click VPN connection within the specified buffer time of 1 hour, the system will be able to match the configured One-Click VPN behavior rule.
- Click Add. The configured One-Click VPN behavior rule is added to the Behavior Rule list, and it can be selected to apply in the Policy.
Add a One-Click WiFi Behavior Rule
A One-Click WiFi behavior defines security policies based on the user's One-Click WiFi connection status, and you can set the buffer time before the system checks the One-Click WiFi connection signs to determine if the user behavior matches the conditions outlined in the behavior rule.
For example, admins can configure policies to send a multi-factor authentication notification when a user attempts to authenticate but has not connected to the One-Click WiFi in the past 30 minutes.
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > Identity Firewall.
- In the Behavior Rule session, click Show More.
- Click + New Behavior.
- Specify the following:
- Behavior Name: Enter a name.
- Type: Select “One-Click WiFi“.
- Evaluate Against Past: Specify the buffer time for the user to establish a One-Click WiFi connection before executing the One-Click WiFi behavior rule. The default buffer time is 30 minutes. You can set the One-Click WiFi connection buffer time from 1 minute to 4,320 minutes or 1 hour to 72 hours.
- The One-Click WiFi behavior is applied to the sign-on rule. So if you set the buffer time to 20 minutes, the system will check if the user established a One-Click WiFi connection within 20 minutes during sign-in. If the user establishes a One-Click WiFi connection within the specified buffer time of 20 minutes, the system will be able to match the configured One-Click WiFi behavior rule.
- Click Add. The configured One-Click WiFi behavior rule is added to the Behavior Rule list, and it can be selected to apply in the Policy.
Add a Door Access Behavior Rule
A Door Access behavior defines policies based on users' door access behaviors, and you can set the buffer time for the system to check the Door Access log to determine if the user behavior matches the conditions outlined in the behavior rule.
For example, admins can configure policies to send a multi-factor authentication notification when a user attempts to authenticate but has not unlocked the door in the past 30 minutes.
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > Identity Firewall.
- In the Behavior Rule session, click Show More.
- Click + New Behavior.
- Specify the following:
- Behavior Name: Enter a name.
- Type: Select Door Access.
- Sites: Select sites.
- User’s access direction is: You can select the door access direction as Entry or Exit.
- Evaluate Against Past: Specify the buffer time for the user to enter or exit a site door before executing the Door Access behavior rule. The default buffer time is 30 minutes. You can set the user door entry or exit buffer time from 1 minute to 4,320 minutes or 1 hour to 72 hours.
- The Door Access behavior is applied to the sign-on rule. So if you set the buffer time to 45 minutes, the system will check if the user entered the site door within 45 minutes during sign-in. If the user enters the site within 45 minutes, the system matches this Door Access rule with the sign-on rule.
- Click Add. The configured Door Access behavior rule is added to the Behavior Rule list, and it can be selected to apply in the Policy.
Manage Behavior Rules
If a behavior rule is enabled, the indicator before the rule will be green. If a behavior rule is disabled, the indicator before the rule will be gray.
The following behavior rules are generated by default and cannot be edited, disabled, or removed.
- New City
- New State
- New Country
- New Geo-Location
- New Device
- New IP
- Velocity
- Connect to One-Click WiFi within 30 minutes (require One-Click WiFi service to be enabled)
- Connect to One-Click VPN within 30 minutes (require One-Click VPN service to be enabled)
- Enter Office within 30 minutes (require Door Access service to be enabled)
To manage behavior rules:
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > Identity Firewall.
- In the Behavior Rule session, click Show More > Manage.
- Select a behavior rule, and click Enable, Disable, or Remove.