Would you like to learn how to configure a group policy to copy files to remote computers? In this tutorial, we will show you how to copy files using a GPO.
• Windows 2012 R2 • Windows 2016 • Windows 2019 • Windows 10 • Windows 7
Equipment list
The following section presents the list of equipment used to create this tutorial.
There was a time when security awareness training was informal, short, and focused on simple things like using complex passwords. Well, it transpires that keeping these on a post-it note under your keyword or in a text file is in fact not a safe practice.
This was when cyber threats from hackers were the work of people with expert skills, and at worst resulted in your computer getting infected with a virus, causing a brief interruption to your working day. Fast forward to the modern reality of the dark web where you can literally shop around and choose the method in which you want to carry out a targeted attack.
Added to that are the near-constant cyber-attacks, where we can see an increase in phishing in the below graph from the Cyber Security Report 2023.
Attackers are not slowing down and always finding new, harmful ways to compromise businesses. The efforts therefore to stay ahead and protect organizations must continue, and one of those is to introduce security awareness training. There is significant evidence that security awareness training is more than just essential. A recent Remote Management Survey by Hornetsecurity showed in fact that 1 in 3 organizations do not provide any kind of cybersecurity awareness training to remote employees.
A reliance solely on an organization’s security function for detection and prevention is no longer sufficient. Employees must be armed with security awareness training to become foot soldiers in this war, and I’ll explain the reasons why.
1. Protects Sensitive Data
Security awareness training helps employees understand the importance of protecting sensitive information and the consequences of a data breach. Protecting sensitive data helps to ensure cyber security and maintain the confidentiality, integrity, and availability of your information systems.
Using security awareness services, users are educated to understand how and why sensitive data needs to be protected and can help prevent unauthorized access and data breaches. This security awareness software in turn protects the organization’s reputation and financial well-being, as well as protects the personal information of customers and employees.
Sensitive data is essentially confidential information such as financial records and personally identifiable information (PII) and, depending on the nature of the organization, could also include trade secrets or proprietary information considered commercially sensitive.
Theft and subsequent compromise of sensitive data is very common and a highly prized target during security or data breaches. In IBM’s “Cost of a data breach report 2022” we can see the year-on-year cost of a data breach is going in the wrong direction!
Through a cyber security training program, users become aware of the legal and ethical obligations they have to safeguard it from unauthorized access, disclosure, or misuse. Arming your users with security awareness training provides the knowledge and skills necessary how to handle sensitive information and significantly reduces the risk of a data or security breach.
2. Fosters a Sustainable Security Culture
Creating and fostering a culture of security within the organization is a fundamental step in raising awareness of security threats and practices for mitigating them.
Regular security awareness training promotes a security culture within an organization, making security a priority for all employees. You might have heard the catchphrase “security is everyone’s responsibility.” There’s a lot of truth to that.
Through a security awareness training program, employees benefit by learning and becoming aware of the roles and responsibilities and shifting their mindset from “that’s someone else’s problem” to “that’s my problem.”
Providing security awareness training empowers them to take responsibility and notice and report anything out of the ordinary. This can extend from information security things like phishing scams and emails to physical security and being able to identify or report someone suspicious lurking in the office or tailgating when entering the premises!
A security-conscious workforce brings about a culture where users are more likely to take proactive steps to protect their sensitive data and report suspicious activity.
3. Detects and Prevents Insider Threats
Security awareness training can help identify and prevent potential insider threats, such as employees who may be intentionally or unintentionally compromising the security of an organization, and here is why cybersecurity awareness training is important.
Insider threats refer to security breaches that are caused by a person who has authorized access to an organization’s systems, network, and data. Although only employees are commonly considered, it includes anyone who has access to the organization’s systems like vendors or contractors.
Theft of sensitive information, sabotage of systems, using security credentials, and unauthorized access to confidential data are also examples of insider threats. These threats can significantly impact the organization like financial loss, reputational damage, and even legal liabilities.
4. Increases Employee Engagement
By educating employees on the importance of security threats within and towards it, organizations can increase employee engagement and buy-in to security initiatives.
Engaged employees are more likely to feel like they have a vested interest in the success of their organization, thereby creating a sense of loyalty and responsibility towards it. Ultimately resulting in overall better security practices and reducing the risk of security breaches.
Increased employee engagement through security awareness training can result in employee retention, an often overlooked benefit. When employees leave an organization, they often take away with them potentially institutional sensitive information especially if an employee has a role within the security function of that organization, as their departure could create a security gap and therefore a security risk.
Although most organizations have a defined security policy, in reality, the only time an employee reads this is when they initially join and are required to read this part of their onboarding as a compliance exercise. By being and feeling more engaged, you’re likely to see better compliance with and understanding of security policies and procedures.
Understanding why these policies are necessary and how they contribute to the organization’s overall security reduces the risk of accidental or intentional security breaches.
5. Education on Security Threats and How to Mitigate Them
Educating employees on security threats and how to mitigate them is crucial to maintaining a strong cybersecurity posture within an organization.
Employees who don’t work in a security-related role are often unaware of the plethora of security threats their organization faces every day. Incorporating education of security threats in a security awareness training program is an effective method to “enlist” employees as “soldiers” in this perpetual war.
Time is often of the essence when it comes to recognizing an IT security threat. For example, if a user who has not undergone a security awareness training program opens a malicious link, then realizes this, they are less likely to understand the significance of how quickly they must act on this information and report this.
Employees who understand the impact posed by security threats are more likely to make better decisions armed with this education.
6. Reduces Human Error
Employees are less likely to make costly security mistakes if they have received training on identifying and responding to security threats. Human error is a common cause of security incidents and one of the most common methods attackers use to infiltrate a network.
As you will have been, whenever there is a data breach, along with significant reputational damage, the financial cost is often significant. Assessing the cost and worth of implementing these security measures and awareness training is easily outweighed by the savings in not.
7. Supports Incident Response
Security awareness training equips employees with the knowledge and skills to respond effectively to security incidents, reducing the impact and recovery time of such incidents.
In an organization’s cyber security incident response plan, it will include and detail the roles and responsibilities for everyone in the organization. In the event of a security incident, it is important for all members of the organization to understand their roles and responsibilities in responding to the incident.
A security awareness program will help to educate people who are involved in being able to respond in the face of a security incident adequately and more quickly. Educated users are also more likely to recognize the signs of a security incident and report is prompt, which can help the incident response team take action more quickly.
The ability of an organization to respond in such a manner that minimizes the impact can be the difference between “getting owned” and mitigating a potential disaster.
To keep up to date with the latest security best practices, become a member of theHornetsecurity blog now (it’s free).
Summary
The importance and benefits of security awareness training programs should not be underestimated for how organizations combat cybersecurity threats. Organizations can no longer think of cyber security awareness training as a maybe when they plan and strategize on how to improve cyber security posture, it’s essential.
In this digital age, many options and methods exist in which a cyber security awareness training program can be delivered, both online and in person. Hornetsecurity is one such place that offers a cyber security awareness training service.
FAQs
What is security awareness training?
Security awareness training is a kind of training that helps people learn about different security risks and how to keep themselves safe from them. Hornetsecurity provides security awareness training to help people become more aware and knowledgeable about security risks and how to protect themselves. By implementing proper security awareness training in your company, your employees will be able to recognize and avoid potential dangers.
Why is security awareness important?
Security awareness training is important to ensure the safety of sensitive data, and protecting against cyber threats is critical in today’s digital age. We at Hornetsecurity provide one-of-a-kind security awareness training that mainly focuses on creating a user-centric experience for employees better to understand the importance of security measures and procedures. With our training, you can rest assured that your systems and confidential information are secure.
What are the types of security awareness?
Our security expertise distinguishes 4 main types of security awareness training:
Classroom training (lecture-based training)
Video training
Cloud training
Simulation training
How often should security awareness training be conducted?
At Hornetsecurity, the Awareness Engine is the technological heart of our Security Awareness Service. It offers the following:
Everyone to have the right amount of training;
Each user receives as much training as necessary and as little as possible;
Demand-driven roll out of relevant e-training content;
Booster option for users who need more intensive e-training;
Layer 3 adoption is the process of adopting a UniFi device to a remote UniFi Network Application. This is only recommended for advanced users, or those adopting devices to the UniFi Cloud Console.
We highly recommend that users refer to Device Adoption for standard device adoption.
L3 Adoption Methods
For layer 3 adoption, your UniFi Network Application and connected devices must have internet access.
UniFi Network Mobile App
The Cloud Console can leverage your UniFi Network Mobile App (iOS / Android) to provide the easiest L3 adoption experience.
Refer to our UniFi Device LED Status guide to ensure the device is in a factory-default state.
Connect your mobile device to the same local network as your UniFi device.
Open your UniFi Network Mobile App and connect to site you want to adopt your device.
Your device should appear for adoption.
DHCP Option 43
This option leverages your DHCP server to inform your UniFi device of the location of your remote Network Application host. Those with a UniFi Gateway can easily accomplish this by entering the IP address of the remote Network Application in Option 43 Application Host Address field located in the Network Settings.
For those using a third-party gateway or DHCP server, we recommend consulting your manufacturer’s documentation to learn more.
DNS
You’ll need to configure your DNS server to resolve ‘unifi’ to your remote UniFi Network Application host.
There are two methods of specifying the Network Application host:
The UniFi device will now show up for adoption and can be treated as a standard L2 adoption.
Migrating From Another Network Application
A Layer 3 migration is useful for moving devices from a current Network application to a new Cloud Console. See Backups and Migration for more information.
Recovery Mode is a last-resort solution to recover an unresponsive UniFi device, often resulting from power loss occurring at the same time as an update. Only use Recovery Mode if you are unable to perform a standard factory reset.
Note: UniFi Power Backup can prevent unexpected power losses from occurring.
The following UniFi devices support Recovery Mode:
Dream Machine, Dream Machine Pro & Dream Wall
Access Points (all models)
Cloud KeyCloud Key Gen2+
Cameras
USW Flex Mini
Before Considering Recovery Mode
If you are considering Recovery Mode, first check two key points:
Reboot your UniFi device. If this resolves your symptoms, no further actions are required.
Factory reset your UniFi device. If you have cloud backups, you can easily restore your settings after factory resetting. If a factory reset works, no further actions are required.
Performing a Device Recovery
Dream Machine, Dream Machine Pro & Dream Wall
Download the most recent firmware for your device, found here.
Completely power-off the UniFi device and unplug it from its power source.
Press and hold the Reset button and then reconnect it to the power source.
Continue holding the Reset button for 5 seconds, or until the display (in supported models) indicates Recovery Mode.
Connect an Ethernet cable from your computer to the first LAN port (Port 1). This is usually the port nearest to the top left corner.
Note: Connect to the Dream Wall via Port 18, not Port 1.
Configure a static IP address on your computer in the 192.168.1.0/24 range (for example, 192.168.1.11).
Windows Client
Navigate to the Windows 10 Network connections
Settings > Network & Internet > Status > Change Adapter Option
Modify the IPv4 settings of the Ethernet adapter
Ethernet Adapter > Properties > Internet Protocol Version 4 (TCP/IPv4) > Propertie
Select the option to manually enter an IP address and add the following information:
IP address: 192.168.1.11
Subnet mask: 255.255.255.0
Default gateway: <blank>
DNS servers: <blank>
macOS Client
Navigate to the mac OS Network connections.
System Preferences > Networks > Ethernet Adapter
Select to manually enter an IP address and add the following information:
IP Address: 192.168.1.11
Subnet Mask: 255.255.255.0
Router: <blank>
DNS server: <blank>
In a web browser, navigate to http://192.168.1.30 to access the Recovery Mode UI.
Note: The Recovery Mode UI is accessible via HTTP only (not HTTPS). Your browser may try to redirect your session to HTTPS. Use a different browser if necessary.
Select Firmware Update > Choose and browse your computer for the previously downloaded firmware (.bin) image file.
Wait for the upgrade process to complete and reboot the device afterwards.
Access Points
Download the most recent firmware for your device, found here.
Connect your AP and computer to the same network or VLAN, either through a PoE switch or by connecting the computer directly to the network (data) port on the PoE adapter.
Press and hold the Reset button, and connect your computer to the available ethernet port of the AP.
Continue holding the Reset button until the LED flashes white, blue, off as indicated in our LED Status Guide. This indicates your device is ready for TFTP Recovery and you can release the button.
Set a static IP address on your computer to communicate with the AP, which has a default IP address of 192.168.1.20. The following is an example configuration:
Use TFTP to move the firmware from your computer to your AP. There are various programs and methods for accomplishing this. Here are two methods for your reference.
Windows
Use the built-in TFTP command line tool, or a separate program such as Tftpd64 or pumpKIN.
Select the downloaded firmware image and transfer it to the AP.
macOS and Linux
Open Terminal
Enter TFTP mode by entering the command:tftp
Once in TFTP, paste the following commands and hit enter.connect 192.168.1.20 binary rexmt 1 timeout 60 put /path/to/firmware_name.bin
The file transfer will begin. The firmware will upgrade and the device will automatically reboot once it has finished. Do not reboot it yourself.
Cloud Key
Cloud Key Gen2, Gen2 Plus
Download the most recent firmware for your device, found here.
Power off the system.
Press and hold the Reset button and then connect it to the power source.
Continue holding the Reset button for 10 seconds, until the LED flashes blue and white. The LCD screen on the front panel will also read “RECOVERY MODE.”
Open your browser and type the IP address for the Cloud Key, visible on the device’s screen.
Note: The IP address comes from your DHCP server. If it has not been assigned an IP address, you can try the fallback: 192.168.1.30.
Run the “Check Filesystem” to try searching for and repairing any problems with your storage disk that may cause system issues.
Restore the firmware you downloaded in step (1). Note that this will also factory reset your device.
The LED will flash white while upgrading and turn into a steady white when it is complete.
If your device fails again, this is a sign that you should replace your storage disk.
Cloud Key (Gen1)
Download the most recent firmware for your device, found here.
Power off the system.
Press and hold the Reset button and then connect it to the power source.
Continue holding the Reset button for 10 seconds, until the LED flashes blue and white.
Open your browser and type the IP address for the Cloud Key.
Note: The IP address comes from your DHCP server. If it has not been assigned an IP address, you can try the fallback: 192.168.1.30.
If your Cloud Key does have an IP address assigned by the DHCP server, the fallback IP will not work.
User Tip: If you don’t know your Cloud Key’s IP address, you can use thearp -a SSH command, or software such as nmap to find the IP address.
You will be taken to the Recovery Mode screen. From here you can reset, reboot, power off and most importantly upload an updated firmware bin file.
Upload the firmware you downloaded in step (1).
Once it is uploaded, reboot the Cloud Key to complete the firmware upgrade.
The LED will flash white while upgrading and turn into a steady white when it is complete.
Cameras
Unplug the PoE cable from the camera.
Press and hold the Reset button, then reconnect the camera to its PoE cable.
Continue holding the Reset button for at least 10 seconds, or until you see the LED flash 3 times rapidly.
Release the Reset button.
The device will automatically reboot to an older firmware.
To update to more recent firmware:
Find your specific camera model at our Downloads page using the left hand menu.
Copy the .bin file link of the firmware.
Use that link to upload it via the webUI of the camera, in System Settings.
Alternatively, adopt the camera to your NVR to perform an upgrade via the NVR-hosted UniFi Video user interface.
USW Flex Mini
Prepare a web server (see below*).
Set the server/computer’s IP to a static 192.168.1.99.
The method to set a static IP on a computer varies from platform to platform. Find instructions in your product’s documentation (Windows, macOS or Ubuntu/Linux).
Download the most recent firmware for your device, found here.
Rename the binary to fwupdate.bin and place it in the directory that was created earlier (webserver).
Power off the switch by unplugging it from its power source.
Press and hold the Reset button and then connect it to the power source.
Continue holding the Reset button for 10 seconds, until the LED flashes blue, white, off.
The USW-Flex-Mini should be updated.
* The first step in the recovery process is to prepare a web server. See below for a walkthrough on your operating system: Windows, macOS and Ubuntu/Debian.
Prepare a Web Server on Windows
Download Python for Windows (Executable Installer) here.
Open the downloaded file and make sure you select Add Python x.x to PATH during installation.
After the Python installation open Command Prompt as Administrator and confirm that Python is installed correctly with the command below: python -V
Create a directory for the web server by running the commands below: mkdir c:\webserver cd c:\webserver
5. Start the Python web server on port 80. Note that the version of Python can be found with the command from step 3:
After the Python installation open Terminal and confirm that Python is installed correctly with the command below: python -V
Create a directory for the web server by running the commands below: cd ~ mkdir webserver cd webserver
Start the Python web server on port 80. Note that the version of Python can be found with the command from step 2:
Python 3.x: python -m http.server 80
Python 2.x: python -m SimpleHTTPServer 80
Prepare a Web Server on Ubuntu/Debian
Install Python on your machine with the commands below: sudo apt-get update && sudo apt-get install python3
After the Python installation open a terminal and confirm that Python is installed correctly with the command below: python_version=$(dpkg -l | grep “^ii” | awk ‘/python/{print$2}’ | grep “^python[0-9].[0-9]$” | head -n1) sudo “${python_version}” -V
Create a directory for the web server by running the commands below: cd ~ mkdir webserver cd webserver
Start the Python web server on port 80. Note that the version of Python can be found with the command from step 2:
Running the UniFi Network application on Windows operating systems can be done using two methods:
Launcher – UniFi Network application runs in the foreground (default).
Windows Service – UniFi Network application runs in the background (advanced).
NOTES & REQUIREMENTS:
Applicable to the latest UniFi Network application versions for Windows.
This article applies to UniFi applications that are installed on Windows Desktop (Windows 10 / 11) and not Windows Server versions.
Make sure to allow the ports used by the UniFi application through the Windows Firewall. See the UniFi Network – Required Ports Reference article for more information.
Setting up a new UniFi Network application as a service
ATTENTION:
The latest versions of the UniFi Network application (7.3) requires Java 11.
Previous versions (7.2) use Java 8.
Install only the x64 Java release and only one version of Java.
1. If a previous UniFi Network application is running on the system, download a backup file and then close the launcher.
2. Download the latest UniFi Network application from the Download page and run the setup.
3. You will be prompted to install Java 11. Select the following options and download the x64 .msi file for Windows:
Package Type: JRE
Version: 11
CRITICAL:
If the JAVA_HOME variable is not set correctly, the service installation will not be successful.
If you are experiencing issues with the Java 11 installer or the variable, then remove the other/older Java versions that are present on the system.
3. Run the install, and set the Set JAVA_HOME variable to Will be installed on local hard drive.
CLI: Open an administrative Windows Command Prompt (CMD) window.
5. Change the directory to the location of UniFi installation.
cd "%UserProfile%\Ubiquiti UniFi\"
6. Once in the root of the UniFi folder, run the following command to install the service:
java -jar lib\ace.jar installsvc
7. Wait for the installation to complete, indicated by the Complete Installation log message.
8. Start the service with the command below:
java -jar lib\ace.jar startsvc
9. Open a browser and navigate to the application’s IP address or https://localhost:8443.
Upgrading an existing UniFi Network application as a service
1. Download a backup file of the UniFi Network application.
CLI: Open an administrative Windows Command Prompt (CMD) window.
2. Change the directory to the location of UniFi installation.
cd "%UserProfile%\Ubiquiti UniFi\"
3. Once in the root of the UniFi folder, issue the following to uninstall the service:
java -jar lib\ace.jar uninstallsvc
4. Wait for the service uninstall process to complete.
Note that this article is only applicable to advanced users with the self-hosted UniFi Network Servers installed on a Windows/macOS/Linux machine. We generally recommend using a UniFi OS Host for the best experience. Visit UI.com to learn more.
This article describes what the system.properties file is used for, and how to edit it.
Introduction
The system.properties file defines system-wide parameters for the UniFi Network Server. It is found within <unifi.base> in the data folder. Some advanced use-cases include:
Manual override of the Application IP Interface (the address to which Devices send inform packets).
Advanced Database adjustments.
Port Assignments, for purposes of the UniFi Network application communicating with Managed Devices, redirecting Guest Portal traffic, etc.
WARNING: Before editing the file, remember to create a backup of your system. It is also necessary to stop the application before performing any change in the file to avoid errors after changes are made.
Thesystem.properties file can be edited directly via any text editor. Keep in mind that lines preceded by hash-tags (#) exist as comments and are non-operational. Make edits at the bottom of the file. After changing this file, you’ll need to manually trigger provisioning on each site in order to make these effective.
Note:The file is created when UniFi Network runs successfully. If you cannot find the file within the <unifi_base>, create it by running UniFi Network.
Manually Specify the IP Interface for UniFi Network Application Communication
If a UniFi Host has multiple IP interfaces, the following configuration can manually set the exact IP interface that adopted APs should communicate to the Network application:
system_ip=a.b.c.d # the IP devices should be talking to for inform
Advanced Database Configuration
Below are advanced database configurations that most users will never need. Note: We do not perform tests on these configurations, they are enabled for the convenience of database experts. One possible usage scenario is where few people run their application on a NAS, which has a smaller footprint than a normal server, hence there’s a need to reduce the required resources.
unifi.db.nojournal=false # disable mongodb journaling unifi.db.extraargs # extra mongod args
The configuration below is used to facilitate UniFi Network application installation. Again, most users will never need to set this. When the is_default is set to true, the application will start with factory default configuration. For normal, everyday users, an uninstallation and then fresh re-installation is recommended over this.
is_default=true
From the UniFi Network application you can configure the auto-backup frequency, amount of backups to store, time of backup, etc. At the time of writing this, you cannot change the storage location via the application. We do have a variable in the system.properties if you wish to change the storage location. Currently, the default points to:
1. For Cloud Key: /data/autobackup (where SD card is mounted as /data by default) 2. For software installs: {data.dir}/backup/autobackup
autobackup.dir=/some/path
HSTS can be enabled, but should only be done by advanced system administrators who are familiar with it. If you run into issues, you likely will need to clear your browser’s cache after disabling this and restarting the service. To enable HSTS support add the following:
NOTE: Currently no characters after the custom line(s) are allowed. This includes spaces, pound/sharp signs/comments, etc.
SMTP Related Settings
By default, SMTPS validates certificates and will reject self-signed or untrusted certificates. If your mail server uses an untrusted certificate, you must disable certificate verification with the following:
smtp.checkserveridentity=false
Starting with UniFi Network version 6.1, STARTTLS is opportunistically enabled by default; e.g. will be used if the server announces support for it, and will require a trusted certificate. If using a self-signed or untrusted certificate, you must disable STARTTLS by setting the following:
smtp.starttls_enabled=false
This only controls whether STARTTLS will be used if the server supports it. To force its use, see: starttls_required.
With UniFi Network version 6.1 and newer, STARTTLS is opportunistically enabled by default, but only required if using port 587. This behavior can be overridden by setting smtp.starttls_required=true to force the use of STARTTLS on ports other than 587, or to make STARTTLS optional on port 587, set it to false.
If smtp.starttls_enabled=false is set, the starttls_required value has no impact.
This article only applies to advanced users running UniFi on their own Windows/macOS/Linux machine, to help diagnose and optimize self-hosted UniFi Network Servers running under a high load. We generally recommend using a UniFi OS Host for the best experience. Visit UI.com to learn more.
Notes & Requirements:
Ensure you are running the latest version of UniFi Network, found here.
This article describes advanced configuration options and should only be attempted by advanced users.
Create a backup prior to following the instructions in this article. See UniFi – Backups and Migration for more information.
Caution must be taken when self-hosting a UniFi Network Server if there are hundreds of UniFi devices connected across multiple sites. This increased system load may lead to performance degradation if certain things are not optimized.
Symptom: High CPU Usage
One of the most important metrics to monitor is the CPU usage of the UniFi Host. High CPU usage is the first indication that there is an issue. Unfortunately there is no easy solve for this, and merely increasing the CPU is not always the answer.
Allocating Additional Memory
Before increasing the RAM allocation on your machine, first try increasing the `XMX` and `XMS` options. By default, the UniFi Network application has these set to 1GB. The following lines set the xmx and xms to values to 2GB (2048MB):
unifi.xmx=2048
unifi.xms=2048
The changes above would increase the memory that the UniFi Network application is allowed to consume from 1 to 2GB. Before moving to a machine with more CPU resources, it is recommended to max out the available memory on that machine with the above settings to see if CPU usage decreases.
If 2GB is not sufficient, administrators may want to raise the limit to 4, 8, 16, or even 32GB depending on the scale. In this case it would simply be increasing the value above in increments of 1024, i.e. 4 GB= 4096.
Note: The jstat -gcutil Java command can be used to check whether the memory allocation is sufficient on your machine. See the Oracle documentation for more information.
Increase Mongo WiredTiger Engine Cache
If you already increased the UniFi Network application memory settings to at least 4GB (xmx), you may need to also change the default Mongo WiredTiger engine cache. By default the UniFi Network Application uses:
db.mongo.wt.cache_size=256
On UniFi Network version 6.5.13 and above you can change this setting or let Mongo pick the default value by using:
If increasing memory does not solve the problem, administrators may consider also adding this line to the system.properties file:
unifi.G1GC.enabled=true
This enables a new Java Garbage Collector that can help optimize performance. However, if after these changes high CPU usage does continue after memory increase, a larger machine with more CPU cores and more memory to handle the workload may be necessary.
Changing Mongo Version/Engine
In persistent cases, administrators may consider updating MongoDB version to 3.2+ with WiredTiger as storage engine, as a means of better scaling their UniFi Network deployment. See the following links for instructions:
All devices work by communicating to UniFi Network. These regular inform messages are referred to as “heartbeats”. By default, the application can handle 200 simultaneous device connections so heartbeats shouldn’t be missed unless thousands of devices are being managed. The number of simultaneous inform messages that can be processed can be set in the system.properties file by adding the following lines and adjusting the values to best suit your needs. It does not matter where these lines are added in the file.
The default value is 200 and the max_keep_alive_requests value should always be lower than than num_thread. Try adjusting up from there. An increase in device stability should be seen, and by pushing the configuration out to other devices, become even more stable.
Database Connection Tuning
When running a large UniFi installation, it may be desired to run an external Mongo cluster to be able to scale the database independently from the UniFi Network application. Discussion on that can be found here on our Community Beta forum. If high CPU usage is seen on the Mongo process, it can indicate the need of a bigger box or the need to separate the mongodb process as mentioned above. Once that is done, the following can be tuned to see if it results in better application performance:
This results in 500 threads that can be waiting for a Mongo connection. So keep in mind that more threads can mean higher CPU usage because the CPU has to context-switch between threads. It may allow for higher DB throughput, but only if the Mongo process is able to consume more CPU to serve requests faster.
Use this article to repair the database of malfunctioning UniFi Network applications. Please note this only applies to users self-hosting the UniFi Network Server on their own Windows/macOS/Linux machine, or those hosting UniFi Network on a legacy Cloud Key.
We generally recommend using a UniFi OS Host for the best experience. Visit UI.com to learn more.
Symptoms
Statistics are only recorded for a few days and then are cut off or are only intermittently available.
Backups including statistics data cannot be generated.
Settings-only backups cannot complete, or are created but are unable to be restored due to corruption.
An error 400 is generated when trying to open UniFi Network.
The UniFi Network application service will not start due to database errors.
32-bit MongoDB Limitations
32-bit MongoDB collections are limited to a total size of 2GB. While running the MMAPv1 storage engine this can cause issues when trying to shrink the aggregate collection sizes. When running a compact command on the MongoDB, the database is rewritten and defragmented without error correction. This process does not return useable disk space to the UniFi Host when the storage engine is MMAPv1.
Getting back that valuable disk space on a 32-bit MongoDB instance will require a repair of the database. This repair may be needed for those who are suspecting invalid entries, corruption, or collection scaling issues. To be able to run a database repair, the Cloud Key will have to have enough free disk space equal to the size of the current data set plus 2 gigabytes. If the dataset has already grown too large to proceed with the db.repairDatabase() command there are instructions below to work around that.
Note: The Legacy Cloud Key (UC CK) utilizes the following:
Download the mongo pruning script. As written, the script will only keep entries from the past 7 days. It will not remove entries that are required for UniFi administration. Do so by running the following command: cd /tmp/ wget https://help.ui.com/hc/en-us/article_attachments/360008640574/CK_repair.js
Stop the UniFi service: service unifi stop
The UniFi service will shut down the mongo process. Make sure that the UniFi service has been completely shut down. Repair the database to compact the data entries and free unused disk space field that is included in the query criteria. mongod –dbpath /usr/lib/unifi/data/db –smallfiles –logpath /usr/lib/unifi/logs/server.log –repair
NOTE: Steps 5-8 are optional if you need to prune back the database to conserve disk space.
NOTE: Journaling may not be have been enabled in your mongo database. If so, then remove the –journal option in the above command.
Execute the script to prune the stat collections that are causing the problem: mongo < /tmp/CK_repair.js
Shut down the mongo server with this command: mongod –dbpath /usr/lib/unifi/data/db –smallfiles –logpath /usr/lib/unifi/logs/server.log –shutdown
Note: The last command in the CK_repair.js script is “db.repairDatabase()”. It may result in an error if the stats collections have already grown too large to be repaired while the mongo server is running. If you see such an error running the script then you will need to repair the database from the command line once again by running the command in step 3.
Finally, restart the UniFi service: service unifi start
The Cloud Key should now be able to run the Network application. If you still have database issues, please upgrade to the latest Cloud Key Gen2 Plus which does not experience this problem.
Repairing a Debian-based Linux Database
Stop the UniFi service service unifi stop
In some cases, where the journal is corrupted, it will be helpful to run the following command before repairing the database, to move it to another location: mv -vi /usr/lib/unifi/data/db/journal /usr/lib/unifi/data/db/journal-$(date -I)
Repair the database with this command: mongod –dbpath /usr/lib/unifi/data/db –smallfiles –logpath /usr/lib/unifi/logs/server.log –repair
Finally, restart the UniFi service: service unifi start
Note: If this process was performed as root the file ownership may have changed. This can be changed with: chown -R unifi:unifi /usr/lib/unifi/data/db/ chown -R unifi:unifi /usr/lib/unifi/logs/server.log
If you still have suspected database issues please migrate to a Cloud Key Gen2 Plus or Dream Machine Pro. These UniFi OS Hosts do not experience this type of database corruption.
Repairing a macOS Database
Create a temporary working directory. For repair purposes, we will call this directory /repair. In terminal: mkdir ~/repair
You can also download 2.4.14 here directly: 2.4.14.tgz.
Move the downloaded package to your working directory, and extract it by double-clicking it or using the application of your choice.
Locate the bin/mongo binary file, and copy it to your working directory. At this point, the downloaded .tgz package and any extra extracted files can be deleted as we only need the mongo binary.
Open Terminal and move to your working directory: cd ~/repair
Close or stop UniFi.
Repair the database with this command: mongod –dbpath ~/Library/Application\ Support/UniFi/data/db –smallfiles –logpath ~/Library/Application\ Support/UniFi/logs/server.log –repair
Open the UniFi application from Finder: open -n /Applications/UniFi.app
If you still have suspected database issues please migrate to a Cloud Key Gen2 Plus or Dream Machine Pro. These UniFi OS Hosts do not experience this type of database corruption.
Note: The recommended MongoDB version is 3.4.x. You can download 3.4.23 directly here: 3.4.23.zip.
Extract \bin\mongod.exe to a working directory of your choice. In this example, we will use C:\repair\ You may ignore all other files included in the .zip.
Close or stop UniFi.
Open the command prompt by pressing WINDOWS + R. In the popup, type cmd, and press ENTER.
Enter Working Directory: cd C:\repair\
Repair the database with this command: mongod.exe –dbpath “%userprofile%\Ubiquiti UniFi\data\db” –smallfiles –logpath “%programfiles%\Ubiquiti UniFi\logs\server.log” –repair
Open the UniFi application.
If you still have suspected database issues please migrate to a Cloud Key Gen2 Plus or Dream Machine Pro. These UniFi OS Hosts do not experience this type of database corruption.
How to Migrate from MMAPv1 to WiredTiger
Attention: This section does not apply to 32-bit architecture hosts including the UC-CK G1.
After UniFi Network is functional again, a user may wish to migrate it to the WiredTiger storage engine.
To verify how much space is used, run the following command:
du -shc /usr/lib/unifi/data/db/ace* /usr/lib/unifi/data/db/journal/* /usr/lib/unifi/data/db/local* | grep total
To verify which MongoDB version is being used, run the following:
mongod --version | grep "db version"
To verify what storage engine version is being used, run the following two commands:
Create a backup under Settings > Maintenance > Backup with the desired retention settings.
Uninstall UniFi from Windows or macOS. Purge UniFi from Debian-based Linux with the command: sudo dpkg -P unifi
Reinstall UniFi on Windows or macOS. Reinstall UniFi on Debian-based Linux with the commands: cd /tmp/ wget <https link to download> sudo dpkg -i unifi_sysvinit_all.deb
In the UniFi Setup Wizard restore the backup from step 1.
Self-hosting a UniFi Network Server should only be done by experienced network administrators. For the best and most streamlined experience, we recommend running UniFi Network on a UniFi OS Console or other UniFi OS Host, such as a Cloud Key. This will eliminate compatibility risks associated with third-party software and hardware.* Other benefits of UniFi OS Hosts include:
Optimized hosting and management performance
Automatic scheduling of backups and updates
Seamless email and mobile push notifications for important system activity
*UniFi also offers the Cloud Key Enterprise (on-premise) and a native Cloud Hosting subscription for scaleable deployments managing hundreds of UniFi APs.
If you choose to continue, see below for instructions to install the UniFi Network Application on your device.
Instructions
Windows
Linux
macOS
Download the latest version of the UniFi Network application (UniFi-installer.exe) from the Download page.
The latest versions of the UniFi Network Application (7.3) require Java 11.
Previous versions (7.2) use Java 8.
Install only the x64 Java release and only one version of Java.
You will be prompted to install Java 11. Select the following options and download the x64 .msi file for Windows:
Package Type: JRE
Version: 11
Install Java, and set the Set JAVA_HOME variable to Will be installed on local hard drive.
After installing Java, continue the UniFi Network application installation and start it.
Ensure that any anti-virus/spyware programs and the Windows firewall are not blocking the application.
Open a browser, navigate to https://localhost:8443 and proceed when seeing the security warning.
1. Does the UniFi Network application have to run at all times?
If the UniFi Network application is turned off, adopted UniFi devices (access points, switches) will keep functioning.
However, it is highly recommended to keep the UniFi Network application running at at all times. This enables you gather accurate statistics and make configuration changes whenever needed.
If you are not able to keep the Self-Hosting Network Server running continuously, then we recommend to upgrade to a UniFi OS Console, which is optimized to run UniFi Network and other applications.
2. Can I manage UniFi Devices that are adopted by another UniFi Network application?
No. The UniFi Network application installed on Windows/macOS/Linux is not a viewer for other UniFi Network applications (running on UniFi OS Consoles or other hosts).
3. The UniFi Network application is running slow.
Verify if the Self-Hosted Network Server is capable of running the UniFi Network application. The more UniFi and client devices that are connected, the more resources that will be needed.
Please be aware that self-hosting the UniFi Network application is an advanced setup for those familiar with network administration. If you are experiencing poor performance, we recommend upgrading to a UniFi OS Console, which is optimized to run UniFi Network and other applications.
4. The UniFi Network application is not able to start.
Verify if the Self-Hosted Network Server is capable of running the UniFi Network application and that the correct version of Java is installed.
If you continue to experience issues, try installing the application on a different host machine.
Please be aware that self-hosting the UniFi Network application is an advanced setup for those familiar with network administration. If you are unable to get the UniFi Network application running on your host machine, we recommend upgrading to a UniFi OS Console, which is optimized to run UniFi Network and other applications.
5. The UniFi Network application starts up, but I do not see any nearby UniFi devices.
Make sure that the firewall on the host machine is allowing the ports needed by UniFi and that the UniFi Network application is not blocked by any anti-virus/spyware programs.
Also make sure that the UniFi devices and the application are on the same network. If not, then remote adoption is required.
6. I get a “Your connection is not private” warning when accessing via my browser.
This can be safely ignored. Proceed to the next page.
7. What are the UniFi Network application system requirements?
At a bare minimum, we recommend the following system requirements (make sure to read the Release Notes for more details about a particular version):
Operating system:
Linux: Ubuntu Desktop / Server 22.04; Debian 11 “Bullseye”
Windows: Windows 10; Windows Server 2016
macOS: Mavericks 10.9, 10.10 Yosemite, 10.11 El Capitan, 10.12 Sierra, 10.13 High Sierra, 10.14 Mojave, 10.15 Catalina.
Use advanced techniques as a last resort to update UniFi devices and UniFi software when it is not possible to do so via the user interface.
We highly recommend that most users enable automatic updates, or trigger updates through the user interface. See How to Update UniFi to learn more.
Update UniFi Devices via Web Application
Updating via the Device Property Panel
Use Case: You want to try Early Access firmware releases for specific devices, or you want to return to an official release after trying an EA release.
2. Paste the link in the address bar found in the Settings tab of the device’s properties panel.
Updating via Your Network Cache
Use Case: You prefer to download and store updates in your Network application so they can be used by other devices, as opposed to downloading multiple, device-specific files from the internet. This is an ideal solution for reducing bandwidth within high-volume networks that host a large number of similar UniFi devices. It is also suitable for the advanced users who disable internet access on their UniFi device’s management network.
Device updates can be cached in your Network application’s System Settings. Once an update is cached, you can open to your UniFi Devices page and click Update Available.
Note: The Cache link will appear when you hover your cursor over an update.
Updating via SSH
Please note that SSH updating is not an officially supported process and may prevent your UniFi OS console from functioning. Only do this at the request of UI Support. It is only prescribed to work around specific scenarios, such as when:
Prior, traditional, update attempts have failed, likely due to an incorrect network configuration. For more details, see How to Update UniFi.
Your UniFi Network device is not being discovered or cannot be adopted because it has been preloaded with outdated firmware.
Your UniFI OS Console cannot be set up because it has been preloaded with an outdated version of UniFi OS.
Run the following command:upgrade paste_download_link_here Example:upgrade https://dl.ui.com/unifi/firmware/UAL6/5.60.1.12923/BZ.mt7621_5.60.1+12923.210416.1641.bin
Use the following SCP command to copy the file into the /tmp folder of your device from your workstation. This requires a compatible SCP application (e.g., Terminal on macOS and Linux, PuTTY/PowerShell on Windows).scp /folder_path/firmwarefile.bin <user>@<IP of device>:/tmp/fwupdate.binExample: scp /Users/alexpro/Desktop/BZ.mt7621_5.60.1+12923.210416.1641.bin Alex@192.168.1.219:/tmp/fwupdate.bin
Use the following SCP command to copy the file into the /tmp (/mnt/data for version 1.12 and below) folder of your device from your workstation. This requires a compatible SCP application (e.g., Terminal on macOS and Linux, PuTTY/PowerShell on Windows).scp /folder_path/firmwarefile.bin <user>@<IP of device>:/tmp/fwupdate.binExample: scp /Users/alexpro/Desktop/UDR-2.4.10.bin root@192.168.1.1:/tmp/fwupdate.binIf you are running Version 1.12 and below, use the following command: scp /folder_path/firmwarefile.bin <user>@<IP of device>:/mnt/data/fwupdate.binExample: scp /Users/alexpro/Desktop/UDR-2.4.10.bin root@192.168.1.1:/mnt/data/fwupdate.bin
Run the following command:upgrade <paste_download_link_here> Example: upgrade https://dl.ui.com/unifi/firmware/UGW3/4.4.56.5449062/UGW3.v4.4.56.5449062.tar
Use the following SCP command to copy the file into the /home/<user> folder of your USG from your workstation. This requires a compatible SCP application (e.g., Terminal on macOS and Linux, PuTTY/PowerShell on Windows).scp /folder_path/upgrade.tar <user>@<IP of device>:/home/<user>/upgrade.tarExample: scp /Users/alexpro/Desktop/upgrade.tar Alex@192.168.1.1:/home/Alex/upgrade.tar
Store the new application version on your device using the download link:curl -o “/tmp/unifi_sysvinit_all.deb” <network application link.deb>Example: curl -o “/tmp/unifi_sysvinit_all.deb” https://dl.ui.com/unifi/6.2.26-a79cb15f05/unifi_sysvinit_all.deb
Once downloaded, install the new version:apt-get install -y /tmp/unifi_sysvinit_all.deb
Following installation, remove the downloaded file:rm /tmp/unifi_sysvinit_all.deb
Updating Devices in a Broken State
In rare occurrences, a device may stop functioning. UniFi APs may be updated using our TFTP Recovery. This should only be used if your AP completely stops functioning as a last resort prior to submitting an RMA. UniFi OS Consoles and gateways my be updated using Recovery Mode. This should only be used if prompted on your device’s LCM screen.
Print
