UniFi gateways provide a range of options for improving your network’s security. In this article we will discuss Threat Management which allows you to detect and block potentially harmful traffic from your system based on pre-configured threat “signatures”.
Check out our Traffic Rules article for more information on Content and DNS filtering, as well as configuring internet permissions for certain devices on your network.
Configuring Threat Management
Threat Management is enabled in the Settings > Firewall & Security section of the UniFi Network Application. You must select one of two options:
- Detect Only (IDS): You will be notified of any potential threats, but the traffic will continue unless you manually select to block it.
- Detect and Block (IPS): Detected threats will result in the threat source being blocked for 300 seconds. This ensures that false detections do not result in permanently blocking all traffic from a website that is otherwise not harmful. You will have the ability to select if you wish to permanently block the threats, or whitelist them as harmless.
Once enabled, select a Sensitivity. These sensitivities are based on Threat Categories, each of which contains a list of “Threat Signatures” to known threats belonging in each category. We recommend most users select from the list of pre-configured options.
Note: Enabling Threat Management will reduce throughput speeds.
Managing Detected Threats
Detected threats will be listed in the Traffic Inspector section of the UniFi Network Application. Clicking on a detected threat will enable you to configure how the threat is handled:
- Block: Block traffic between this threat's source and destination IP addresses.
- Isolate Device: Block incoming and outgoing internet traffic from this threat's source IP address.
- Allow from All IPs: This threat signature will no longer trigger threat detections. This will create an entry in the Signature Suppression table found in your Firewall & Security settings.
- Allow for This IP: This source IP address will no longer trigger threat detections. This will create an entry in the Threat Management Allow List table found in your Firewall & Security settings.
Testing & Verification
To test a detection, use a command line interface while connected to your UniFi gateway’s network.
curl -A "BlackSun" http://www.example.com
Expected alert result:
Threat Management Alert 1: A Network Trojan was Detected. Signature ET USER_AGENTS Suspicious User Agent (BlackSun). From: 192.168.1.172:55693, to:18.104.22.168:80, protocol: TCP
When Threat Management is enabled, a token is generated for the gateway. The following information is sent over a TLS 1.2 encrypted connection whenever there is a signature match: timestamp, interface, source IP, source port, destination IP, destination port, protocol, signature id.
The data is only temporarily stored until the UniFi Network application downloads the information. After the information is downloaded by the application, the data is deleted from our cloud except for the attacker IP. The attacker IP information helps Ubiquiti maintain an up-to-date and effective attacker list for all Ubiquiti users around the world.
Ubiquiti will use the alert information to improve its products and services, including generating lists of IP Reputation, Malicious IP addresses, Threat Intelligence and creating blacklists and new signatures for Ubiquiti devices. A sanitized version of IP addresses (Ex: 200.200.x.x) can also be displayed on Ubiquiti Public Threat Map to help give visibility to malicious traffic.