Introduction
Overview
Zyxel Device refers to these models as outlined below.
• USG FLEX 50H | • USG FLEX 50HP |
• USG FLEX 100H | • USG FLEX 100HP |
• USG FLEX 200H | • USG FLEX 200HP |
• USG FLEX 500H | • USG FLEX 700H |
Major Model Features
The following table lists the key features these models support:
FEATURE/model | USG FLEX 50h | USG FLEX 50hP | USG FLEX 100h | USG FLEX 100hp | USG flex 200h | USG flex 200hp | USG flex 500h | USG flex 700h |
|---|---|---|---|---|---|---|---|---|
DoS Prevention | YES | YES | YES | YES | YES | YES | YES | YES |
IPS | YES | YES | YES | YES | YES | YES | YES | YES |
Anti-Malware | YES | YES | YES | YES | YES | YES | YES | YES |
App Patrol | YES | YES | YES | YES | YES | YES | YES | YES |
Content Filtering | YES | YES | YES | YES | YES | YES | YES | YES |
SecuReporter | YES | YES | YES | YES | YES | YES | YES | YES |
Reputation Filter | YES | YES | YES | YES | YES | YES | YES | YES |
Sandboxing | YES | YES | YES | YES | YES | YES | YES | YES |
Device Insight | YES | YES | YES | YES | YES | YES | YES | YES |
IP Exception | YES | YES | YES | YES | YES | YES | YES | YES |
SSL encrypted traffic inspection | YES | YES | YES | YES | YES | YES | YES | YES |
Bundled Security Feature License Validity | 1 year | 1 year | 1 year | 1 year | 1 year | 1 year | 1 year | 1 year |
Management by Nebula Cloud Center | YES | YES | YES | YES | YES | YES | YES | YES |
Device HA | NO | NO | NO | NO | YES | YES | YES | YES |
• See USG FLEX Series Port Comparison Table for a comparison of hardware ports.
• See the Product Features appendix for a more detailed comparison of features.
• See the product’s datasheet for detailed information on a specific model.
• For information on interface names by model, default port or interface name mapping, and default interface or zone mapping please see Default Physical Port – Interface Mapping.
• You can configure these features indirectly using the Nebula Control Center or directly using the Web Configurator.
Fast-path Acceleration
Fast-path Acceleration is a way to speed up certain traffic such as NAT, IPSec VPN, Security policies through the Zyxel Device by bypassing the kernel. SSL VPN traffic does not use fast-path acceleration.
Registration at Nebula Control Center (NCC)
Nebula Control Center (NCC) is an Internet portal that allows you to configure and monitor groups of Zyxel Devices in organizations. You must register your Zyxel Device at NCC to use security services and upgrade firmware. See Licensing > Licenses for security services available for your Zyxel Device.
Use NCC to monitor and manage your Zyxel Device. Use the web configurator to configure the Zyxel Device settings.
Run the initial setup wizard to register your Zyxel Device at NCC. Or you can follow the steps below to register your Zyxel Device at NCC.
1 Log into NCC (https://nebula.zyxel.com) with your Zyxel Account. If you do not have a Zyxel Account, you should click Create an account to create one.
2 After you log in, click Go under NCC and then Let’s Start to run the NCC setup wizard. Create an organization and a site or select an existing site.
3 Add the Zyxel Device to this site by entering its MAC address and serial number. You’ll find the Zyxel Device MAC address and serial number on its label or scan the QR code using the Nebula Mobile app.
4 Configure the WAN interface that the Zyxel Device will use to connect to NCC through the Internet.
If you did not register your Zyxel Device at NCC, you will see a reminder to register every time you log into the Zyxel Device web configurator with an admin account.
Licenses
When you purchase a new Zyxel Device, it comes with the Gold Security Pack license. This license is valid for one year.
The Gold Security Pack license consists of the following services at the time of writing. See Licensing > Licenses for the latest services available for your Zyxel Device.
• Anti -Malware
• Application Patrol
• Device Insight
• IPS (Intrusion Prevention System).
• Nebula Professional Pack
• Reputation Filter, including IP Reputation, URL Threat Filter, DNS Threat Filter services and External Blocking Lists (EBL) for these services
• Sandboxing
• Security Profile Sync - Use NCC to apply the same security settings to all Firewalls in the same organization
• SecuReporter
• Web Filtering (Content Filtering)
License Priority
New licenses queue until existing licenses expire. If you buy a new Gold Security Pack, these licenses will be used only after licenses in the existing Gold Security Pack expire.
Grace Period
Service licenses have a 15-day grace period after a license expires. Services will continue to work in this period during which you will receive notifications to renew your licenses. New licenses are valid for 1 year from the date of purchase.
Please note that a trial license does not have a grace period.
Applications
These are some Zyxel Device application scenarios.
Security Router
Security includes a Stateful Packet Inspection (SPI) firewall.
VPN Connectivity
Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. AS is an Authentication Server in the below figure.
User-Aware Access Control
Set up security policies to restrict access to sensitive information and shared resources based on the user who is trying to access it. In the following figure user A can access both the Internet and an internal file server. User B has a lower level of access and can only access the Internet. User C is not even logged in, so and cannot access either the Internet or the file server.
Load Balancing
Set up multiple connections to the Internet on the same port, or different ports. In either case, you can balance the traffic loads between them.
Management Overview
You can manage the Zyxel Device in the following ways.
Web Configurator
The Web Configurator allows easy Zyxel Device setup and management using an Internet browser. This User’s Guide provides information about the Web Configurator.
Command-Line Interface (CLI)
The CLI allows you to use text-based commands to configure the Zyxel Device. Access it using remote management (for example, SSH) or via the physical port. See the Command Reference Guide for CLI details. The default settings for the console port are:
Setting | Value |
|---|---|
Speed | 115200 bps |
Data Bits | 8 |
Parity | None |
Stop Bit | 1 |
Flow Control | Off |
FTP
Use File Transfer Protocol for firmware upgrades and configuration backup or restore.
SNMP
The device can be monitored and/or managed by an SNMP manager. See SNMP.
Management Authentication
Managers must be authenticated with a username and password, using one of:
• Local Zyxel Device authentication
• An external RADIUS server
• Certificates
Web Configurator
The Web Configurator is an HTML-based management interface that allows easy system setup and management through Internet browser. Use a browser that supports HTML5, such as Microsoft Edge, Mozilla Firefox, or Google Chrome.
In order to use the Web Configurator you need to allow:
• Web browser pop-up windows from your device.
• JavaScript (enabled by default).
The recommended minimum screen resolution is 1366 x 768 pixels.
Screenshots and graphics in this book may differ slightly from your product due to differences in product features.Web Configurator Access
1 Make sure your Zyxel Device hardware is properly connected. See the Quick Start Guide.
2 In your browser go to https://192.168.168.1. By default, the Zyxel Device automatically routes this request to its HTTPS server, and it is recommended to keep this setting. The Login screen appears.
3 Select a display language for the Zyxel Device’s web configurator screens in the upper right of the screen. The following are the languages supported at the time of writing.
4 Type the user name (default: “admin”) and password (default: “1234” or see the label on the back of the Zyxel Device).
5 Click Login. After you log in for the first time using the default user name and password, you must change the default admin password in the Update Admin Info screen. Enter a new password of from 1 to 64 characters.
Make a note of your new password, enter it in the following screen, then click Apply. The Login screen appears again. Log in with your new password.
Remote Access to the Zyxel Device Networks
Your Zyxel Device keeps your networks safe while allowing external access by applying the security measures below:
• Two-Factor Authentication: Use two-factor authentication to have double-layer security to access a secured network behind the Zyxel Device. The first layer is the VPN client/Zyxel Device’s login user name / password. The second layer is an authorized SMS (via mobile phone number) or email address. See Two-Factor Authentication Overview for more information on two-factor authentication.
• IPSec VPN: You can create highly secure connections with IKEv2 or EAP authentication to access networks behind the Zyxel Device. For example, home workers can securely access company resources if they have proper authentication. See IPSec VPN for more information on IPSec VPN.
Web Configurator Screens Overview
The Web Configurator screen is divided into these parts:
Title Bar
The title bar icons in the upper right corner provide the following functions.
Label | Description |
|---|---|
Language | Select a display language for the Zyxel Device’s web configurator screens. |
Web Console | Select this to display a Command Line Interface (CLI) in your browser. See the Command Line Interface Reference Guide for information on commands. |
More | About: Click this to display basic information about the Zyxel Device. Nebula: Click this to go to https://nebula.zyxel.com/ to monitor or manage your Zyxel Device using Nebula. SecuReporter: Click this to go to https://secureporter.cloudcnm.zyxel.com/ for security analytics. |
Help | Online Help: Click this to open the help page for the current screen. Tutorial Video: Click this to go to YouTube to see related Zyxel Device configuration videos. Community: Click this to go to https://community.zyxel.com/en/categories/security for security product line discussions. Priority Support: The Nebula Pro license includes this to get direct assistance from the Nebula technical support team within 24 hours, and access to web chat during Taiwan office hours. |
Notification | What’s New: Click this to open a PDF file to display what’s new in the Zyxel Device firmware. New Features: Click this to display new features with new GUI screens. Click the link to be directed to the new GUI screens. |
User | Change Password: This is for an admin account type only. Click this to change the account password. You will need to log in again using the new password. Logout: Click this log out of the Web Configurator. |
About
Click About to display basic information about the Zyxel Device.
This table describes the fields in this screen.
Label | Description |
|---|---|
Current Version | This shows the firmware version of the Zyxel Device. |
Release Date | This shows the date (yyyy-mm-dd) and time (hh:mm:ss) when the firmware is released. |
System Protection Signature | This shows the system protection signature version of the Zyxel Device. These signatures do not require a license. The Zyxel Device will synch with the Cloud Helper Server every day to update these signatures automatically. System protection signatures protect your Zyxel Device and local networks from web attacks, such as command injection, cross-site scripting and path traversal. Command injection: This is an attack in which an attacker uses the Zyxel Device vulnerabilities to execute commands to control your Zyxel Device. Cross-site scripting: This is an attack in which an attacker implants malicious scripts in a website. When you visit this website, the malicious scripts are sent and executed on your web browser. Path traversal: This is an attack that allows an attacker to access files you store in the web root folder. |
Navigation Panel
Use the navigation panel menu items to open status and configuration screens. Click the arrow of the navigation panel to hide the panel. Type an entry in the Search box to find a menu item containing that entry. The following sections introduce the Zyxel Device’s navigation panel menus and their screens.
Dashboard Screens
The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs.
folder or link | tab | function |
|---|---|---|
System | Collect and display the Zyxel Device system information, such as serial number, MAC address and CPU usage. | |
Security | Collect and display security event statistics. |
Monitoring Screens
The monitoring screens display status and statistics information.
Folder or Link | Tab | Function |
|---|---|---|
Traffic Statistics | ||
Application Usage | Application Usage | Collect and display application statistics. |
Port | Port | Collect and display port statistics. |
Interface | Interface | Collect and display interface statistics. |
Session Monitor | Session Monitor | Collect and display session statistics. |
Security Statistics | ||
Content Filter | Content Filter | Collect and display content filter statistics |
Reputation Filter | IP Reputation | Collect and display IP reputation statistics. |
DNS Threat Filter | Collect and display DNS threat filter statistics. | |
URL Threat Filter | Collect and display URL threat filter statistics. | |
IPS | IPS | Collect and display statistics on the intrusions that the Zyxel Device has detected. |
Anti-Malware | Anti-Malware | Collect and display anti-malware statistics. |
Sandbox | Sandbox | Displays the sandbox statistics. |
SSL Inspection | Summary | Collect and display SSL Inspection statistics. |
Certificate Cache List | Display traffic to destination servers using certificates. | |
Network Status | ||
Interface | Interface | Display the status of Zyxel Device interfaces. |
Device Insight | Device Insight | Displays a list of WiFi and wired clients connected to the Zyxel Device local networks. |
Login Users | Login Users | List the users currently logged into the Zyxel Device. |
Lockout IPs | View and unlock IP addresses blocked from logging in to the Zyxel Device. | |
DHCP Table | DHCP Table | Display a list of interfaces and their DHCP-assigned IP addresses. |
VPN Status | ||
IPSec VPN | Site to Site VPN | Display and manage the Zyxel Device IPSec VPN connections with remote IPSec VPN routers that have static IP addresses or a domain names. |
Remote Access VPN | Display and manage IPSec VPN connections from external users who want to access the networks behind the Zyxel Device. | |
SSL VPN | Remote Access VPN | Display and manage SSL VPN connections from external users who want to access the networks behind the Zyxel Device. |
Tailscale | Tailscale | Display Tailscale mesh VPN connections across different networks. |
Configuration Screens
Use the configuration screens to configure the Zyxel Device’s features.
Folder or Link | Tab | Function |
|---|---|---|
Licensing | Licenses | Displays if the Zyxel Device is registered and licenses purchased. |
Signature Update | Use this screen to update signatures immediately or by a schedule. | |
Network | ||
Interface | Interface | Use this screen to: • Create and manage Ethernet interfaces. • Create and manage VLAN interfaces. • Create and manage bridge interfaces. • Configure IP address assignment and interface parameters for VTI (Virtual Tunnel Interface). |
Trunk | Create and manage trunks (groups of interfaces) for load balancing. | |
Port | Use this screen to configure the Zyxel Device port settings. | |
Routing | Policy Route | Create and manage routing policies. |
Static Route | Create and manage IP static routing information. | |
NAT | NAT | Set up and manage port forwarding rules. |
BWM | BWM | Control bandwidth for services passing through the Zyxel Device, and identify the conditions for bandwidth control. |
ALG | ALG | Configure FTP pass-through settings. |
Multicast | IGMP Proxy | Configure IGMP Proxy settings. |
VPN | ||
IPSec VPN | Site to Site VPN | Configure Zyxel Device IPSec VPN connections with remote IPSec VPN routers that have static IP addresses or a domain names. |
Remote Access VPN | Configure IPSec VPN connections for external users who want to access the networks behind the Zyxel Device. | |
SSL VPN | General | Configure SSL VPN connections for external users who want to access the networks behind the Zyxel Device. |
Tailscale | Tailscale | Configure the Zyxel Device in a Tailscale mesh VPN network. |
Security Policy | ||
Policy Control | Policy Control | Create and manage level-3 traffic rules and apply Security Service profiles. |
DoS Prevention | DoS Prevention Policy | Display and manage ADP bindings. |
Profile | Create and manage DoS prevention profiles. | |
IP Spoofing Prevention | IP Spoofing Prevention | Bind IP addresses to MAC addresses. |
Session Control | Session Control | Limit the number of concurrent client NAT/security policy sessions. |
Captive Portal | Authentication Policy | Configure client authentication for network access through the Zyxel Device. |
Object | ||
Address | Address | Create and manage host, range, and network (subnet) addresses. |
Address Group | Create and manage groups of addresses to apply to policies as a single objects. | |
Geo IP | Update the database of country-to-IP address mappings and manually configure country-to-IP address mappings for geographic address objects that can be used in security policies. | |
Service | Service | Create and manage TCP and UDP services. |
Service Group | Create and manage groups of services to apply to policies as a single object. | |
Zone | Zone | Configure zone templates used to define various policies. |
Schedule | Schedule | Create one-time and recurring schedules. |
Schedule Group | Create and manage groups of schedules to apply to policies as a single object. | |
Security Service | ||
App Patrol | App Patrol | Manage different types of traffic in this screen. Create App Patrol template(s) of settings to apply to a traffic flow using a security policy. |
Content Filtering | Content Filtering | Use this screen to: • Create and manage the detailed filtering rules for HTTP(S) traffic scan and DNS domain scan. • Create a list of allowed web sites that bypass HTTP(S) traffic scan and DNS domain scan. • Create a list of web sites to block regardless of content filtering policies. |
Reputation Filter | IP Reputation | Enable IP reputation and specify what action the Zyxel Device takes when any IP address with bad reputation is detected. You can also set up an allow list to identify which IPv4 addresses should be allowed, and a block list to identify which IPv4 addresses should be blocked. |
DNS Threat Filter | Enable DNS threat filtering and specify what action the Zyxel Device takes when a access attempt to a blocked Fully Qualified Domain Name (FQDN) is detected. You can also set up an allow list to identify which FQDNs should be allowed, and a block list to identify which FQDNs should be blocked. | |
URL Threat Filter | Enable URL filtering and specify what action the Zyxel Device takes when a access attempt to a blocked website is detected. You can also set up an allow list to identify which IPv4 addresses and/or URLs should be allowed, and a block list to identify which IPv4 addresses and/or URLs should be blocked. | |
Anti-Malware | Anti-Malware | Enable, specify actions to take when encountering malware or compressed files, and set up a block list to identify files with malware file patterns and an allow list to identify files that should not be checked for malware. |
Sandbox | Sandbox | Enable sandbox, and specify the actions the Zyxel Device takes when files with unknown or untrusted programs are detected. |
IPS | IPS | Enable and configure IPS settings. Create, import, or export custom signatures. |
Allow List | Configure signatures that will be exempted from IPS inspection. | |
IP Exception | IP Exception | Use this screen to view the IP exception list for the anti-malware, reputation filter and IPS (Intrusion Prevention System) features. The Zyxel Device will not intercept nor inspect the incoming packets that match the rules in the IP exception list for the anti-malware and/or IPS (Intrusion Prevention System) features. |
SSL Inspection | Profile | Decrypt HTTPS traffic for Security Service inspection. Create SSL Inspection templates of settings to apply to a traffic flow using a security policy. |
Exclude List | Configure services to be excluded from SSL Inspection. | |
Certificate Update | Use this screen to update the latest certificates of servers using SSL connections to the Zyxel Device network. | |
External Block List | IP Reputation | Set up an external block list which uses block list entries of IP addresses with bad reputations stored in a file on a web server that supports HTTP or HTTPS and is reachable from the Zyxel Device. The Zyxel Device will block incoming and outgoing packets from the black list entries in this file. |
DNS Threat Filter/URL Threat Filter | Set up an external block list which uses block list entries of blocked Fully Qualified Domain Names (FQDN) or blocked URLs stored in a file on a web server that supports HTTP or HTTPS and is reachable from the Zyxel Device. The Zyxel Device will block incoming and outgoing packets from the black list entries in this file. | |
User & Authentication | ||
User/Group | User | Create and manage users. |
Group | Create and manage groups of users. | |
Setting | Manage default settings for all users, general settings for user sessions, and rules to force user authentication. | |
User Authentication | AAA Server | Configure the default authentication server (Local/LDAP/AD/RADIUS) to use for user authentication. |
Two-factor Authentication | Configure Google Authenticator to access a secured network behind the Zyxel Device via the web configurator or SSH connection. | |
Wireless | ||
AP Control Service | AP Management Service | Set the password for the admin accounts of APs connected to the Zyxel Device. |
Access Points | AP List | Manage all of the APs connected to the Zyxel Device |
Policy | Configure the AP controller’s IP address on the managed APs and determine the action the managed APs take if the current AP controller fails. | |
AP Firmware | Check for and download new AP firmware when it becomes available on the firmware server. | |
WLAN Clients | All Clients | View a list of WiFi clients connected to APs. |
Policy Clients | Configure a policy to block a specific MAC address. | |
WLAN Settings | SSID Settings | Configure SSID profiles for each AP group. |
Radio Settings | Configure global radio settings for all managed APs. | |
AP Settings | Configure general AP settings and enable or disable a port on the managed AP and configure the port’s VLAN settings. | |
AP Group Settings | Configure AP group settings and remove an AP group. | |
Wireless Health | Wireless Health Configuration | Monitor the health of WiFi networks for your APs and connected WiFi clients. |
System | ||
Settings | Settings | Use this screen to configure: • The Zyxel Device host name. • System time settings. • Remote access to the Zyxel Device settings. • The web configurator language display settings. |
Device HA | HA Status | See the license status for Device HA, and see the status of the active and passive devices. |
HA Configuration | Configure Device HA global settings, monitored interfaces and synchronization settings. | |
HA Log | See logs of the active and passive devices. | |
DNS & DDNS | DNS | Configure the DNS server and address records for the Zyxel Device. |
DDNS | Define and manage the Zyxel Device’s DDNS domain names. | |
SNMP | SNMP | Configure SNMP communities and services. |
Notification | Mail Server | Configure a mail server with authentication to send reports and password expiration notification emails. |
Alert | Enable to have the Zyxel Device send events notification mails and alert logs. | |
Certificate | My Certificates | Create and manage the Zyxel Device’s certificates. |
Trusted Certificates | Import and manage certificates from trusted sources. | |
Advanced | System Parameters | Edit default Zyxel Device parameters such as UDP/ICMP timeout, ARP spoofing, device insight and LLDP. |
External Integration | Endpoint | Integrate the Zyxel Device with other cloud-based security platforms such as the Avast Business Hub. |
Log & Report | ||
Log / Events | System | View the Zyxel Device log messages. |
APC | View AP Controller (APC) related logs. | |
AP | View connected AP related logs. | |
Log Setting | Log Category Setting | Configure the system log, email logs, and remote syslog servers. |
SecuReporter | SecuReporter | Enable SecuReporter logging and access the SecuReporter security analytics portal that collects and analyzes logs from your Zyxel Device in order to identify anomalies, alert on potential internal or external threats, and report on network usage. |
Email Daily Report | Email Daily Report | Select statistics to email in a daily report. |
Maintenance Screens
Use the maintenance screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the Zyxel Device.
Folder or Link | Tab | Function |
|---|---|---|
Maintenance | ||
Firmware/File Manager | Configuration File | Manage and upload configuration files for the Zyxel Device. |
Firmware Management | View the current firmware version and upload firmware. | |
Diagnostics | Diagnostics | Collect diagnostic information. |
Packet Capture | Capture packets for analysis. | |
CPU/Memory Status | View CPU and memory usage statistics. | |
System Log | View the files of diagnostic information the Zyxel Device has collected and stored on a connected USB storage device. | |
Network Tool | Identify problems with the connections. You can use Ping or Traceroute to help you identify problems. | |
Packet Flow Explore | Routing Status | Check how the Zyxel Device determines where to route a packet. |
SNAT Status | View the overall source IP address conversion (SNAT) flow and each SNAT function’s settings. | |
Route Traces | Configure traceroute to identify where packets are dropped for troubleshooting. | |
Reboot/Shutdown | Reboot/Shutdown | Restart or turn off the Zyxel Device. |
Tables and Lists
Web Configurator tables and lists are flexible with several options for how to display their entries.
Click a column heading to sort the table’s entries according to that column’s criteria.
Click the Resize icon (
) to adjust how to display column entries. If you manually adjusted the width of the columns, click Reset to return them to the original widths. If you have a big monitor and want to see complete information in each column field, click Fit Content. If your monitor is not so big and you want to see all columns in the screen, click Fit View.
) to adjust how to display column entries. If you manually adjusted the width of the columns, click Reset to return them to the original widths. If you have a big monitor and want to see complete information in each column field, click Fit Content. If your monitor is not so big and you want to see all columns in the screen, click Fit View. Click the column icon (
) for more options about how to display the entries. The options available vary depending on the type of fields in the column. You can select which columns to display by selecting or clearing the check box.The tables have icons for working with table entries.
) for more options about how to display the entries. The options available vary depending on the type of fields in the column. You can select which columns to display by selecting or clearing the check box.The tables have icons for working with table entries.Error /Warning Messages
The following are some error or warning messages that may appear on your Zyxel Device.
Parsing/Timeout Error
Some screens may display an error message if there is a parsing or time-out error. Use Test in Maintenance > Firmware/File Manager > Configuration to see if the currently running configuration file has an error.
Desynchronize from Nebula Security Profile Warning
Security profile sync in the Nebula Control Center (NCC) allows you to share the same Zyxel Device security service feature across multiple sites within an organization. If you enable Security profile sync in the NCC, and then add, edit or remove the security service feature in the web configurator, you will then see one of the following warnings.
Click Cancel to not apply or remove the security service feature and keep it synchronized with other sites on the NCC, or click OK to apply or remove the security service feature. The Security profile sync will then be disabled on the NCC.