How To Configure Unifi Controller 7.0.22 UDM-PRO Security Settings

In this tutorial you will learn how to configure your Unifi Controller 7.0.22 Network Security Settings so you can properly secure your networks. In this tutorial I will be utilizing a Unifi UDM-Pro on controller version 7.0.22.

Key Knowledge

GeoIP Filtering is a technology that can block web traffic from entire countries, can be an effective way to stop hackers from attacking your business. As the name suggests, it blocks network connections based on geographic location – information it gets based on IP addresses. This can then be used to filter and prevent both outgoing and incoming connections to and from your network.
An Intrusion Prevention System (IPS) is a type of engine that identifies malicious traffic by checking the signatures. The signatures contain known traffic patterns or instruction sequences used by malware. This type of signature-based engine can only detect anomalies based on known malicious traffic patterns.
An Intrusion Detection System (IDS) is a network security technology originally built for detecting vulnerability exploits against a target application or computer. IDS only listens for issues and alerts you and does not take preventative action.
Deep packet inspection (DPI) is a type of data processing that inspects in detail the data being sent over a computer network, and may take actions such as alerting, blocking, re-routing, or logging it accordingly. Deep packet inspection is often used to baseline application behavior, analyze network usage, troubleshoot network performance, ensure that data is in the correct format, check for malicious code, eavesdropping, and internet censorship, among other purposes.
Unifi Endpoint Scanner, this application will scan your network and document your devices Operating System version, IP addresses and opened ports. This provides you with a visibility into system ports that should not be opened throughout your environment.
Honeypot. This honeypot system intended to mimic likely targets of cyberattacks. It can be used to detect attacks or deflect them from a legitimate target. It can also be used to gain information about how cybercriminals operating within your network.
DNS Filtering is an engine that will block malicious websites and keep company data secure. DNS filters ensure that employees don’t access inappropriate content or get viruses from visiting malicious sites. This is often part of a larger access control strategy.
Device Isolation is an option that is best used in networks for Guests and IOT devices, this blocks communication between clients on the same local network.

Let’s Get Started

We will be configuring everything within the Unifi UDM-Pro that you have learned from the Key Knowledge above.

Make sure your Unifi Firewall and Unifi Controller is fully updated. (Unifi Controller version when this tutorial was created 7.0.22 )

Log into your Unifi Controller.
Click on Settings > Firewall & Security.
The first security setting we will be configuring is Country Restrictions. Click the radio button Block. Click the radio button Both directions. Now click on the dropdown and select the countries you wish to block.
Next, we will configure either IDS or IPS. IPS is the way to go.
Deep Packet Inspection or in Unifi’s case System Sensitivity, crank it up to high. We will also want to enable Dark Web Blocker and Malicious Website Blocker.
Scroll down a few until you locate Internal Honeypot. Check Enable and afterwards click Create Honeypot. You may want to apply a static IP address outside of the DHCP scope so there are no conflicts.
Now we can move forward with DNS Filtering. Click on Settings > Networks.
Locate and click on the network you wish to apply DNS Filtering to.
Scroll down to Advanced Configuration and click Manual. Here you have the option to select Work or Family. Click on the radio button that pertains to your environments needs.
Now for client device isolation, this will be best used for Wi-Fi guest networks or IOT networks. Click on Settings > WiFi. Now click on the SSID you wish to enable device isolation on.
Scroll down until you locate Client Device Isolation and click the check box. Afterwards click the Apply Changes button.