Suspicious Activity is a feature found in the Application Firewall section of your UniFi Network Application that detects, and optionally blocks, potentially harmful traffic passing through your network, and shows a notification in the System Log section whenever the UniFi Gateway encounters anything suspicious. The feature is also referred to as an Intrusion Detection System / Intrusion Prevention System (IDS/IPS).
Suspicious Activity can be configured to:
- Only detect traffic and show a notification.
- Detect and block traffic and show a notification.
- Use different detection levels (Low, Medium, High) or Custom categories.
I Got a Threat Detection. What Should I Do?
Depending on your Suspicious Activity settings, you may receive notifications regarding security detections discovered by UniFi. These notifications exist so that you can be sure your gateway is doing its job in protecting your network.
If you have been alerted to a threat, you usually don't have anything to worry about. Most detections are either false positives (benign traffic that happens to resemble a signature) or threats the gateway has already handled according to the settings you enabled. Before allowing a signature or an IP, open the System Log entry and confirm that the source, destination and signature make sense for that client; allowing a signature suppresses it for every client on the network.
In the Suspicious Activity configuration, you can choose to either only Detect, or Detect and Block threats. If you select the latter, the block will last for 5 minutes. This ensures that false detections do not result in permanently blocking all traffic from a client device or website that is otherwise not harmful.
For permanent blocks or to allow a signature, use the options available in the System Log section for a threat entry:
- Block This Connection - Block traffic between the source and destination IP addresses.
- Block This IP - Completely block incoming and outgoing traffic from the source IP address.
- Allow This Threat Signature - Allow this signature so that security detections are no longer generated for it. Use this for false positives.
- Allow This IP - Allow this source IP so that security detections are no longer generated for it. Use this for false positives.
How Can I Get Fewer Notifications?
There are four Sensitivity levels (Low, Medium, High and Custom) that control which categories (types of traffic) are detected and blocked. The higher the sensitivity, the more categories are enabled and the more notifications you will see.
If you forward ports to a client device on the LAN, you may also see more notifications, because the UniFi gateway inspects the traffic from internet hosts that probe the forwarded port. We recommend forwarding ports only when necessary.
To test a detection, first set the Sensitivity to High, and then open a terminal session / command prompt on a client device that is connected to the LAN behind the UniFi gateway. Run the following command on the client:
curl -A "BlackSun" http://www.example.com
Note: When testing, the client device must reach the internet through the UniFi gateway (not through a VPN tunnel or another router), and the request must use plain HTTP as shown: over HTTPS the User-Agent header is inside the encrypted TLS stream, so the gateway has nothing to match. If a security detection is not shown, verify that the Sensitivity is set to High and wait a few moments for the notification to be displayed in the System Log section.
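The following toy model ties together the behaviour described above: Detect only versus Detect and Block, the 5-minute temporary block that lets false positives self-heal, the permanent Block / Allow options offered from a System Log entry, the four-tuple recorded on each signature match, and why the curl test only works over plain HTTP. It is an added example written for this article, not UniFi code: the `Flow` record, the `SuspiciousActivity` class, the signature names and patterns, the sample requests and the addresses (RFC 5737 documentation ranges) are all constructed for illustration, and the assumption that the temporary block applies to all traffic from the matching source IP is ours.

```python
"""Toy model of the Suspicious Activity (IDS/IPS) decisions described in this
article.  Added example, not UniFi code: the Flow record, the policy API, the
signature names/patterns and the sample traffic are hypothetical.  Scope of the
temporary block (all traffic from the source IP) is an assumption."""
import re
from dataclasses import dataclass

BLOCK_SECONDS = 300  # a Detect and Block hit blocks for 5 minutes, then expires


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes      # application data as the gateway sees it on the wire
    tls: bool = False   # True: payload is ciphertext, so there is nothing to match


# Hypothetical signatures.  The first is modelled on the user-agent check that
# the `curl -A "BlackSun"` test trips; the second is invented for contrast.
SIGNATURES = {
    "USER_AGENTS Suspicious User-Agent (BlackSun)":
        re.compile(rb"^User-Agent:.*BlackSun", re.I | re.M),
    "SCAN Nikto User-Agent":
        re.compile(rb"^User-Agent:.*Nikto", re.I | re.M),
}


class SuspiciousActivity:
    def __init__(self, block: bool):
        self.block = block          # False = Detect only, True = Detect and Block
        self.temp_blocks = {}       # src_ip -> time the 5-minute block expires
        self.blocked_ips = set()    # "Block This IP"
        self.blocked_pairs = set()  # "Block This Connection": (src_ip, dst_ip)
        self.allowed_sigs = set()   # "Allow This Threat Signature"
        self.allowed_ips = set()    # "Allow This IP"
        self.system_log = []        # one entry per signature match

    def inspect(self, flow: Flow, now: float) -> str:
        """Return 'allowed', 'detected' (logged, traffic passes) or 'blocked'."""
        # Permanent blocks set from a System Log entry win over everything.
        if flow.src_ip in self.blocked_ips or flow.dst_ip in self.blocked_ips:
            return "blocked"
        if ((flow.src_ip, flow.dst_ip) in self.blocked_pairs
                or (flow.dst_ip, flow.src_ip) in self.blocked_pairs):
            return "blocked"
        # A temporary block covers all traffic from the source until it expires.
        expiry = self.temp_blocks.get(flow.src_ip)
        if expiry is not None:
            if now < expiry:
                return "blocked"
            del self.temp_blocks[flow.src_ip]  # expired: a false positive self-heals
        # Encrypted payloads cannot be inspected; allowed IPs generate no detections.
        if flow.tls or flow.src_ip in self.allowed_ips:
            return "allowed"
        for name, pattern in SIGNATURES.items():
            if name in self.allowed_sigs or not pattern.search(flow.payload):
                continue
            self.system_log.append({           # the data recorded on a match
                "src_ip": flow.src_ip, "src_port": flow.src_port,
                "dst_ip": flow.dst_ip, "dst_port": flow.dst_port,
                "signature": name, "time": now,
            })
            if self.block:
                self.temp_blocks[flow.src_ip] = now + BLOCK_SECONDS
                return "blocked"
            return "detected"
        return "allowed"


# Constructed sample traffic: the request the curl test generates, a normal
# browser request from the same client, and the BlackSun request over TLS.
BLACKSUN = Flow("192.168.1.50", 51234, "203.0.113.10", 80,
                b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: BlackSun\r\n\r\n")
BENIGN = Flow("192.168.1.50", 51235, "203.0.113.10", 80,
              b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
BLACKSUN_TLS = Flow("192.168.1.50", 51236, "203.0.113.10", 443,
                    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1", tls=True)


def run_scenario():
    """Walk through the article's cases in Detect and Block mode."""
    ips = SuspiciousActivity(block=True)
    verdicts = [
        ips.inspect(BLACKSUN, now=0),        # match: blocked, 5-minute block starts
        ips.inspect(BENIGN, now=60),         # same client, still inside the window
        ips.inspect(BENIGN, now=301),        # window expired, traffic flows again
        ips.inspect(BLACKSUN_TLS, now=302),  # User-Agent is inside TLS: no match
    ]
    # "Allow This Threat Signature" for a false positive: no further detections.
    ips.allowed_sigs.add("USER_AGENTS Suspicious User-Agent (BlackSun)")
    verdicts.append(ips.inspect(BLACKSUN, now=303))
    return verdicts, ips.system_log


if __name__ == "__main__":
    for verdict in run_scenario()[0]:
        print(verdict)
```

In Detect only mode the same BlackSun request returns `detected` and is still logged with the same four-tuple, but the client's next request passes; in Detect and Block mode the client is cut off for the 5-minute window and then recovers on its own, which is the behaviour the article relies on to keep false positives from becoming permanent outages.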
When Suspicious Activity is enabled, a token is generated for the gateway. The following information is sent over an encrypted connection whenever there is a signature match:
- Source IP
- Source port
- Destination IP
- Destination port
The data is only temporarily stored until the UniFi Network application downloads the information. After the information is downloaded by the application, the data is deleted from our cloud except for the attacker's IP. The attacker IP information helps Ubiquiti maintain an up-to-date and effective attacker list for all Ubiquiti users around the world.
Ubiquiti will use this information to improve its products and services, including generating lists of IP Reputation, Malicious IP addresses, Threat Intelligence and creating blacklists and new signatures for Ubiquiti devices.