-
Why Does DDNS Fail on USG FLEX When Using a No-IP DDNS Key?
Question: DDNS on USG FLEX devices fails when configuring No-IP for WAN redundancy. The DDNS key is entered in the configuration but the update still does not work. What is the cause, and how can this issue be resolved? Answer: The issue occurs because the USG FLEX firewall does not support No-IP DDNS key authentication.…
-
Why Does the USG FLEX H Series Not Allow Configuring Multiple WAN Interfaces in the Same Subnet?
Question: Why does the USG FLEX H series show the error “Duplicate static IP or subnet detected” when assigning multiple WAN interfaces within the same subnet, and is there a way to make this configuration work? Answer: The USG FLEX H series is designed to prohibit assigning multiple WAN interfaces within the same subnet.…
-
Why can't the DDNS service auto-update the public IP address when the firewall is behind a NAT router?
Question: Why does my firewall use its WAN interface IP instead of the actual public IP for DDNS, and is there a way to make it use the public IP when the firewall is behind a NAT router? Answer: When the firewall is installed behind a NAT router, its WAN interface receives a private IP address, not the real public IP. As…
-
How to make sure the AD (AAA Server) settings are correct?
Question: How to make sure the AD (AAA Server) settings are correct? Answer: There is a Configuration Validation function that verifies your domain name and AD username. If validation still fails, try specifying the full Search Base. Example: Search Base: dc=cso,dc=com
-
How to extend the SIP session timeout on the firewall?
Question: How to extend the SIP session timeout on the firewall? Answer: By default, the UDP session timeout is 300 seconds. You can enable the SIP Pinhole feature to keep your SIP sessions active on the firewall longer than the default UDP timeout.
-
What does the "Restrict Peer to Peer Media / Signaling Connection" function do?
Question: What does the "Restrict Peer to Peer Media / Signaling Connection" function do? Answer: The “Restrict Peer to Peer Media / Signaling Connection” setting is a security feature. When enabled, it prevents unauthorized or malicious traffic from the Internet from entering an active SIP session. It ensures that only…
-
What is the “Media / Signaling Inactivity Timeout” setting in the SIP Pinhole menu?
Question: What is the “Media / Signaling Inactivity Timeout” setting in the SIP Pinhole menu? Answer: This setting determines how long the firewall keeps SIP Media or Signaling sessions open after the traffic stops. For example, if Media Inactivity Timeout is set to 120 seconds, the firewall will keep the media session…
-
What does the SIP Signaling port setting do?
Question: What does the SIP Signaling port setting do? Answer: The SIP Signaling port is used by VoIP phones to communicate with the SIP server. The service port is defined by the SIP server. Signaling includes register, ringing, etc. If the wrong service port is configured, SIP Pinhole cannot help keep the session.
-
Can the SIP Pinhole function support SIP transformation?
Question: Can the SIP Pinhole function support SIP transformation? Answer: No. The SIP Pinhole function does not support SIP transformation. This means that any SIP IP address or SIP header transformation must be handled by the SIP server, not by the firewall.
-
What is the SIP pinhole setting?
Question: What is the SIP pinhole setting? Answer: The SIP pinhole setting is used to maintain SIP signaling and SIP media sessions on the firewall. It automatically keeps the required ports temporarily open (“pinhole”) so that SIP traffic—such as VoIP calls—can pass through the firewall correctly without being dropped.
-
How to show interface throughput by CLI?
Question: How to show interface throughput by CLI? Answer: 1) Log in via SSH. 2) Run the CLI command show interface throughput name {interface}, and use Ctrl + C to stop.
-
Troubleshooting LLDP Neighbor Discovery on USG FLEX 500H with VLANs
Question: What is the cause of LLDP neighbor information not appearing on USG FLEX 500H devices, and how can it be resolved? Answer: The primary reason LLDP neighbor information may not be visible on a USG FLEX 500H, especially when using VLANs, is how the device handles untagged LLDP frames. Root Cause: LLDP traffic is…
-
What's the behavior of "Change to a Different ISP" in WAN interface?
Question: What is the behavior of “Change to a Different ISP” in the WAN interface advanced settings? Answer: The H Series firewall automatically synchronizes its configuration with the Nebula server. Normally, if you modify the interface settings and the new configuration causes the firewall to lose connectivity with…
-
Why does my e-commerce site redirect to the login page when I switch pages under the USG FLEX H?
This issue is not related to the firewall, but rather to your network topology. The redirect to the login page is usually because your server logs you out. In most cases, this happens because you access it from a different IP when you have dual WAN. The firewall has a WAN trunk rule or policy for you to use the dual WAN. In this case, you…
-
Why does our e-commerce site management platform redirect to the login page when I access it?
The redirect to the login page could be because: Your PC can't save the cookie/cache, so your server can't recognize your login session. Your firewall is using dual WAN. For the firewall part, you can set a policy route with a fixed outgoing interface.
-
How to add "Static ARP" to the ARP table to support a WoL scenario?
Question: I would like to set up WoL over a VPN tunnel to wake up a PC from the peer firewall, but there is no ARP record in the firewall, so WoL cannot work even when traffic arrives at the peer firewall. How to add "Static ARP" in the firewall? Answer: > edit running # / vrf main interface ethernet ge3 ipv4 neighbor 192.168.168.100…
-
What are the failed and successful log messages of the Connectivity Check?
Question: This article explains the meaning of 'Check Fail Tolerance' in the Connectivity Check. It shows that if the device reaches the specified number of consecutive failures, the firewall will stop routing through the GE interface. What do the failed and successful log messages of the Connectivity Check look like,…
-
What is the meaning of 'Check Fail Tolerance' in the Connectivity Check?
Question: What is the meaning of 'Check Fail Tolerance' in the Connectivity Check? Answer: It means that if the device reaches the specified number of consecutive failures, the firewall will stop routing through this GE interface. As shown below, the firewall performed five connectivity check failures and then stopped…
-
How can I add a static DHCP IP from the GUI on the USG FLEX H model?
Question: How can I add a static DHCP IP from the GUI on the USG FLEX H model? Answer: The user can navigate to Network Status > DHCP Table, select the interface, and add a static DHCP IP entry. Once the static DHCP IP entry is created successfully, its status will show as Reserved.
-
How to capture packets for a specific port number via CLI on the USG FLEX H model?
Question: How to capture packets for a specific port number via CLI on the USG FLEX H model? Answer: The user can use the CLI command traffic-capture interface <interface-name> filter 'port <number>' to capture packets for a specific port number. For instance, the user can use the CLI command show interface to list the…