fbda1b4beb
Some checks failed
Deploy to Phoenix / deploy (push) Has been cancelled
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands - CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround - CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check - NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere - MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates - LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference Co-authored-by: Cursor <cursoragent@cursor.com>
7.9 KiB
7.9 KiB
UDM Pro Firewall/ACL API Endpoints
Last Updated: 2025-01-20
Status: Active Documentation
API Documentation: UniFi Network API Documentation
Overview
The Official UniFi Network API provides comprehensive firewall and access control configuration through ACL Rules (Access Control List rules). These endpoints allow programmatic configuration of firewall policies, network segmentation, and traffic filtering.
Base URL: https://192.168.0.1/proxy/network/integration/v1/
Authentication: X-API-KEY header
Site ID: 88f7af54-98f8-306a-a1c7-c9349722b1f6
Available Firewall/ACL Endpoints
1. ACL Rules (Access Control List Rules)
ACL Rules are the primary mechanism for configuring firewall policies in UniFi Network API.
List ACL Rules
GET /v1/sites/{siteId}/acl-rules
Query Parameters:
offset(integer, default: 0)limit(integer, default: 25, max: 200)filter(string) - Filter expressions
Response: Paginated list of ACL rules
Get ACL Rule Details
GET /v1/sites/{siteId}/acl-rules/{aclRuleId}
Response: ACL rule object with:
type: "IPV4"enabled: booleanname: stringdescription: stringaction: "ALLOW" | "BLOCK"index: integer (lower index = higher priority)sourceFilter: object (traffic source filter)destinationFilter: object (traffic destination filter)protocolFilter: array of strings ("TCP", "UDP")enforcingDeviceFilter: object (device filter for enforcement)
Create ACL Rule
POST /v1/sites/{siteId}/acl-rules
Request Body:
{
"type": "IPV4",
"enabled": true,
"name": "Rule Name",
"description": "Rule description",
"action": "ALLOW|BLOCK",
"enforcingDeviceFilter": {
"type": "string"
},
"index": 0,
"sourceFilter": {
"type": "string"
},
"destinationFilter": {
"type": "string"
},
"protocolFilter": ["TCP", "UDP"]
}
Update ACL Rule
PUT /v1/sites/{siteId}/acl-rules/{aclRuleId}
Request Body: Same as Create ACL Rule
Delete ACL Rule
DELETE /v1/sites/{siteId}/acl-rules/{aclRuleId}
2. Firewall Zones
Firewall Zones group networks together for firewall policy configuration.
List Firewall Zones
GET /v1/sites/{siteId}/firewall/zones
Query Parameters:
offset(integer, default: 0)limit(integer, default: 25, max: 200)filter(string)
Response: List of firewall zones
Get Firewall Zone
GET /v1/sites/{siteId}/firewall/zones/{firewallZoneId}
Response: Firewall zone object with:
id: UUIDname: stringnetworkIds: array of network UUIDsmetadata: object
Create Custom Firewall Zone
POST /v1/sites/{siteId}/firewall/zones
Request Body:
{
"name": "Zone Name",
"networkIds": ["network-uuid-1", "network-uuid-2"]
}
Update Firewall Zone
PUT /v1/sites/{siteId}/firewall/zones/{firewallZoneId}
Delete Custom Firewall Zone
DELETE /v1/sites/{siteId}/firewall/zones/{firewallZoneId}
3. Traffic Matching Lists
Traffic Matching Lists define port and IP address lists used in firewall policies.
List Traffic Matching Lists
GET /v1/sites/{siteId}/traffic-matching-lists
Get Traffic Matching List
GET /v1/sites/{siteId}/traffic-matching-lists/{trafficMatchingListId}
Create Traffic Matching List
POST /v1/sites/{siteId}/traffic-matching-lists
Request Body:
{
"type": "PORTS",
"name": "List Name",
"items": []
}
Update Traffic Matching List
PUT /v1/sites/{siteId}/traffic-matching-lists/{trafficMatchingListId}
Delete Traffic Matching List
DELETE /v1/sites/{siteId}/traffic-matching-lists/{trafficMatchingListId}
ACL Rule Configuration Examples
Example 1: Block Inter-VLAN Traffic (Sovereign Tenant Isolation)
Block traffic between VLANs 200-203 (sovereign tenants):
{
"type": "IPV4",
"enabled": true,
"name": "Block Sovereign Tenant East-West",
"description": "Deny traffic between sovereign tenant VLANs (200-203)",
"action": "BLOCK",
"index": 100,
"sourceFilter": {
"type": "NETWORK",
"networkIds": [
"network-uuid-vlan-200",
"network-uuid-vlan-201",
"network-uuid-vlan-202",
"network-uuid-vlan-203"
]
},
"destinationFilter": {
"type": "NETWORK",
"networkIds": [
"network-uuid-vlan-200",
"network-uuid-vlan-201",
"network-uuid-vlan-202",
"network-uuid-vlan-203"
]
},
"protocolFilter": null
}
Example 2: Allow Management VLAN Access
Allow Management VLAN (11) to access Service VLANs on specific ports:
{
"type": "IPV4",
"enabled": true,
"name": "Allow Management to Service VLANs",
"description": "Allow VLAN 11 to access service VLANs (SSH, DB, Admin ports)",
"action": "ALLOW",
"index": 10,
"sourceFilter": {
"type": "NETWORK",
"networkIds": ["network-uuid-vlan-11"]
},
"destinationFilter": {
"type": "NETWORK",
"networkIds": [
"network-uuid-vlan-110",
"network-uuid-vlan-120",
"network-uuid-vlan-130"
]
},
"protocolFilter": ["TCP"],
"portFilter": {
"type": "PORTS",
"ports": [22, 5432, 8080, 443]
}
}
Example 3: Allow Monitoring Traffic
Allow Service VLANs to send monitoring data to Management VLAN:
{
"type": "IPV4",
"enabled": true,
"name": "Allow Monitoring to Management",
"description": "Allow service VLANs to send monitoring/logging to VLAN 11",
"action": "ALLOW",
"index": 20,
"sourceFilter": {
"type": "NETWORK",
"networkIds": [
"network-uuid-vlan-110",
"network-uuid-vlan-120",
"network-uuid-vlan-130"
]
},
"destinationFilter": {
"type": "NETWORK",
"networkIds": ["network-uuid-vlan-11"]
},
"protocolFilter": ["UDP", "TCP"],
"portFilter": {
"type": "PORTS",
"ports": [161, 9090, 9091]
}
}
Important Notes
ACL Rule Priority
- Index Field: Lower index values have higher priority
- Rules are evaluated in order of index (ascending)
- First matching rule applies
Filter Types
ACL Rules support various filter types for source and destination:
- Network Filters: Filter by network/VLAN IDs
- IP Address Filters: Filter by IP addresses or ranges
- Port Filters: Filter by port numbers or ranges
- Protocol Filters: TCP, UDP (or null for all protocols)
Device Enforcement
enforcingDeviceFilter: Specify which devices enforce the rule- If null, rule applies to all switches on the site
- Useful for device-specific policies
Network References
To use network IDs in filters:
- List networks:
GET /v1/sites/{siteId}/networks - Extract network IDs from the response
- Use network IDs in ACL rule filters
Implementation Strategy
Phase 1: List Current Configuration
- List existing ACL rules
- List firewall zones
- List networks (to get network IDs)
- Document current state
Phase 2: Create Firewall Rules
-
Sovereign Tenant Isolation:
- Create BLOCK rules for VLANs 200-203 inter-VLAN traffic
-
Management VLAN Access:
- Create ALLOW rules for VLAN 11 → Service VLANs
- Use appropriate port filters
-
Monitoring Access:
- Create ALLOW rules for Service VLANs → VLAN 11
- Use monitoring port filters
Phase 3: Verify and Test
- Verify rules are created correctly
- Test connectivity between VLANs
- Adjust priorities (index values) as needed
Related Documentation
- UDM_PRO_STATUS.md - Configuration status
- UDM_PRO_API_ENDPOINT_EXPLORATION.md - API endpoint exploration
- UniFi Network API Documentation - Official API documentation
Last Updated: 2025-01-20