---
project:
  name: UniFi Rollback 2026-03-17
  status: active
  category: infrastructure
  source: homelabagentroot
  created: 2026-03-17
  updated: 2026-03-17
  description: Rollback notes for the first UniFi zone and policy changes applied on 2026-03-17
  goals:
    - Restore pre-change zone membership if needed
    - Record new policy IDs created during the first change wave
    - Provide a safe reference before the next production network cutover
  priority: high
  tags: [unifi, rollback, firewall, zones, change-management]
---

# UniFi Rollback 2026-03-17

## Backups

Pre-change snapshots were saved to:

- `/private/tmp/unifi-change-backups-20260317/zones-before.json`
- `/private/tmp/unifi-change-backups-20260317/policies-before.json`

## Changes Applied

### Zone Changes

Before:

- `Management` -> `Default`, `Family of D.`
- `Internal` -> empty

After:

- `Management` -> `Default`
- `Internal` -> `Family of D.`

### New User-Defined Policies Created

| ID | Name |
|----|------|
| `ccc50b02-81ee-4e85-a994-87228b28d6ef` | `Internal to Servers HTTPS` |
| `07e03549-c022-4e90-981d-154269dc0471` | `Internal to Servers HTTP` |
| `6a7c0209-3d75-4826-bc61-ab98d9fe3ce3` | `Internal to IoT` |
| `977017d1-7600-48b1-9f04-e76eed01ca2c` | `Internal to Staging` |

### Existing Policies Modified

Logging enabled on:

- `89de6586-d284-4ce0-8e1f-8fea428c4af4` `Allow External to Web Proxy`
- `b13ad681-3d4c-4cb0-b186-70678087ddc9` `Vpn to Management`
- `92c1b619-ef7e-4b74-aaca-e57851abe962` `MBA VPN to Management`
- `5e6f26c2-1487-4e92-b682-6bcbb987b913` `Vpn to Servers`
- `3b64e36a-a452-4ab0-96b5-6088efb2330c` `Vpn to IoT`

## Rollback Steps

If the `Family of D.` cutover needs to be reversed before the next maintenance window:

1. Move `Family of D.` back into `Management`
2. Remove `Family of D.` from `Internal`
3. Keep the new `Internal` user-defined rules disabled or delete them if they are no longer needed
4. Re-test access from a `192.168.10.x` client to `Servers`, `IoT`, and `Staging`

## Rollback Zone State

Desired rollback state:

- `Management` -> `bcf0598f-9361-4306-9024-9817fd841836`, `fb44c9bf-1534-4a98-9c7e-6aee4bf4069a`
- `Internal` -> no networks assigned

## Notes

- `policies-before.json` is only a `200/236` visible slice from the original tool output; use live API reads plus the saved zone snapshot for the most accurate rollback reference.
- System-defined edge rules such as `Allow Port Forward HTTP` and `Allow Port Forward HTTPS` were not modified.
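
The zone part of the rollback (steps 1 and 2) can be planned by diffing the saved zone snapshot against a live read before anything is changed. The following is an added example, not part of the original notes or of any UniFi tooling: it assumes each zone record carries `name` and `networkIds` fields, uses placeholder network IDs, and the function names are hypothetical.

```python
import json

# Constructed sample data; the "name"/"networkIds" layout is an assumption
# about zones-before.json, and the network IDs are placeholders.
ZONES_BEFORE = json.loads("""[
  {"name": "Management", "networkIds": ["NET-DEFAULT", "NET-FAMILY-OF-D"]},
  {"name": "Internal", "networkIds": []}
]""")
ZONES_LIVE = json.loads("""[
  {"name": "Management", "networkIds": ["NET-DEFAULT"]},
  {"name": "Internal", "networkIds": ["NET-FAMILY-OF-D"]}
]""")


def membership(zones):
    """Map each network ID to the single zone that holds it."""
    owner = {}
    for zone in zones:
        for net in zone["networkIds"]:
            if net in owner:
                raise ValueError(f"{net} is in both {owner[net]} and {zone['name']}")
            owner[net] = zone["name"]
    return owner


def plan_rollback(before, live):
    """Moves that restore the snapshot, plus live networks absent from it."""
    want, have = membership(before), membership(live)
    moves = [(net, have.get(net), zone)
             for net, zone in sorted(want.items()) if have.get(net) != zone]
    unknown = sorted(set(have) - set(want))  # created after the snapshot
    return moves, unknown


def apply_moves(live, moves):
    """Apply the plan to an in-memory copy to confirm it reproduces the snapshot."""
    state = {z["name"]: set(z["networkIds"]) for z in live}
    for net, src, dst in moves:
        if src is not None:
            state[src].discard(net)
        state.setdefault(dst, set()).add(net)
    return state


if __name__ == "__main__":
    moves, unknown = plan_rollback(ZONES_BEFORE, ZONES_LIVE)
    for net, src, dst in moves:
        print(f"move {net}: {src} -> {dst}")
    print("not in snapshot:", unknown)
```

Networks reported as not in the snapshot were created after the backup and need a manual zone decision; the plan leaves them where they are.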