About to change to Unifi, looking for lessons learned

Buggy, rushed to market software in infrastructure products such as these would concern me.
How many security vulnerabilities lie buried in that code?

The one and only lesson I learned on switching to Unifi devices was that I should have done it sooner. Much sooner.

1 Like

I’m a pfSense user. Been using their product for a good 10 years.

I don’t know if any good geographs like that exist but you can install ntop and watch live traffic and pull historical data.

It also includes a product (pfBlockerNG) that monitors top spammers and countries that can be added automatically to your rules. It’s updated automatically to include known spam IPs. Works very well. Commercial products use features like this.

You can also add Snort for IDS/IPS too.

1 Like

pfSense is good, used it for many years. Been using Untangle for the last 4-5 years, it is good too.

Either product is way ahead in terms of flexibility and capability versus what you can do in a unifi usg.

That doesn't mean the usg might be "good enough" for someone, just that it isn't ever going to be the "best" security appliance.

How do you like Untangle?

I am also using Untangle, and think it works well. Full featured, easy to navigate GUI, nice dashboards, and decent reports "out-of-the-box". Until Unifi can pull off GEO filtering, and IP whitelist at the same time (UDM has it, but sold out) I will stick with Untangle, and always have it as my fallback.

1 Like

I've been using OPNsense firewall, a fork of pfSense. Really like the interface and pace of development.

I like OPNsense as well. I have some philosophical issues with pfSense and their parent company, so won't use that any more.

If I switched away from Untangle today, it would likely be to OPNsense.

I would love it if Ubiquiti would make a usg/udm that could replace how I use untangle. But so far they haven't.

1 Like

I ended up purchasing an SG-1100.

I used to run it off a VM.

I’m also using Untangle. Like it so far, was very easy to set up and has already protected the network from a number of bad actor requests my wife has accidentally clicked on...

Was on a USG, replaced it with an Untangle device.

What are the reasons? I have Untangle and want to run USG/UDM as it is what my company is running at most small businesses. Curious what pitfalls one might encounter.

Personally I had instability with cloud key access and router stability. After losing connectivity to APs and having to physically reset my network yet again (hardware resets of all APs, up on ladders around my house...) I elected to switch. In addition, from what I had read, USG security is not as robust, and turning IPS on dramatically lowers throughput (unless you are at UDM Pro hardware level). In addition, the reporting with Untangle seems to be much more robust and helpful than the USG.

Reference point: I'm a home user with extremely limited cybersecurity knowledge. A "prosumer" at best. Take anything I have to say with that grain of salt.

1 Like

No pitfalls, from my usage, per se. Mainly just lack of features and flexibility. Dual WAN failover and load balancing often is wonky with UDM/USG, no real web filtering service, limited application control to identify and block specific applications, no real granular bandwidth control, limited capability of having different filtering rules/applications based on users/profiles,

When I was using the USG, what it did do seemed to work OK. It just didn't do everything I wanted it to...

1 Like

The first generation cloud keys do have some stability issues, largely related to unexpected power loss causing corruption. The newer second generation keys take steps to resolve this problem, by including a small battery for safe shutdown on power loss. That being said I haven't personally used either generation cloud key as I manage several cloud controllers.

I haven't had many issues with devices losing their configuration following a power loss. In the past two years I think the total is around 5 devices out of around 300 I help manage across ~80 sites. I suspect your issue may be more related to the cloud key corrupting due to power loss.

The security gateway line (USG, USG 4 Pro) are older devices and in some respects don't perform well compared to newer systems. The USG for example can route a gigabit fiber connection without any problems. If you are looking to enable some of the newer features such as GeoIP Blocking and/or IPS/IDS your connection speeds will suffer. The USG wasn't originally designed for those capabilities, so there simply aren't enough system resources. Their newer products (UDM and UDM-Pro) on the other hand do have the resources needed for these features.

That being said Ubnt doesn't currently offer a unified threat platform that covers the same laundry list as other systems. Given their target audience I don't expect those features will be added in the near future, as organizations tend to address these needs in different manners. I wouldn't mind having some of that functionality as a home user, but then again I am only purchasing 5-10 devices compared with over 300 at work.

3 Likes

When I first added the Unifi APs to my home network I tried the USG and it was certainly nice to see everything in one control panel. I had switched from pfSense after many many years to Sophos XG firewall. The Sophos gave me so much more drill down visibility into what was happening on the network than what I could see with the USG that I switched back to the Sophos XG after a very short time. There is a free version of the XG for home use if I remember. Well worth a look.

The problem with the free Sophos versions, at least in the past - haven't looked in a while, was the low device limit. With phones, tablets, computers, TVs, TIVOs, cameras, google home, amazon echo, etc all taking IP addresses I would blow past their free device limit before half my devices even checked in.

EDIT: Looks like the limits are different in XG than they were in the pre-XG (UTM) version. May be more usable now in more home environments, cool.

https://community.sophos.com/products/xg-firewall/f/licensing/91048/xg-home-edition-limitations

1 Like

No limit that I was aware of. My network can have 70 or 80 devices running and it was never an issue.

2 Likes

Yup, I was living in the past I guess. The limits are different in XG than they were for Sophos UTM. Probably worth taking another look at it sometime.

1 Like

What about logging? One of my biggest issues in limited use so far is no ability to check firewall logs for what/why something is being blocked. Do you run a syslog server for sites?

We haven't spent much time on logging at this point in time. We have found the current logging combined with our other systems to be sufficient. That being said, we do employ several syslog that would be leveraged if there were issues.

I do plan to dig into the logging further once I can get my hands on a UDM Pro or the upcoming adoptable version.

1 Like