Skip to main content
UniFi - UXG IDS/IPS Setup

Learn how to configure IDS/IPS on the UXG Lite and UXG Pro

Alex Lowe avatar
Written by Alex Lowe
Updated over a week ago

The UXG Lite and UXG Pro supports all the latest security features Ubiquiti has integrated into UniFi. These include:

  • Country Restrictions

  • Intrusion Prevention and Detection

  • Dark Web Blocker

  • Malicious Website Blocker

  • Internal Honeypot

NOTE: The older USG models have some major throughput restrictions when IDS or IPS is enabled. For example, the USG-3P has a maximum of 75mbps when threat management is enabled. If you want to use IDS or IPS, we would recommend getting the newer UXG Pro as it can handle it much better.

The UXG Pro has throughput performance similar, if not the same as the UDM Pro which has a maximum throughput of 3.5Gbps with IDS/IPS enabled.

How to enable Intrusion Prevention and Detection

First, log into UniFi and go to 'Settings'

Next, go to the 'Firewall & Security' section

Here, we have the option to enable IPS and IDS. Ubiquiti has changed the naming recently.

'Detect only' is IDS and will only show you and alert you what security threats there are, but it won't block them.

'Detect and block' is IPS and will detect and alert you what security threats there are and it'll stop them from entering your network. This does use more system resources however.

Once enabled, we have the option to enable the Dark Web Blocker and the Malicious Website Blocker (UniFi real-time database)

To edit the categories that the UXG Pro will work on detecting and blocking, click on 'Edit threat categories'

You'll then have a list of categories to choose from. This screenshot is from UniFi with a UXG Pro attached, it might look different using a USG, UDM or UDR for example.

Testing & Verification

To test a detection, use a command line interface while connected to your UniFi gateway’s network.

Input:

curl -A "BlackSun" www.example.com

Expected alert result:

Threat Management Alert 1: A Network Trojan was Detected. Signature ET USER_AGENTS Suspicious User Agent (BlackSun). From: 192.168.1.172:55693, to:172.217.4.196:80, protocol: TCP

If the above happens, then the IDS/IPS system is working as intended.

HostiFi

HostiFi provides hosting for both Ubiquiti and TP-Link software-defined-networking (SDN) applications, with servers for UniFi, UISP and Omada. We also offer professional networking consulting, with HostiFi Pro.

If you run into any issues, send an email to support@hostifi.com or contact us via live chat.

Did this answer your question?