What's really impressive is that Ubiquiti listens to the community, changes things very quickly, and makes the product better and better.
They don't change the right thing though. Their way of doing firewalling is from the 2000-2010 era. We have moved away from that way of doing things and are now far ahead of this. They need to update the way they do security if they want to be taken seriously.
@Traumatree The question is what your goal is and how big your customers are. I have some customers with UDM Pro which is working perfectly fine.
When you have something that is really important and should be highly secure and you need a lot of features, then other solutions might be better.
Zone-based firewall is a feature that the mainstream firewall manufacturers have had for years. It's nice to see Ubiquiti has taken the Apple out of their firewall and started to get closer to what their high-end competitors have been doing for years.
This looks _so_ nice! Can't wait to get it on my UDMP! I've managed to get a decent set of firewall rules for my VLANs thanks to your videos, but firewalls are not my thing. This makes firewalls so much more user-friendly!
I just saw this today on my UniFi network and installed it. As a newbie in networking, how do I set this up to "control" what apps or websites my young kids use?
Isn't this the same as using aliases in other firewalls like OPNsense? Been looking for a way to upgrade from my 2.5GbE OPNsense firewall to something that can do 10Gb IDS/IPS. Just saw UniFi has their Enterprise Gateway that does exactly this, but if they are just now adding in something as simple as firewall aliases (zones), they are way too far behind other firewalls still.
I could be mistaken, but as I understand it from working with other firewall brands, zones are groups of interfaces.
Doesn't really change anything if you only have two interfaces, but it can simplify things if you have multiple LAN or WAN interfaces.
Would you relocate the IoT network into a new zone or keep it inside 'Internal'? I wanted to get a clear picture of the policies applied to the IoT network with ZBF, but I'm not sure if moving it out of Internal would break things.
I noticed that there isn't a way to limit a device's network speed. I used to create a firewall rule for specific devices on the wired connection to limit their speed.
Still trying to work out how to do something: allow only external traffic from a region (the UK) to an internal IP, but still allow that IP to get to any region.
Oh, this update seems awesome. I can't wait to tinker.
Major firewall vendors have had this for years.
I just updated to 9.x, but I don't see the ZBF options enabled on my UDM-Pro. Anyone else having this issue?
Have you installed the new firmware version? It's not available on all versions at the moment.
@renehoehle You need to install the new UniFi OS as well, then go into Security and update to the zone-based management.
@1stGruhn That was not my question :D I know that, which is why I said that he needs the new firmware.
Firewalling is the most fun part of networking... until you have to do it on a Ubiquiti firewall. This is why all IT Pros are NOT using UniFi DM/DMP/Fortress to secure their network, although they might be using their switches and other hardware. We stick to true firewalls like Netgate, Fortigate, SonicWall, Watchguard, CheckPoint, to just name a few.
Edit: The fact that you still need to define policies to BLOCK traffic between networks or zones is a fundamental flaw in the way UniFi implements security. That behavior is the same as an L3 switch where you have it route traffic and where you need to add ACLs to prevent traffic between networks. A modern firewall blocks EVERYTHING from the get-go, and you just need to open what you need. That is why it is inherently more secure than having to think to block everything and not forget anything.
Absolutely! We completely agree that Zero Trust is the gold standard for modern network security. UniFi is making strides to bring their existing user base closer to this approach, and it's an encouraging step forward. While it's true that UniFi's solutions aren't perfect, their market share suggests that many "IT Pros" are indeed using their products. They're also providing upgrade paths and aligning more with industry standards, which is commendable.
Additionally, when you create a new network in UniFi, you can specify which zone it belongs to. For example, you can create a "block-by-default" zone, requiring manual traffic allowances, which aligns more closely with Zero Trust principles.
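An added example (my own, not code from the video, from Ubiquiti, or from any commenter) that models two points made in this thread: zones as groups of interfaces, so a new VLAN placed in an existing zone inherits that zone's policies without a new rule, and the difference between an allow-by-default zone policy (where a forgotten block is an exposure) and a block-by-default one (where a forgotten rule only denies something that should have been permitted). The interface names, zone names and addresses are constructed assumptions; the evaluator is a generic first-match model, not UniFi's actual implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed interface-to-zone map. Interface and zone names are assumptions
# for this example, not Ubiquiti's own identifiers.
INTERFACE_ZONES = {
    "eth0": "external",
    "br0": "internal",   # main LAN
    "br20": "internal",  # a second LAN VLAN placed in the same zone
    "br30": "iot",
    "br40": "guest",     # a newer network nobody has written a policy for yet
}


@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    action: str                     # "allow" or "block"
    dst_net: Optional[str] = None   # optional destination CIDR restriction
    dst_port: Optional[int] = None  # optional destination port restriction

    def matches(self, src_zone: str, dst_zone: str, dst_ip: str, dst_port: int) -> bool:
        if (self.src_zone, self.dst_zone) != (src_zone, dst_zone):
            return False
        if self.dst_net is not None and ip_address(dst_ip) not in ip_network(self.dst_net):
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True


def zone_of(iface: str) -> str:
    """Map an interface to its zone; an interface with no zone is a config error."""
    if iface not in INTERFACE_ZONES:
        raise ValueError(f"interface {iface!r} is not assigned to any zone")
    return INTERFACE_ZONES[iface]


def evaluate(policies: List[Policy], default_action: str,
             src_iface: str, dst_iface: str, dst_ip: str, dst_port: int) -> str:
    """First matching zone-pair policy wins; otherwise the default applies."""
    src_zone, dst_zone = zone_of(src_iface), zone_of(dst_iface)
    for policy in policies:
        if policy.matches(src_zone, dst_zone, dst_ip, dst_port):
            return policy.action
    return default_action


def uncovered_pairs(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Zone pairs that fall through to the default. Under allow-by-default each
    one is an exposure; under block-by-default each one is only a missing permission."""
    zones = sorted(set(INTERFACE_ZONES.values()))
    covered = {(p.src_zone, p.dst_zone) for p in policies}
    return [(s, d) for s in zones for d in zones if s != d and (s, d) not in covered]


# Style A: forwarding between zones is allowed unless a block policy exists.
ALLOW_BY_DEFAULT = [
    Policy("iot", "internal", "block"),
    # no one remembered to block guest -> internal
]

# Style B: everything between zones is blocked; open only what is needed.
BLOCK_BY_DEFAULT = [
    Policy("internal", "external", "allow"),
    Policy("iot", "external", "allow"),
    Policy("guest", "external", "allow"),
    Policy("internal", "iot", "allow", dst_port=443),  # e.g. reach IoT web UIs
]


if __name__ == "__main__":
    lan_host = "192.168.1.10"  # constructed internal address
    # guest -> internal: reaches the LAN under style A, denied under style B
    print("style A:", evaluate(ALLOW_BY_DEFAULT, "allow", "br40", "br0", lan_host, 22))
    print("style B:", evaluate(BLOCK_BY_DEFAULT, "block", "br40", "br0", lan_host, 22))
    # br20 was added to the internal zone and inherits its egress policy unchanged
    print("new VLAN egress:", evaluate(BLOCK_BY_DEFAULT, "block", "br20", "eth0", "203.0.113.5", 443))
    print("pairs left to the default under style A:", uncovered_pairs(ALLOW_BY_DEFAULT))
```

The `uncovered_pairs` audit is the practical check: after any policy change, every zone pair it lists is traffic whose fate is decided by the default rather than by a deliberate decision, which is exactly the "forgot to block something" risk described above.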
@unified-it I was waiting for something more substantial from their part, but I might just buy one of their DMP and try it out 'again' ;)
@Traumatree It seems to work great right up until you want to try using one of their L3 switches to route one of the VLANs. Then the VLAN mysteriously disappears as if UniFi doesn't manage it; you can't assign it to a zone and it is just lumped in with the 'external' zone. Then good luck figuring out how to allow traffic to it, since it seems to ignore rules and breaks all of the port forwards unless I move the VLAN back to the UDM to route ;)
Fix the dang logging.
So it’s basically the same as in OpenWRT