UniFi Enterprise Firewall Core for MSPs: Change Window Math

UniFi Enterprise Firewall Core is going to make some client conversations sound easy.
A client sees a 100 Gbps cloud gateway, a $3,499 store price, and Ubiquiti's familiar license-free story. Then they ask why the firewall refresh quote has discovery, design, after-hours cutover, high availability testing, a rollback plan, spares, and documentation in it.
That is the MSP trap.
The hardware may be cheaper than the firewall stack your client expected. The work around it is still real. If your team treats Enterprise Firewall Core like a line item instead of a scoped network change, the client gets the appliance and you inherit the weekend.
Quick answer
UniFi Enterprise Firewall Core is Ubiquiti's enterprise-scale UniFi Cloud Gateway for large network environments. For MSPs, the question is not whether the appliance is impressive. It is whether the quote includes discovery, HA design, change approvals, rollback criteria, spares, firmware ownership, and support boundaries.
What Ubiquiti actually shipped
Ubiquiti introduced Enterprise Firewall Core on June 11, 2026 as a large-scale UniFi Cloud Gateway built around 24 Neoverse N2 cores. The official launch post says it supports up to 22,000 active devices, 10 million concurrent sessions, 79 Gbps threat detection, 61 Gbps SSL inspection, and more than 5,000 concurrent IPsec or WireGuard tunnels.
The tech specs page lists a rack-mount 1U device with 100G QSFP28, 25G SFP28, 10 GbE RJ45, management, and console ports. It also lists Shadow Mode VRRP gateway failover, hot-swappable power supplies, IDS/IPS, SSL inspection, content filtering, SD-WAN, BGP, OSPF, policy-based routing, and multi-WAN support.
That is a serious box. It is also not a magic wand.
Ubiquiti's launch post ties the device to Site Manager, SD-WAN, orchestration, and identity-aware policy with Entra, Google Workspace, and LDAP. Its UniFi Network 10.4 announcement also pushed enterprise routing, eBGP, IPv6 VPN support, infrastructure visibility, and Site Manager blueprint synchronization.
So this is not just a firewall refresh. It can become a standardization decision across sites, users, identity, routing, support, and client reporting. That is where the quote gets bigger than the hardware.
License-free does not mean cost-free
The store page lists Enterprise Firewall Core at $3,499. That price will look refreshing next to some firewall quotes.
Do not let it flatten the conversation. The same page lists UI Care five-year coverage at $699 per unit and CyberSecure Enterprise at $499 per unit billed annually. It also says 90 days of professional phone support is included for UI Store purchases in the US, Canada, Europe, and the UK.
Those details matter because a client will hear "no license" and assume "less to manage." MSPs know better.
A real quote still needs to answer:
| Quote area | What the client thinks they bought | What the MSP still owns |
|---|---|---|
| Hardware | A cheaper enterprise firewall | Sizing, ordering, staging, spares, warranty, and replacement path |
| High availability | Two boxes, less downtime | VRRP design, failover testing, cabling, power, switch dependency, and acceptance criteria |
| Security services | Threat protection is included | Signature choice, CyberSecure Enterprise cost, tuning, alert ownership, and reporting |
| SD-WAN | Site-to-site connectivity | Tunnel design, routing policy, client approval, and outage runbooks |
| Identity policy | Entra-aware access | Group design, exception handling, offboarding, and audit trail |
| Change window | Plug it in after hours | Pre-checks, rollback, onsite hands, client comms, validation, and support coverage |
The appliance may reduce licensing pain. It does not remove project scope.
The change window is the product
For an MSP, the highest-risk part of Enterprise Firewall Core is not the spec sheet. It is the cutover.
A firewall change touches internet access, VPNs, routing, security policy, voice, cameras, payment terminals, line-of-business apps, remote workers, and Monday-morning confidence.
Before the quote goes out, define the change window like a deliverable:
- Pre-change discovery: current WAN links, IPs, VLANs, routing, VPN tunnels, DNS, DHCP, firewall rules, vendor exceptions, and undocumented bypasses.
- Design review: target topology, HA pair layout, uplinks, switch dependencies, power, cooling, rack space, and management access.
- Client approvals: who can approve outage timing, rollback, scope change, after-hours labor, and business risk.
- Rollback criteria: how long you troubleshoot before reverting, what counts as a failed cutover, and who gets to make that call.
- Validation list: internet, VPN, voice, printing, payment systems, camera access, remote access, monitoring, and critical apps.
- Support handoff: what is included the next business day, what becomes a project change, and what is monthly managed service work.
This is basic MSP project scoping. It just gets expensive when skipped.
If your firewall quote says "install EF-Core" and not "complete network cutover with documented rollback," your team is donating risk.
What MSPs should quote separately
Do not hide the hard parts inside the hardware margin. Put them where the client can see them.
Quote these as separate work packages when they apply:
- Network discovery and config capture. Export current firewall rules, VPNs, routes, NAT, VLANs, DHCP scopes, DNS forwarding, and management access. If the existing environment is undocumented, say so.
- HA design and failover testing. Shadow Mode and VRRP sound clean in a product post. The MSP still has to test power, links, switch paths, ISP failover, and what happens when the primary device comes back.
- Routing and SD-WAN planning. BGP, OSPF, policy-based routing, Site Magic, WireGuard, and IPsec are useful only when someone owns the design and monitoring.
- Security policy review. IDS/IPS, SSL inspection, content filtering, app filtering, and CyberSecure Enterprise need a service promise. Who tunes it? Who reviews alerts? Who explains false positives?
- Identity policy setup. Entra or Google Workspace policy sounds tidy until group membership, exceptions, break-glass access, and offboarding are messy.
- Spares and replacement path. If the client wants business-class uptime, price the spare, UI Care decision, RMA process, onsite response, and shipping reality.
- Documentation and handoff. Update diagrams, admin roles, monitoring notes, client-facing support boundaries, and escalation instructions.
This should show up in the scope of work, not as tribal knowledge in an engineer's head.
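One way to turn "HA design and failover testing" into a measurable acceptance check is sketched below. This is an added example, not Ubiquiti's or Scopable's code; the probe log, the event names, and the 5-second limit are constructed assumptions, not measured behavior of any device.

```python
# Added example: scores a failover test from a continuous probe log.
# Probe data, event names and the 5 s limit are constructed assumptions.

def outage_windows(samples):
    """Return (first_failed_ts, first_recovered_ts) for each run of lost probes.

    samples: (timestamp_s, ok) tuples sorted by time. A run that is still
    failing when the log ends is reported with None as its end.
    """
    windows, start = [], None
    for ts, ok in samples:
        if not ok and start is None:
            start = ts
        elif ok and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


def score_failover_test(samples, events, max_outage_s, settle_s=60):
    """Attribute each outage to the test action that preceded it.

    events: {action_name: timestamp_s}. An outage counts against an action
    if it starts within settle_s seconds after it. Resolution is limited
    to the probe interval.
    """
    windows = outage_windows(samples)
    report, claimed = {}, set()
    for name, at in events.items():
        hits = [w for w in windows if at <= w[0] <= at + settle_s]
        claimed.update(hits)
        total = sum(float("inf") if end is None else end - start
                    for start, end in hits)
        report[name] = {"outage_s": total, "flaps": len(hits),
                        "passed": total <= max_outage_s}
    # Loss nobody caused on purpose needs explaining before sign-off.
    unattributed = [w for w in windows if w not in claimed]
    return report, unattributed


def constructed_sample():
    """1 s probes for 5 minutes; loss after the pull (t=60) and restore (t=180)."""
    lost = set(range(61, 65)) | set(range(185, 197))
    return [(t, t not in lost) for t in range(300)]


EVENTS = {"primary_power_pulled": 60, "primary_restored": 180}
REPORT, UNATTRIBUTED = score_failover_test(constructed_sample(), EVENTS, max_outage_s=5)
```

In the constructed log the failover itself passes, but the return of the primary causes a longer outage that fails the limit, which is why the test plan needs both events written into the acceptance criteria.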
When Enterprise Firewall Core makes sense
Enterprise Firewall Core makes the most sense when the client has real scale or real consequences: multi-site clients, larger campuses, hospitality, education, warehouses, healthcare groups, high-throughput environments, or clients where the MSP is already standardizing around UniFi Network and Site Manager.
It can also fit when the client hates recurring firewall licensing but is willing to pay for design, support, and governance. If they only want the cheaper box, they are not buying the service model that keeps it boring.
Good-fit signals:
- The client has enough sites, users, VPNs, or throughput to justify enterprise-scale hardware.
- The MSP supports UniFi competently and has a documented network standard.
- HA, spares, and after-hours labor are priced instead of wished into existence.
- Network changes are part of the client's roadmap, not a surprise purchase.
If those are true, Enterprise Firewall Core can be part of a clean client standard. If not, slow down.
It may be overkill for a small single-site office with boring internet needs, limited change tolerance, no budget for design, or no appetite for a real support model. A smaller UniFi gateway, a different firewall platform, or a phased roadmap may protect margin better. If the quote wins but the support model loses, you did not win.
A practical pre-quote checklist
Use this before putting Enterprise Firewall Core into a client proposal.
- Who owns the current firewall, account, backups, passwords, and recovery path?
- Are there hidden VPNs, vendor tunnels, camera networks, payment systems, or line-of-business exceptions?
- Does the client need HA, and has the MSP priced actual failover testing?
- Is UI Care needed, and who owns the replacement workflow?
- Will CyberSecure Enterprise be used, and who reviews security events?
- Are Entra, Google Workspace, or LDAP groups clean enough for identity-aware policy?
- What is the rollback trigger during the change window?
- Who will be onsite, remote, and available after hours?
- Which validation tests must pass before the client signs off?
- What becomes monthly support versus billable follow-up work?
If those answers are vague, the quote is not ready.
Bottom line
UniFi Enterprise Firewall Core is interesting because it makes enterprise-scale networking feel more accessible. That is exactly why MSPs need to be careful.
The client sees the box. You own the outcome.
Scope the discovery. Price the change window. Test HA. Name the rollback plan. Define support ownership. Put the work in the roadmap before the client turns a license-free appliance into free labor.
Scopable is not a network appliance tool. It helps MSPs turn audits, standards, client priorities, and risk into roadmaps, budgets, quotes, and projects. If Enterprise Firewall Core belongs in your client standard, it should show up before the client asks why the "cheap firewall" has a real project attached. Join Scopable early access if you want the roadmap-to-quote path in one place.


