Best Of

USG FLEX with ZLD5.0 Frequently Asked Questions

The following sections covers the new concept same security across networks, product, license service and more.

Part 1 Same Security Across Networks

Q1: Why would I need “same security across networks”?

Due to the pandemic, businesses now need to ensure their networks can be accessed securely outside of the office by their employees working remotely, while still providing the same level of corporate security. The SMB(s) are now faced with an impending issue as to how to ensure a secure connection from a remote workplace back to the corporate network, as a myriad of dangers related to security can occur in a home network or employees' devices, so ensuring the same level of security is implemented at remote workplaces as if it were in the office is essential.

Q2: What are the additional licenses required for same security across networks deployment?

There are Nebula solutions and new security licenses for you to complete“same security across networks”:

Q3. What is Secure WiFi? Are all APs supporting Secure WiFi service?

With Secure WiFi service in the Nebula solution, remote access point is deployed in the remote workplace, such as a home. The RAP could build up secure tunnel (L2 network connection) back to main office and achieve best productivity. The L2 connection is secured by de facto encryption technology, plus strong two-factor authentication is enforced. In Zyxel’s AP portfolio, these products fully support the Secure WiFi service:

Q4. Why would I need secure tunnel?

During these pandemic time, working from home or remote work is becoming the norm. As such for security professionals, how to balance productivity and security is a real challenge. In the Zyxel solution, with the NVGRE tunnel in place, a transparent L2 network connection established in between main office and remote workplace – you could access resources just like sitting in the office using the same wireless network accessing the same application. On the other hand, to increase the security level, we have to tunnel the L2 traffic into a secure tunnel with strong cipher. With combination of both, we could ensure productivity in a secured manner.

Q5. What is 2FA? What is the benefit of implementing 2FA?

2FA (Two-factor Authentication) is the technology to add an extra layer of user identity verification against network access attempts across all premises. With 2FA in place, it simply delivers stronger security. Having a second form of identification greatly decreasing the chance of a hacker gaining access to corporate asset or sensitive information.

Q6. Why would I need Collaborative Detection & Response, when I already enabled UTM services?

Bring Your Own Device (BYOD) is now a trend, and it is here to stay. Personal device access to an organization’s network can present serious security challenges. Unknown risks from drop-in increases, making it hard to manage. On top of the Zyxel Security Fabric, the CDR (Collaborative Detection & Response) feature not only just sending alarm against security breaches, but it takes a step further to stop threat events at the network edge – all these decisions and actions are automatic and unattended.

Q7. What options do I got to enforce corporate security policy in remote workplaces?

In Zyxel Security solution, there are few options of your choice – it depends on the scenario where:

Scenario 1: Single employee/mobility: SecuExtender endpoint software is the best solution. It provides the best available security protection for road warriors.

Scenario 2: Work From Home: To balance productivity and security, Remote AP (located in the remote workplace), plus USG FLEX (located in the main office) are the combination. A L2 tunnel secured by strong cipher delivers streamlined working experience accessing same SSID/VLAN/application in the main office securely. With enforcement of 2FA, it greatly decreases the chance of a hacker gaining access to corporate asset or sensitive information.

Scenario 3: Branch office: Deployed with USG FLEX, it delivers full-blown UTM protection powered by Zyxel Security Fabric. Moreover, VPN Tunnel with IKEv2 provides highest security to inter connect remote networks.

Part 2 Product & Service

Q1: Will the USG FLEX's security services also be available in Nebula?

The UTM Security Pack license is designed for both on premises and on Nebula Cloud. The UTM Security Pack license will be activated automatically once you have the device registered. The UTM Security Pack bundled with USG FLEX including the following services:

Q2: Can I use the ATP series in Nebula Cloud?

No, the ATP series does not support Nebula Cloud. However, Zyxel does plan to bring the ATP to the Nebula Cloud by Q4/2021.

Q3: What is the relationship between SecuReporter and Nebula? What do they integrate today and in the future?

SecuReporter is a cloud-based security analytics tool, which works with ATP/USG FLEX/USG series to deliver comprehensive security insight in your network. When using the USG FLEX in Nebula, we leverage the advantage from both NCC and SecuReporter, so you can access to traffic usage report and event log within NCC while you get in-depth security analytics from SecuReporter with seamless integration (from NCC single-sign-on to SecuReporter, plus redirect to the SecuReporter dashboard landing exactly on the same device)

Q4: Will the USG FLEX come with 1 year of Nebula Pro Pack license?

Yes, the USG FLEX default bundled with 1 year UTM Security Pack license will receive the Nebula Pro Pack license. The UTM Security Pack and the Nebula Pro Pack are aligned with the same expiration date.

However, the device-only USG FLEX will come with 30 days trial UTM Security Pack and Nebula Pro Pack license.

Q5: What license migration plan is available from USG to USG FLEX?

We offer easy migration plan for you to seamlessly migrate to USG FLEX series. We will pick your existing USG license with the longest remaining time as a benchmark and extend other USG licenses to that benchmark for free, and then migrate it to an 8-in-1 USG FLEX license pack. This is a one-time offer for every USG you own. Learn more here.

Q6: Is there a return grace period for licenses converted from USG FLEX back to USG?

No, once the license is converted from a USG to a USG FLEX, the license on the USG will be revoked and the process cannot be reversed.

Q7: Where do I purchase a license?

You can purchase from our local resellers or go directly to our new E-commerce platform Marketplace.

Part 3. Technical in-depth

Q1: Is there a way to convert a Next-Gen USG configuration file and apply it to Nebula?

No, Zyxel’s USG Configuration Converter supports on premises USG Series only. It converts the configuration file of the USG/ZyWALL Series into the format of the USG FLEX/ATP Series.

Q2: What functions will you be losing when moving the USG FLEX appliance from on-premises to Nebula Cloud?

The experience in management will be more in line with Nebula user experience, so some feature configuration may differ but generally the same functionality will remain the same. In Nebula the USG FLEX actually leverages from the cloud and include additional features not found in on-premises mode, such as: 2FA Network Access and Security Profile Sync.

Q3: Will there be any limitations in terms of running a Site-to-Site VPN between a USG FLEX managed in Nebula and any of our other firewalls that are operating in on-premises mode?

Nebula does support VPNs interconnecting with non Nebula-managed gateways, which include on-premises USG FLEX/ATP/USG, and even VPN-capable firewalls from major brands from Fortinet, SonicWALL, and many more.

Q4: Will this be supported – having the flexibility to only apply Application Patrol and Content Filter to specific policy control rules, when a USG FLEX is managed in Nebula Cloud?

Yes, the USG FLEX in Nebula Cloud does support the flexibility to only apply Application Patrol and Content Filter to specific policy control rules. This enables the clients to whitelist devices from these services. In addition to this, they also have the ability to create several profiles to apply to specific sets of clients.

Q5: If I moved my USG FLEX from on-premises to the Nebula Cloud, what features or policy routing changes would there be?

When manage the USG FLEX in Nebula Cloud, there will be less flexibility and granularity of the policy route. As a result, these scenarios won’t be supported:

- The environment has L3 switch and the interface subnet needs going through VPN tunnel.

- Some USG FLEX LAN subnets need going through with specific WAN interface, when the first WAN failed, they need to use the other WAN to go through (failover).

- Having two policy routes and when the primary policy route connectivity check failed, the traffic is expected to go through the secondary policy route.

- Outgoing traffic needs to add the DSCP mark.

- Outgoing traffic needs SNAT with specific IP (current design is: only “SANT to the WAN interface IP” supported)

- The policy route criteria by user/user group or schedule.

- The initiation packet from USG FLEX can't be configured in policy route (current design: only configuring the pass-through traffic is supported)

- These functions are not supported: User/User Group, DSCP, Schedule, Healthy Check, and SNAT with specific IP.

zyxel_Lin

How to set up Configuration Templates

A configuration template is a virtual site. The settings you configured in a template will apply to the real sites which are bound to the template. All sites, which are bound to a template follows settings of the template.

Location path: Organization-wide > Organization-wide manage > Configuration templates

Create a template and bind a site directly

When a site is bound, it will be shown in your template

Bind additional site, unbind site, and revert to template setting

Click your template name

There are 3 buttons can be utilized.

Bind additional site: To bind more site in this template.
Unbind: If you do not want to apply any new settings from the template to a site, then select the site and click unbind button.
Revert to template settings: If you've changed configuration of a site, use this button will be able to make your site configuration back to template settings.

If you want to configure some specific settings directly in a site after the site is bound to a template, select the local override function on top right.

Image: https://us.v-cdn.net/6029482/uploads/editor/tt/wrjz04ubau50.png

After confirming the pop out message, the page select local override function will be configurable.

You can also check which page is enabled local override function in your template.

Note1: You can use a template to configure site-wide settings, switch settings, and access point settings.

Note2: A site can only be bound to one template. The same template can be used by multiple sites. The site(s) and the template should belong to the same organization for binding.

Note3: If the NCC service is downgraded from Nebula Professional Pack to Nebula Basic, all the sites will be unbound from the template(s) but retain the settings already applied from the template.

Zyxel_Adam

Please provide positive feedback to our members!

When you receive a helpful response to your question, click “Yes” to provide the author with positive feedback!

The accepted response will be tagged “Accepted Answer.”

The accepted answer will also be pinned to the top of the comment list so that users who have the same question can easily locate the best answer.

In addition, the author of the accepted answer will receive points that will go toward the author’s promotion on the monthly Most Helpful Member list!

In the coming months, we will also present an activity to encourage members to select accepted answers and promote the most helpful member!

Let’s all provide positive feedback to thank the authors who answer and resolve your questions!

TARA

Free to get 3 months Secure WiFi License!

Image: https://us.v-cdn.net/6029793/uploads/editor/b5/gini7ou8t1u5.jpg

What is Secure WiFi?

Secure WiFi subscription service gives customers the ability to create a “drop-in” Access Point that can be configured to replicate the SSID of your office and automatically create a secure tunnel, creating seamless accessibility to the corporate network. This simplifies the deployment by creating a plug-n-play option while maintaining a high level of control over the security of remote workplaces.

We are excited to invite all of our USG FLEX customers to have a 3-Month license to experience the enhanced support for remote working in an increased security environment.

How to get a 3-Month Secure WiFi license?

All USG FLEX devices registered before 6/30/2021 (UTC-12) is ELIGIBLE to receive the license, regardless of bundled/unbundled version of USG FLEX.

To activate 3-month Secure WiFi license, please refer to How to Activate 3-Month Secure WiFi License.

Summary of the Activity

Promotion period: starts now until 6/30, 2021 (UTC-12)
Giveaway of the event: 3-Month Secure WiFi license and it’s a one-time offer.
The 3-Month Secure WiFi is not transferable

Which ZyWALL gateway/AP is eligible for this event?

Supporting Gateway

USG FLEX Series: USG FLEX100(W)/ USG FLEX200/ USG FLEX500/ USG FLEX700

Supporting Remote AP (RAP)

Secure WiFi license is required to enable RAP functionality. Remote AP supporting the secure tunnel to HQ gateway:

802.11ax (WiFi 6): WAX650S/ WAX610D/ WAX510D

802.11ac Wave 2 (WiFi 5): WAC500/ WAC500H

Useful information:

How to Configure Secure WiFi to Secure the Wireless Environment?
How to Activate 3-Month Secure WiFi License
Deliver Corporate-level Network Security to Anywhere in the World

TARA

Strengthen your networking capability with Zyxel Education Center

Hello Zyxel Community members,

Did you know that you can access the Zyxel Education Center from our Community page? By simply clicking the school icon on the right side of the web page, you can begin learning about networking!

Our Education Center provides multiple online training courses across different product lines, including APs, Switches, Security Gateways, and Cloud Management.

Each of our product line includes a variety of training courses that range from fundamental networking knowledge to basic functions and product operation. Complete our courses and become a Zyxel-certified engineer!

Introductory level courses:

ZCNP – Foundation: This course introduces network structure and commonly used network protocols. Students gain a basic understanding of network communication that can be leveraged to study advanced functions in later courses.

ZCNP – WLAN/SWT/GW/Nebula: These courses provide a basic overview of each networking domain while introducing students to Zyxel products. You begin by learning about various networking standards across both wireless and Ethernet, as well as how to protect enterprise networks from external threats.

ZCNE Level 1 and Level 2: These courses include a detailed instruction to Zyxel products. Level 1 courses focus on basic configuration of products and commonly used functions. Level 2 courses introduce more complex application scenarios and accompanying functions. Through ZCNE, we utilize several real-life scenarios to teach students how to meet the full range of our customers’ product needs. Students learn to plan, design, deploy, and troubleshoot their network with Zyxel products.

* Please contact [[email protected]] to enroll ZCNE courses.

After completing the training course, you can take an online certification exam to evaluate your understanding of all course objectives. Students who pass the exam receive their exclusive Certificates and Community Points.

ZCNP > 5 Points
ZCNE Level 1 > 10 Points
ZCNE Level 2 > 15 Points

In addition to the above awards, Community members earn a Badge that will accompany each of their community posts.

We highly recommend our students regularly review our materials for updates and retake exams to ensure their networking knowledge is up to date and knows those latest functions of Zyxel products. Additional community points will be awarded as they pass the exam again.

Click the hyperlink below to start your learning journey. Gain more points to show your expertise in Zyxel Products!

https://education.zyxel.com/

Zyxel_Richard

Seriously, your ideas could be new feature for Zyxel products!

Hello Members,

Do you have moments that if your own thoughts or ideas can make better experience when using Zyxel products?

We can make your wish come true!

Access Idea on each product category,

simply start a new post here describing your fabulous ideas or voting Active ideas for features or services you wish to have!

Once the ideas get lots of vote , we will give it to our product developers to have them evaluated and tell you the feedback!

Sounds cool?

Give Likes and Try it Now!

TARA

Announcing the winners of our Spring Issue of Appreciation Week!

We have our winners!

13 of you have qualified for at least one entry to win a 30% discount.

Congratulations to our 3 winners:

@OWB

@RichP

@jayd691

Thanks again to all those who have participated. Stay tune for the latest Zyxel news and other upcoming events.

TARA

Why can't I access my Nebula device with my password after it gets online on NCC

All Nebula devices are full-controlled by Nebula Control Center(NCC).
Therefore, Nebula devices will apply the site-wide password after they get online on NCC.
If you want to check or change the password, you may go to Site-wide > Configure > Site settings.

Image: https://us.v-cdn.net/6029482/uploads/editor/ck/argql29pn3wa.png

Zyxel_Jason

Community Appreciation Week – Get a 30% discount for license purchase!

Image: https://us.v-cdn.net/6029793/uploads/editor/ma/9n02xl6ok7w2.jpg

Which of the following impresses you the most with USG FLEX on Nebula

What are the rules?
1. Everyone can only leave one comment.
=> New and duplicate comments from the same user will be removed.
2. The content in the comment needs to follow the guideline of the Community.
=> Please refer the Link for more details.

Additional rule to get an additional chance:
Whenever you get another Like on your comment, you will get an additional chance on winning. That is, the more Likes you get, the more opportunity you will win the prize. Share the link of this page to your friends to have more Likes. Remember to register an account on Zyxel community before clicking the like button.

Prize:
Zyxel Market Place 30% discount code x 3
*1 : Discount code is not valid with other promotions or discounts.
*2 : Coupon code is only valid for orders placed online at Zyxel Marketplace & Marketplace Express.

Carter

[Release Note] Nebula Control Center - Phase 11 software Release!

Zyxel Nebula Control Center Release Note

Common NCC (Organization, Site-wide …etc.) enhancements:

Introduced the per-device licensing model that simplifies the license management and retired the co-termination licensing model.
Added new Nebula Plus Pack license option.
Added new per-account Nebula MSP Pack license option for accessing the cross-org MSP features such as MSP Portal (used to be Free Base Pack feature) and MSP branding (used to be Pro Pack feature).
For MSP menu and MSP Pack licensed features, added new 'Admins and teams' and cross-org synchronization feature sets.
Added Group-wide feature sets for easily manage two or more Pro orgs by a group. (Pro-Pack feature)
Base (Free) org data length for monitoring is now 24 hours; cloud authentication server entry for user/MAC is now 50 authorized entries.
Base org will enter cloud saving mode if admin has not accessed the org for over 1 month.
Cloud authentication is redesigned. User type account can control the access more easily.
Added Two-Factor Authentication (2FA) to nebula cloud authentication. 2FA can be enabled individually on network premises, like a SSID.
Added Cloud Intelligent Log to show the actions generated from the Nebula Cloud itself.
Added Site-wide Clients for managing clients connected to different device types at one single page.
Alert settings are enhanced for many USG FLEX related options.

Wireless LAN (WLAN) enhancements:

Jointly supports Collaborative Detection & Response (CDR) from USG FLEX Security Firewall to block or quarantine malicious wireless AP clients. Supported model: WAX650S, WAX610D, WAX510D, WAC500 and WAC500H (Pro-Pack feature) (UTM Security Pack feature of USG FLEX)
Added Remote AP function which builds secured L2 tunnel to USG FLEX Security Firewall in the office network providing the same working experience for Work-From-Home users. Supported model: WAX650S, WAX610D, WAX510D, WAC500 and WAC500H (SecureWiFi feature of USG FLEX)
Supports Two-Factor Authentication (2FA) for WiFi connections. Supported model: WAX650S, WAX610D, WAX510D, WAC500 and WAC500H
Supports programmable SSID to fulfill unique SSID per Access Point scenario like hotel, dormitory and classroom etc. (Pro-Pack feature)
Added SSID Simple mode in SSID overview that simplifies the SSID configuration.
Authentication configuration is renamed to SSID settings and rearrange the settings to be better structured.
WAX650S now supports zero-wait DFS to provide a non-stop Wi-Fi service for better user experience.
Supports Rate control to optimize Wi-Fi network.
Supports IEEE802.11d configuration to minimize wireless client Interoperability issue.
Added Qatar country code.
Supports 160MHz channel width for Russia(RU), Ukraine(UA) and Belarus(BY).
Supports 80MHz channel width for Ukraine(UA).
Supports channel 144 for Russia(RU) and Japan(JP).

Switching enhancements:

Supports creating IP interfaces. (for Static Route, Auto PD recovery, ONVIF, SNMP and syslog monitoring etc.) (Pro-Pack feature)
Supports Static Route settings. (Pro-Pack feature)
Live tools now support real-time MAC table, ARP table and Routing table statistics.
Supports ONVIF configuration for IPCAM discovery on GS1350 series. (Pro-Pack feature)
Surveillance monitoring supports detection of device types by ONVIF and provides clear summary. (Pro-Pack feature)
Supports to block clients from NCC Clients pages.
Switch now keeps management interface settings when it is removed from a site.
Switch name will apply to firmware and be used in various protocols such as syslog.
Supports DAC media type.

Security Firewall enhancements:

USG FLEX series with v.5.0 firmware starts being manageable by Nebula Control Center.
Added Secure profile sync to configure security service settings in the org level and apply to the member sites. (UTM Security Pack feature)
The VPN membership with site connectivity information is evolved to Smart VPN configuration with software-defined design to easily build scalable VPN networks (areas) among HQ and branches. (Pro-Pack feature, free beta until end of 2021)
Added Collaborative Detection & Response which can alert, block or quarantine malicious wired and wireless AP clients. (UTM Security Pack feature) (block and quarantine actions of USG FLEX and AP are Pro-Pack feature)
Supports Remote AP’s secured L2 tunnel connectivity. (SecureWiFi feature)
Added Site-wide Applications that categorizes applications for better controls and summaries. (UTM Security Pack & NSS Security Pack feature)
Added DNS-based Content filtering. (UTM Security Pack feature)
Supports SecuReporter for security services insights and reports for USG FLEX series. (UTM Security Pack feature)

*NOTE: When USG FLEX 100W is managed by Nebula Cloud, the built-in radio is not supported, that customer cannot configure the built-in radio within Nebula Control Center. This will be fixed soon.

Zyxel_Jonas