Introduction
Overview
Zyxel Device refers to these models as outlined below.
• USG FLEX 50 (USG20-VPN)
• USG FLEX 50AX
• USG20W-VPN
Model Feature Differences
Note the following differences between these models:
USG FLEX 50 Series Model Feature Comparison
Feature / Model | USG FLEX 50 (USG20-VPN) | USG20W-VPN | USG FLEX 50AX |
|---|---|---|---|
Microsoft Azure | YES | YES | YES |
Amazon VPC | CLI only | CLI only | CLI only |
Anomaly Detection & Prevention | YES | YES | YES |
Anti-Spam | YES | YES | YES |
IPS (IDP) | NO | NO | NO |
Anti-Malware | NO | NO | NO |
App Patrol | NO | NO | NO |
Web Security (Content Filtering) | YES | YES | YES |
SecuReporter | YES | YES | YES |
Reputation Filter (IP & DNS) | NO | NO | NO |
URL Threat Filter | NO | NO | NO |
Sandboxing | NO | NO | NO |
IP Exception | NO | NO | NO |
AP Controller | NO | NO | NO |
Device HA Pro | NO | NO | NO |
Easy Mode | YES | YES | NO |
Hotspot Management | NO | NO | NO |
Concurrent Device Upgrade | NO | NO | NO |
LAG | NO | NO | NO |
Port Group | NO | NO | NO |
Port Role | YES | YES | YES |
SD-WAN Mode | NO | NO | NO |
SSL Application | YES | YES | YES |
SSL encrypted traffic inspection | YES | YES | YES |
Bundled UTM Feature License Validity | 1 year | 1 year | 1 year |
WiFi functionality (built-in) | NO | YES | YES |
Virtual Server Load Balancing | NO | NO | NO |
Built-in AP | NO | YES | YES |
Management by Nebula Control Center (NCC) | YES | YES | YES |
Security Feature List
• Application Security (Application Patrol)
• Intrusion Prevention System (IPS)
• Anomaly Detection & Prevention (ADP)
• Web Filtering (Content Filtering)
• Malware Blocker (Anti-Virus)
• Email Security (Anti-Spam)
• Secure Socket Layer (SSL) encrypted traffic Inspection
The following security features work without a security license:
• Configuration > Content Filter > Trusted Web Sites
• Configuration > Anti-Spam/Email Security > Block/Allow List
For information on interface names by model, default port or interface name mapping, and default interface or zone mapping, please see Default Zones, Interfaces, and Ports.
See the product’s datasheet for detailed information on a specific model.
On Premises Mode
When you log into the Web Configurator for the first time or when you reset the Zyxel Device to its default configuration, the Initial Setup Wizard screen displays. Choose On Premises Mode to manage your Zyxel Device directly using either the browser-based Web Configurator or the Command Line Interface (CLI).
Follow the wizard to configure the Zyxel Device network settings to manage your Zyxel Device directly. Note that once you complete the device registration step and register your Zyxel Device at portal.myzyxel.com, you cannot change to Nebula Mode unless you reset the Zyxel Device.
Monitor Mode
Select Monitor Mode in Configuration > Mgmt. & Analytics > Nebula > Monitor Mode to monitor your Zyxel Device using Nebula Control Center (NCC) but configure settings on the web configurator at the same time. You must have created an organization and a site on NCC first.

You cannot set the Zyxel Device to Monitor Mode if Device HA is enabled on the Zyxel Device.
Nebula Mode
When you log into the Web Configurator for the first time or when you reset the Zyxel Device to its default configuration, the Initial Setup Wizard screen displays. Choose Nebula Mode to manage your Zyxel Device remotely using Nebula Control Center (NCC). Select this mode if you want to configure and monitor one or more Zyxel Devices through the cloud.
Follow the wizard to configure the Zyxel Device network settings to connect to NCC. Note that once you complete the WAN configuration step, you cannot change to On Premises Mode unless you reset the Zyxel Device.
Nebula Control Center (NCC) is an Internet portal that allows you to configure and monitor groups of Zyxel Devices in organizations. You cannot manage a Zyxel Device directly through the Web Configurator or Command Line Interface (CLI) when NCC is managing the Zyxel Device. See Model Feature Differences to see which Zyxel Devices can be managed by NCC.
Follow this procedure to have NCC manage your Zyxel Device.
NCC Portal
You should already have created an account at myZyxel.com. Follow these steps at the NCC portal.
1 Log into NCC (https://nebula.zyxel.com) with your Zyxel account. If you do not have a Zyxel account, you will be redirected to another screen to create one.
2 After you log in, click Go under Nebula Control Center and then Let’s Start to run the NCC setup wizard. Create an organization and a site or select an existing site.
3 Add the Zyxel Device to this site by entering its MAC address and serial number. You can find the MAC address and serial number on the Zyxel Device’s label, or scan the QR code using the Nebula Mobile app.
4 Configure the WAN interface that the Zyxel Device will use to connect to NCC through the Internet.
5 If you’re given a choice, select Native Mode. If you cannot select Native Mode, configure the email address of the person who will configure the Zyxel Device for management by NCC. An email will be sent to this person containing an activation link that allows management of the Zyxel Device by NCC.
Your Zyxel Device
The person who will configure the Zyxel Device for management by NCC should follow this procedure.
1 Use an Ethernet cable to connect the WAN port of the Zyxel Device (P1 or P2) to the Ethernet port of a device that will provide Internet access.
2 Use another Ethernet cable to connect the LAN port of the Zyxel Device (P3 or P4) to your computer. Make sure your computer can receive an IP address automatically. This is the default for all computers, so the computer should be fine unless you changed it.
3 Connect the power port to an appropriate power source and turn on the Zyxel Device. Wait for the SYS LED to turn solid green.
4 Back up your current configuration before passing management to NCC. Log into the web configurator, and go to Maintenance > File Manager > Configuration File. Select startup-config.conf, then click Download.
5 If you cannot select Native Mode, reset the Zyxel Device to the factory defaults. Push the Reset button until the port connection LEDs turn off (after about 5 seconds). Your Zyxel Device will reboot to the factory defaults and all previous configurations will be erased.
Skip this step if you did not configure your Zyxel Device before (including just logging in and changing the default password). You must reset the Zyxel Device if it does not have the factory default configuration.
Activation Email
If you cannot select Native Mode in the NCC setup wizard, do the following after the Zyxel Device is on:
1 Check your mailbox for an email from NCC. You may need to check your spam folder.
2 Follow the instructions in the email if you did not complete the instructions above. Look for an activation link in the email. Click the activation link or copy the link to your web browser. You will see a screen saying NCC registration is in process. Please wait.
3 When you see a screen saying NCC registration has succeeded, management of your Zyxel Device has passed to Nebula Control Center. The NCC administrator can now configure and manage your device.

ZTP is supported in firmware version 5.37 or earlier.
Changing the Mode
Follow the steps below to change your Zyxel Device from On Premises Mode to Nebula Mode or from Nebula Mode to On Premises Mode.
From Nebula Mode to On Premises Mode
Follow this procedure if you want to manage the Zyxel Device directly using the web configurator or CLI.
1 Log into NCC (https://nebula.zyxel.com) with your Zyxel account. Go to Organization-wide > License & Inventory > Devices.
2 Select the Zyxel Device you want to remove from NCC. You must know the MAC address and serial number.
3 Click Remove from organization.
4 If the Zyxel Device is connected to NCC, the Zyxel Device will automatically reset after you remove the Zyxel Device from the organization and site.
If the Zyxel Device is not connected to NCC, press the reset button. The Zyxel Device will reboot to the factory defaults.
All NCC configurations for the Zyxel Device will be erased.
5 Log into the Zyxel Device. Run the wizard and choose On Premises Mode.
6 To restore your previous configuration, log into the web configurator, and go to Maintenance > File Manager > Configuration File.
7 Under Upload Configuration File, click Browse, select the startup-config.conf on your computer that you backed up previously and click Upload. The Zyxel Device will then return to the previous settings.
From On Premises Mode to Nebula Mode
1 Back up your current configuration in Maintenance > File Manager > Configuration File.
2 Reset the Zyxel Device to the factory default by pushing the Reset button until the port connection LEDs turn off (after about 5 seconds). Your Zyxel Device will reboot to the factory defaults.
3 Log into the Zyxel Device. Run the wizard and choose Nebula Mode.
4 If you have a choice of Native Mode or ZTP, select Native Mode.
From Nebula Mode to Cloud Monitoring Mode
See Cloud Monitoring Mode to Nebula Mode if you want to monitor the Zyxel Device using Nebula Control Center (NCC) while configuring settings on the web configurator at the same time.
Registration at Zyxel
portal.myZyxel.com is Zyxel’s online services center where you can register your Zyxel Device and manage subscription services available for your Zyxel Device (see Configuration > Licensing > Registration > Service for services available for your Zyxel Device).
• For Zyxel Devices that already have firmware version 4.25 or later, you have to register your Zyxel Device and activate the corresponding service at Zyxel (through your Zyxel Device).
• For Zyxel Devices upgrading to firmware version 4.25 or later, you may skip registering your Zyxel Device and activating the corresponding service at Zyxel (through your Zyxel Device). However, it is highly recommended to at least register your Zyxel Device. At the time of writing, the Firmware Upgrade license, which provides Cloud Helper new firmware notifications, is free when you register your Zyxel Device.

You need to create a Zyxel account at http://portal.myZyxel.com before you can register your device and activate the services at Zyxel.
You may need your Zyxel Device’s serial number and LAN MAC address to register it at Zyxel. See the label on the back of the Zyxel Device for details.
Applications
These are some Zyxel Device application scenarios.
Security Router
Security includes a Stateful Packet Inspection (SPI) firewall.
IPv6 Routing
The Zyxel Device supports IPv6 Ethernet, PPP, VLAN, and bridge routing. You may also create IPv6 policy routes and IPv6 objects. The Zyxel Device can also route IPv6 packets through IPv4 networks using different tunneling methods.
VPN Connectivity
Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. In the figure below, AS is an Authentication Server.
SSL VPN Network Access
SSL VPN lets remote users use their web browsers for a very easy-to-use VPN solution. A user just browses to the Zyxel Device’s web address and enters his user name and password to securely connect to the Zyxel Device’s network. Here full tunnel mode creates a virtual connection for a remote user and gives him a private IP address in the same subnet as the local network so he can access network resources in the same way as if he were part of the internal network.
User-Authentication Access Control
Set up security policies to restrict access to sensitive information and shared resources based on the user who is trying to access it.
Load Balancing
Set up multiple connections to the Internet on the same port, or different ports, including cellular interfaces. In either case, you can balance the traffic loads between them.
Management Overview
Web Configurator
The Web Configurator allows easy Zyxel Device setup and management using an Internet browser.
Command-Line Interface (CLI)
The CLI allows you to use text-based commands to configure the Zyxel Device. Access it using remote management (for example, SSH or Telnet) or through the physical or Web Configurator console port. See the Command Reference Guide for CLI details. The default settings for the console port are:
Console Port Default Settings
Setting | Value |
|---|---|
Speed | 115200 bps |
Data Bits | 8 |
Parity | None |
Stop Bit | 1 |
Flow Control | Off |
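One way to apply these console defaults to a serial port from a Linux or macOS workstation and read them back before starting a session. This is an added example, not from the Zyxel documentation; it uses Python's standard termios module, and the device path /dev/ttyUSB0 mentioned in the comment is an assumption. The demo runs against a pseudo-terminal so it works without hardware attached.

```python
import os
import pty
import termios

def apply_console_defaults(fd):
    """Apply the table's defaults to fd: 115200 bps, 8 data bits, no parity, 1 stop bit, no flow control."""
    iflag, oflag, cflag, lflag, _ispeed, _ospeed, cc = termios.tcgetattr(fd)
    cflag &= ~termios.CSIZE
    cflag |= termios.CS8                              # Data Bits: 8
    cflag &= ~(termios.PARENB | termios.PARODD)       # Parity: None
    cflag &= ~termios.CSTOPB                          # Stop Bit: 1 (CSTOPB would select 2)
    cflag &= ~termios.CRTSCTS                         # Flow Control: Off (hardware RTS/CTS)
    iflag &= ~(termios.IXON | termios.IXOFF | termios.IXANY)  # Flow Control: Off (XON/XOFF)
    cflag |= termios.CLOCAL | termios.CREAD           # ignore modem lines, enable receiver
    # Raw mode: stop the local tty layer from echoing or rewriting CLI bytes.
    iflag &= ~(termios.ICRNL | termios.INLCR | termios.IGNCR | termios.ISTRIP)
    oflag &= ~termios.OPOST
    lflag &= ~(termios.ICANON | termios.ECHO | termios.ISIG | termios.IEXTEN)
    termios.tcsetattr(fd, termios.TCSANOW,
                      [iflag, oflag, cflag, lflag,
                       termios.B115200, termios.B115200, cc])   # Speed: 115200 bps

def read_back(fd):
    """Return the line settings currently in effect, keyed like the table above."""
    iflag, _oflag, cflag, _lflag, _ispeed, ospeed, _cc = termios.tcgetattr(fd)
    soft_flow = iflag & (termios.IXON | termios.IXOFF)
    hard_flow = cflag & termios.CRTSCTS
    return {
        "Speed": "115200 bps" if ospeed == termios.B115200 else "other",
        "Data Bits": 8 if (cflag & termios.CSIZE) == termios.CS8 else "other",
        "Parity": "Enabled" if cflag & termios.PARENB else "None",
        "Stop Bit": 2 if cflag & termios.CSTOPB else 1,
        "Flow Control": "On" if (soft_flow or hard_flow) else "Off",
    }

if __name__ == "__main__":
    # Constructed demo: a pseudo-terminal stands in for the serial adapter.
    # With a real adapter, open it instead, e.g.
    # os.open("/dev/ttyUSB0", os.O_RDWR | os.O_NOCTTY)  (assumed path).
    master, slave = pty.openpty()
    try:
        apply_console_defaults(slave)
        for setting, value in read_back(slave).items():
            print(f"{setting}: {value}")
    finally:
        os.close(master)
        os.close(slave)
```
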
Remote Access to the Zyxel Device Networks
Your Zyxel Device keeps your networks safe while allowing external access by applying the security measures below:
• Two-Factor Authentication: Use two-factor authentication to have double-layer security to access the Zyxel Device. The first layer is the VPN client/Zyxel Device’s login user name / password. The second layer is an authorized SMS (through mobile phone number) or email address. See Two-Factor Authentication for more information on two-factor authentication.
• Device Insight: The Zyxel Device can identify and display the basic information and status of clients that are connected to the Zyxel Device networks in Monitor > Network Status > Device Insight. See Device Insight for more information on viewing the device insight.
Create device insight profiles in Configuration > Object > Device Insight to block specified clients from accessing the Internet or the Zyxel Device. See Device Insight for more information on creating and using the device insight profiles.
• IPSec VPN: You can create highly secure connections with IKEv2 or EAP authentication to access networks behind the Zyxel Device. For example, home workers can securely access company resources if they have proper authentication. See IPSec VPN for more information on IPSec VPN.
• Upload Bandwidth Limit: Zyxel subscription-based SecuExtender IPSec VPN clients with Windows version 5.6.80.007 or later or macOS version 1.2.0.7 or later support upload bandwidth limit. Use this to set the maximum bandwidth for uploading traffic from IPSec VPN clients over IPSec VPN tunnels. See Zyxel Device IPSec VPN Client Configuration Provisioning for more information on upload bandwidth limit.