UDM Pro Firewall logging

Good afternoon all,

I have been looking for a means to add useful firewall logging information from my UDM Pro to my SIEM. The default logging is inadequate as it doesn’t provide info on whether the traffic was allowed or denied or the policy rule used. I believe I may have found a solution on GitHub. See links below:

UDM / UDMPro Boot Script

Enable log tags on your UDM

Has anyone in the community who is running version 1.11.4 and version 7.0.23 of the network app used these scripts before? If so, I’d like to know if the scripts still work with this setup.

Thanks.

The one thing to keep in mind is that modifying the UDM Pro with scripts may not survive updates.

Yeah I was hoping that someone in the community has deployed with the configuration above so I can ask them if it’s worth my time to set this up.

I do keep backups of my UDM Pro and I intend to keep 1 backup of the system pre-script just in case I need to roll back to that point for some reason.

@LTS_Tom

Would you happen to know the answers to the following:

  1. Is there perhaps a setting hidden somewhere in the Network app GUI or maybe a CLI command that would add the allowed or denied outcome and policy name to the firewall logs?
  2. If the answer to question 1 is no, are there any plans to fix the firewall logging problem? This has been ongoing for years with many users requesting a fix and no official response from anyone at Ubiquiti.

Any insight from you would be helpful as I’ve seen some of your videos on YouTube and you seem very knowledgeable about the platform.

Thanks so much!

They lack a clear product roadmap, which is why we don’t deploy their firewalls commercially. I have not deeply looked into those features as I doubt they have them and I doubt they will add them.