The keys to the network — and almost nobody is watching them
A UniFi controller holds every VLAN, firewall rule, VPN, and remote tunnel on the network. Yet most RMMs never look at it. An attacker who reaches the controller doesn’t need malware — they just add an admin, flip on remote access, and walk out with a configuration backup.
Two years after a forgotten Plex server seeded the LastPass breach, the tools MSPs rely on still ignore the edge appliances running the network. The Lavawall® UniFi monitor closes that gap: it polls each controller on your schedule, diffs the admin roster, backup set, and event stream against the last known-good snapshot, and raises a severity-ranked notification routed to your console, email, or PSA.
- Agentless — nothing is installed on the controller. Lavawall connects with a scoped admin account you control.
- Multi-tenant — every controller is scoped to one client, surfaced in the same console as your endpoint, cloud, and identity signals.
- Quiet until it matters — the first poll baselines silently, so you don’t get an alert flood. After that, only real changes fire.
- Supports UniFi OS (UDM, UDM Pro, Cloud Key Gen2+) and legacy self-hosted Network controllers.
Every change becomes a notification
Lavawall ranks each finding by severity so your queue reflects risk, not noise. De-duplication means a single ongoing condition is one item, and indicators close themselves automatically when the condition is reversed.
- ✓ New admin added
- ✓ Admin promoted to super-admin
- ✓ Access / permission change
- ✓ Admin login from a new IP
- ✓ Remote / cloud access enabled
- ✓ Firmware downgrade
- ✓ Admin removed
- ✓ New configuration backup
- ✓ Controller unreachable / auth failed
- ✓ Other indicator of compromise
Severity bands: Critical, High, Medium, Operational. A permission change that creates a new super-admin is escalated to Critical automatically.
How it works
1. Connect
Point Lavawall at a UniFi OS or legacy controller with a scoped, limited admin account. The credential is encrypted at rest (AES-256-GCM) and kept off the web tier.
2. Baseline & diff
The first poll records admins, backups, and events without firing alerts. Every cycle after that compares live state to the snapshot and isolates exactly what changed.
3. Rank, route, resolve
Findings become severity-scored, de-duplicated indicators routed to the console, email, and your PSA — and they self-close when reversed.
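The baseline, diff, de-duplicate and self-close cycle described in the three steps above, sketched for the admin roster only. This is an added example, not Lavawall's code: the roster shape, role strings, indicator names and every severity other than the super-admin escalation are assumptions, and it assumes the known-good baseline stays fixed between polls.

```python
# Added example: field names, role strings and every severity except the
# super-admin escalation are assumptions, not Lavawall's or UniFi's schema.

class RosterMonitor:
    def __init__(self):
        self.baseline = None   # known-good roster: admin name -> role
        self.open = {}         # de-dup key (kind, name) -> severity

    def poll(self, roster):
        """Diff one poll against the baseline; return (opened, closed)."""
        if self.baseline is None:
            self.baseline = dict(roster)   # first poll: record, never alert
            return [], []
        found = {}
        for name, role in roster.items():
            old = self.baseline.get(name)
            if old == role:
                continue                   # unchanged admin
            kind, sev = (("admin_added", "High") if old is None
                         else ("role_changed", "Medium"))
            if role == "super-admin":      # page: new super-admin is Critical
                sev = "Critical"
            found[(kind, name)] = sev
        for name in self.baseline.keys() - roster.keys():
            found[("admin_removed", name)] = "Medium"
        # An ongoing condition keeps its key, so it is reported only once.
        opened = sorted((k, s) for k, s in found.items() if k not in self.open)
        # A key that no longer appears means the change was reversed.
        closed = sorted(k for k in self.open if k not in found)
        self.open = found
        return opened, closed

def demo():
    base = {"alice": "super-admin", "bob": "read-only"}   # constructed sample
    polls = [
        base,                               # 1: silent baseline
        {**base, "tmp-admin": "admin"},     # 2: new admin appears
        {**base, "tmp-admin": "admin"},     # 3: same condition, de-duplicated
        {**base, "bob": "super-admin", "tmp-admin": "admin"},  # 4: promotion
        base,                               # 5: both changes reversed
    ]
    monitor = RosterMonitor()
    return [monitor.poll(p) for p in polls]

if __name__ == "__main__":
    for n, (opened, closed) in enumerate(demo(), 1):
        print(n, "opened:", opened, "closed:", closed)
```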
Security first — least privilege, encrypted, on-box
- Encrypted credentials. Controller passwords are stored with AES-256-GCM. The key lives outside the web root and is never returned to the browser.
- Loopback-only daemon. The monitor binds to 127.0.0.1 — nothing it exposes is reachable off the box.
- Per-tenant isolation. Every query is scoped to the validated active company, so one client’s controllers can never be read or touched from another tenant.
- Use a limited account. A read-only or limited admin on the controller is enough for monitoring — no super-admin required.
What this shows you that your RMM and UniFi’s own alerts don’t
| Capability | Lavawall® UniFi Monitor | Typical RMM | UniFi built-in alerts |
|---|---|---|---|
| Detects a newly added controller admin | ✓ Roster diff every poll | ✗ | Limited / email only |
| Flags admin promoted to super-admin | ✓ Auto-escalated to Critical | ✗ | ✗ |
| Surprise configuration backup created | ✓ Treated as possible exfil staging | ✗ | ✗ |
| Remote / cloud access silently enabled | ✓ | ✗ | ✗ |
| Firmware downgrade to a vulnerable build | ✓ | ✗ | ✗ |
| Admin login from an unfamiliar IP | ✓ Per-account new-IP detection | ✗ | Partial |
| Severity ranking & de-duplication | ✓ | ✗ | ✗ |
| Multi-tenant MSP console | ✓ Native | Varies | ✗ Per-site |
| Routes to PSA / ticketing | ✓ Integrated notifications | Varies | ✗ |
| Correlated with endpoint, cloud & identity signals | ✓ One console | ✗ | ✗ |
Part of the bigger picture
UniFi monitoring sits alongside the rest of Lavawall®, so a rogue network admin shows up next to your endpoint, cloud, and identity signals — not in yet another portal.
- LAN scan & asset management — pair controller monitoring with active network discovery and mapping.
- Microsoft 365 & Azure breach detection — correlate edge changes with cloud identity signals.
- GRC & compliance — turn change-monitoring into audit-ready evidence across 15+ frameworks.
- Smart notifications — ranked, de-duplicated, routed where your team already works.
Frequently asked questions
- Do I need to install anything on the UniFi controller?
No. Monitoring is fully agentless. Lavawall connects to the controller’s API with an admin account you provide — a read-only or limited admin is enough.
- Does it work with a UDM / UDM Pro / Cloud Key, or only self-hosted controllers?
Both. UniFi OS devices (UDM, UDM Pro, Cloud Key Gen2+) and legacy self-hosted Network controllers are supported. You pick the type when adding the controller; the default port is 443 for UniFi OS and 8443 for legacy.
- Will I get flooded with alerts when I first connect a controller?
No. The first poll records the current admins, backups, and events as a silent baseline. Notifications only fire on changes after that.
- How are the controller credentials protected?
They’re encrypted at rest with AES-256-GCM. The encryption key is stored outside the web root, and the password is never sent back to the browser. The monitoring service itself listens only on the local loopback interface.
- How quickly are changes detected?
You set the poll interval per controller (minimum 60 seconds; 5 minutes is a sensible default). Each poll diffs live state against the stored snapshot.