---
# generated by https://github.com/hashicorp/terraform-plugin-docs
page_title: "unifi_setting_ips Resource - terraform-provider-unifi"
subcategory: ""
description: |-
  The unifi_setting_ips resource allows you to configure the Intrusion Prevention System (IPS) settings for your UniFi network. IPS provides network threat protection by monitoring, detecting, and preventing malicious traffic based on configured rules and policies.
  Requires controller version 7.4 or later
---

# unifi_setting_ips (Resource)

The `unifi_setting_ips` resource allows you to configure the Intrusion Prevention System (IPS) settings for your UniFi network. IPS provides network threat protection by monitoring, detecting, and preventing malicious traffic based on configured rules and policies.

Requires controller version 7.4 or later.

## Example Usage

```terraform
resource "unifi_network" "test" {
  name    = "My Network"
  purpose = "corporate"
  subnet  = "192.168.1.0/24"
  vlan_id = 10
}

resource "unifi_setting_ips" "example" {
  # Set IPS mode to "ips" (Intrusion Prevention System)
  # Other valid options: "ids" (Intrusion Detection System) or "disabled"
  ips_mode = "ips"

  # Networks on which IPS/IDS should be enabled
  enabled_networks = [unifi_network.test.id]

  # Advanced filtering preference
  # Valid options: "disabled", "manual", or "auto"
  advanced_filtering_preference = "manual"

  # Categories of threats to detect/prevent
  enabled_categories = [
    "emerging-dos",
    "emerging-exploit",
    "emerging-malware"
  ]

  # Ad blocking configuration
  ad_blocked_networks = [unifi_network.test.id]

  # Honeypot configuration
  honeypots = [
    {
      ip_address = "192.168.1.10"
      network_id = unifi_network.test.id
    }
  ]

  # DNS filtering configuration
  dns_filters = [
    {
      name        = "Work Filter"
      filter      = "work"
      description = "Block non-work related sites"

      # Network this filter applies to (required by the schema)
      network_id = unifi_network.test.id

      # Sites that are always allowed
      allowed_sites = [
        "example.com",
        "company.com"
      ]

      # Sites that are always blocked
      blocked_sites = [
        "gaming.example.com",
        "social.example.com"
      ]

      # Top-level domains to block
      blocked_tld = [
        "xyz"
      ]
    }
  ]

  # Specify the site (optional, defaults to site configured in provider, otherwise "default")
  # site = "default"
}
```

## Schema

### Optional

- `ad_blocked_networks` (List of String) List of network IDs to enable ad blocking for. If any networks are configured, ad blocking will be automatically enabled. Each entry should be a valid network ID from your UniFi configuration. Leave empty to disable ad blocking.
- `advanced_filtering_preference` (String) The advanced filtering preference for IPS. Valid values are:
  * `disabled` - Advanced filtering is disabled
  * `manual` - Advanced filtering is enabled and manually configured
- `dns_filters` (Attributes List) DNS filters configuration. If any filters are configured, DNS filtering will be automatically enabled. Each filter can be applied to a specific network and provides content filtering capabilities. (see [below for nested schema](#nestedatt--dns_filters))
- `enabled_categories` (List of String) List of enabled IPS threat categories. Each entry enables detection and prevention for a specific type of threat. The list of valid categories includes common threats like malware, exploits, scanning, and policy violations. See the validator for the complete list of available categories.
- `enabled_networks` (List of String) List of network IDs to enable IPS protection for. Each entry should be a valid network ID from your UniFi configuration. IPS will only monitor and protect traffic on these networks.
- `honeypots` (Attributes List) Honeypots configuration. Honeypots are decoy systems designed to detect, deflect, or study hacking attempts. They appear as legitimate parts of the network but are isolated and monitored. (see [below for nested schema](#nestedatt--honeypots))
- `ips_mode` (String) The IPS operation mode. Valid values are:
  * `ids` - Intrusion Detection System mode (detect and log threats only)
  * `ips` - Intrusion Prevention System mode (detect and block threats)
  * `ipsInline` - Inline Intrusion Prevention System mode (more aggressive blocking)
  * `disabled` - IPS functionality is completely disabled
- `memory_optimized` (Boolean) Whether memory optimization is enabled for IPS. When set to `true`, the system will use less memory at the cost of potentially reduced detection capabilities. Useful for devices with limited resources. Defaults to `false`. Requires controller version 9.0 or later.
- `restrict_torrents` (Boolean) Whether to restrict BitTorrent and other peer-to-peer file sharing traffic. When set to `true`, the system will block P2P traffic across the network. Defaults to `false`.
- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
- `suppression` (Attributes) Suppression configuration for IPS. This allows you to customize which alerts are suppressed or tracked, and define whitelisted traffic that should never trigger IPS alerts. (see [below for nested schema](#nestedatt--suppression))

### Read-Only

- `id` (String) The unique identifier of this resource.

<a id="nestedatt--dns_filters"></a>
### Nested Schema for `dns_filters`

Required:

- `filter` (String) Filter type that determines the predefined filtering level. Valid values are:
  * `none` - No predefined filtering
  * `work` - Work-appropriate filtering that blocks adult content
  * `family` - Family-friendly filtering that blocks adult content and other inappropriate sites
- `name` (String) Name of the DNS filter. This is used to identify the filter in the UniFi interface.
- `network_id` (String) Network ID this filter applies to. This should be a valid network ID from your UniFi configuration.

Optional:

- `allowed_sites` (List of String) List of allowed sites for this DNS filter. These domains will always be accessible regardless of other filtering rules. Each entry should be a valid domain name (e.g., `example.com`).
- `blocked_sites` (List of String) List of blocked sites for this DNS filter. These domains will be blocked regardless of other filtering rules. Each entry should be a valid domain name (e.g., `example.com`).
- `blocked_tld` (List of String) List of blocked top-level domains (TLDs) for this DNS filter. All domains with these TLDs will be blocked. Each entry should be a valid TLD without the dot prefix (e.g., `xyz`, `info`).
- `description` (String) Description of the DNS filter. This is used for documentation purposes only and does not affect functionality.

<a id="nestedatt--honeypots"></a>
### Nested Schema for `honeypots`

Required:

- `ip_address` (String) IP address for the honeypot. This should be an unused IPv4 address within your network range that will be used as a decoy system.
- `network_id` (String) Network ID for the honeypot. This should be a valid network ID from your UniFi configuration where the honeypot will be deployed.

<a id="nestedatt--suppression"></a>
### Nested Schema for `suppression`

Optional:

- `alerts` (Attributes List) Alert suppressions. Each entry defines a specific IPS alert that should be suppressed or tracked differently from the default behavior. (see [below for nested schema](#nestedatt--suppression--alerts))
- `whitelist` (Attributes List) Whitelist configuration. Each entry defines traffic that should never trigger IPS alerts, regardless of other rules. (see [below for nested schema](#nestedatt--suppression--whitelist))

<a id="nestedatt--suppression--alerts"></a>
### Nested Schema for `suppression.alerts`

Required:

- `category` (String) Category of the alert to suppress. This should match one of the categories from the `enabled_categories` list.
- `signature` (String) Signature name of the alert to suppress. This is a human-readable identifier for the alert in the IPS ruleset.
- `type` (String) Type of suppression. Valid values are:
  * `all` - Suppress all occurrences of this alert
  * `track` - Only track this alert according to the tracking configuration

Optional:

- `tracking` (Attributes List) Tracking configuration for the alert. This defines how the system should track occurrences of this alert based on source/destination addresses. (see [below for nested schema](#nestedatt--suppression--alerts--tracking))

<a id="nestedatt--suppression--alerts--tracking"></a>
### Nested Schema for `suppression.alerts.tracking`

Required:

- `direction` (String) Direction for tracking. Valid values are:
  * `src` - Track by source address
  * `dest` - Track by destination address
  * `both` - Track by both source and destination addresses
- `mode` (String) Mode for tracking. Valid values are:
  * `ip` - Track by individual IP address
  * `subnet` - Track by subnet
  * `network` - Track by network ID
- `value` (String) Value for tracking. The meaning depends on the mode:
  * For `ip` mode: An IP address (e.g., `192.168.1.100`)
  * For `subnet` mode: A CIDR notation subnet (e.g., `192.168.1.0/24`)
  * For `network` mode: A network ID from your UniFi configuration

<a id="nestedatt--suppression--whitelist"></a>
### Nested Schema for `suppression.whitelist`

Required:

- `direction` (String) Direction for whitelist. Valid values are:
  * `src` - Whitelist by source address
  * `dst` - Whitelist by destination address
  * `both` - Whitelist by both source and destination addresses
- `mode` (String) Mode for whitelist. Valid values are:
  * `ip` - Whitelist by individual IP address
  * `subnet` - Whitelist by subnet
  * `network` - Whitelist by network ID
- `value` (String) Value for whitelist. The meaning depends on the mode:
  * For `ip` mode: An IP address (e.g., `192.168.1.100`)
  * For `subnet` mode: A CIDR notation subnet (e.g., `192.168.1.0/24`)
  * For `network` mode: A network ID from your UniFi configuration
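The Example Usage above leaves out `suppression`, `memory_optimized` and `restrict_torrents`. The configuration below is an added example, not part of the provider's generated documentation: it enables IPS on a server VLAN, blocks P2P traffic, turns on memory optimization for a small gateway (controller 9.0 or later), keeps one noisy exploit signature as a tracked (not blocked-from-view) alert per source subnet, and whitelists an internal vulnerability scanner so its scans do not flood the alert log. The network name `servers`, the subnet, the scanner address and the signature name are placeholders chosen for this example; the signature name in particular must be copied exactly from the alert as shown in the controller.

```terraform
# Added example (not from the provider docs). Network, addresses and the
# signature name are placeholders; replace them with values from your controller.
resource "unifi_network" "servers" {
  name    = "Servers"
  purpose = "corporate"
  subnet  = "10.20.0.0/24"
  vlan_id = 20
}

resource "unifi_setting_ips" "servers" {
  # Detect and block (use "ids" first if you want a detect-only baseline
  # before enforcing).
  ips_mode         = "ips"
  enabled_networks = [unifi_network.servers.id]

  enabled_categories = [
    "emerging-exploit",
    "emerging-malware",
    "emerging-dos"
  ]

  # Block BitTorrent/P2P across the network.
  restrict_torrents = true

  # Trade some detection depth for a smaller memory footprint on a
  # resource-constrained gateway. Requires controller version 9.0 or later.
  memory_optimized = true

  suppression = {
    # Keep the alert but track it per source subnet instead of raising it
    # for every single hit. "track" keeps visibility; "all" would hide it.
    alerts = [
      {
        category  = "emerging-exploit"
        signature = "PLACEHOLDER_SIGNATURE_NAME" # exact name from the controller's alert
        type      = "track"
        tracking = [
          {
            direction = "src"
            mode      = "subnet"
            value     = "10.20.0.0/24"
          }
        ]
      }
    ]

    # Traffic that never raises an IPS alert. Scope whitelists as narrowly as
    # possible: a single source IP here (a hypothetical internal scanner), not
    # the whole subnet, so an attacker inside the VLAN does not inherit the
    # exemption.
    whitelist = [
      {
        direction = "src"
        mode      = "ip"
        value     = "10.20.0.5"
      }
    ]
  }
}
```

Note that `tracking.direction` accepts `dest` while `whitelist.direction` accepts `dst`, as listed in the nested schemas above; the two are not interchangeable. After `terraform apply`, confirm in the controller's Threat Management view that the whitelisted scanner no longer produces alerts while hits on the tracked signature from other hosts on the VLAN still appear.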