Integrate Ubiquiti UniFi

You must have the Firewall integrations license pack to use this feature.

You can integrate Ubiquiti UniFi with Sophos Central so that it sends firewall alerts to Sophos for analysis.

This integration uses a log collector hosted on a virtual machine (VM). Together, they're called an integration appliance. The appliance receives third-party data and sends it to the Sophos Data Lake.

This page describes integration using an appliance on ESXi or Hyper-V. If you want to integrate using an appliance on AWS, see Integrations on AWS.

Key steps

The key steps in an integration are as follows:

  • Add an integration for this product. In this step, you create an image of the appliance.
  • Download and deploy the image on your VM. This becomes your appliance.
  • Configure Ubiquiti UniFi to send data to the appliance.

Requirements

Your Ubiquiti product must be able to generate security alerts. Products that can do this include the following:

  • UDM Pro (Dream Machine)
  • USG - UniFi Security

Integration appliances have system and network access requirements. To check that you meet them, see Appliance requirements.

Add an integration

To add the integration, do as follows:

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  2. Click Ubiquiti UniFi.

    The Ubiquiti UniFi page opens. You can add integrations here and see a list of any you've already added.

  3. In Data Ingest (Security Alerts), click Add Configuration.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See Provide your domain and IP details.

    Integration setup steps appears.

Configure the appliance

In Integration setup steps, you can configure a new appliance or use an existing one.

We assume here that you're configuring a new appliance. To do this, create an image as follows:

  1. Enter an integration name and description.
  2. Click Create new appliance.
  3. Enter a name and description for the appliance.
  4. Select the virtual platform. We currently support VMware ESXi 6.7 Update 3 or later and Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016) or later.
  5. Specify the IP settings for the Internet-facing network ports. This sets up the management interface for the appliance.

    • Select DHCP to assign the IP address automatically.

      Note

      If you select DHCP, you must reserve the IP address.

    • Select Manual to specify network settings.

  6. Select the Syslog IP version and enter the Syslog IP address.

    You'll need this syslog IP address later when you configure Ubiquiti UniFi to send data to your appliance.

  7. In Protocol, select UDP.

    You must use the same protocol when you configure Ubiquiti UniFi to send data to your appliance.

  8. Click Save.

    We create the integration and it appears in your list.

    The appliance's port number is shown in the integration details. You'll need this later when you configure Ubiquiti UniFi to send data to it.

    It might take a few minutes for the appliance image to be ready.

Deploy the appliance

Restriction

If you're using ESXi, the OVA file is verified with Sophos Central, so it can only be used once. If you deploy another VM, you must create an OVA file again in Sophos Central.

Use the image to deploy the appliance as follows:

  1. In the list of integrations, in Actions, click the download action for your platform, for example, Download OVA for ESXi.
  2. When the image download finishes, deploy it on your VM. See Deploy appliances.

When you've deployed the appliance, the integration shows as Connected.

Configure Ubiquiti UniFi

You now configure Ubiquiti UniFi to send alerts to us using syslog forwarding.

Note

You can configure multiple instances of Ubiquiti UniFi to send data to Sophos via the same appliance. After you finish integration, repeat the steps in this section for your other instances of Ubiquiti UniFi. You don't need to repeat the steps in Sophos Central.

You can configure log forwarding mode in the Ubiquiti UniFi OS user interface, but you must configure it on each site separately.

Names of settings vary slightly between different versions of UniFi OS, but the key steps are the same for all.

To configure alert forwarding, do as follows:

  1. Go to the logging settings: Settings > System > Advanced > Remote Logging Location.

    For earlier versions, go to logging settings as follows:

    • Settings > Site > Remote Logging (UniFi version 5)
    • Settings > System > System Logging (UniFi version 7)
  2. Configure logging as follows, using the settings appropriate for your version:

    • Set Logging Levels to Auto.
    • Turn on Syslog.
    • Don't turn on Debug logging, Debug logs, or Netconsole.
    • Turn on Enable remote syslog server.
    • Set Remote Logging Location to Remote Server.
  3. Enter the following details for the Sophos appliance you set up earlier:

    • Remote IP Address or Syslog Host: The IP address of your appliance. This must be the same as the syslog IP address you entered in Sophos Central.
    • Port or Syslog Port: The port number you set in Sophos Central.
  4. Click Apply Changes to save the settings. The UniFi device starts forwarding logs to Sophos.
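
Because the integration uses UDP, UniFi gets no acknowledgment that the appliance accepted its logs. The following check of the network path is an added example, not part of the Sophos documentation: it sends one test syslog datagram and reports whether the target actively rejected it. The function names, the test message, and the loopback listener standing in for the appliance are assumptions made for illustration.

```python
import socket
from datetime import datetime

def build_syslog(facility, severity, host, tag, text):
    """Build an RFC 3164 style message: <PRI>TIMESTAMP HOST TAG: text."""
    pri = facility * 8 + severity  # e.g. local0 (16), warning (4) -> 132
    now = datetime.now()
    stamp = f"{now.strftime('%b')} {now.day:2d} {now.strftime('%H:%M:%S')}"
    return f"<{pri}>{stamp} {host} {tag}: {text}".encode("ascii", "replace")

def probe_udp_syslog(appliance_ip, port, message, wait=1.0):
    """Send one datagram and report what a UDP sender can observe.

    'refused'      -> ICMP port unreachable came back: wrong IP or port,
                      or nothing is listening there.
    'no_rejection' -> no error seen. The datagram was delivered OR silently
                      dropped on the way; UDP cannot tell these apart.
    """
    # getaddrinfo handles both IPv4 and IPv6 syslog addresses.
    info = socket.getaddrinfo(appliance_ip, port, type=socket.SOCK_DGRAM)[0]
    family, socktype, proto, _, addr = info
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(wait)
        s.connect(addr)  # a connected UDP socket has ICMP errors reported to it
        try:
            s.send(message)
            s.recv(1)  # no reply is expected; this waits for an error
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "no_rejection"
        return "unexpected_reply"

def loopback_self_test():
    """Constructed check: a local UDP listener stands in for the appliance."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(2.0)
        port = listener.getsockname()[1]
        msg = build_syslog(16, 4, "unifi-test", "pathcheck", "constructed test message")
        result = probe_udp_syslog("127.0.0.1", port, msg, wait=0.3)
        received, _ = listener.recvfrom(2048)
    return result, received

if __name__ == "__main__":
    print(loopback_self_test())
```

To check a real deployment, call `probe_udp_syslog` with the syslog IP address and port shown in Sophos Central, from a host on the same network as the UniFi device. A `no_rejection` result only rules out an active refusal, so confirm delivery by checking that the integration shows data in Sophos Central.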