Best Of
What is the Diagnostic info of AP?
The Diagnostic info is a file generated via the Diagnostics screen on the Zyxel AP's interface. It contains both configuration and diagnostic data about the AP which can be instrumental during troubleshooting.
If you encounter issues with the AP, you can provide this file to customer support to aid in resolving the problems more efficiently.
Re: Don't send new login activity emails if the public IP is the same of a nebula device
Hi @matteosaitta,
Regarding your request, you may adjust notifications by going to Manage Account > Notifications and enabling only the Unusual GeoIP Login notification.
Re: USG LITE60AX V2.30(ACIP.0)C0 Firmware release
I also have this problem. After upgrading USG LITE 60AX to version V2.30(ACIP.0) communication between LAN ports does not work.
[2026 January Spotlight] Integrate Secure Cloud Authentication with the USG FLEX H series
As organizations adopt cloud services and support remote and hybrid work models, identity has become a critical foundation of modern security. Traditional authentication methods based on locally managed accounts are increasingly difficult to scale and protect against today’s threats, including credential theft and unauthorized access.
To meet these challenges, businesses are shifting toward centralized, cloud-based authentication models that enhance security while simplifying user access. This approach helps organizations reduce administrative overhead, support multi-factor authentication, and deliver a more consistent and secure login experience across users and locations.
This evolution reflects a broader move toward identity-driven security at the network edge.
🛡️Secure Cloud Identity on the USG FLEX H Series
The USG FLEX H Series brings modern cloud-based authentication to Captive Portal and SSL VPN, delivering enterprise-grade identity security for network access. With built-in support for OpenID Connect (OIDC), organizations can authenticate users through trusted identity providers such as Microsoft Entra ID and Google, without relying on locally managed firewall accounts.
This capability simplifies identity management, strengthens security through centralized authentication and multi-factor authentication, and delivers a smoother login experience across both remote access and network onboarding scenarios.
Available in uOS 1.37
To start using secure cloud authentication for Captive Portal and SSL VPN, make sure your USG FLEX H Series is updated to uOS 1.37 or later.
💡How Secure Cloud Authentication Works
The USG FLEX H Series extends secure cloud authentication directly to the network edge, enabling users to authenticate through trusted cloud identity providers without creating or managing local firewall accounts. When users access network services such as SSL VPN or Captive Portal, authentication is delegated to existing cloud identity platforms, allowing the firewall to verify identity without handling user credentials.
This approach centralizes identity verification, keeps credentials outside the gateway, and enables consistent access control across both remote and on-site access scenarios.
🔑Seamless and Secure Authentication Flow
- User access request: A user tries to access a service (SSL VPN, Captive Portal) through a configured OIDC-enabled gateway.
- Redirect to Identity Provider: The H series Gateway redirects the user to a trusted IdP (Microsoft Entra ID or Google).
- User authentication: The user completes the login process on the IdP's page.
- Obtain authentication token: Upon successful authentication, the IdP issues an authentication token to the user.
- Gateway token validation: The user returns to the gateway with the authentication token, and the gateway validates the token and determines the user's access permissions.
- Grant access: Once validation is successful, the gateway grants the user access.
This approach keeps credentials out of the firewall, reduces attack surfaces, and aligns with modern Zero Trust principles.
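The gateway token validation and grant steps above, sketched as an added example (not Zyxel's code and not part of the original post). It assumes the authentication token is an OIDC ID token in JWT form signed with RS256; the issuer URL, client ID, nonce and the toy RSA key are constructed for the demo, and a real gateway verifies against the signing keys the IdP publishes.

```python
import base64, hashlib, json

# Constructed demo key built from two Mersenne primes: insecure, test use only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa(msg: bytes) -> int:
    """PKCS#1 v1.5 encoding of SHA-256(msg), used by RS256."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def issue(claims: dict, alg: str = "RS256") -> str:
    """Stand-in for the IdP (step 4): sign the claims into a compact JWT."""
    head = b64u(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = pow(emsa(f"{head}.{body}".encode()), D, N).to_bytes(K, "big")
    return f"{head}.{body}.{b64u(sig)}"

def validate(token: str, issuer: str, client_id: str, nonce: str, now: float) -> dict:
    """Gateway side (step 5): return the claims or raise ValueError."""
    head, body, sig = token.split(".")
    if json.loads(b64u_dec(head)).get("alg") != "RS256":  # rejects alg "none"
        raise ValueError("unexpected alg")
    if pow(int.from_bytes(b64u_dec(sig), "big"), E, N) != emsa(f"{head}.{body}".encode()):
        raise ValueError("bad signature")
    claims = json.loads(b64u_dec(body))
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:  # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims

def decide(token: str, **expected) -> str:  # step 6: grant only if all checks pass
    try:
        return "grant:" + validate(token, **expected)["sub"]
    except Exception as err:  # fail closed on any parsing or validation error
        return f"deny:{err}"
```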
⚙️Configure Secure Cloud Authentication
The USG FLEX H Series supports secure cloud authentication across key access scenarios:
Using Microsoft Entra ID
Using Google
Step-by-step configuration guides with real-world examples and screenshots are available to help organizations get started quickly.
🛡️A Future-Ready Access Experience
By integrating secure cloud authentication directly into Captive Portal and SSL VPN, the USG FLEX H Series delivers a more secure, scalable, and future-ready access experience for modern workplaces and hybrid environments.
💭Already using the USG FLEX H Series?
We invite you to explore this new authentication capability and share your experience with us. What features or improvements would you like to see next? Your feedback plays a key role in shaping what comes next.
Re: usg flex h new firmware 1.37
Hi, sorry for the delay; we have found the problem: the ARP table of our provider's device was dirty, the access to our perimeter firewall was blocked/allowed, and after cleaning the ARP table all has gone OK. Thank you.
Re: Multy X WSQ50 Firmware
Hi @ChrisNas,
It sounds like you're experiencing setup issues with your Multy X devices, and a firmware update could indeed be a key step in resolving them. Many users have reported similar problems that were fixed by updating the firmware.
Here's some guidance based on common solutions:
- Latest Firmware Version: The latest firmware version for the Multy X (WSQ50) is V2.20(ABKJ.8)C0.
- Multy App Version: Ensure your Multy app is updated to the latest version available on your device's app store. For Android, recent versions are often around 2.6.2.240202 or 2.6.3.240201, and for iOS, version 2.6.1 is commonly cited.
- Bluetooth: Make sure that Bluetooth is enabled on your phone during the setup process.
To help you further and provide the specific firmware file and a detailed how-to guide, please provide the following information:
- Multy App Version: The exact version number of the Multy app you are currently using.
- Current Multy X Firmware Version: If you are able to check it, please provide the current firmware version installed on your Multy X WSQ50 units.
- Error Message Screenshots: Screenshots of any error messages you encounter during the setup process.
- Device Model: Multy X (WSQ50) is already provided, thank you.
Since direct links to firmware files are often sent via private message for security and version control, once we have the above details, we can arrange for the firmware and detailed instructions to be sent to you.
Re: Access to the GS2220 switch with radius authentication
I don't have a GS2220, but I checked the help page from other switches describing that the login privilege is up to 14.
This post also mentions privilege 14, so apparently there is no 15.
How to allow RADIUS admin to login the switch? (by Windows Server) — Zyxel Community
USG FLEX H Series - V1.37 Patch 0 Firmware Release
Zywall USG FLEX H Series Release Note
January 2026
Firmware Version on all models
- Please use the cloud firmware upgrade function to upgrade USG FLEX H Series
| USG FLEX H Series | Firmware Version |
| --- | --- |
| FLEX50H | V1.37(ACLO.0)C0 |
| FLEX50HP | V1.37(ACLP.0)C0 |
| FLEX100H | V1.37(ABXF.0)C0 |
| FLEX100HP | V1.37(ACII.0)C0 |
| FLEX200H | V1.37(ABWV.0)C0 |
| FLEX200HP | V1.37(ABXE.0)C0 |
| FLEX500H | V1.37(ABZH.0)C0 |
| FLEX700H | V1.37(ABZI.0)C0 |
New Feature and Enhancements
1. [Enhancement] SSL VPN / Captive Portal authentication with Microsoft Entra ID/Google (OIDC).
2. [Enhancement] Application‑Aware Policy Routing. [eITS#250800760]
3. [Enhancement] Policy Route Next hop support dynamic VPN tunnel.
4. [Enhancement] Anti-Malware allow/block list supports SHA-256 hash value.
5. [Enhancement] Support # and ; as a comment symbol in External Block List (EBL) entry. [eITS#250901370]
6. [Enhancement] Support Anomaly Detection and Prevention. [eITS#250200680]
7. [Enhancement] IPsec VPN (S2S and Remote Access) IKEv2 support AES-GCM.
8. [Enhancement] IPsec VPN (S2S and Remote Access) support DH31-32 group.
9. [Enhancement] IPsec VPN Phase2 policy object supports Interface subnet type.
10. [Enhancement] The IPsec VPN Tunnel zone can be directly matched in Security Policy.
11. [Enhancement] SSL VPN page add Certification expiry information. [eITS#250101430]
12. [Enhancement] mDNS Proxy support AirPlay, AirDrop and Chromecast cross subnets. [eITS#210601927]
13. [Enhancement] BWM: Support for IEEE 802.1p marking. [eITS#250601378, 250600442]
14. [Enhancement] Interface Ingress & Egress Rate Limiting Support. [eITS#250600089]
15. [Enhancement] DHCP table support Import function. [eITS#240101697, 250401083, 250401189]
16. [Enhancement] DHCP: Added validation to prevent the DHCP address pool from exceeding the interface subnet mask range. [eITS#250501381]
17. [Enhancement] Add a validation check in the DHCP pool configuration to prevent the pool from exceeding the interface subnet mask range. [eITS#250501381]
18. [Enhancement] Captive Portal Active Directory integration with “User Principal Name” attribute. [eITS#241101233, 241100761]
19. [Enhancement] (CLI only) Support GARP interval in NAT virtual server rule. [eITS#250800621]
20. [Enhancement] Troubleshooting: Diagnostics add an option to include the running configuration.
21. [Enhancement] Troubleshooting: An event log is now generated when applying an NCC provision configuration fails.
22. [Enhancement] CLI to support device provide Client information (host name) to SecuReporter.
23. [Enhancement] Support custom SecuExtender configuration provisioning port.
24. [Enhancement] User Experience and GUI enhancement:
a. Dark Mode: Added support for Dark Mode.
b. Packet Explorer: Tooltip information is now displayed only for local users and local user groups when the flow changes.
c. Remote Access VPN (IPsec/SSL): Added user object validation in the Authentication section. (User field cannot be empty.) [eITS#250800306]
d. Change to a Different ISP: Updated the informational note (i-note) for improved clarity.
e. Application Patrol: Added a Cancel option when renaming a profile.
f. IGMP Proxy: Added an i-note explaining the processing order between Multicast Address Reception and Security Policy.
g. Captive Portal: The Service Type field in the exempt list now supports the +Add Group function.
h. Security Policy: Log filter now supports protocol-based filtering. [eITS#251100597]
i. Policy Control: Security rule wildcard source address warning message correction. [eITS#251200261]
25. [Enhancement] [Web Configuration Onboarding]: When Web Configuration onboarding (Nebula Cloud) is selected, the device does not perform a reset during site assignment.
26. [Enhancement] [Specific Project – Taiwan]: Added support for SecuManager (v3) under System > Advanced.
27. [Feature Change] [Packet Flow Explorer]: Dynamic/Site-to-Site VPN moved back to the first priority in the routing flow. [eITS#251100706]
28. [Feature Change] [Packet Flow Explorer]: Tooltip information is not displayed for AD/LDAP/RADIUS users or when the user type is set to Group with all members logged in.
29. [Feature Change] [SSL Inspection Statistic]: Removed Maximum Concurrent Session from the GUI. The concurrent session count now turns red when the limit is reached.
30. [Feature Change] [Alert Mail]: Updated memory usage display to focus on system memory usage only, excluding FastPath backend usage.
31. [Feature Change] [Tailscale] Upgrade Tailscale to v1.90.8
32. [Feature Change] [SNMP] SNMP is disabled by default.
33. [Feature Change] [GUI/Captive Portal]: Renamed Authentication Policy > Advance tab to Settings.
34. [Feature Change] [Captive Portal]: When a Redirect FQDN is configured, a DNS A record must be manually added to map the FQDN to the Captive Portal server address (default: 6.6.6.6).
[AP Controller] *Local only
1. [Enhancement] Support to manage IAP500BE
2. [Enhancement] Support individual AP radio settings.
3. [Enhancement] Support client policy by wildcard.
4. [Enhancement] Support proxy by controller directly.
5. [Enhancement] Support wireless diagnostic features.
6. [Enhancement] Support SSID view client information.
7. [Enhancement] Support WLAN Top-N information.
8. [Enhancement] Support internal authentication server certificate selection. [eITS#250701412, 251000304]
9. [Enhancement] Email daily report contains WLAN information
Bug Fix
1. [eITS#250800314] ESP replies to the wrong interface if both ge1 and ge2 are selected in the WAN trunk
2. [eITS#250800936] SSL VPN: Fixed an issue where authentication could fail if a user group contained nested user groups.
3. [eITS#250900060] The VLAN interface cannot assign a DHCP IP address because the interface fails to initialize.
4. [eITS#250900483] Unable to fall back to the primary VTI interface in a route-based VPN scenario
5. [eITS#250900846] SecuReporter missing AD Users display
6. [eITS#250900890] SSL Inspection session was unable to be released automatically
7. [eITS#250901103] Accessing an uninitialized list in the conntrack destroy callback causes undefined behavior and leads to a fastpath daemon deadlock.
8. [eITS#251000114] If an AD user exists in multiple groups, AD authentication may fail.
9. [eITS#251000357] There is a spelling error in the email notification.
10. [eITS#251000497] abnormal DDNS update status
11. [eITS#251000842] VPN authentication fails for AD users with multiple group memberships
12. [eITS#251001202] The DoS prevention rule is configured for traffic from the WAN interface, but it is also filtering traffic coming from the IPsec tunnel.
13. [eITS#251001621] Connected SSL client will get disconnected when adding a new object.
14. [eITS#251100269] Nebula Cloud Authentication for IPsec Remote VPN fails when the USG FLEX H firewall is behind NAT.
15. [eITS#251100344] Fixed reserved IP issue with empty hostname devices.
16. [eITS#251100931] Empty VLAN members
17. [eITS#251100995] High CPU usage leads to stability issues.
18. [eITS#251101213] SNMP daemon causes device to freeze.
19. [eITS#251101734] Pushing settings from NCC causes the PPPoE redial.
20. [eITS#251101885] SNMP daemon core dump in some cases.
21. [eITS#251101960] German Translation Issue – "All" and "Any" Options displayed the same
22. [eITS#251200277] No-IP DDNS cannot sync with the server because the server side supports a new value, and the firewall shows unknown.
23. [eITS#251200748] VPN config not initialized during boot up.
24. [eITS#251201002] Remove the "remove startup" CLI command.
25. [eITS#251201016] The VPN user traffic of "Ext-User" is unable to be managed by Security policy rule.
26. [eITS#251201198] Adjust Content Filter Denied Access Message field limitation: Cannot be saved as blank
27. [eITS#251201358] Adding or modifying a schedule object causes the device web GUI time out.
28. [eITS#251200907] Adjust BWM Source IP address limitation to no more than 1024
29. [ZNGA-8744] [Monitor][VPN Connection] Cannot show Android Strongswan client connection on Client to site login account table.
30. [ZNGA-5688] Policy-based IPSec VPN doesn't bypass the direct route to other subnets.
31. [ZNGA-8815] The local user object cannot be deleted because multiple “provision” references remain with the user.
[AP Controller]
1. [eITS#251001634] Secure WiFi: the managed AP count decreases to the default of 8 when FLEX H Internet access or sync fails.
2. [eITS#251101963] AP List displays a status of “VLAN Conflict” after USG reboot.
Please refer to the Download Link for more details.



