UniFi Gateway - Intrusion Prevention and Detections (IPS/IDS)

Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) are critical components in enhancing network security. These systems serve as a frontline defense, identifying and mitigating threats before they can cause harm.

What Are IPS and IDS?

  • Intrusion Detection System (IDS): Monitors network traffic for suspicious activity and alerts administrators.
  • Intrusion Prevention System (IPS): Similar to IDS but also takes proactive steps to block detected threats.

Why Are IPS and IDS Important?

  • Threat Detection & Prevention: Identifies malicious traffic, preventing potential damage. Real-time signature updates ensure you are protected against new and evolving threats.
  • Continuous Monitoring & Analytics: Provides detailed logs of security events to better understand network trends.
  • Compliance: Helps meet security standards and regulatory requirements (PCI-DSS, HIPAA, etc).

IPS/IDS & Threat Signatures

IPS and IDS work by scanning network traffic for patterns, known as signatures, that indicate known threats. Deep Packet Inspection (DPI) is used to thoroughly examine the contents of data packets at various layers of network communication:

  • Layer 3 (Network Layer): IP addresses
  • Layer 4 (Transport Layer): Ports and protocols
  • Layer 7 (Application Layer): Application payloads

A signature’s matching characteristic may consist of various elements from one or multiple layers, either within a single packet, or multiple packets throughout a communication session. For example, a given signature might look for multiple packets of a specified size being sent from a particular IP address over a specific port. 

UniFi has thousands of signatures, each grouped into distinct threat categories so you can flexibly configure your network to best meet your organizational goals.

Configuring IPS/IDS

To configure IPS/IDS, follow these steps:

  1. Navigate to Network Settings > Security > Intrusion Prevention.
  2. Select the networks you wish to apply IPS/IDS to
  3. Choose Configuration Mode:
    • Auto Mode (Default):
      • Mode: Notify (IDS)
      • Detection Sensitivity: Medium
      • Dark Web Blocker: Enabled (Blocks Tor traffic)
      • Block Known Malicious IPs: Enabled (Reputation-Based IP Filtering)
    • Manual Mode: For detailed adjustments.
      • Detection Sensitivity: Select Low, Medium, High, or Custom.
        • Low: Fewer alerts, less resource usage, fewer detected threats.
        • Medium: Balanced alerts, resource usage, good threat coverage.
        • High: More alerts, higher resource usage, detects more threats.
        • Custom: Configure specific threat categories and signatures.
      • Dark Web Blocker: Enable to block Tor traffic.
      • Reputation-Based IP Filter: Enable to block known malicious IPs.
      • Security Detection Allow List: Add sites to bypass security blocks.

Testing IPS/IDS

To test IPS/IDS, follow these steps:

  1. Set Detection Sensitivity to High
    • Note: This is needed to enable the “Trojan” threat category associated with the test signature.
  2. Open a terminal or command prompt on a client connected to the UniFi network.
  3. Run the following test command:
    curl -A "BlackSun" http://www.example.com.
  4. Check System Log > Security Detection for the alert.
    Note: The alert may take a moment before appearing.

Responding to a Detection

When a threat is detected, both IPS and IDS will generate email and mobile push alerts. However, IPS will also block the detected threats automatically.

  1. View Detections:
    1. Check detections in the System Log located at System Log > Security Detection or the Inspection tab located at Insights > Inspection.
  2. Recognize Important Alert Details:
    1. Identify the affected client, threat source IP, protocol, signature, threat category, date/time, and any other relevant information or descriptions.
  3. Verify the Threat Details:
    1. Research the Threat Signature: Look for analyses from cybersecurity researchers, or other reputable cybersecurity databases and forums for more detailed information and community insights about the threat.
    2. Determine Expected Traffic: Based on who/what the IP address belongs to, determine if this is expected traffic, and thus likely false positive. Note: Media and gaming traffic are common contributors to false positives
    3. Check the Affected Client: Check the affected client to see if there are obvious signs of it being compromised, such as slowness, lack of responsiveness, or unwanted pop-ups.
    4. Confirm OS Relevance: If the signature is associated with a particular operating system (OS), confirm if your device runs that OS. If not, it's likely a false positive.
  4. Respond Accordingly:
    1. Block Connection: Blocks the connection between the specific source and destination by automatically generating a Firewall Rule.
    2. Block Source IP: Blocks all traffic from the source of the threat by automatically generating a Firewall Rule.
    3. Allow Signature: Prevents the associated signature from triggering IPS/IDS by adding it to the Signature Suppression table located in Settings > Security > Intrusion Prevention
    4. Exclude Source IP: Prevents the source IP from triggering IPS/IDS by adding it to the Security Detection Allow List located in Settings > Security > Intrusion Prevention.


Does UniFi have real-time signature updates?

Threats evolve and patterns change, but UniFi’s IPS/IDS solutions stay ahead by regularly updating our threat signature databases. This ensures your network is protected from even the latest threats.

Does enabling Intrusion Prevention affect speed or performance?

Enabling this increases CPU and memory utilization. As a result, we set limits on the quantity of networks it can be simultaneously applied to.

Since traffic is being actively inspected, maximum routing performance may be reduced. See techspecs.ui.com for more information.

Is my information private?

Yes, UniFi ensures that your information is kept private and secure. The only data retained is that of the attacker's IP address to ensure our threat database remains up-to-date.

Note: When security detections are triggered, certain metadata including timestamps, IP addresses, ports, protocols and signatures temporarily pass through an encrypted communication channel with our cloud before it is ultimately deleted.

Was this article helpful?
2571 out of 3754 found this helpful