UniFi Gateway - Suspicious Activity

Suspicious Activity is a feature found in the Security section of your UniFi Network Settings that allows you to detect and block potentially harmful traffic to all or select networks, as well as show notifications in the System Log section when the UniFi Gateway encounters anything suspicious. This feature may also be referred to as Intrusion Detection System and Intrusion Prevention System or IDS/IPS.

Requirements

Available Options

Suspicious Activity can be configured to:

  • Detect traffic and show a notification.
  • Detect and block traffic and show a notification.
  • Use different detection levels (Low, Medium, High) or a Custom sensitivity.
  • Select one or more networks that the feature is enabled on.
  • Configure IP addresses or subnets that should be excluded.

Testing

To test a detection, first set the Detection Sensitivity to High, and then open a terminal session or command prompt on a client device that is connected to the LAN behind the UniFi gateway. Run the below command on the client:

curl -A "BlackSun" http://www.example.com

Note: When testing, the client device should send traffic through the UniFi gateway in order to reach the internet. If a security detection is not shown, verify that the Detection Sensitivity is set to High and wait a few moments for the notification to be displayed in the System Log section. 

Privacy Guarantee

When Suspicious Activity is enabled, a token is generated for the gateway. The following information is sent over an encrypted connection whenever there is a signature match:

  • Timestamp
  • Interface
  • Source IP
  • Source port
  • Destination IP
  • Destination port
  • Protocol
  • Signature

The data is only temporarily stored until the UniFi Network application downloads the information. After the information is downloaded by the application, the data is deleted from our cloud except for the attacker's IP. The attacker IP information helps Ubiquiti maintain an up-to-date and effective attacker list for all Ubiquiti users around the world.

Ubiquiti will use this information to improve its products and services, including generating lists of IP Reputation, Malicious IP addresses, Threat Intelligence and creating blacklists and new signatures for Ubiquiti devices.

Frequently Asked Questions

1. I Got a Threat Detection. What Should I Do?

Depending on your Suspicious Activity settings, you may receive notifications regarding security detections discovered by UniFi. These notifications exist so that you can be sure your gateway is doing its job in protecting your network.

If you have been alerted to a threat, you probably don't have anything to worry about. Security detections are typically harmless, and a result of settings you have already enabled.

In the Suspicious Activity configuration, you can choose to either only Notify, or Notify and Block threats. If you select the latter, the block will last for 5 minutes. This ensures that false detections do not result in permanently blocking all traffic from a client device or website that is otherwise not harmful. 

For permanent blocks or to allow a signature, use the options available in the System Log section for a threat entry:

  • Block This Connection - Block traffic between the source and destination IP addresses.
  • Block This IP - Completely block incoming and outgoing traffic from the source IP address.
  • Allow This Threat Signature - Allow this signature so that security detections are no longer generated for it. Use this for false positives.
  • Allow This IP - Allow this source IP so that security detections are no longer generated for it. Use this for false positives.

2. How Can I Get Fewer Notifications?

There are four Detection Sensitivity levels that control what categories (types of traffic) are detected and blocked. If the sensitivity is set to High, more notifications will be shown.

If you are forwarding ports to a client device on the LAN, it can also lead to more notifications as the UniFi gateway is inspecting the traffic from devices on the internet that are trying to access the forwarded port. We recommend only forwarding ports when necessary.  

3. How long is traffic blocked when using Notify and Block?

The block duration is 5 minutes. This ensures that false detections do not result in permanently blocking all traffic from a client device or website that is otherwise not harmful. 

For permanent blocks or to allow a signature, use the options available in the System Log section for a threat entry.
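As an added illustration (not Ubiquiti's code and not the gateway's real signature set), the following Python models the behaviour described in the Testing section, the Privacy Guarantee list and FAQ 3: a User-Agent signature matched against the curl test request, the eight reported fields recorded on a match, a 5-minute temporary block that lifts itself, and the Allow This Threat Signature / Allow This IP exceptions. The rule name, IP addresses and timestamps are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical one-rule signature table modelled on the article's "BlackSun" test (constructed).
SIGNATURES = {"TEST-UA-BlackSun": re.compile(rb"User-Agent:\s*BlackSun\b", re.I)}
BLOCK_DURATION = timedelta(minutes=5)  # temporary block length stated in the FAQ

@dataclass
class Ips:
    block: bool = True                                    # Notify and Block (True) or Notify only
    allowed_signatures: set = field(default_factory=set)  # "Allow This Threat Signature"
    allowed_ips: set = field(default_factory=set)         # "Allow This IP"
    blocked_until: dict = field(default_factory=dict)     # src_ip -> time the temporary block ends
    events: list = field(default_factory=list)            # what would be reported on a match

    def inspect(self, now, interface, src, dst, protocol, payload):
        """Return 'block', 'alert' or 'allow' for one packet; record an event on a signature match."""
        src_ip, src_port = src
        dst_ip, dst_port = dst
        if self.blocked_until.get(src_ip, now) > now:     # source still inside its 5-minute block
            return "block"
        self.blocked_until.pop(src_ip, None)              # an expired block is lifted automatically
        if src_ip in self.allowed_ips:
            return "allow"
        for name, pattern in SIGNATURES.items():
            if name in self.allowed_signatures or not pattern.search(payload):
                continue
            self.events.append(dict(timestamp=now, interface=interface, src_ip=src_ip,  # the eight
                                    src_port=src_port, dst_ip=dst_ip, dst_port=dst_port,  # fields the
                                    protocol=protocol, signature=name))                  # article lists
            if self.block:
                self.blocked_until[src_ip] = now + BLOCK_DURATION
                return "block"
            return "alert"
        return "allow"

# Constructed sample traffic: the curl test as seen on the wire, then a benign request (doc-range IPs).
CLIENT, SERVER = ("192.0.2.10", 51234), ("198.51.100.5", 80)
TEST_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: BlackSun\r\n\r\n"
BENIGN_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/8.0\r\n\r\n"

def run_scenario(block=True):
    """Replay: test request, benign request during the block, benign request after expiry."""
    ips = Ips(block=block)
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    verdicts = [ips.inspect(t0, "br0", CLIENT, SERVER, "TCP", TEST_REQUEST),
                ips.inspect(t0 + timedelta(minutes=4), "br0", CLIENT, SERVER, "TCP", BENIGN_REQUEST),
                ips.inspect(t0 + timedelta(minutes=6), "br0", CLIENT, SERVER, "TCP", BENIGN_REQUEST)]
    return verdicts, ips.events
```

With Notify and Block the benign request four minutes later is still dropped and the one after six minutes passes; with Notify only the test request is just logged.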

4. Does enabling Suspicious Activity affect the performance or speed?

Suspicious Activity can potentially reduce the speed or performance. The maximum number of networks that the feature can be enabled on is limited depending on which UniFi Gateway model is used.

  • UDR / UDM - 10 Networks
  • UDM-Pro / UDM-SE / UXG-Pro / UDW - 20 Networks