MSS FW Best Practices: Unifi Equipment

CAUTION: These documents are intended to provide partners with firewall configuration recommendations ONLY. They contain examples and caution should be exercised when making changes to your firewall as unplanned changed could result in downtime based on the complexity of the environment and/or configuration. 

---

MSS Recomended SonicWall Firewall Best Practices Index

Unifi Network Cloud

• These instructions apply if the Unifi Network Application is hosted in the cloud.

Unifi Network Hosted in the Cloud

Finding Inform URL IP

The user will need to provide their Unifi Inform URL. They can do this by:

1. clicking on Copy Inform URL in their Unifi Network dashboard page.

2. Paste that into a notepad and copy the link NOT including the “http://” or anything after “.com”.

3. Do an NSLookup on that URL and that will give you the Inform URL IP address.

DHCP Option 43

You will need to create this so that the management traffic from the AP is forwarded to the Unifi Cloud Controller.

1. In the SonicWall firewall, navigate to Network > DHCP Server > Advanced and click Add Option
2. Fill in the following:
   1. Option Name: Enter the name for this (Unifi Cloud for example).
   2. Option Number: 43 (Vendor Specific Information)
   3. Option Array: Check this box
   4. Option Value: Enter the Inform URL IP address in One Byte Data. To do this, take the Inform URL IP and:
      1. Replace each “.” with a semicolon.
      2. Add “1;4;” to the front of the IP address.
      3. For example, if the IP address is “123.45.67.89”, you will enter “1;4;123;45;67;89” in the Option Value field.

5. Click Ok twice.

Access Point DHCP

Now we need to assign this DHCP option to the Unifi Access Points. To do this you can either edit the Dynamic DHCP scope for the network that the APs are on, or create static DHCP entries for each AP to statically assign them an IP address based on their MAC address.

1. Whichever option you go with, make sure to select the DHCP option created above on the Advanced page under DHCP Generic Options

Port/Service Restrictions

If the firewall has outbound port/service restrictions in place, you will need to ensure that the correct ports are open from the Unifi equipment to the WAN.

For the current list of required ports, see: UniFi Network - Required Ports Reference – Ubiquiti Support and Help Center

• The article assumes that you are hosting the Unifi Network Controller onsite which is why most of the tables say Incoming. Since the Unifi Network Controller is hosted in the cloud for this example, you will need to make sure these ports are open outbound.
• You DO NOT need to open any ports inbound.

Security Service Exclusions

It is recommended that you exclude Unifi equipment from the security services of the SonicWall as some of the Security Services will interfere with the management traffic.

You will first need to ensure that the Unifi equipment has static IP addresses.

To do this:

1. Create an Address Object Group that contains the IP addresses of the Unifi equipment.
2. Create a Service Object that contains the required ports.
3. Exclude the Address Object Group from the Security Services by following: MSS FW Best Practices: 12 Security Services

Unifi Network (Onsite)

• These instructions apply if the Unifi Network Application is hosted onsite.

Unifi Network Hosted Onsite (Same Network)

Same Network

These notes assume that the Unifi equipment and Unifi Network application are on the same network.

Port/Service Restrictions

If the firewall has outbound port/service restrictions in place, you will need to ensure that the correct ports are open from the Unifi equipment to the WAN.

For the current list of required ports, see: UniFi Network - Required Ports Reference – Ubiquiti Support and Help Center

• The article assumes that you are hosting the Unifi Network Controller onsite which is why most of the tables say Incoming. Since the Unifi Network Controller is hosted in the cloud for this example, you will need to make sure these ports are open outbound.
• You DO NOT need to open any ports inbound.

Security Service Exclusions

It is recommended that you exclude Unifi equipment from the security services of the SonicWall as some of the Security Services will interfere with the management traffic.

You will first need to ensure that the Unifi equipment has static IP addresses.

To do this:

1. Create an Address Object Group that contains the IP addresses of the Unifi equipment.
2. Create a Service Object that contains the required ports.
3. Exclude the Address Object Group from the Security Services by following: MSS FW Best Practices: 12 Security Services

Unifi Network Hosted Onsite (Different Networks)

Different Networks

These notes assume that the Unifi equipment and Unifi Network application are on different networks.

DHCP Option 43

You will need to create this so that the management traffic from the AP is forwarded to the Unifi Network application.

1. In the SonicWall firewall, navigate to Network > DHCP Server > Advanced and click Add Option
2. Fill in the following:
   1. Option Name: Enter the name for this (Unifi Cloud for example).
   2. Option Number: 43 (Vendor Specific Information)
   3. Option Array: Check this box
   4. Option Value: Enter the Unifi Network IP address in One Byte Data. To do this, take the Unifi Network IP and:
      1. Replace each “.” with a semicolon.
      2. Add “1;4;” to the front of the IP address.
      3. For example, if the IP address is “123.45.67.89”, you will enter “1;4;123;45;67;89” in the Option Value field.

5. Click Ok twice.

Access Point DHCP

Now we need to assign this DHCP option to the Unifi Access Points. To do this you can either edit the Dynamic DHCP scope for the network that the APs are on, or create static DHCP entries for each AP to statically assign them an IP address based on their MAC address.

1. Whichever option you go with, make sure to select the DHCP option created above on the Advanced page under DHCP Generic Options

Port/Service Restrictions

Since the Unifi equipment needs to communicate to the Unifi Network application, you will need to ensure the required ports are opened from the equipment to the Network application.

For the current list of required ports, see: UniFi Network - Required Ports Reference – Ubiquiti Support and Help Center

• The article assumes that you are hosting the Unifi Network Controller onsite which is why most of the tables say Incoming. Since the Unifi Network Controller is hosted in the cloud for this example, you will need to make sure these ports are open from the Unifi equipment to the Network application.
• You DO NOT need to open any ports inbound.

Security Service Exclusions

It is recommended that you exclude Unifi equipment & Network application from the security services of the SonicWall as some of the Security Services will interfere with the management traffic.

You will first need to ensure that the Unifi equipment has static IP addresses.

To do this:

1. Create an Address Object Group that contains the IP addresses of the Unifi equipment.
2. Create a Service Object that contains the required ports.
3. Exclude the Address Object Group from the Security Services by following: MSS FW Best Practices: 12 Security Services