First, I am completely aware that UniFi’s products won’t be in the same league as a FortiGate, OPNsense, Sophos XGS, WatchGuard, etc. I have also seen this thread from three years ago.
The use-case is a home office with limited space and even more limited administration time. I have, in a past career, set up servers and networks but I am not interested in doing that right now. My focus at this time is business and customer-centric tasks rather than messing too much with infrastructure. All I want is something I can plug in and do minimal configuration in exchange for some extra security functionality above that offered by an ISP issued router.
It seems to me that the Cloud Gateway Ultra’s suspicious activity, internal honeypots, ad blocking, basic traffic filtering, and Teleport VPN functionality offers what I need. As a bonus, I can use it as an on-ramp for UniFi’s camera security offering but that’s not a major factor.
Videos like this and this seem to reinforce that idea. However, reddit replies to some of my other questions here and here sort of indicate that going the UniFi route will be a waste of money.
So, what do you think? Could the Cloud Gateway Ultra work as a very basic security appliance for a home office?
All of Ubiquiti’s firewall options can be used as basic network security. In my opinion anything beyond what the ISP controls is a step forward. Without any additional context to your situation - it’s very unclear what your question is.
As someone who has used and currently maintains a number of Ubiquiti setups, I do not like their firewall and its integration - especially when running inside an all-in-one device (dream machine, dream machine pro, etc). There is very limited logging and configuring. Testing custom firewall rules is not as simple as I would like. I love the idea of everything being under one controller but bad experiences on updates and dropping of product lines has me moving away from Ubiquiti. I still have two dream machines in the wild and they have been ok but I fear the day when they fail.
For a small home office with no security requirements it’s probably an effective and cost-wise move. Just stay up-to-date by using auto update and take a backup every 6 months or each time you make a change to any setting.
As with anything technology, have a backup plan in case it fails.
You’re right that it’s not in the same league as Fortigate, etc., but it also doesn’t require the same level of management. It’s also significantly cheaper. If you’re looking for a set-it-and-forget-it, basic security appliance, it’s definitely better than what you’d get from your ISP or your average consumer-grade router. As long as you’re not hosting any internet-facing servers behind it, it’ll do the job just fine.
I love my UCG-Ultra as well as my USW-Lite-8-PoE switch and several APs. I like the USW-Lite-8-PoE over the USW-Ultra because it has more switching features and one doesn’t need that many PoE ports generally.
Nearly all of my tech infrastructure is cloud-based so security is off-loaded to people with the necessary resources. The security perimeter of my home office is quite small. My home network is segmented using hardware routers to separate work machines and home/family devices:
The work segment only needs to be protected to the extent that devices are clean (they don’t pass malware to the cloud/client resources) and local backups remain intact.
The family segment needs to have simple content filtering to protect minors who have good sense but still need a shield from the wretched hive of scum and villainy that is the Internet.
That’s all there is to my needs. I don’t have time to set up elaborate firewall rules or trawl through logs. I don’t have lots of users with specific application use-cases that require consideration. All I want is to plug in a device, click a few settings and be reasonably confident that well-behaved internal actors have some basic protection and if something suspicious happens, some simple alerting and countermeasures.
My question is this: Can the UniFi Cloud Gateway Ultra do this job?
It seems to have this basic capability but some responses I’ve received have given me doubts so I’m doing more checks before purchasing.
Yes, that’s what I’m looking for and none of the services are internet-facing. If I want access from the outside, the Teleport VPN seems to offer a secure solution.
Same here. A few things that I miss, but for the moment it’s been a good trade.
My needs have decreased significantly over the last few years; today’s UniFi product would not have replaced my pfSense / OPNsense environment a year ago.
Only UniFi can answer for sure but I suspect it’s a trade-off between ease-of-use and the complexity of security configuration for many different use-cases.
The UniFi firewall system sounds ideal for what you’re looking for. The question isn’t whether the Cloud Gateway Ultra will do the job - the question is whether you want a single device performing multiple functions on your network, so that when it fails or has issues you have a single point of failure for all devices. The Dream Machine was just that, an ideal solution that dropped costs by rolling multiple roles into a single bottle. The failures that led to full business outages and my scrambling to get a network pieced together leave a bad taste in my mouth, but that was 1st generation technology. I’ve had stable devices running everything in locations now for multiple years. The risk/reward is up to you. If you can handle being down until you get another device installed (or have a backup plan to run things temporarily) then I’d say go for it.
I think a big reason is a switch to cloud-first services in many organisations. A huge chunk of the security headache now gets off-loaded to BigTech. There are advantages and disadvantages with this but it does mean fewer things to secure on your local network.
Your experience is good to know, thanks. This kind of single point of failure won’t be a huge issue for me as getting back to 80% capacity would only mean rerouting a few ethernet cables.