-
Will signature downgrade after switching partition?
Question: Will signature downgrade after switching partition? Answer: After switching partition, the signatrue will update in 15 mintues after boot up.
-
Why do content filter block/warn pages fail to display on HSTS-enabled websites?
Question: Why do content filter block/warn pages fail to display on HSTS-enabled websites? Answer: This behavior is an expected limitation caused by HSTS (HTTP Strict Transport Security) enforcement, not a product defect. HSTS requires that the certificate be valid for the exact domain being accessed. It is not sufficient…
-
How to unblock website when it's being blocked by a DNS or Content Filter?
Question: How to unblock website when it's being blocked by a DNS or Content Filter? Answer: The event logs may show the webiste (example: apps.apple.com) is being blocked by the Content Filter. To prevent apps.apple.com from being blocked, you should add *.apps.apple.com to your allow list in the Content Filter settings.…
-
What's the difference between Content Filter and the DNS/URL Threat Filter?
Question: What's the difference between Content Filter and the DNS/URL Threat Filter? Answer: Web Content Filter checks the website category based on the Server Name Indication (SNI) in the HTTPS Client Hello. DNS Content Filter checks the server name category based on the DNS query. If the client is still able to access…
-
Is it possible to block websites when accessed by IP address, while allowing access by domain name?
Question: Is it possible to block websites when accessed by IP address, while allowing access to the same website but by domain name? Answer: This scenario cannot be achieved. Because the block is triggered by L3/4 (IP/Port) instead of L7(domain/URL)
-
What are the different containment actions available in CDR, and how do they behave?
Question: What are the different containment actions available in CDR, and how do they behave? Answer: Alert: This action simply sends an alert notification email to the configured recipient and does not restrict client traffic. Block: This blocks the client's traffic on both the Nebula AP and Firewall, and redirects the…
-
What are the licensing requirements and prerequisites to use CDR?
Question: Do I need a specific license to use the CDR feature on Nebula, and are there any other settings I need to enable first? Answer: License Requirement: Yes, this feature requires a license. You must have a Gold security pack to enable CDR. Prerequisites: Because CDR relies entirely on your security services to…
-
Why is a new client being blocked immediately by CDR when it connects to the network?
Question: Why is a new client being blocked immediately by CDR when it connects to the network? Answer: The firewall containment list references the client’s source IP. New devices might obtain an IP address that is still in the containment list if the DHCP lease of a contained client expires before the containment period…
-
How can I check whether a host has triggered CDR?
Question: How can I check whether a host has triggered CDR? Answer: You can check by the command "cmd _debug cdr show-containment-list" usgflex200h> cmd _debug cdr show-containment-list cdr-debug-show-containment-list data status " CDR Containment SummaryTotal Events: 1 [2026/04/15 09:28:30] IP: 192.168.168.38 MAC:…
-
How do I set up IP Spoofing Prevention on USG Flex H?
Question : How do I set up IP Spoofing Prevention on USG Flex H? Answer : The user can configure IP Spoofing Prevention in the GUI path: Security Policy > IP Spoofing Prevention. Once the firewall detects an illegitimate private IP on the LAN interfaces (ge3 and ge4), it will drop the packet from the client.
-
How do I whitelist a domain and an IP address in Nebula?
Question: How do I whitelist a domain and an IP address in Nebula? Answer: In Nebula, create allow rules in your security policy and profile settings: add the target domain to the Content Filter/Web Filter allowlist, and add the target IP address to an address object used by an allow rule (or policy exception). Then apply…
-
How can I resolve it if my DNS domain is categorized incorrectly in the Content Filter profile?
Question: How can I resolve it if my DNS domain is categorized incorrectly in the Content Filter profile? Answer: First, verify the domain classification by testing it in the firewall/Nebula content filtering lookup tool. If the category is incorrect, submit a URL/domain recategorization request to Zyxel (or the connected…
-
How can I check event logs for blocked websites on an H Series firewall through Nebula?
Question: How can I check event logs for blocked websites on an H Series firewall through Nebula? Answer: In Nebula, go to Site-wide > Monitor > Firewall > Event log. To review blocked website/security events, select categories such as URL Threat Filter, IP Reputation, Application Patrol, Content Filter, DNS Threat Filter,…
-
How can I block an application by using Content Filtering on H Series?
Question: How can I block an application by using Content Filtering on H Series? Answer: If the application uses specific domains/URLs, you can block it through Content Filtering by denying those domains/URL categories. However, this method is URL/domain-based (not app-signature-based). For stronger and more accurate app…
-
Why does the firewall show “Category Query Fail-Open” even after changing DNS?
Question: Why does the firewall show “Category Query Fail-Open” even after changing DNS? Answer: Please troubleshoot in this order: Check DNS settings: confirm the firewall can correctly resolve "gti-trellix.api.cloud.zyxel.com". Check server reachability: verify connectivity to "gti-trellix.api.cloud.zyxel.com". Check…
-
Why can recent logs download immediately, but older SecuReporter logs remain in “Preparing”?
Question: Why can recent logs download immediately, but older SecuReporter logs remain in “Preparing”? Answer: This is expected behavior. Recent logs are stored in hot storage for fast download, while older logs are moved to archival storage. When archived logs are requested, the system needs extra time to restore and…
-
How to clear ARP table on H Series firewall by CLI?
Question: How to clear ARP table on H Series firewall by CLI? Answer: > cmd arp-table flush
-
Does H Series support Standalone mode during setup?
Question: Does H Series support Standalone mode during setup? Answer: No. H Series does not provide a Standalone mode option during setup (NCC onboarding only). However, after onboarding, administrators can manage settings through both Nebula and the firewall local GUI/CLI, depending on feature scope and configuration type.
-
Zyxel VPN certificate requirements for third-party CA
Question: Can a Zyxel firewall establish certificate-based VPN using only Root CA and Intermediate CA certificates? Answer: No. Zyxel firewall requires a server certificate that includes a private key (such as .PFX/.P12) imported into My Certificates for VPN authentication. Root and Intermediate CA certificates (such as…
-
Does Zyxel H Series support Email Security?
Question: Does Zyxel H Series support Email Security? Answer: No. Email Security is not supported on any Zyxel H Series models.