How To: Ubiquiti UniFi Security Gateway Pro 4 & Intrusion Prevention (IPS) Updated

Introduction

The focus of this article is the upgrade of our Ubiquiti UniFi security gateway from the entry-level model, the USG, to the mid-level model, the USG Pro 4. Because our primary reason for upgrading was to enable UniFi’s new intrusion prevention system, that is also covered in detail below. This is the fourth of my articles covering our family’s experiences with Ubiquiti’s UniFi product line, including the security gateway, controller, switches, and WiFi access points, in a home environment. See part 1, part 2, and part 3.

Our UniFi Home Network… One Year Later

Before: our original deployment included a single UniFi Switch 24 aggregator switch, the entry-level USG, the original Cloud Key hardware controller, and three UAP‑HD access points. I would still recommend these devices as a starter kit for those who want to deploy UniFi in a residential setting, substituting the UniFi nanoHD access points if cost is an issue.

Original Unifi System. Credit Michael Connelly.

After: a year later, we have significantly expanded and upgraded our Ubiquiti Unifi home network:

  • we upgraded our entry-level USG to the USG Pro 4,
  • we swapped the three UAP‑HD with five nanoHD access points,
  • we upgraded our Cloud Key to the Cloud Key Gen 2 including the rack-mount adapter,
  • we complemented our aggregator UniFi Switch 24 with a 16 POE-150W switch so that we can support current and future PoE devices like the Cloud Key Gen 2, UniFi WiFi APs, and UniFi Protect video cameras,
  • we replaced five legacy unmanaged switches in our network with six 8 POE-60W managed switches, and
  • we deployed Unifi Protect with nine cameras (G3 Flex).

So now, all of our networking, WiFi devices, and security cameras are from Ubiquiti, centrally managed by the UniFi SDN and Protect controllers.

With all this new equipment, we also installed an additional 7U rack, for a total of 11U of rack space in our data closet.[1] We also replaced our legacy Ethernet cables with CAT-6 Ultra Thin Ethernet cables, which enable gigabit speeds while conserving space in our data closet cable runs.

Credit Michael Connelly.

Comparing the USG & USG Pro 4 Hardware

When we first purchased Ubiquiti networking gear, the USG was an ideal firewall for our home network. It has a small form factor and a fan-less design. About my only complaint was that it was too underpowered to run an Internet speed test on the security gateway, as distinct from an Ethernet-wired client. At the time, the USG Pro 4 seemed overkill for our home network and the XG gateway hadn’t been released.

Comparison of USG Models. Credit Ubiquiti.

Later in 2018, Ubiquiti introduced IDS and IPS functionality that requires heavier processing by the security gateway’s CPU, because IPS is not hardware accelerated. This made the USG Pro 4’s 2x faster CPU and 4x greater memory more attractive. The USG Pro 4’s rack-mount design also made more sense as I rebuilt my data closet.

My complaints are:

  1. as noted by many other consumers, there is persistent, loud, high-pitched fan noise. Even though our switching gear is in a closed data closet, I can hear the USG Pro 4’s fans upstairs in my study.
    • the best way to fix this is to swap the two OEM fans for Noctua NF-A4x20 PWM Premium-Quality Quiet 40mm fans, as shown in this video.
    • it’s a shame that consumers need to spend the time and money (~$30) to fix the issue, particularly since it has been a known issue for some time!
    • but the result is a dead-quiet USG Pro 4 that also runs 5 °C cooler on every measurement.
  2. as described below, even the USG Pro 4 cannot make full use of a symmetrical gigabit Internet connection with both IPS and DPI enabled (even before enabling QoS).
    • A newer CPU is likely needed in the USG for optimized IDS/IPS functionality.
    • In the interim, I would suggest that Ubiquiti run the speed test on the Cloud Key Gen 2 Plus rather than on the USG.
  3. the blue LED indicator is offset several millimeters to the left relative to every other rack-mounted Ubiquiti appliance (see photo).

Replacement fans for the USG Pro 4. Credit Michael Connelly.

Intrusion Detection & Prevention

The purpose of an Intrusion Prevention System (IPS) is to detect, alert on, and then block potentially malicious IP traffic, based either on a known signature of a network intrusion or attack or on a statistical anomaly. A firewall evaluates packet headers and rejects packets based on protocol type, source address, destination address, source port, and/or destination port. An IPS analyzes the whole packet (header and payload), looking for known events; when a known event is detected, the packet is rejected. Early IPSs registered the signatures of known worms. Today, an IPS can recognize and block malicious application-level attacks as well as attacks at other layers of the OSI model.[2]

Additionally, some IPSs are anomaly-based: they look for statistical deviations from a baseline of IP traffic. For example, a server might generate more traffic than usual, or a new host might appear on the network.
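The two anomaly cases just mentioned (a host sending far more than its usual volume, and a host never seen before) can be reduced to a small baseline-and-threshold check. The following is an added example, not code from the article or from Ubiquiti/Suricata: it assumes flow summaries of the form (host, bytes per interval), builds a per-host mean and standard deviation from a training window, and flags hosts that exceed mean + K·stddev or that are absent from the baseline. The hosts and byte counts are constructed sample values.

```python
"""Anomaly-based detection over constructed per-host traffic volumes.

Added example (not from the article). Assumptions: one byte count per host
per interval; the baseline is the mean and population standard deviation of
a host's counts over a training window; a host is anomalous when its current
count exceeds mean + k*stddev, or when it has no baseline at all (new host).
"""
from statistics import mean, pstdev

# Constructed baseline window: six intervals of per-host byte counts (hypothetical).
BASELINE_WINDOW = {
    "10.0.1.10": [12_000, 11_500, 13_100, 12_400, 11_900, 12_800],        # workstation
    "10.0.1.20": [800_000, 820_000, 790_000, 810_000, 805_000, 815_000],  # NAS
    "10.0.1.30": [2_000, 2_100, 1_900, 2_050, 2_000, 1_950],              # printer
}

# Constructed "current interval" observation, including a host absent from the baseline.
CURRENT_INTERVAL = {
    "10.0.1.10": 12_600,     # within its normal range
    "10.0.1.20": 2_400_000,  # roughly 3x the NAS's usual volume
    "10.0.1.30": 2_020,      # within its normal range
    "10.0.1.99": 50_000,     # never seen during the baseline window
}


def build_baseline(window):
    """Return {host: (mean_bytes, stddev_bytes)} from the training window."""
    return {host: (mean(counts), pstdev(counts)) for host, counts in window.items()}


def detect_anomalies(baseline, current, k=3.0, min_spread=1_000):
    """Return a list of (host, reason) for hosts that deviate from the baseline.

    min_spread is a floor on the standard deviation so that a host with an
    almost perfectly steady baseline does not alarm on trivial variation.
    """
    findings = []
    for host, observed in current.items():
        if host not in baseline:
            findings.append((host, "new host"))
            continue
        mu, sigma = baseline[host]
        threshold = mu + k * max(sigma, min_spread)
        if observed > threshold:
            findings.append((host, f"volume {observed} exceeds threshold {threshold:.0f}"))
    return findings


if __name__ == "__main__":
    for host, reason in detect_anomalies(build_baseline(BASELINE_WINDOW), CURRENT_INTERVAL):
        print(f"ANOMALY {host}: {reason}")
```

In practice the baseline would be rebuilt continuously and the spread floor tuned per network; the point here is that an anomaly engine needs history to judge "more than usual", which a signature engine does not.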

There are different types of intrusion detection and prevention systems:

  • dedicated network-based hardware appliances,
  • virtualized network-based appliances, and
  • host-based applications.

Ubiquiti’s IDS/IPS runs within the Unifi security gateway to provide network-wide coverage.

At the heart of UniFi’s IDS/IPS functionality is the open source Suricata engine, sponsored by the Open Information Security Foundation. Suricata provides real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Suricata is compatible with Snort’s rules and signatures; both systems’ signature language matches known threats, policy violations and malicious behavior. Suricata can also do protocol anomaly detection.[3]
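To make concrete what a Snort/Suricata-style signature adds over a firewall rule (the header-versus-payload distinction from the section above), here is an added example that is not part of the article and is not Suricata’s or Ubiquiti’s code. It assumes a deliberately reduced rule grammar: the standard `action proto src sport -> dst dport (options)` header with `any`, a single IP or a CIDR block for addresses, a single port or `any`, and only the `msg`, `content`, `nocase` and `sid` options (no PCRE, flow keywords, port lists, hex `|..|` content, or `;` inside strings). The rules and packets are constructed samples.

```python
"""Minimal Snort/Suricata-style signature matcher (added example, reduced grammar).

Assumptions (not from the article): rules use the header
'action proto src sport -> dst dport (options)'; addresses are 'any', an IP,
or a CIDR; ports are 'any' or one integer; supported options are msg, content,
nocase and sid. Everything else a real engine supports is out of scope here.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str          # "alert" logs only (IDS); "drop" blocks inline (IPS)
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    contents: list = field(default_factory=list)   # [(pattern_bytes, nocase)]
    sid: int = 0


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Parse one rule line into a Rule; raises ValueError on anything outside the grammar."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    rule = Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
    # Options are ';'-separated key[:value] pairs; 'nocase' modifies the preceding content.
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        key, _, value = opt.partition(":")
        value = value.strip().strip('"')
        if key == "msg":
            rule.msg = value
        elif key == "content":
            rule.contents.append((value.encode(), False))
        elif key == "nocase" and rule.contents:
            rule.contents[-1] = (rule.contents[-1][0], True)
        elif key == "sid":
            rule.sid = int(value)
    return rule


def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    return spec == "any" or int(spec) == port


def header_matches(rule, pkt):
    """The part a stateless firewall can evaluate: protocol plus the 4-tuple."""
    return (rule.proto == pkt.proto
            and _addr_matches(rule.src, pkt.src) and _port_matches(rule.sport, pkt.sport)
            and _addr_matches(rule.dst, pkt.dst) and _port_matches(rule.dport, pkt.dport))


def payload_matches(rule, pkt):
    """The part only an IDS/IPS can evaluate: every content: pattern must occur in the payload."""
    for pattern, nocase in rule.contents:
        hay, needle = (pkt.payload.lower(), pattern.lower()) if nocase else (pkt.payload, pattern)
        if needle not in hay:
            return False
    return True


def inspect(rules, pkt):
    """Return (verdict, matched_rules): 'drop' if any matching rule has action drop, else 'pass'."""
    matched = [r for r in rules if header_matches(r, pkt) and payload_matches(r, pkt)]
    return ("drop" if any(r.action == "drop" for r in matched) else "pass"), matched


# Constructed rules: a header-only alert (IDS behaviour) and a content-based drop (IPS behaviour).
RULES = [parse_rule(r) for r in (
    'alert tcp 10.0.1.0/24 any -> any 23 (msg:"Constructed: outbound telnet from LAN"; sid:9000001;)',
    'drop tcp any any -> any 80 (msg:"Constructed: SQL keywords in HTTP request"; '
    'content:"UNION SELECT"; nocase; sid:9000002;)',
)]

# Constructed packets (addresses from documentation ranges).
PACKETS = {
    "benign_http": Packet("tcp", "10.0.1.10", 51000, "203.0.113.5", 80,
                          b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    "sqli_http": Packet("tcp", "10.0.1.10", 51001, "203.0.113.5", 80,
                        b"GET /item?id=1 union select 1,2 HTTP/1.1\r\nHost: example\r\n\r\n"),
    "telnet": Packet("tcp", "10.0.1.10", 51002, "203.0.113.7", 23, b"\xff\xfb\x18"),
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        verdict, hits = inspect(RULES, pkt)
        print(f"{name}: {verdict} {[f'{r.sid} {r.msg}' for r in hits]}")
```

The benign and the suspicious HTTP packets are indistinguishable to `header_matches`, which is exactly the firewall’s view; only `payload_matches` separates them. The telnet rule fires but, being an `alert`, does not block, which is the IDS/IPS distinction the article draws when it talks about enabling IPS rather than IDS.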

Because hardware acceleration is disabled, Ubiquiti says that enabling IPS will affect the USG’s maximum throughput:

  • on the entry-level model USG, WAN speed is limited to 85 Mbps,
  • on the USG Pro 4: WAN speed is limited to 250 Mbps, and
  • on the USG-XG-8: WAN speed is 1 Gbps.

Enabling DPI or QoS may further reduce throughput. In our experience, with DPI enabled on the USG, we saw only 60-70 Mbps symmetrical throughput even though we have a gigabit Internet WAN connection. And, as noted above, we couldn’t run an accurate speed test from the USG.

With the USG Pro 4, our WAN throughput with both IPS and DPI enabled is 479 Mbps up and 647 Mbps down, as reflected on the USG Pro 4’s new speed test.

Recommended Configuration

Activating Unifi’s IPS only takes a few steps:

  • Enable IPS
  • Restrict Access to Tor: this will block access to The Onion Router.
  • Restrict Access to Malicious IP Addresses: this will block access to IP addresses or blocks of addresses that have been recognized as passing malicious traffic.
  • Select the IPS/IDS categories that you wish to block in addition to the default categories (e.g. “compromised” is not enabled by default).

I find Ubiquiti’s default set of enabled categories too limited compared with best practice, given what Ubiquiti’s IPS can block and the performance tradeoffs. Beyond the throughput limitation, the other tradeoff is the risk of blocking desired traffic. Even so, I recommend additionally enabling the compromised, DOS, dshield, scan, shellcode, spamhaus, SQL, and telnet categories.

Unifi IPS Defaults. Credit Michael Connelly

UniFi lets you whitelist specific IP addresses and specific signatures, and likewise blacklist specific IP addresses. From the intrusion prevention dashboard, you can then view anomalous events by geo-location and within a specific time frame, including a historical log with threat details.

For more details, see here.

Migrating from the USG to the USG Pro 4

  1. In the UniFi controller, select “Forget this Device” for the USG.
  2. Power down and disconnect the USG.
  3. Install the USG Pro 4 and connect the LAN and WAN.
  4. Adopt the USG Pro 4.
  5. The USG Pro 4 will then pull your configuration from the Cloud Key.

The one thing that requires significant effort is if, like me, you use an IP address block other than 192.168.1.x. In that case, although the UniFi controller can see the new USG Pro as 192.168.1.1, it will try to update and upgrade it, and depending on both your home network and your Internet service provider’s configuration that may fail, leaving the USG Pro unable to be adopted and provisioned. The solution, before doing anything else, is to use your web browser to visit the USG Pro’s admin page (default username: ubnt / password: ubnt) and change its initial network configuration to match your existing home network. Then you can safely upgrade and adopt your USG Pro.



Updated on February 2nd, 2020


  1. I plan to add 4 Sonos AMPs in the additional rack space.

  2. See also, “Open Source IDS High Performance Shootout”. SANS Institute. February 2015.

  3. See Protocol Anomalies Detection