info_i_25x25.png See important information about Ubiquiti Devices and KRACK Vulnerability in this article. We will update this document as more information becomes available.

UniFi - How to make persistent changes to UAP(s) system.cfg

warning_25x25.png  Warning: All configurations in this document are advanced configurations and should be used by advanced users only. Particular precautions should be taken as incorrectly applying these settings can disable critical functions. Prior to contacting support, all unsupported manual configurations should be removed from your environment. 


Recent versions of the UniFi controller (2.4.5 or later, or 3.1.6 or later) have enabled a method of making changes to UAP configuration that are persistent across reboots.


Using the file, you can implement site-wide changes, or make changes specific to individual UAP(s). Any variable in the system.cfg can be customized. The settings are applied just like any other setting in, once you have made your customizations you need to trigger a re-provision of the AP (or site). The easiest and quickest way to do this is to toggle the SNMP. Go to Settings > Site and check the box for Enable SNMP, then Apply Changes.

To make site-wide changes, start with: config.system_cfg.1= 

To make changes to a specific UAP you would also include it's MAC (without : or .): config.system_cfg.24a43c010203.1=

Note that each line has it's own number just before the equals sign, so for a second customization you would enter 2, etc.

So for example, you could do something like this to change the ebtables rules (these are defaults, just provided for example):

config.system_cfg.1=ebtables.1.cmd=-t nat -A PREROUTING --in-interface eth2 -d BGA -j DROP
config.system_cfg.2=ebtables.2.cmd=-t nat -A POSTROUTING --out-interface eth2 -d BGA -j DROP
config.system_cfg.3=ebtables.3.cmd=-t nat -A PREROUTING --in-interface eth2 --proto 0x888e -j ACCEPT
config.system_cfg.4=ebtables.4.cmd=-t nat -A PREROUTING --in-interface eth2 --proto 0x886c -j ACCEPT
config.system_cfg.5=ebtables.5.cmd=-t nat -A PREROUTING --in-interface eth2 --proto LENGTH -j ACCEPT
config.system_cfg.6=ebtables.6.cmd=-t nat -A PREROUTING --in-interface eth1 -d BGA -j DROP
config.system_cfg.7=ebtables.7.cmd=-t nat -A POSTROUTING --out-interface eth1 -d BGA -j DROP
config.system_cfg.8=ebtables.8.cmd=-t nat -A PREROUTING --in-interface eth1 --proto 0x888e -j ACCEPT
config.system_cfg.9=ebtables.9.cmd=-t nat -A PREROUTING --in-interface eth1 --proto 0x886c -j ACCEPT
config.system_cfg.10=ebtables.10.cmd=-t nat -A PREROUTING --in-interface eth1 --proto LENGTH -j ACCEPT
config.system_cfg.11=ebtables.11.cmd=-t broute -A BROUTING -i eth2 -p 802_1Q -j DROP


Another example, to change the TX power on a UAP. Make sure that TX power is set to custom in the UI. Place the following in


Here I will detail an example of the same, but how to apply it to a specific UAP:


Note, we set a minimum TX power for stability reasons. If you set TX power too low you may introduce instability. This is also an example, there are hard limits set in the firmware. 

One limitation of this is that you can only ADD to the system.cfg, it will not replace existing lines. You currently cannot remove existing lines either, so it's possible that you could create conflicts and/or introduce instability into the AP configuration. Use at your own risk.