🛒
On January 7, when everyone was busy with CES 2025, Ubiquiti, without attending the show, officially rolled out a significant software upgrade for its hardware: UniFi Network 9. This upgrade includes improvements for large-scale networks and many small things for general users.
The update was first available in late December 2024 with Ubiquiti’s Early Access.
The new update is quite exciting!
UniFi Network 9: Major improvement in firewall and management
For those who don’t know, Network is one of many “applications” available to Ubiquiti’s UniFi console, running within the UniFi OS. It’s the app that makes these consoles work like routers and handles all networking-related functions.
Other “apps”—such as Talk (IP phones) or Protect (IP cameras)—handle additional features that run on top of or alongside the networking portion.
The new Network update is available for all UniFi consoles, including the top-tier UDM-SE, UDM-Pro Max, and the latest Cloud Gateway Max.
Like previous releases, this update is not mandatory, but you’ll likely want to have it anyway. It’s part of the general evolution of the entire UniFi ecosystem, which doesn’t allow for downgrading.
You can perform the update via the console’s web user interface or the UniFi mobile app, which would notify you of the available update. If you have opted for auto-update, the app might have already updated itself.
There are no specific requirements for updating UnFi apps, but it’s a good idea to update the console’s UniFi OS to the latest version first, which is currently at build 4.1.13.
Ubiquiti says UniFi Network 9 “is packed with powerful features that enhance your deployment—whether you’re managing a single site or thousands of locations.” And that wasn’t an exaggeration.
Zone-Based Firewall Rules
The first and most noteworthy is the new Zone-Based Firewall Rules, which group devices and services into different “zones”—such as Internal, External, Gateway, and VPN— to simplify traffic management.
Before this, network administrators needed to manage many rules for individual devices or VLANs, which can become quite tedious and prone to oversight.
With the new zone-based approach, new policies can be quickly deployed to a large number of devices and services with a few clicks. This approach has slowly become the industry standard because it combines countless potential rules into manageable sets.
With UniFi Network 9, each rule features detailed descriptions for purpose documentation. This ability helps streamline large and complex networks managed by a team of individuals.
Still, if you prefer to manage individual devices, you can choose from applicable options such as IP serving, port forwarding, web and app filtering, etc.
Better SiteMagic SD-WAN and new UniFi Network API
Ubiquiti’s SiteMagic SD-WAN is a license-free peer-to-peer connection feature (managed via the Site Manager section) that allows users to easily connect to multiple sites.
Ubiquiti says UniFi Network 9 introduces a new “hub-and-spoke topology” that supports up to 1,000 locations and is designed for organizations with a large footprint. Most users don’t need that and can stick to the good old Mesh SiteMagic approach, which allows for connecting up to 20 remote sites via simple setups.
UniFi Network API is a new local network application programming interface based on Ubiquiti’s cloud-based Site Manager API. It allows for direct and in-depth access to a UniFi deployment independently from Ubiquiti—it doesn’t route the traffic through the cloud-based account. Users can use it to build custom tools with integrated UniFi data to monitor activities and analyze connected clients’ performance.
According to Ubiquiti, key features of UniFi Network 9’s local Network API include:
- Device Control and Insights: Admin users can reboot devices, retrieve device lists, and view status details. Future releases will add even more device actions.
- Real-Time Monitoring: Access CPU, memory, and uptime data, plus live stats for Wi-Fi, wired, and VPN clients.
- Multi-Site Oversight: List, track, and manage data from multiple sites, making complex environments more manageable.
- Streamlined Integration: Pull UniFi data into your existing IT workflows to automate updates and configure devices (where available).
- Efficient Data Handling: Pagination keeps performance smooth in large-scale networks.
- Deeper Visibility: Diagnose and troubleshoot connectivity issues by pulling UniFi Network data into your workflow, backed by real-time stats and granular client data.
Optional UniFi CyberSecure subscription
Finally, UniFi Network 9 includes an optional UniFi CyberSecure subscription powered by Proofpoint that includes two service tiers: CyberSecure and CyberSecure Enterprise. Specifically:
- CyberSecure: Designed for mid-size businesses, this tier covers over 55,000 threat signatures and includes a Memory Optimized Mode for resource-constrained gateways. It costs $99/year and can work with any existing UniFi console.
- CyberSecure Enterprise: This tier increases the threat signature to more than 95,000 with additional threat categories. It is built for large-scale networks and is only available on high-end gateways, such as the Enterprise Fortress Gateway (EFG) and UXG Enterprise. This tier costs $499/year.
This new subscription is not necessary for most general users. Like the previous version, UniFi Network 9 has built-in Intrusion detection systems (IDS) and intrusion prevention systems (IPS) that protect most home and small business networks.
Should you upgrade?
Even if you don’t need the new features mentioned above, UniFi Network 9 has other management improvements and a more streamlined interface that improves the network management experience. I personally like the detailed notifications about what’s going on with the network, especially when it comes to security. It’s also free, so there’s no reason not to upgrade.
It’s worth noting, though, that the upgrade will migrate your existing Firewall settings to the new zone-based approach. However, the process will also automatically back up your data, giving you the option to return to the old firewall.
The gist is that upgrading the app has no drawbacks. You can do that via the web user interface or the mobile app. So, do it manually today! For those who have opted for their console for auto-updates, the update might have already been done, which can be a pleasant surprise.
I would like to note that the for some settings to be available like the Traffic & Firewall Rules, the console must be on at least the 4.1.1.3. I manage a few UDMPros and I have one on 4.1.1.3 and Network 9.0.108 and I see the option to upgrade to the Zone-based firewall. On another one that has the Network 9.0.108, but the console is on 4.0.21 and I do not have that option.
Good article, glad to see the things changing in the UniFi system.
That would make sense. Thanks for the input, Fletcher. It’s interesting that you can update the Network to the latest without updating the UniFi OS first. Never thought of that.
correction to the article:
the unifi network application does not make or allow the cloud key hardware/console/server it’s installed on to act like a router. That still requires a router hardware
the network application gives access to a single-pane-of-glass interface for controlling and managing the unifi equipment on your network
Read the paragraph again! The quantification is limited to the UniFi Console hardware. In no way that suggests you can use the app on *any* hardware to get the same effect. Appreciate the enthusiasm, tho. 😎
Well on 2 occasions, I’ve had my UDM-SE act in that capacity…
1. Bypassing my Starlink Router a while ago.
2. Connecting another ISPs SFP connection directly to the SFP+ port b’cos their own router was having DNS/NAT issues…I took their IP off their router and configured my UDM-SE with it…