Migrating to Zone-Based Firewalls in UniFi
UniFi Network 9.0 introduces a zone-based approach to firewalling, designed to simplify policy management. By grouping interfaces like VLANs or WANs into zones, you can define rules more efficiently, improve traffic control, and enhance network segmentation with better policy visualization.
This article answers frequently asked questions specific to users who had custom firewall rules defined prior to migration. Users with new setups and users who have already performed the migration can click here to see how it works.
For users that have not yet migrated and are looking for information on our prior firewalling approach, click here.
Will there be downtime during migration?
No. The migration process takes just a few seconds, and traffic will continue to pass during the transition.
What happens during the migration?
Your existing rules will be mapped to the new zone-based framework, based on the table below. While this might result in multiple rules being generated, your firewall policies will be functionally identical.
| Ruleset | Source Zone | Destination Zone |
| --- | --- | --- |
| LAN_IN | Internal | Internal, Hotspot, External, VPN |
| LAN_OUT | Internal, Hotspot, External, VPN | Internal |
| LAN_LOCAL | Internal, VPN | Gateway |
| GUEST_IN | Hotspot | Internal, Hotspot, External, VPN |
| GUEST_OUT | Internal, Hotspot, External, VPN | Hotspot |
| GUEST_LOCAL | Hotspot | Gateway |
| WAN_IN | External | Internal, Hotspot, External, VPN |
| WAN_OUT | Internal, Hotspot, External, VPN | External |
| WAN_LOCAL | External | Gateway |
Why do I have so many rules after migration?
We took a conservative approach in order to ensure identical functionality before and after the migration. As a result, the migration may generate a variety of rules that are redundant or otherwise have no impact. After testing to see which rules are functional or not, you are welcome to remove any redundant rules.
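The following is an added example, not Ubiquiti code: it expands legacy rules into zone pairs using the table above and flags pairs where several legacy rules with the same match land together, which are the first candidates to test for redundancy. It assumes one policy is generated per source/destination zone pair; the rule field names and sample rules are constructed for illustration.

```python
from collections import defaultdict
from itertools import product

ANY = ("Internal", "Hotspot", "External", "VPN")

# Legacy ruleset -> (source zones, destination zones), copied from the table above.
RULESET_ZONES = {
    "LAN_IN": (("Internal",), ANY),
    "LAN_OUT": (ANY, ("Internal",)),
    "LAN_LOCAL": (("Internal", "VPN"), ("Gateway",)),
    "GUEST_IN": (("Hotspot",), ANY),
    "GUEST_OUT": (ANY, ("Hotspot",)),
    "GUEST_LOCAL": (("Hotspot",), ("Gateway",)),
    "WAN_IN": (("External",), ANY),
    "WAN_OUT": (ANY, ("External",)),
    "WAN_LOCAL": (("External",), ("Gateway",)),
}

def expand(rule):
    """Zone pairs one legacy rule covers (assumes one policy per pair)."""
    sources, destinations = RULESET_ZONES[rule["ruleset"]]
    return list(product(sources, destinations))

def review_candidates(rules):
    """Map (zone pair, match) -> (kind, rule names) where 2+ legacy rules overlap."""
    seen = defaultdict(list)
    for rule in rules:
        for pair in expand(rule):
            seen[(pair, rule["match"])].append(rule)
    report = {}
    for key, hits in seen.items():
        if len(hits) > 1:  # same action: duplicate; mixed actions: order decides
            kind = "duplicate" if len({r["action"] for r in hits}) == 1 else "conflict"
            report[key] = (kind, [r["name"] for r in hits])
    return report

# Constructed sample rules; field names are hypothetical, not a UniFi export format.
SAMPLE_RULES = [
    {"name": "Block IoT to LAN", "ruleset": "LAN_IN", "action": "drop",
     "match": "any 10.0.20.0/24 -> 10.0.10.0/24"},
    {"name": "Block IoT to LAN (out)", "ruleset": "LAN_OUT", "action": "drop",
     "match": "any 10.0.20.0/24 -> 10.0.10.0/24"},
    {"name": "Allow DNS to gateway", "ruleset": "LAN_LOCAL", "action": "accept",
     "match": "udp/53 any -> gateway"},
]

if __name__ == "__main__":
    for (pair, match), (kind, names) in review_candidates(SAMPLE_RULES).items():
        print(f"{pair[0]} -> {pair[1]} [{match}] {kind}: {', '.join(names)}")
```

A "conflict" result means the overlapping rules have different actions, so their order decides the outcome and neither should be removed without testing.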
How do I migrate my rules?
To migrate to Zone-Based Firewalls, navigate to Security > Traffic & Firewall Rules and click Upgrade.