We are always working to make our service catered
to your needs, so your thoughts are important to us! Your feedback helps us
decide which features to build and what enhancements should be made to Astra
Service. As a thank you for taking some time to answer these
questions, we will choose five winners at random from every participant who
completes the survey. Take our quick survey and you will be entered to win an
exclusive giveaway, now through Oct. 31st, 2021!
Get Started
Need tips on tying Astra?
We’ve got a Read Guide
Download Astra App before
taking survey! iOS/Android
Noted: Answers must
be provided before the survey-end date, Oct. 31st at 23:59 (UTC+0),
2021, and participants will be eligible to win the Zyxel special giveaway,
including 1-year FREE Astra Service for two winners (The Best Prize) and
etcetera. Zyxel will notify winners via email
individually. Please visit T&Cs for more information.
Best Of
Blastoff with New Nebula Together Launch
New Security Defenses Join Nebula Family
In the post-pandemic era, more employees are forced to work primarily at home. Now that the network perimeter is no longer fixed in the office, securing a distributed network to support a more fluid type of working flow has become important. Nebula Together can help you connect with your customers. Together, streamline and optimize the connectivity and protection with our comprehensive cloud networking solution.
Join us in our new coming live webinar to find out how to integrate stronger and better connection with our reinforced Nebula Together. See how to rev up your business' journey to the cloud and connect securely with the same security level of firewall policies.
In this session, you will discover:
- Same security across networks with our new Nebula Cloud family
- How we bolster cybersecurity defenses for SMBs, MSPs, and hybrid workers
- How to secure remote working with NCC & SecuExtender VPN Client
- How to bring all your licenses and services together in one single platform
Access the full recording here
TARA
5
Tell Us What You Think About Zyxel Astra Preview Edition
Hello there, welcome to our customer survey of new Zyxel Astra Service—a cloud-based engineless endpoint is designed to block the threats and secure mobile working for corporate and BYOD into your network.
TARA
5
Get up to $50 Amazon gift card with Accepted Answer!
Show your networking skills and get awards!
From now to August 31, 2021 (UTC-12), we want to thank the members who have contributed their knowledge on answering questions, we will be giving the top 3 members who have received the most “Accepted Answer” $50 Amazon gift cards!
We will also give the 3 members who gave out “Accepted Answer” $25 Amazon gift card to thank them for giving positive feedbacks and making it easier for other members to find solutions.
Do not forget to give positive feedback when you received a solution to your question, give positive feedback to the author by clicking “Yes”!
What are the rules?
- Top 3 most helpful member:
Answer the questions which are created from August 1, 2021 (UTC-12) to JAugust 31, 2021 (UTC-12) and the answer must be tagged with Accepted Answer.
- Top 3 most active members:
1. Ask questions from August 1, 2021 (UTC-12) to August 31, 2021 (UTC-12)
2. Accept the comments that answer your questions
Additional notice:
Zyxel community administrators will review answers, and reserve rights to make final decision and remove Accepted Answer from the comments.
Useful Information:
Please provide positive feedback to our members!Zyxel Community Guidelines
Sincerely,
Zyxel Community Team
TARA
5
What is Nebula Plus Pack and what's included?
This is one of the most frequently-asked questions from Nebula users since last April when we made a big change in Nebula's licensing. We've drafted a detailed article giving you information on our new Plus Pack, if you haven't read it, click here!
Guidance to help identify, remediate and defend against this security incident
We strongly
recommend to upgrade your device firmware to ZLD4.65/5.02 in order to mitigate the risk of this security
incident
After finish, system will auto create policy control rules.
Delete the unknown accounts
Note:
ZLD4.65 for ZyWALL USG Series/ZyWALL 110/310/1100
ZLD5.02 for ZyWALL ATP Series/USG FLEX Series/VPN Series
You can do cloud auto upgrade by clicking the cloud icon.
Or download firmware from Myzyxel.com server and upload firmware from local PC.
Password notification and security policy check are implemented in this release. Follow below steps to provide optimized protection to your device.
Password change notification
After upgrading firmware to 4.65/5.02, your first login attempt will pop-up a password change notification page that includes,
a. All admin-type user accounts
b. Date of the last password change
c. Password expiration date
We strongly recommend to change all admin-type password again and remove all unwanted admin account.
Security Policy Check
If there is any HTTPS/SSL VPN service port open from WAN to ZyWALL without any restriction on source address, a Security Check Notification page will pop up.
Follow the wizard to change service port for HTTPS/ SSL VPN with trusted Host and change 2FA authentication service port.
After finish, system will auto create policy control rules.
Note: If you changed Web management service port to others, then you have to enter correct service port in your browser to log back in
We also strongly recommend running a thorough configuration examination to see if your device has been compromised. From our field observation, the compromised device will add unwanted accounts and add Policy/Firewall rules to allow undesired traffic into your network.
Delete the unknown accounts
Remove the unknown firewall rules
If you are unable to immediately upgrade to the latest available firmware, please follow the Mitigation Steps to minimize the risk. However, the best solution is still to upgrade to the latest available firmware.
ZLD4.65 & 5.02 Firmware release
Zyxel has been tracking the recent activity of threat actors targeting Zyxel security appliances and has released firmware patches to defend against it. The patches also include additional security enhancements based on users’ feedback and security researchers’ advice, which we strongly recommend users install immediately. A guidance to help you identify, remediate, and defend against the incident is available on the Zyxel forum.
The new features include:
- CVE-2021-35029
Vulnerability fix for web-based management interface of Zyxel USG/ZyWALL, USG FLEX, ATP and VPN series
- Two-Factor Authentication Enhancement
Supports configurable 2FA service port
- Security Check Enhancement
Disables HTTP port automatically while allowing WAN management in security check wizard
- Password Change Reminder
- Log Enhancement
Enhances admin-type user change logs to alert level
Release Date: July 6th, 2021
Supported Models:
Firmware ZLD V4.65: ZyWALL USG Series/ ZyWALL 110/310/1100
Firmware ZLD V5.02: ZyWALL ATP Series/ ZyWALL USG FLEX Series/ ZyWALL VPN Series
Re: SSL VPN vulnerability of June 24th, 2021
Into "User Lockout Settings", "logon retry limit" is enabled. AFAIK this is default for devices, and i never disable that.
mMontana
5
ZLD4.64 & 5.01 Firmware release
Dear Customer,
We recently became aware of a sophisticated threat actor targeting a small subset of Zyxel security appliances that have remote management or SSL VPN enabled. This mitigation firmware will actively guide users to follow general security best practices to reduce the attack surface. The new features include:
- Initial Setup Wizard Enhancements
Helps users to enforce security policies against access to the web management interface and SSL VPN service from the Internet.
- Security Policy Check
Shows misconfiguration of security policies through a pop-up notification, along with firmware update and change password reminder.
- Configurable SSL VPN and WAN Access
Separates access options on SSL VPN and WAN Access service.
- Log Enhancement
Provides a log history when the user object has been changed.
- GeoIP Now a Complimentary Feature
Built-in GeoIP feature to strengthen security access-which is now available free of charge for the entire firewall range.
Release Date: June 28th, 2021
Firmware ZLD4.64: ZyWALL USG Series/ZyWALL 110/310/1100
Firmware ZLD5.01: ZyWALL ATP Series/USG FLEX Series/VPN Series
Best Practices to Secure a Distributed Network Infrastructure
Best Practices to Secure a Distributed Network Infrastructure
In the post-pandemic era, more and more employees are forced to work
primarily from home, thus the way people get connected and the way people
accessing corporate resources has changed forever. Now that the network
perimeter is no longer fixed in the office, securing a distributed network
infrastructure to support a more fluid type of working has become a challenge
for IT professionals.
A fundamental way to enhance network infrastructure security is to safeguard networking devices with secure configurations. Administrators should implement the following recommendations to secure your network infrastructure
1. Secure setup for restricted remote management
- When possible, disable the access from HTTP, HTTPS, PING, SSH, SSL VPN, and TELNET services to your firewall
Default_Allow_WAN_To_ZyWALL and remove all unnecessary services
- Restrict access from trusted host
If you allow the remote access for Web management and SSL VPN service, Zyxel firewall auto scans your current device settings and returns security warning windows after login if the security risk found. To reduce the attack surface:
- Restrict access to trusted hosts/geolocations only. Change the service's
listening port to a non-standard port number
- Configure 2FA authentication for your administrative login will add extra layer of security Zyxel firewalls support 2FA for VPN connection and admin access. Here it is the tutorial about how to implement 2FA feature Case 1: 2FA for SSL VPN connection Case 2: 2FA for admin access
2. Privilege account control, monitoring, and alerts
- Keep monitoring all the user accounts on your device.
- Be aware of built-in and user-defined users account:
Built-in user
account: created by device helps you get access the device
(admin account) or
easily manage the external and guest users
(ad-users/ldap-users/radius-user/
ua-users). These users can’t be deleted.
User-defined user
account: created by device administrator, and can be
modified or deleted.
- Privileged accounts should be monitored and reviewed continuously in order
to identify outsiders leveraging stolen credentials. Remove unused and
unauthorized accounts, and limit the administrative account to as few people as
possible.
Zyxel device separates local administrator and other users (local user, external user, limited administrator) into two tables for simple privileged access management. With local administrator, you can setup and monitor the password expiration date.
- Detect the suspicious account by scanning the user name or create date. If you found any unknown account on your device, review and adjust your security settings to keep your network secure.
- Keep an eye on login user
Zyxel device provides the login users page helps administrator easily discovers information of the current login users, like username, IP address, access type, and physical location
-Monitor > System Status > Login Users
- Setup email alert for suspicious login activity
Zyxel device also supports to send email alert if user account changes or suspicious login activities are detected.
- Go to Configuration > Log & Report > Log Settings, configure mail server,
sender and recipient email address
- Then enable alert for User log category
Here is an example of email alert device notifies user for a suspicious login activity
3. Periodical reminder for admin password change
It's
recommended to change administrator account passwords regularly. Not only
enforce local administrator to change their password periodically, but Zyxel
device also is able to check the new password must meet complexity requirements
- Configuration > Object > User/Group > Setting
Local administrator will get the notification about the last password change and expiration date when login
4. Firmware upgrade push and alert (patch, patch, patch)
An essential part of keeping your infrastructure safe from cyber threats is to ensure device firmware always up to date.
Zyxel device
shows notification icon on Web GUI once a new firmware is available. You can
click to the icon to read the new enhancements before deciding to upgrade
- Maintenance > File Manager > Firmware Management
5. Use Two-Factor Authentication (2FA)
2FA is an extra layer of security to the authentication process by making it harder for attackers to gain access your network, even if the victim's password is hacked. With 2FA, users must not only enter username/password but also submit the verification code to get the access. Zyxel devices provide 2FA for local administrator, local user and VPN access.
- Local administrator and users can select either Google Authenticator or
Email/SMS to retrieve their verification code
-Configuration > Object > User/Group > User
For administrator, you can apply 2FA for Web, SSH, and Telnet accesses
-Configuration > Object > Auth. Method > Two-factor Authentication
VPN users can get the authorized link URL with verification code via Email/SMS for SSL, IPSec, and L2TP/IPSec VPN accesses.
-Configuration > Object > Auth. Method > Two-factor Authentication
6. Back up the device configuration
We recommend that you schedule the device configuration backups for that period. With backups of the configuration file, you can quickly replace the functionality of a piece of network equipment after a failure.
Zyxel device offers fully automated configuration backup, it is able to send a backup of running configuration by mail at scheduled times. Device also can encrypt configuration file in a ZIP file with a user-defined password.
-Maintenance > File Manager > Configuration File > Schedule Backup
You also manually select specific configuration file to download or send
-Maintenance > File Manager > Configuration File > Configuration
4 steps to enjoy advanced ZYXEL services!
4 steps to enjoy advanced ZYXEL services!
1. Where can I purchase the licenses?
Buy online directly
For Clients- Zyxel Marketplace
For Partners- Zyxel Circle
Learn more about Zyxel E-Commerce platforms
P.S. You may also find the above links from the upper right corner of any ZYXEL portal.
Find a Store near you Here!
2. Where can I register the licenses?
For a Nebula service, just register it in Nebula Control Center.
Navigate to Organization-wide > Configure > License & Inventory, click on the Action.
Picture 1. Device related service in Nebula
Navigate to My device & services for MSP license, click on the Register.
Picture 2. For MSP license in Nebula
Other services just register it in myZyxel.
Picture 3. License registration in myZyxel
3. Link/Associate the license to the device
The following license(s) could skip the step:
✕ Nebula MSP license
Other licenses should be device-based; they need to link/associate to the device in myZyxel or Nebula as the following pictures show:
Picture 4. Link license in myZyxel
For Nebula, navigate to Organization-wide > Configure > License & Inventory > License, to select the licenses and click on the Action.
Picture 5. Link/Associate license in Nebula
Here is a wizard to help you assign the licenses into the devices.
Picture 6. Assign licenses wizard in Nebula
4. How to activate the license?
The license must be activated then you can start to use the service. Some licenses will automatically be activated once the payment is successful. If not,
A. For Nebula service, it could only be activated in Nebula Control Center.
- For NCC service, if all your devices in the organization have enough license (every device should have a least one NCC license), you may see the “Upgrade now” button. Once you upgrade the organization successfully, all license will be activated automatically.
Navigate to Organization-wide > Configure > License & Inventory, click on the Upgrade now.
Picture 7. Activate license in Nebula
- For UTM/Secure WiFi service, if you register a UTM license from NCC, it will be automatically activated in most cases. If not, you may also activate it from NCC as below:
Navigate to Organization-wide > Configure > License & Inventory, click on the Device tab and hover to the License info of the device.
Picture 8. Activate UTM/Secure WiFi license in Nebula
- For MSP license, you need to activate it manually.
Navigate to My device & services for MSP license, click on the Activate of license.
Picture 9. Activate MSP license in Nebula
B. Activate in the device web GUI (Only for on-premises mode of Security gateway)
Login your device’s Web GUI, go to Configuration > Licensing > Registration > Service, click the Activate button to initiate the license.
Picture 10. Activate license in Device
After the service has been activated, please click the Service License Refresh button to update the Status.
Picture 11. Refresh service after activate license in Device
C. Activate in myZyxel
- Navigate to Device Management > My Device, click on the MAC Address hyperlink of your device.
- In the Linked Services tab click on Details button of the license.
- You opt to initiate the services license by clicking on Activate button.
Picture 12. Activate license in myZyxel