Active Response

Active Response lets Sentinel Nerd take automated action when threats are detected — blocking IPs, isolating devices to quarantine VLANs, or rate-limiting traffic through your UniFi controller.

Caution

Active response actions modify your network configuration. Always test rules in dry-run mode first and maintain an allow-list of critical IPs that should never be blocked.

Overview

Active response actions execute through the UniFi controller API. When a detection rule triggers, the configured response action is sent to your controller to enforce immediately. (Pro)

Available Actions

Block IP

Add an IP to the UniFi firewall blocklist for a specified duration.

Block IP Action
active_response:
  action: block_ip
  target: "{{ event.src_ip }}"
  duration: 1h
  direction: both
  log: true

  • duration — How long the block persists (e.g., 1h, 24h, 7d, or permanent)
  • direction — inbound, outbound, or both
  • log — Log all blocked connection attempts

VLAN Isolation

Move a device to a quarantine VLAN for investigation. (Enterprise)

VLAN Isolation Action
active_response:
  action: vlan_isolate
  target: "{{ event.client_mac }}"
  quarantine_vlan: 999
  duration: 4h
  notify: true

VLAN isolation moves the client to the specified VLAN by updating the port profile or RADIUS assignment. The device retains limited network access (e.g., a captive portal explaining the quarantine).

Rate Limit

Apply bandwidth rate limiting to a device or IP.

Rate Limit Action
active_response:
  action: rate_limit
  target: "{{ event.client_mac }}"
  download_kbps: 1024
  upload_kbps: 512
  duration: 2h

Block Client

Block a wireless client from the network entirely.

Block Client Action
active_response:
  action: block_client
  target: "{{ event.client_mac }}"
  duration: 24h
  reason: "Automated: suspicious activity detected"

Disable Port

Administratively disable a switch port. (Enterprise)

Disable Port Action
active_response:
  action: disable_port
  target:
    switch: "{{ event.device_mac }}"
    port: "{{ event.port_idx }}"
  duration: 1h

Safety Controls

Active response includes several safety mechanisms to prevent accidental network disruption:

Allow List

IPs and MACs on the allow list are never affected by active response actions, even if a detection rule matches.

Allow List Configuration

active_response:
  allow_list:
    ips:
      - 192.168.1.1        # Gateway
      - 192.168.1.2        # DNS Server
      - 10.0.0.0/8         # Internal range
    macs:
      - "00:1A:2B:3C:4D:5E"  # Admin workstation

Dry Run Mode

Enable dry-run to see what actions would be taken without actually executing them:

Dry Run Configuration

active_response:
  dry_run: true
  log_actions: true

Rate Limits

Global limits prevent runaway automation:

  • Max blocks per hour — Default: 50 (configurable)
  • Max VLAN isolations per hour — Default: 10
  • Cooldown period — Same action on same target within cooldown is skipped
  • Manual approval threshold — Actions exceeding thresholds require manual confirmation

Audit Log

Every active response action is logged with full context:

  • Which rule triggered the action
  • What event matched
  • What action was taken (or would have been, in dry-run)
  • When the action was applied and when it expires
  • Whether the action succeeded or failed
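The following is an added illustration of how the safety controls above (allow list, dry run, hourly limits with manual approval, cooldown) and the audit log fit together when a rule fires. It is example code written for this page, not Sentinel Nerd's implementation, and it does not talk to a UniFi controller: the controller is an injected callable, the configuration is a constructed dict mirroring the page's YAML keys, and the names `max_actions_per_hour`, `cooldown_seconds`, `ResponseEngine` and the status strings are assumptions chosen for the example. Target templates such as `{{ event.src_ip }}` are expanded from the matched event, and a missing event field fails closed instead of blocking an empty target.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample configuration mirroring the page's YAML keys (dry_run,
# allow_list). Written as a dict so no YAML library is needed; the
# max_actions_per_hour and cooldown_seconds key names are assumptions.
CONFIG = {
    "dry_run": False,
    "allow_list": {
        "ips": ["192.168.1.1", "192.168.1.2", "10.0.0.0/8"],
        "macs": ["00:1A:2B:3C:4D:5E"],
    },
    "max_actions_per_hour": {"block_ip": 50, "vlan_isolate": 10},
    "cooldown_seconds": 300,
}

DURATION_RE = re.compile(r"^(\d+)([smhd])$")
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
TEMPLATE_RE = re.compile(r"\{\{\s*event\.(\w+)\s*\}\}")


def parse_duration(value: str) -> Optional[int]:
    """'1h' -> 3600, '7d' -> 604800, 'permanent' -> None (no expiry)."""
    if value == "permanent":
        return None
    m = DURATION_RE.match(value)
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def render_target(template: str, event: dict) -> str:
    """Expand '{{ event.src_ip }}' from the matched event. A missing field
    raises KeyError so the engine never blocks an empty or literal target."""
    return TEMPLATE_RE.sub(lambda m: str(event[m.group(1)]), template)


def is_allow_listed(target: str, allow: dict) -> bool:
    """IP targets match literally or by CIDR; MAC targets match case-insensitively."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:  # not an IP, so treat it as a MAC
        return target.lower() in {m.lower() for m in allow.get("macs", [])}
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allow.get("ips", []))


@dataclass
class ResponseEngine:
    config: dict
    controller: Callable[[dict], bool]           # assumed interface: True on success
    history: list = field(default_factory=list)  # (action, target, applied_at)
    audit: list = field(default_factory=list)    # one entry per evaluated rule hit

    def evaluate(self, rule: dict, event: dict, now: float) -> dict:
        spec = rule["active_response"]
        action, target = spec["action"], render_target(spec["target"], event)
        ttl = parse_duration(spec.get("duration", "permanent"))
        entry = {"rule": rule["name"], "event": event, "action": action,
                 "target": target, "applied_at": now,
                 "expires_at": None if ttl is None else now + ttl}
        hour_ago, cooldown = now - 3600, self.config["cooldown_seconds"]
        recent = sum(1 for a, _, ts in self.history if a == action and ts > hour_ago)
        limit = self.config["max_actions_per_hour"].get(action, float("inf"))
        if is_allow_listed(target, self.config["allow_list"]):
            entry["status"] = "skipped_allow_list"          # never touched, even on a match
        elif any(a == action and t == target and now - ts < cooldown
                 for a, t, ts in self.history):
            entry["status"] = "skipped_cooldown"            # same action, same target, too soon
        elif recent >= limit:
            entry["status"] = "needs_manual_approval"       # hourly cap reached
        else:
            if self.config["dry_run"]:
                entry["status"] = "dry_run"                 # logged, not sent to the controller
            else:
                entry["status"] = "executed" if self.controller(entry) else "failed"
            # Dry-run hits are recorded too, so cooldown and hourly limits
            # behave in the preview exactly as they would live.
            self.history.append((action, target, now))
        self.audit.append(entry)
        return entry


def demo() -> list:
    """Run constructed events through one block_ip rule; return the audit statuses."""
    engine = ResponseEngine(CONFIG, controller=lambda entry: True)
    rule = {"name": "ssh-bruteforce",
            "active_response": {"action": "block_ip", "target": "{{ event.src_ip }}",
                                "duration": "1h", "direction": "both", "log": True}}
    t0 = 1_700_000_000.0
    events = [
        ({"src_ip": "203.0.113.7"}, t0),        # first hit: blocked
        ({"src_ip": "203.0.113.7"}, t0 + 60),   # same target inside cooldown: skipped
        ({"src_ip": "10.42.0.9"}, t0 + 120),    # inside allow-listed 10.0.0.0/8: never blocked
        ({"src_ip": "203.0.113.7"}, t0 + 400),  # cooldown elapsed: blocked again
    ]
    return [engine.evaluate(rule, ev, ts)["status"] for ev, ts in events]
```

Each audit entry carries the rule name, the matched event, the rendered target, the applied and expiry timestamps and the outcome, which is what the audit log above records; reviewing those entries with `dry_run` set is the week-long check the next section recommends before going live.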

Getting started

Start with dry_run: true and review the audit log for a week before enabling live responses. This gives you confidence that your rules are tuned correctly.

Undo and Manual Override

All active response actions can be manually reversed from the dashboard or API:

  • Unblock an IP before the duration expires
  • Move a device back from quarantine VLAN
  • Re-enable a disabled switch port
  • Remove rate limits immediately