Collect Firewall Metadata with Lumu VA and Ubiquiti Unifi Firewall

Requirements

  • A Unifi Cloud Gateway device.
  • Admin access to the device via the Unifi Site Manager Portal to create a new Forwarding configuration.
  • The most recent version of the Lumu Virtual Appliance installed.

These are the general steps you should follow to configure a SIEM server destination on Ubiquiti Unifi to send all metadata to Lumu:

Deploy and Set Up Lumu VA

All the detailed steps and guidance to create, download and install a virtual appliance on your preferred hypervisor or Cloud solution are available in our documentation:

Set up a Lumu VA Firewall Log Collector

Go to the Lumu Virtual Appliance and refresh the VA Collectors settings by running the command lumu-appliance collectors refresh. If the appliance is running, it must be stopped in order to continue the setup process.

Select the option Ubiquiti Unifi Cloud Gateway, then input the following data:
  • Protocol type: Select the UDP option. Ubiquiti Unifi devices use UDP protocol to send Syslog data.
  • Port number: Provide a number between 1024 and 65535, inclusive.
  • Timezone: The timezone for VA setup. Use the canonical ID (e.g. America/Chicago). You can use this external article for reference.

Configure Ubiquiti Unifi to Send Metadata to Lumu VA

You will need to configure your Ubiquiti Unifi device to send logs to the Virtual Appliance. This requires the following:

  • A SIEM Server destination
  • A Firewall Action Logging rule

Configure a SIEM Server destination

1. First, log in to the Unifi Site Manager portal.

2. Head to the left side panel. Click on the Sites icon to open the Sites menu. Then, click on the Site where your Unifi device is enrolled.

3. In the Network panel, head to the left side panel. Click on the Settings (Gear) icon.

4. In the Settings panel, you must do the following:

a. First, click on the System(1) menu.
b. Select the SIEM server(2) option under the Activity Logging section.
c. In the Contents(3) section, select the following: Devices and Firewall Default Policy. Make sure you click on the Save button when done.

d. Input the address of the Virtual Appliance you want to send logs to under the Server Address(4) field.
e. Input the corresponding port for the remote address of the Virtual Appliance you want to send logs to under the Port(5) field.
f. Once you’re done, click on the Apply Changes(6) button.

Configure Firewall Logging rule

Notes
We recommend enabling logging for all your custom rules to have full visibility.

1. You must configure specific rules to be logged. To do so, you must configure each rule to generate a Syslog entry when matched. From the window accessed in Step 3 of the Configure a SIEM Server destination section, do the following:
a. Click on the Security(1) menu.
b. Click on the Traffic & Firewall Rules(2) tab.
c. Select one of the listed rules(3).

d. In the panel that opens, enable the Logging toggle at the end of the configuration window, and save your changes by clicking on the Apply Changes button.
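
One way to check the whole procedure, as an added example that is not Lumu or Ubiquiti code: the Python below validates the three collector values (UDP, port range, timezone ID) and then listens on the chosen UDP port to confirm that syslog datagrams from the gateway actually arrive. It assumes a host with Python 3.9 or later that the Server Address points to, or the VA host while the collector is stopped; the function names and port 5514 are made up for illustration.

```python
import socket
import time
import zoneinfo

def check_collector_settings(protocol, port, timezone):
    """Return a list of problems with the values entered for the VA collector."""
    problems = []
    if protocol.upper() != "UDP":
        problems.append("protocol: the page says to select UDP for Unifi syslog")
    if not (isinstance(port, int) and 1024 <= port <= 65535):
        problems.append("port: must be an integer from 1024 to 65535 inclusive")
    try:
        # Accepts any tz database name, e.g. America/Chicago; rejects free text.
        zoneinfo.ZoneInfo(timezone)
    except (zoneinfo.ZoneInfoNotFoundError, ValueError):
        problems.append("timezone: not a tz database ID such as America/Chicago")
    return problems

def listen_for_syslog(port, seconds=30.0, bind="0.0.0.0", max_datagrams=5):
    """Collect up to max_datagrams UDP datagrams; return [(source_ip, text)]."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))  # fails if the collector still holds the port
        deadline = time.monotonic() + seconds
        while len(seen) < max_datagrams:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            sock.settimeout(remaining)
            try:
                data, (source_ip, _src_port) = sock.recvfrom(65535)
            except socket.timeout:
                break
            seen.append((source_ip, data.decode("utf-8", "replace").strip()))
    return seen

if __name__ == "__main__":
    PORT = 5514  # constructed sample value; use the port entered on the VA
    for problem in check_collector_settings("UDP", PORT, "America/Chicago"):
        print("FIX:", problem)
    received = listen_for_syslog(PORT)
    if not received:
        # UDP gives the sender no delivery error, so silence is the only symptom.
        print("No datagrams: check Server Address, Port and rule Logging.")
    for source_ip, line in received:
        print(source_ip, line[:120])
```

An empty result means nothing reached the port within the window; because UDP reports no delivery failure to the gateway, a wrong Server Address or Port shows up only as missing logs.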
