Ubiquiti UniFi – Run the Network Application as a Windows Service

Windows services are often useful since they are background applications that don’t require any attention from the end-user. The service launches upon startup, without any intervention from the user. The service is a direct replacement for running the Network application manually (via the icon or a scheduled task), so there is no need to run the UniFi Network application if it is being run as a Windows service.

This article describes how to set up the UniFi Network application to run as a Windows service, and how to update it when it’s running this way.

NOTES & REQUIREMENTS:

  • Applicable to the latest UniFi application versions for Windows.
  • This article applies to UniFi applications that are installed on Windows Desktop (Windows 10) and not Windows Server versions.
  • It is recommended to only install the x64 version of Java 8 for the UniFi Cloud Access Portal to work properly.
  • Make sure to allow the ports used by the UniFi application through the Windows Firewall. See the UniFi – Ports Used article for more information. 

How to set up the UniFi Network application as a Windows Service

ATTENTION: It is recommended to only install the x64 version of Java 8 for the UniFi Cloud Access Portal to work properly. However, older versions of the Network application may require both x64 and x86 Java to be installed on a Windows x64 system.

1. Close any instances of the UniFi Network application on the computer. If the UniFi Network application was just installed, make sure to open the application manually at least once, or let it run at the end of the wizard. Once you see the message UniFi Network application (a.b.c) started, the application may be closed.

CLI: Open an administrative Windows Command Prompt (CMD) window.

2. Change the directory to the location of UniFi installation.

cd "%UserProfile%\Ubiquiti UniFi\"


3. Once in the root of the UniFi folder, run the following command to install the UniFi Network application service:

java -jar lib\ace.jar installsvc


4. Wait for the installation to complete, indicated by the Complete Installation log message.

5. Start the service with the command below: 

java -jar lib\ace.jar startsvc


6. Open a browser and navigate to the application’s IP address or https://localhost:8443.

How to upgrade a UniFi Network application that is running as a Windows Service

1. Create a backup of your Network application.

CLI: Open an administrative Windows Command Prompt (CMD) window.

2. Change the directory to the location of UniFi installation.

cd "%UserProfile%\Ubiquiti UniFi\"


3. Once in the root of the UniFi folder, issue the following to uninstall the Network application service:

java -jar lib\ace.jar uninstallsvc


4. Wait for the service uninstall process to complete. 

5. Launch the Network application and update it through the Settings section. Alternatively, download the latest installation file from the Downloads section.

6. Repeat the steps from the section above after the new Network application version is installed.

Source :
https://help.ui.com/hc/en-us/articles/205144550-UniFi-Run-the-Network-Application-as-a-Windows-Service

Ubiquiti UniFi – USG Advanced Configuration Using config.gateway.json

This article describes how to perform advanced configurations on the UniFi Security Gateway (USG and USG-PRO-4) using the config.gateway.json file. This article is not applicable to the UniFi Dream Machine models. The UDM line does not support configurations done outside of the UniFi Network application.

NOTES & REQUIREMENTS:

  • Ubiquiti Support cannot assist in the creation of the config.gateway.json file nor will assistance be provided for command line configuration. If assistance is required, feel free to visit our Community to create a topic and ask for help with your desired configuration.
  • This article covers advanced configuration, and should only be used by advanced users.

Table of Contents

  1. Introduction
  2. Creating the config.gateway.json File
  3. Editing the config.gateway.json File
  4. Testing & Verification
  5. Related Articles

Introduction

The config.gateway.json is a file that sits in the UniFi Network application filesystem and allows custom changes to the USG that aren’t available in the web GUI. Some possible customizations will be: configuring site-to-site VPNs with hostnames, policy routing certain traffic out WAN2, or even adding multiple IP addresses on an interface. These features don’t exist in the UniFi Network application yet, so the config.gateway.json file will supplement those features until they’re available in the GUI.

When making customizations via the config.gateway.json file, it is best to enter only the customizations that can’t be performed via the Network application. If the formatting is incorrect, a provisioning loop will be triggered on the USG, and a reboot will take place once the USG comes out of the provisioning loop. At this point the config.gateway.json file can be corrected or removed to resolve the issue.

WARNING: Some users may find they can get away with using the full config, but this is not recommended as it will most likely cause issues down the road. A provisioning loop might take place when a setting is changed in the Network application that conflicts with a setting in the config.gateway.json file.

Creating the config.gateway.json File

By default, the config.gateway.json file doesn’t exist; it has to be created in order to use it.

1. Create a new file using a text editor such as TextEdit or Notepad++.

2. The structure of a json file is just as important as the words themselves. Incorrect placement of brackets, indentations, line breaks or any other structural element will make the json file invalid. It is recommended to run the text through a json validator in order to verify it has the correct syntax. The JSON Formatter website is one example of the many options of json validators you’ll find online.

3. Once the contents of the file have been validated, save it as config.gateway.json and place it under the <unifi_base>/data/sites/site_ID directory on the Network application host.

User Tip: Depending on your operating system, placing the file under this directory might be as simple as drag and drop, or using an FTP server might be necessary. The config.gateway.json file must have unifi:unifi as the owner and group. You can verify this with ls -l <unifi_base>/data/sites/site_ID. To change it, once you’re in the site directory, use the command: chown unifi:unifi config.gateway.json

The location <unifi_base> will vary from one operating system to another. See this article for more information. The site_ID can be seen in the URL of your browser when on the Network application. The original site is named “default”, and every site that is created will be assigned a random string. For example, this is what would be seen in the URL bar when inside the dashboard page of a site:

https://127.0.0.1:8443/manage/s/ceb1m27d/dashboard

In the above case, the random string ceb1m27d is the folder name to use under <unifi_base>/data/sites/. Therefore, the config.gateway.json should be placed inside <unifi_base>/data/sites/ceb1m27d/.

User Tips:

  • On Cloud Key install the path for the .json file is: /srv/unifi/data/sites/[site name/default]/
  • On an Ubuntu install the path for the .json file is: /usr/lib/unifi/data/sites/[site name/default]/

Editing the config.gateway.json File

Before customizing firewall or NAT rules, take note of the rule numbers used in the UniFi Network application under Settings > Routing & Firewall > Firewall. Default firewall rules start at either 3001 or 6001, and NAT rules will also start at 6001 (which don’t overlap with firewall rules). Custom rules created in the config.gateway.json cannot share rule numbers with the rules already on the USG, or a provisioning loop will result. It is recommended to put custom rules before the existing ruleset, as the lower number wins between two matching rules.

NOTE: When editing this custom json file, it is not necessary to include everything. You must only include the complete “path” to the items you have edited; anything outside of the path can be omitted. Think of each node in the json file as a folder nested within other folders (except for the level 1 folder, which is our main section). The folder path that takes you from level 1 all the way down to the item you are configuring must be present in the json file. See this example where we want to edit “close”, which has the following path: system > conntrack > timeout > tcp > close.

[Figure levels.png: the nested levels of the path system > conntrack > timeout > tcp > close]

Notice that in level 3 “modules” is also present along with “timeout”, but we will not include it in the json file because it is not part of the path to “close”. Same with the other items in level 5 under “tcp”. They do not need to appear in the config.gateway.json file because they are not part of the path. A successful change then, in the configuration of “close” from 10 to 20 would look like this:

[Figure success.png: a config.gateway.json containing only the path system > conntrack > timeout > tcp > close, with “close” set to 20]

The following is an example of how a DNAT rule is created for DNS configured using EdgeOS formatting:

1. Connect to the USG via SSH, and issue the following commands:

configure
set service nat rule 1 type destination
set service nat rule 1 inbound-interface eth0
set service nat rule 1 protocol tcp_udp
set service nat rule 1 destination port 53
set service nat rule 1 inside-address address 10.0.0.1
set service nat rule 1 inside-address port 53
commit;save;exit

2. Next is displaying the config. The following command displays the entire config in a JSON format:

mca-ctrl -t dump-cfg

The config can also be exported if preferred. The following example exports the output to config.txt:

mca-ctrl -t dump-cfg > config.txt

3. Find the appropriate section with the custom changes in the config output, for our example above it would be the following:

                "nat": {
                        "rule": {
                               "1": {
                                       "destination": {
                                               "port": "53"
                                       },
                                       "inbound-interface": "eth0",
                                       "inside-address": {
                                               "address": "10.0.0.1",
                                               "port": "53"
                                       },
                                       "protocol": "tcp_udp",
                                       "type": "destination"
                               },

4. Above is the custom rule, but it’s missing all the closing brackets (}) at the end to make it correct. If you look at the config output from the start, there is a certain format that is required for the file to be read correctly. Each node in a section must be separated by a comma (,), and each section must begin with an opening bracket ({) and finish with a closing one (}). Follow the existing format carefully. If the above rule is the only change in the config.gateway.json, you would edit it to look like so:

{
       "service": {
                "nat": {
                        "rule": {
                               "1": {
                                       "destination": {
                                               "port": "53"
                                       },
                                       "inbound-interface": "eth0",
                                       "inside-address": {
                                               "address": "10.0.0.1",
                                               "port": "53"
                                       },
                                       "protocol": "tcp_udp",
                                       "type": "destination"
                               }
                       }
               }
       }
}

5. If there are multiple sections to add, say Firewall, Service, VPN, the closing bracket for that section would be followed by a comma (},), before starting the next section. You can see these formatting details in the example below.

The DNAT rule number ranges are from 1-4999, and the Source/Masquerade rule numbers are from 5000-9999. If you wanted to add a port forward (DNAT) in the config.gateway.json for WAN2 in a multi-WAN (load-balance) setup, this is what the config.gateway.json would look like with only this particular NAT rule:

{
	"service": {
		"nat": {
			"rule": {
				"4500": {
					"description": "port_forward_WAN2",
					"destination": {
						"address": "100.64.100.100",
						"port": "22"
					},
					"inbound-interface": "eth3",
					"inside-address": {
						"address": "192.168.1.100"
					},
					"protocol": "tcp",
					"type": "destination"
				}
			}
		}
	}
}

And if we were to add a VPN with hostnames to the file, the config.gateway.json would look like the one below. Notice the opening and closing brackets, as well as the bracket with comma before starting with the "vpn" section:

{
	"service": {
		"nat": {
			"rule": {
				"4500": {
					"description": "port_forward_WAN2",
					"destination": {
						"address": "100.64.100.100",
						"port": "22"
					},
					"inbound-interface": "eth3",
					"inside-address": {
						"address": "192.168.1.100"
					},
					"protocol": "tcp",
					"type": "destination"
				}
			}
		}
	},
	"vpn": {
		"ipsec": {
			"site-to-site": {
				"peer": {
					"yyyy.ignorelist.com": {
						"authentication": {
							"id": "xxxx.ignorelist.com"
						},
						"local-address": "xxxx.ignorelist.com"
					}
				}
			}
		}
	}
}

Testing & Verification

It’s recommended to validate the file once you have finished creating the config.gateway.json. There are a number of free options out there; jsonlint.com is used by the Ubiquiti support team quite often.

After adding the config.gateway.json to the UniFi Network site of your choosing, you can test it by running a “force provision” to the USG in UniFi Devices > select the USG > Config > Manage Device > Force provision. This will take a while to provision (30 seconds to 3 minutes), and if it stays in provisioning longer than that, there may be a formatting error in the config.gateway.json, and you are experiencing the provisioning loop that was mentioned earlier. You can check server.log in the application and search for commit error. You can usually find what went wrong with the provisioning of the newly customized configuration in the log files. Find information about that here.

User Tip: An easy way to test the validity of the json file is:

python -m json.tool config.gateway.json
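The three rules this article states for a config.gateway.json (only the full path to an edited item is needed, DNAT rule numbers are 1-4999 and source/masquerade numbers 5000-9999, and custom rule numbers must not duplicate rules already on the USG) can be checked before a force provision. The following is an added example, not Ubiquiti's code; the path helper, the merge helper and the sample rule numbers 3001 and 6001 used as the "existing" ruleset are constructed for illustration.

```python
"""Build and check a config.gateway.json fragment (added example, not Ubiquiti code)."""
import json
from typing import Any

DNAT_RANGE = range(1, 5000)        # destination NAT rule numbers, per the article
SNAT_RANGE = range(5000, 10000)    # source/masquerade rule numbers, per the article


def path_fragment(path: list[str], value: Any) -> dict:
    """Build the minimal nested object for one edited item.

    path_fragment(["system", "conntrack", "timeout", "tcp", "close"], "20")
    yields {"system": {"conntrack": {"timeout": {"tcp": {"close": "20"}}}}}.
    Siblings such as "modules" are left out because they are not on the path.
    """
    fragment: Any = value
    for key in reversed(path):
        fragment = {key: fragment}
    return fragment


def merge(base: dict, extra: dict) -> dict:
    """Deep-merge two fragments so that sections such as "service" and "vpn"
    coexist in one object; json.dumps then emits the comma between them."""
    out = dict(base)
    for key, val in extra.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = merge(out[key], val)
        else:
            out[key] = val
    return out


def nat_rule_errors(cfg: dict, existing_rules: set[int]) -> list[str]:
    """Report service.nat.rule entries whose number is not numeric, is outside
    the range for its type, or duplicates a rule already present on the USG."""
    errors = []
    rules = cfg.get("service", {}).get("nat", {}).get("rule", {})
    for key, rule in rules.items():
        if not key.isdigit():
            errors.append(f"rule {key!r}: not a number")
            continue
        num = int(key)
        rtype = rule.get("type", "")
        if rtype == "destination" and num not in DNAT_RANGE:
            errors.append(f"rule {num}: destination rules must use 1-4999")
        elif rtype in ("source", "masquerade") and num not in SNAT_RANGE:
            errors.append(f"rule {num}: {rtype} rules must use 5000-9999")
        if num in existing_rules:
            errors.append(f"rule {num}: duplicates an existing rule")
    return errors


def check_text(text: str, existing_rules: set[int]) -> list[str]:
    """Validate raw file contents: JSON syntax first (the usual cause of the
    provisioning loop the article describes), then the rule-number checks."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(cfg, dict):
        return ["top level must be an object"]
    return nat_rule_errors(cfg, existing_rules)


# Constructed sample: the article's WAN2 port forward plus the conntrack path.
SAMPLE = merge(
    path_fragment(["service", "nat", "rule", "4500"], {
        "description": "port_forward_WAN2",
        "destination": {"address": "100.64.100.100", "port": "22"},
        "inbound-interface": "eth3",
        "inside-address": {"address": "192.168.1.100"},
        "protocol": "tcp",
        "type": "destination",
    }),
    path_fragment(["system", "conntrack", "timeout", "tcp", "close"], "20"),
)

if __name__ == "__main__":
    print(json.dumps(SAMPLE, indent=4))
    # Rule numbers noted from the Network application's own ruleset (constructed).
    print(check_text(json.dumps(SAMPLE), {3001, 6001}))
```

Running the script prints the merged file and an empty error list; feed it the real file's text and the rule numbers noted from Settings > Routing & Firewall to catch collisions before provisioning.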

Deleting Changes or Reverting to Previous State

To remove a certain advanced configuration, just delete the section pertinent to that configuration in the config.gateway.json file. To completely remove all advanced configurations created in the config.gateway.json file, delete the file or rename it. This will void all manual changes. The USG will be provisioned with the current config contained within the UniFi Network application.

A best practice when editing an already working config.gateway.json file is to create a backup. If you need to add additional changes to the config.gateway.json file, rename the current file to config.gateway.json.old, essentially creating a backup, and copy all the existing and new changes into a new file named config.gateway.json. This way, if there happens to be any mistakes resulting in a “commit” error or provisioning loop, you can delete config.gateway.json, and try again starting from config.gateway.json.old.

Source :
https://help.ui.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration-Using-config-gateway-json

Ubiquiti UniFi – Explaining the system.properties File

This article describes what the system.properties file is used for and how to edit it.

NOTES & REQUIREMENTS: This article includes some advanced configurations that should only be performed by advanced users. Advanced configurations are not supported by our Support team. The Community is the best place to find experts to guide you with advanced configurations.

Table of Contents

  1. Introduction
  2. Manually Specify the IP Interface for UniFi Network Application Communication
  3. Advanced Database Configuration
  4. SMTP Related Settings
  5. User Tips & Notes

Introduction

The system.properties file, found in the data folder within <unifi.base> (the UniFi server installation directory), defines system-wide parameters for the UniFi Network application. Here are a few notable examples of supported configuration changes for the UniFi Network application that are made in the system.properties file:

  • Manual override of the Application IP Interface (the address to which Devices send inform packets).
  • Advanced Database adjustments.
  • Port Assignments, for purposes of the UniFi Network application communicating with Managed Devices, redirecting Guest Portal traffic, etc.

WARNING:Before editing the system.properties file, remember to create a backup of your system and download it to a safe place. It is also necessary to stop the application before performing any change in the file to avoid errors after changes are made.

The system.properties file can be edited directly via any text editor. Keep in mind that lines preceded by hash tags (#) are comments and are non-operational. Make edits at the bottom of the file. After changing this file, you’ll need to manually trigger provisioning on each site in order to make these changes effective.

NOTE: The system.properties file is created when UniFi Network runs successfully. If you cannot find the file within <unifi_base>, create it by running the UniFi Network application.

Manually Specify the IP Interface for UniFi Network Application Communication

If a UniFi OS Console (or device hosting the application) has multiple IP interfaces, the following configuration can manually set the exact IP interface that adopted APs should communicate to the Network application:

  • system_ip=a.b.c.d           # the IP devices should be talking to for inform

Advanced Database Configuration

Below are advanced database configurations that most users will never need. Note: We do not perform tests on these configurations; they are enabled for the convenience of database experts. One possible usage scenario is where a few people run their application on a NAS, which has a smaller footprint than a normal server, hence there’s a need to reduce the required resources.

  • unifi.db.nojournal=false    # disable mongodb journaling
  • unifi.db.extraargs            # extra mongod args

The configuration below is used to facilitate UniFi Network application installation. Again, most users will never need to set this. When is_default is set to true, the application will start with the factory default configuration. For normal, everyday users, an uninstallation and then a fresh re-installation is recommended over this.

  • is_default=true

From the UniFi Network application you can configure the autobackup frequency, the number of backups to store, the time of backup, etc. At the time of writing, you cannot change the storage location via the application. There is a variable in the system.properties if you wish to change the storage location. Currently, the default points to:

1. For Cloud Key: /data/autobackup (where SD card is mounted as /data by default)
2. For software installs: {data.dir}/backup/autobackup

  • autobackup.dir=/some/path

The UAP-AC-EDU is recommended to be managed from a local application. The current communication from the EDU mobile app relays from app to Network application to EDU. If the mobile device is remote to the EDU, then you just need to open the appropriate ports. If the UniFi Network application is remote to the EDUs, then you need to add the following line to system.properties.

  • stream.playback.url.type=inform

(5.5.15+/5.6.7+) We’ve added HSTS support to the application. Do note that it is disabled by default. This should only be enabled if you know what you’re doing with it. This will only ever be a system.properties value so it can be easily disabled in case of issues. If you run into issues, you will likely need to clear your browser’s cache after disabling this and restarting the service. To enable HSTS support add the following:

  • unifi.https.hsts=true
  • unifi.https.hsts.max_age=31536000
  • unifi.https.hsts.preload=false
  • unifi.https.hsts.subdomain=false 

NOTE: Currently no characters after the custom line(s) are allowed. This includes spaces, pound/sharp signs/comments, etc.

SMTP Related Settings

By default, SMTPS validates certificates and will reject self-signed or untrusted certificates. If your mail server uses an untrusted certificate, you must disable certificate verification with the following: smtp.checkserveridentity=false

Starting with UniFi Network version 6.1, STARTTLS is opportunistically enabled by default; i.e., it will be used if the server announces support for it, and it will require a trusted certificate. If using a self-signed or untrusted certificate, you must disable STARTTLS by setting the following: smtp.starttls_enabled=false

This only controls whether STARTTLS will be used if the server supports it. To force its use, see: starttls_required

With UniFi Network version 6.1 and newer, STARTTLS is opportunistically enabled by default, but only required if using port 587. This behavior can be overridden by setting smtp.starttls_required=true to force the use of STARTTLS on ports other than 587, or to make STARTTLS optional on port 587, set it to false.

If smtp.starttls_enabled=false is set, the starttls_required value has no impact.

User Tips & Notes

  • If you receive an error, it’s possible there are hash tags (#) in front of the commands. Hash tags indicate comments, and the commands will not work until the hash tag is removed.
  • If you want to reduce the logging frequency on your RPi UniFi Network application, see this Community thread.
    ATTENTION: Without logs, it is impossible to receive appropriate support. Use this tip at your own discretion. See how to extract logs in our UniFi – How to View Log Files article.
  • If you cannot find the system.properties file, it might not have been created yet. This file is created once the UniFi app runs successfully. If you need to change port numbers because of a port clash, it doesn’t count as a successful launch and does not create the file, so you can’t alter the port numbers to avoid the clash.
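The pitfalls this article lists for system.properties (commented-out keys, trailing spaces or inline comments after a custom line, and SMTP settings that turn off certificate checking or STARTTLS) are easy to catch with a quick lint before restarting the application. This is an added example, not Ubiquiti's tooling; the sample file contents are constructed, and the key-name pattern is an assumption about the file's key=value layout.

```python
"""Lint a UniFi system.properties file (added example, not Ubiquiti code)."""
import re

# Assumed key=value layout; keys seen in the article are dotted or underscored names.
LINE_RE = re.compile(r"^([A-Za-z0-9_.]+)=(.*)$")

# Values that weaken mail transport security, per the SMTP section above.
WEAK_SMTP = {
    "smtp.checkserveridentity": "false",   # accepts untrusted certificates
    "smtp.starttls_enabled": "false",      # plaintext SMTP
    "smtp.starttls_required": "false",     # STARTTLS becomes optional on 587
}


def lint_properties(text: str) -> list[str]:
    """Return one finding per problematic line, with its 1-based line number."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r")
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("#"):
            # A commented-out key silently does nothing (User Tips above).
            m = LINE_RE.match(stripped.lstrip("#").strip())
            if m:
                findings.append(f"line {lineno}: {m.group(1)} is commented out and will be ignored")
            continue
        if line != stripped:
            findings.append(f"line {lineno}: leading or trailing whitespace")
        m = LINE_RE.match(stripped)
        if not m:
            findings.append(f"line {lineno}: not a key=value line")
            continue
        key, value = m.groups()
        if "#" in value:
            # No characters are allowed after a custom line, comments included.
            findings.append(f"line {lineno}: inline comment after {key} is not allowed")
            value = value.split("#", 1)[0].strip()
        if WEAK_SMTP.get(key) == value:
            findings.append(f"line {lineno}: {key}={value} weakens SMTP transport security")
    return findings


# Constructed sample exercising each check.
SAMPLE = """\
# system.properties (constructed sample)
unifi.shutdown.port=8089
unifi.https.hsts=true   # enable HSTS
#unifi.https.hsts.max_age=31536000
smtp.checkserveridentity=false
system_ip=192.0.2.10 
"""

if __name__ == "__main__":
    for finding in lint_properties(SAMPLE):
        print(finding)
```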

Source :
https://help.ui.com/hc/en-us/articles/205202580-UniFi-Explaining-the-system-properties-File

Ubiquiti UniFi – Ports Used

This article shows what UDP and TCP ports are used by the UniFi Network application by default. The information applies both to Network applications hosted on UniFi OS Consoles, such as the UniFi Cloud Key (UCK-G2, UCK-G2-PLUS, and UC-CK) or UniFi Dream Machine (UDM or UDM-Pro), and to self-hosted Network applications.

Note: Make sure to always update your Network application to the latest version.

Local Ingress Ports

Protocol   Port number   Usage
UDP        3478          Port used for STUN.
UDP        5514          Port used for remote syslog capture.
TCP        8080          Port used for device and application communication.
TCP        443           Port used for application GUI/API as seen in a web browser (applications hosted on a UniFi OS Console).
TCP        8443          Port used for application GUI/API as seen in a web browser (applications hosted on Windows/macOS/Linux).
TCP        8880          Port used for HTTP portal redirection.
TCP        8843          Port used for HTTPS portal redirection.
TCP        6789          Port used for UniFi mobile speed test.
TCP        27117         Port used for local-bound database communication.
UDP        5656-5699     Ports used by AP-EDU broadcasting.
UDP        10001         Port used for device discovery.
UDP        1900          Port used for “Make application discoverable on L2 network” in the UniFi Network settings.

Note: Although TCP 22 is not one of the ports UniFi Network operates on by default, it is worth mentioning in this article since it is the port used when UniFi devices or the Network application is accessed via SSH.

Ingress Ports required for L3 management over the internet

Note: These ports need to be open at the gateway/firewall as well as on the UniFi Network application host. This would be achieved by creating port forwards on the gateway/firewall where the application is hosted.

Protocol   Port number   Usage
UDP        3478          Port used for STUN.
TCP        8080          Port used for device and application communication.
TCP        443           Port used for application GUI/API as seen in a web browser (applications hosted on a UniFi OS Console).
TCP        8443          Port used for application GUI/API as seen in a web browser (applications hosted on Windows/macOS/Linux).
TCP        8843          Port used for HTTPS portal redirection.
TCP        6789          Port used for UniFi mobile speed test.

Egress Ports required for UniFi Remote Access

Note: In most cases, these ports will be open and unrestricted by default.

Protocol   Port number   Usage
UDP        3478          Port used for STUN.
TCP/UDP    443           Port used for Remote Access service.
TCP        8883          Port used for Remote Access service.

Changing Default Ports

Changing default port assignments can only be done on self-hosted Network applications (Windows/macOS/Linux). This can be accomplished as follows:

1. Close any instances of the UniFi Network application.

2. Modify the system.properties file, which can be found in the directory <unifi_base>/data/system.properties.

  • For example, if port 8081 was in use and port 8089 was open, you could change it by modifying unifi.shutdown.port=8081 to unifi.shutdown.port=8089

3. Restart the UniFi Network application.

Note: Make sure there are no leading or trailing spaces, comments, or other characters like hash tags (#) on any custom lines. Otherwise, UniFi Network will ignore the customizations.

Source :
https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used

Ubiquiti UniFi – UAP Status Meaning Definitions

This article describes the different statuses a UniFi Access Point might be ascribed by the UniFi Network application within the UniFi Devices section.

[Figure device.status.png: the device status column in the UniFi Devices section]

Device Status: Description

Connected: The UAP is physically wired to the network by ethernet cable. The UAP is in a connected state, able to service WLAN stations. Currently, no updates/changes to configuration are being run on the UAP.

Connected (Wireless): The UAP is wirelessly uplinked to a physically wired AP.

Connected (100 FDX): The UAP is physically wired to the network at 100 Mbps in full-duplex mode. This will appear when a UAP is connected but not at the ideal connection rate. FDX stands for Full Duplex. It may appear as 10/100/1000, HDX or FDX.

Connected (Disabled): The UAP has been disabled in the UniFi Network application (Properties > Manage Device > Disable this Device). It will be excluded from the dashboard status, and its LED and WLAN will be turned off.

Connected (Limited): This will appear when a UAP is connected and can reach the UniFi Network application, but is unable to reach either the gateway or the custom IP defined for the uplink connectivity monitor. In this state downlink UAPs (wireless UAPs) will become Isolated.

Provisioning: The UAP is in a connected state; however, it is applying updates/changes to the configuration, and will shortly reboot (temporarily disconnecting WLAN stations) and return back online.

Restarting: After clicking on the Restart button in the Actions column, the device will restart.

Adopting: Device is adopting normally.

Pending Adoption: The UAP has been detected by the UniFi Network application, but is not adopted yet. Click on the Adopt button to do so.

Pending Adoption (Update Required): Devices with firmware that is too old for the UniFi Network application will see this when attempting to adopt. Clicking Update will upgrade the Device to the latest stable firmware release and adopt the Device to the application.

Heartbeat Missed: The UniFi Network application did not receive a reply at the dynamically scheduled interval. This will appear before “Disconnected,” usually about 30-45 seconds after missing the interval. This is usually seen when configuring a wireless uplink; if the state does not change to Connected after a while, something went wrong. See this article for wireless uplink instructions.

Disconnected: The adopted UAP is now in a disconnected state, meaning the UniFi Network application does not have connectivity to the access point (check cables, network settings, and changes to topology).

Isolated: The adopted UAP is unable to reach the gateway and is awaiting a nearby, wired UAP, which is already managed by the UniFi Network application, in order to establish a “wireless uplink.” See this article for wireless uplink instructions.

Managed by Other: A UAP is located on the same network as the UniFi Network application, but is already bound to another UniFi Network application. Providing the username/password to the UAP will unbind the UAP from the existing Network application and begin adoption in the current application. See this article: UniFi – Advanced Adoption of a “Managed By Other” Device.

Upgrading: The UAP is upgrading and should not be disconnected. This should be accompanied by the AP’s LED flashing. (See what the different LED combinations mean in this article.)

RF Scanning: Appears when an RF Scan is taking place.

Source :
https://help.ui.com/hc/en-us/articles/205231710-UniFi-UAP-Status-Meaning-Definitions

Ubiquiti UniFi – USW Flex Mini Recovery

Overview

This article describes how to recover a bricked USW-Flex-Mini via recovery mode. The first step in the recovery process is to prepare a web server. See the subsections below on how to do that on each of the different operating systems: Windows, macOS and Ubuntu/Debian and then continue to the recovery instructions once that is done.

Table of Contents

  1. How to Prepare a Web Server
    1. How to Prepare a Web Server on Windows
    2. How to Prepare a Web Server on macOS
    3. How to Prepare a Web Server on Ubuntu/Linux
  2. How to Recover a USW Flex Mini
  3. Related Articles

How to Prepare a Web Server

The first step in the recovery process is to prepare a web server. See the subsections below on how to do that on each of the different operating systems: Windows, macOS and Ubuntu/Debian. 

How to Prepare a Web Server on Windows

1. Download Python for Windows (Executable Installer) here.

2. Open the downloaded file and make sure you select Add Python x.x to PATH during installation.

3. After the Python installation open Command Prompt as Administrator and confirm that Python is installed correctly with the command below:

python -V

4. Create a directory for the web server by running the commands below:

mkdir c:\webserver
cd c:\webserver

5. Start the Python web server on port 80. Note that the version of Python can be found with the command from step 3:

Python 3.x:

python -m http.server 80

Python 2.x:

python -m SimpleHTTPServer 80

How to Prepare a Web Server on macOS

1. Download Python for macOS here.

2. After the Python installation open Terminal and confirm that Python is installed correctly with the command below:

python -V

3. Create a directory for the web server by running the commands below:

cd ~
mkdir webserver
cd webserver

4. Start the Python web server on port 80. Note that the version of Python can be found with the command from step 2:

Python 3.x:

python -m http.server 80

Python 2.x:

python -m SimpleHTTPServer 80

How to Prepare a Web Server on Ubuntu/Debian

1. Install Python on your machine with the commands below:

sudo apt-get update && sudo apt-get install python3

2. After the Python installation open a terminal and confirm that Python is installed correctly with the command below:

# Pick the first installed interpreter package named python<major>.<minor>
# (the dot is escaped so it matches a literal dot, and the minor version may have several digits).
python_version=$(dpkg -l | grep "^ii" | awk '/python/{print$2}' | grep "^python[0-9]\.[0-9]\+$" | head -n1)
sudo "${python_version}" -V

3. Create a directory for the web server by running the commands below:

cd ~
mkdir webserver
cd webserver

4. Start the Python web server on port 80. Note that the version of Python can be found with the command from step 2:

Python 3.x:

sudo "${python_version}" -m http.server 80

Python 2.x:

sudo "${python_version}" -m SimpleHTTPServer 80

How to Recover a USW Flex Mini

1. Prepare a web server as explained above, and set the server / computer’s IP to a static 192.168.1.99. The way to set a static IP on a computer will vary from platform to platform. Find instructions on how to do that in your product’s documentation (Windows, macOS or Ubuntu/Linux).

2. Download the latest firmware (found in Downloads), rename the binary to fwupdate.bin and place it in the directory that was created earlier (webserver).

3. Power down the switch by unplugging from the power source.

4. Press the switch’s reset button and hold it down as you provide power to the switch. Hold the reset button down for over 10 seconds during boot up. The LED pattern should be: blue-white-off blinking.

5. The USW-Flex-Mini should be updated after a while.
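The stock python -m http.server used above serves, and lists, everything in the directory it is started from. As an added example that is not part of the Ubiquiti article, the following Python 3 script serves only /fwupdate.bin and records each request, so the switch's fetch is visible on the console while nothing else on the machine is exposed. The file name fwupdate.bin and the server address 192.168.1.99 are taken from the article; the loopback address, ephemeral port and firmware bytes used by demo() are constructed so the script can be exercised offline.

```python
# Added example (not Ubiquiti's code): serve only fwupdate.bin over HTTP.
# "python -m http.server 80" exposes and lists the whole directory; this
# handler answers GET /fwupdate.bin and nothing else, and records each
# request so the switch's fetch is visible. The file name and the address
# 192.168.1.99 come from the recovery article; demo()'s loopback address,
# ephemeral port and firmware bytes are constructed for offline use.
import os
import sys
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen

FIRMWARE_NAME = "fwupdate.bin"   # the name the USW-Flex-Mini requests
REQUESTS = []                    # (client_ip, path, status), for review afterwards


class FirmwareOnlyHandler(BaseHTTPRequestHandler):
    """Serve exactly one file; every other path gets 404 (no directory listing)."""

    firmware_path = None  # filled in by make_server()

    def do_GET(self):
        if self.path != "/" + FIRMWARE_NAME:
            self._reply(404, b"not found")
            return
        with open(self.firmware_path, "rb") as fh:
            self._reply(200, fh.read(), "application/octet-stream")

    def _reply(self, status, body, ctype="text/plain"):
        REQUESTS.append((self.client_address[0], self.path, status))
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def make_server(firmware_path, bind="192.168.1.99", port=80):
    """Build the server; port 0 lets the OS pick a free port (used by demo())."""
    handler = type("Handler", (FirmwareOnlyHandler,), {"firmware_path": firmware_path})
    return HTTPServer((bind, port), handler)


def fetch(url):
    """GET url and return (status, body) instead of raising on 4xx."""
    try:
        with urlopen(url, timeout=5) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


def demo():
    """Serve a constructed firmware blob on loopback and probe three paths."""
    del REQUESTS[:]
    firmware = bytes(range(256)) * 4             # constructed stand-in for a real .bin
    path = os.path.join(tempfile.mkdtemp(), FIRMWARE_NAME)
    with open(path, "wb") as fh:
        fh.write(firmware)
    srv = make_server(path, bind="127.0.0.1", port=0)   # real use: 192.168.1.99, 80
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    try:
        fw_status, body = fetch(base + "/" + FIRMWARE_NAME)
        other_status, _ = fetch(base + "/" + FIRMWARE_NAME + ".bak")  # sibling files are refused
        list_status, _ = fetch(base + "/")                            # so is the directory itself
    finally:
        srv.shutdown()
        srv.server_close()
    return {
        "served_intact": body == firmware,
        "firmware_status": fw_status,
        "sibling_status": other_status,
        "listing_status": list_status,
        "requests_logged": len(REQUESTS),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. sudo python3 fwserver.py /home/user/webserver/fwupdate.bin
        make_server(sys.argv[1]).serve_forever()
    else:
        print(demo())
```

Run it with the path to fwupdate.bin as the only argument (as root or administrator, since it binds port 80 on 192.168.1.99); without an argument it runs the loopback self-check. The access log printed by the handler shows the switch's IP and the 200 response when it fetches the file, which is the confirmation step 5 otherwise lacks.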

Source :
https://help.ui.com/hc/en-us/articles/360045001914-UniFi-USW-Flex-Mini-Recovery

Ubiquiti UniFi – TFTP Recovery for Bricked Access Points

Overview

Readers will learn how to properly recover a UniFi Access Point (UAP) using the TFTP method.

Table of Contents

  1. Introduction
  2. TFTP for Windows
  3. TFTP for Linux & macOS
  4. Related Articles

Introduction

The method described in this article should help recover a “bricked” UniFi AP. This method will not void the device warranty, whereas opening the chassis for serial TTL will void your warranty. Most soft brick issues will be resolved via this procedure. If your issue continues unresolved, it might indicate a hardware issue that cannot be resolved via software. Feel free to contact support if you believe this to be the case. IMPORTANT: When recovering UAP Gen1 devices, the device itself will need approximately 5 minutes to finish recovering after the put command is entered.

TFTP for Windows

1. Prior to beginning the TFTP recovery, download the firmware for the device needed by visiting the UniFi Downloads section. Navigate to the UAP in question using the menu on the left, and find the latest firmware file. Confirm it is a .bin firmware file and not the UniFi Network application software file before downloading.

2. Once the correct firmware has been identified, download it and save it on your computer. 

3. Unplug the ethernet cable from the UniFi AP.

4. Using a paperclip press and hold the UniFi AP’s reset button. Make sure you can feel it being depressed by the paperclip. Do not release the button until step 6.

5. While keeping the reset button pressed in, plug the ethernet cable back into the AP. Keep the reset button depressed until you see the device’s LED flashing in upgrade mode (read about LED patterns in this article). This may take up to 25 seconds. User Tip: The UAP will not respond to ping requests while in TFTP recovery mode, but will respond to ARP requests, so an entry for 192.168.1.20 in your ARP table (arp -a) confirms it is reachable even though ping fails.

6. You may release the reset button. Now the device is in TFTP transfer mode.

7. Set a static IP on your computer’s NIC: 192.168.1.25 with a subnet mask of 255.255.255.0 and a gateway of 192.168.1.20. The AP listens on 192.168.1.20 while in TFTP recovery mode, so that is the address the firmware will be sent to.

8. Plug the UniFi PoE injector’s LAN cable directly to your computer.

9. This example uses the Pumpkin TFTP software. Allow Pumpkin through the Windows Firewall (or temporarily disable the firewall for the duration of the transfer), then click “Put File”.

10. In “Local Files” browse for the firmware you downloaded and saved previously (in step 1).

11. In the “Remote host” field enter the gateway you had predetermined (192.168.1.20), then click OK.

12. At this point, the file should begin transferring. The firmware will upgrade now and the device will automatically reboot once it has finished. Do not reboot it yourself.

TFTP for Linux & macOS

1. Prior to beginning the TFTP recovery, download the firmware for the device needed by visiting the UniFi Downloads section. Navigate to the UAP in question using the menu on the left, and find the latest firmware file. Confirm it is a .bin firmware file and not the UniFi Network application software file before downloading.

2. Once the correct firmware has been identified, download it and save it on your computer. You will need to know the exact path to your file, so for this example, we are moving the downloaded firmware file to /Users/username/.

3. Go to System Preferences > Network and set your computer’s network IP address to 192.168.1.25, subnet 255.255.255.0 and gateway 192.168.1.20. User Tip: Take note of what your IP address is before changing it. You will have to revert to the original IP address in step 12.

4. On macOS, open Applications > Utilities > Terminal and type: 

tftp

On Linux, open a terminal and run the following, substituting the path and file name of the firmware you downloaded in step 2. Unlike the interactive macOS client, this one-shot form (-l local file, -p put) sends the file as soon as it is run, so only run it once the AP is in upgrade mode (steps 6 to 9). If your distribution’s tftp client offers an interactive tftp> prompt instead (tftp-hpa, for example), use the macOS commands from steps 4 and 10: 

tftp -l ~/path/firmware_name.bin -p 192.168.1.20 69

5. With the interactive client, a tftp> prompt appears. You are ready to reset the AP and connect it to your computer while it is in “upgrade mode”.

6. Unplug the ethernet cable from the UniFi AP.

7. Using a paperclip press and hold the UniFi AP’s reset button. Make sure you can feel it being depressed by the paperclip. Do not release the button until step 9.

8. While keeping the reset button pressed in, plug the ethernet cable back into the AP. Keep the reset button depressed until you see the device’s LED flashing in upgrade mode (read about LED patterns in this article). This may take up to 25 seconds. User Tip: The UAP will not respond to ping requests while in TFTP recovery mode, but will respond to ARP requests, so an entry for 192.168.1.20 in your ARP table (arp -a) confirms it is reachable even though ping fails.

9. You may release the reset button. Now the device is in TFTP transfer mode.

10. On the TFTP command line in Terminal, paste these four lines and hit enter: 

connect 192.168.1.20
binary
rexmt 1
timeout 60

11. Type the command put followed by the path to the firmware downloaded in step 2 and hit enter. Following the example mentioned in step 2, something similar to this would be typed into the Terminal window:

put /Users/Alex/BZ.qca956x.v3.9.27.8537.180317.1235.bin

IMPORTANT: Remember you must substitute the path and firmware file name with your own path and file name.

Once it is successful, you will see something like this in the Terminal window (the path and the byte and second counts will differ for each user):

tftp> connect 192.168.1.20 
tftp> binary
tftp> rexmt 1
tftp> timeout 60
tftp> put /path/firmware.bin
Sent x bytes in y seconds

The file should begin transferring at this point. The firmware will upgrade and the device will automatically reboot once it has finished. Do not reboot it yourself.

12. Re-connect the PoE injector’s LAN cable to your router, and restore your computer’s network IP to what it was before. User Tip: If your device is having trouble getting adopted by the UniFi Network application after this process, try forgetting the device: go to the UniFi Devices section, click the UAP in question, and in the properties panel that pops up go to Config (gear icon) > Manage Device > Forget this device. Click the “Forget” button and try the process again.
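For readers who want to see what the connect, binary, rexmt, timeout and put commands above do on the wire, here is an added Python 3 example (not Ubiquiti’s code) of the TFTP write request from RFC 1350: a WRQ in octet mode (tftp’s “binary”) to the AP, then 512-byte DATA blocks each awaiting its ACK, resending the outstanding packet every second and giving up after 60 seconds, as rexmt 1 and timeout 60 do. The AP’s recovery address 192.168.1.20 and port 69 come from the article; the loopback server in serve_one_put() and the 1300-byte constructed firmware blob in demo() are assumptions so the exchange can be run offline.

```python
# Added example (not Ubiquiti's code): the TFTP write that "put" performs,
# written against RFC 1350 so the exchange is visible. The AP's recovery
# address 192.168.1.20 and port 69 come from the article; rexmt=1 and
# timeout=60 mirror the "rexmt 1" / "timeout 60" commands. serve_one_put()
# is a loopback stand-in for the AP, used only to run the demo offline.
import socket
import struct
import threading
import time

OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5
BLOCK = 512                       # RFC 1350 data block size

def build_wrq(filename, mode="octet"):
    """WRQ: opcode 2, filename, NUL, mode, NUL. The client's "binary" means octet mode."""
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def build_data(block_no, chunk):          # DATA: opcode 3, block number, <=512 payload bytes
    return struct.pack("!HH", OP_DATA, block_no & 0xFFFF) + chunk

def build_ack(block_no):                  # ACK: opcode 4, block number
    return struct.pack("!HH", OP_ACK, block_no & 0xFFFF)

def parse_ack(pkt):
    """Return the acknowledged block number; raise on an ERROR packet."""
    op, val = struct.unpack("!HH", pkt[:4])
    if op == OP_ERROR:
        raise RuntimeError("tftp error %d: %s" % (val, pkt[4:].rstrip(b"\0").decode(errors="replace")))
    if op != OP_ACK:
        raise RuntimeError("unexpected opcode %d" % op)
    return val

def tftp_put(host, port, remote_name, data, rexmt=1.0, timeout=60.0):
    """Write data to host:port as remote_name; return the number of DATA blocks acknowledged."""
    chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    if not chunks or len(chunks[-1]) == BLOCK:
        chunks.append(b"")            # a short (or empty) final block marks end of file
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(rexmt)            # rexmt: resend the outstanding packet after this long
    deadline = time.monotonic() + timeout
    peer = (host, port)
    pending, expected = build_wrq(remote_name), 0   # packet in flight, ACK number awaited
    try:
        while True:
            sock.sendto(pending, peer)
            try:
                pkt, addr = sock.recvfrom(516)
            except socket.timeout:
                if time.monotonic() > deadline:
                    raise TimeoutError("no ACK for block %d within %.0fs" % (expected, timeout))
                continue
            if expected == 0:
                peer = addr               # the server answers WRQ from a fresh port (its TID)
            elif addr != peer:
                continue                  # datagram from a foreign TID: ignore it
            if parse_ack(pkt) != expected:
                continue                  # stale or duplicate ACK: resend the current packet
            if expected == len(chunks):
                return expected           # final block acknowledged
            pending, expected = build_data(expected + 1, chunks[expected]), expected + 1
    finally:
        sock.close()

def serve_one_put(bind="127.0.0.1"):
    """Minimal loopback TFTP server accepting a single write (demo only).
    Returns (port, state); state["done"] is set once state["data"] holds the upload."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((bind, 0))
    state = {"data": b"", "done": threading.Event()}

    def run():
        pkt, client = listener.recvfrom(516)
        assert struct.unpack("!H", pkt[:2])[0] == OP_WRQ
        xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        xfer.bind((bind, 0))              # new TID for this transfer, as real servers do
        xfer.sendto(build_ack(0), client)
        got, last = b"", 0
        while True:
            pkt, _ = xfer.recvfrom(516)
            op, n = struct.unpack("!HH", pkt[:4])
            if op == OP_DATA and n == last + 1:
                got, last = got + pkt[4:], n
            xfer.sendto(build_ack(last), client)   # re-ACK duplicates too
            if op == OP_DATA and n == last and len(pkt) - 4 < BLOCK:
                break
        state["data"] = got
        xfer.close()
        listener.close()
        state["done"].set()

    threading.Thread(target=run, daemon=True).start()
    return listener.getsockname()[1], state

def demo():
    """Push a constructed 1300-byte 'firmware' over loopback; return (blocks_sent, intact)."""
    firmware = b"UBNT" * 325                  # constructed stand-in, 1300 bytes -> 3 blocks
    port, state = serve_one_put()
    sent = tftp_put("127.0.0.1", port, "firmware.bin", firmware, rexmt=1.0, timeout=10.0)
    state["done"].wait(5)
    return sent, state["data"] == firmware

if __name__ == "__main__":
    print(demo())
```

Against a real AP in upgrade mode the equivalent of the put command is tftp_put("192.168.1.20", 69, "firmware.bin", open(path, "rb").read()); the return value is the number of blocks the AP acknowledged, and a TimeoutError on block 0 means the WRQ was never answered, which is the same symptom as a tftp> client that sits silently until its timeout.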

Source :
https://help.ui.com/hc/en-us/articles/204910124-UniFi-TFTP-Recovery-for-Bricked-Access-Points

Ubiquiti Best Practices for Managing AirPlay Chromecast on UniFi Network

This article explains best practices for configuring larger UniFi networks with AirPlay/Chromecast devices. For efficient and reliable channel utilization, networks with more than 100 WiFi clients will need the multicast block option to be enabled on each of their SSIDs. This guide is especially useful for schools, stadiums, public venues, or similar networks.

Note: This guide applies to a network with a UniFi Security Gateway, UDM, or UDM-Pro. If your network does not have one of these, the steps may need to be adapted. 

Creating a ChromeCast/AirPlay Network

Once your UniFi Network scales beyond a certain number of WiFi clients, it is important to ensure that every AP’s WiFi channel continues to be used efficiently. The broadcast traffic from more than 100 clients is typically high enough that WiFi performance may start to degrade. We always recommend enabling the multicast block option setting for larger networks.

However, this option causes a problem with users that would like to use their ChromeCast/AirPlay devices on the same WiFi network, because those devices will no longer hear the MDNS broadcasts from other devices on the network. They will no longer be discoverable.

In order to gain the performance benefits of multicast block while still maintaining discoverability to these WiFi clients, please follow these steps:

  1. Go to Settings > WiFi and select the SSID to check that multicast block is enabled if it has more than 100 clients on it.
  2. Create a separate SSID/VLAN for the ChromeCast/AirPlay clients.
    1. Go to Settings > Networks, and add a New Network.
    2. Go to Settings > WiFi, and add a new WiFi Network, ensuring that the Network created in the previous sub-step is selected instead of LAN.
    3. Go to Settings > Advanced Features > Advanced Gateway Settings > Multicast DNS and enable Multicast DNS, then click Apply Changes.
  3. Forget the old network on your ChromeCast/AirPlay clients and connect them to the new WiFi Network.
  4. Test Discoverability from the appropriate mobile apps.

Source :
https://help.ui.com/hc/en-us/articles/4409866388887-Best-Practices-for-Managing-AirPlay-Chromecast-on-UniFi-Network

Introducing Improvements in DNS Tunneling & DNS Exfiltration Detection

DNS tunneling is a technique that encodes data of other programs and protocols in DNS queries, including data payloads that can be used to control a remote server and applications. Because of this, DNS tunneling – and DNS exfiltration associated with it by threat actors – is of great concern to many IT and SecOps teams. Fortunately, new developments in the Cisco Umbrella DNS cache system allow for faster and more reliable detection of DNS tunneling and exfiltration events.

How Does DNS Tunneling Work?

DNS tunneling revolves around the transfer of data. So, if we have:

  • Input data – Name: Alice, Age: 25, SSN: 123-45-678

Using DNS exfiltration, we can encode and send this data placed in several subdomains of the domain under our control as a single entry:

  • jzqw2zj2ifwg.sy3ffrawozj2.gi2syu2tjy5d.cmrtfu2djljw.my.tunnel.com

Or, we can use multiple entries using multiple queries to large numbers of domains:

  • jzqw2.zj2if.my.tunnel.com
  • wgsy3.ffraw.my.tunnel.com
  • ozj2g.i2syu.my.tunnel.com
  • 2tjy5.dcmrt.my.tunnel.com

Users can abuse this technique – as seen in Fig. 1 below – by installing a free DNS tunneling tool to bypass IT policies and/or monitoring. They can also use this technique to bypass network authorization to obtain free internet access in hotels and airports.

A graphic illustrating how users abuse DNS tunneling to bypass IT policies and/or monitoring. The graphic shows traffic going from the user device, through port 53, through recursive DNS resolution provided either by the ISP or Cisco Umbrella, through a VPN tunnel infrastructure, to a blocked site. Traffic then reverses through the same chain before returning to the user device.
Fig. 1

Attackers can use outbound DNS requests to send encoded exfiltrated data to their infrastructure – as seen in Fig. 2 below – or use DNS responses to send commands to compromised systems and manage infected devices remotely.

A graphic showing the process of a DNS-tunneling-based attack. A compromised system sends data in a DNS request through Port 53. The data then passes through recursive DNS resolution before being admitted into the attacker's infrastructure.
Fig. 2

Improvements to DNS Tunneling Realtime Detection

Today, we’re thrilled to announce that organizations have a powerful new ally to protect against data exfiltration and unauthorized DNS tunnels in their networks. Cisco Umbrella has developed a new proprietary cache within our DNS resolvers to work alongside our machine learning modules. Our newest machine learning module is tuned to detect data exfiltration and DNS tunneling events.

This new module monitors DNS traffic for behavioral patterns and traffic exfiltrating data, efficiently building enough information to detect and block data exfiltration. And, in the event circumstances and domain reputations change, this module will correct itself and let traffic through.

We made this update because, over the past couple of years, we’ve seen organizations more productive and more connected amidst the new reality of working digitally during the pandemic. The explosion of logins and bandwidth, though, has at times come with reductions in digital security. Data exfiltration has become a new reality, and one hole attackers punch is in the DNS.

Powering Improvements With a Revolutionary DNS Cache

The technology stack powering Cisco Umbrella’s DNS resolvers handles blistering loads of DNS traffic from ISPs, global organizations, municipalities, schools, and homes. Building on this, we’ve hacked the heart of the DNS resolver – the cache. And while we dig into the details of this new functionality in our DNS tunneling solution brief, we also want to provide you with an overview here.

The cache of a DNS resolver lets it serve the swell of global traffic without faults or outages, and it insulates the backbone of the internet from being overwhelmed with identical queries. Caches store data locally so that it can be served more quickly.

Tunneling Cache

An image illustrating how Cisco Umbrella uses the tunneling cache.

The tunneling cache enables us to glue together a sequence of queries that are otherwise distinct atomic events. With proprietary key and data fields, we seamlessly incorporate rapid cache updates unbeknownst to web surfers. We maintain lightning speed throughout by merging incoming data fields using tricks found in probabilistic algorithms. Gluing together each individual’s DNS queries provides access to a rich amount of information, otherwise hidden. Organizations can now get personalized DNS tunneling monitoring, detection, and enforcement in real time.

Encryption Payloads

An image illustrating how Cisco Umbrella identifies encryption payloads.

We pair the new DNS cache with a lexical engine highly trained at identifying encrypted messages. Our researchers dug into various encryption protocols and created a stateful algorithm capable of churning through every character transition in a domain name and identifying encryption payloads with high fidelity.

Take DNS-Layer Security to the Next Level

Cisco Umbrella analyzes internet activity to uncover known and emergent threats in order to protect users anywhere they go. Together, these capabilities power Umbrella to predict and prevent DNS tunneling attacks before they happen. Enabling this security category reduces the risk of DNS tunneling and potential data loss. Organizations can choose to block users from using DNS tunneling VPN services, or they can monitor the results in reports, providing flexibility to determine what is suitable given their risk tolerance.

Address your DNS blind spot by enforcing security over port 53 both on and off the corporate network. Request a personalized demo of Cisco Umbrella today to explore how this exciting new feature can help protect your enterprise.

Source :
https://umbrella.cisco.com/blog/improvements-dns-tunneling-dns-exfiltration-detection

3 Ways to Strengthen Your Cybersecurity Strategy in 2022

Last year threw a lot at cybersecurity teams, from the emergence of several high-profile cyberattacks to the revelation of widespread vulnerabilities. As we all move into 2022, odds are your team is re-thinking your cybersecurity strategy to help make your organization more resilient and flexible. This should involve an evaluation of your cybersecurity solutions, as they impact the implementation and effectiveness of any strategies your team creates.

In our ebook 7 ways to strengthen your security in 2022 and beyond, we discuss the different ways you can amplify and extend your cybersecurity stack this year using Cisco Umbrella. But if you’re looking for some tips to get you started, here are three things to keep in mind as you plot out your cybersecurity strategy:

1. Make Sure Your Cybersecurity Solutions Don’t Impact Network Speeds

Graphic showing seated young man using a laptop. He's surrounded by a graphic of an inverted triangle, and an image of the globe is superimposed above his right shoulder. A trail of dots leads from the laptop to the globe, indicating that his computer is connecting to the world-wide network. A series of arrows pointing upwards is superimposed next to his left shoulder, indicating high network speeds.

The use of internet resources and cloud services was on the rise before the COVID-19 pandemic. Now that employees have spread out – collaborating with coworkers and performing business-critical tasks from anywhere they have internet access – cloud-based tools have become more critical than ever.

This means that an effective cybersecurity strategy needs to balance the implementation of strong protections against the need for minimal latency on the company network. From a business perspective, cyber safety can’t come at the expense of speed.

In order to maintain this balance, take a look at your cybersecurity solutions and evaluate the following:

  • Routing Algorithms – Frequently, having fast and secure internet access comes down to a cybersecurity vendor’s data center network and routing algorithms. Make sure your cybersecurity solutions come backed by a robust global data center network and transparent routing protocols with automated failover to the fastest available servers. This minimizes latency, regardless of where users on your network are located.
  • Peering Relationships – Peering relationships allow cybersecurity vendors to minimize latency without compromising on security. As you reevaluate your cybersecurity strategy in the coming year, make sure your vendors have peering relationships with large cloud service providers your organization relies on. This allows employees to easily access the tools they need without introducing added latency.

Keeping network speeds in mind while you refine your cybersecurity strategy for the upcoming year can improve employee satisfaction, affect executive buy-in, and have an impact on your organization’s bottom line.

2. Strengthen Cybersecurity Infrastructure to Reduce Disruptions

Last year, we all experienced more than our fair share of network disruptions, outages, and downtime. Several of these events were impactful enough to make it into the news cycle. And while an outage isn’t the same thing as a cyberattack, your cybersecurity strategy should include finding solutions that are designed to reduce downtime instead of causing it.

Take some time to review the track record of your vendors. For example, do they have a proven record of resiliency and uptime? Better yet, can they handle infrastructure disruptions without passing those disruptions onto your users? For example, the unique DNS logging features included in Cisco Umbrella DNS-layer security can be used during certain events – like the 2021 Akamai outage – to keep users connected to business-critical cloud tools despite provider outages.

3. Make Sure Your Cybersecurity Strategy Includes Guest WiFi Considerations

A graphic showing three different devices (a cell phone, a desktop computer, and a tablet) using WiFi. Dotted lines connect each of the devices to a graphic of a cloud, which is surrounded by a shield graphic that indicates a cybersecurity solution in place.

Between the move to a hybrid work model and the gradual reopening of public spaces, odds are you’ll find more employees and clients using your guest WiFi in the coming year. So, it’s essential to make sure that both your private and guest WiFi networks have the speed users desire and the protection you need.

Does your suite of cybersecurity solutions provide your team with the ability to filter content and enforce security protocols over your guest WiFi network? Does your security stack allow you to maintain a single IP address for your entire enterprise, streamlining the management of guest WiFi security policies? Finally, can your cybersecurity solutions handle the uptick in user traffic that guest WiFi causes without increasing latency? If the answer to any of these questions is “no,” it may be time to think about adjusting your security stack.

Looking for More Ways to Strengthen Your Cybersecurity Strategy?

Download our ebook 7 ways to strengthen your security in 2022 and beyond today to discover more ways that you can use Cisco Umbrella to strengthen your cybersecurity strategy this year.

Source :
https://umbrella.cisco.com/blog/ways-to-strengthen-your-cybersecurity-strategy