-
What are the different containment actions available in CDR, and how do they behave?
Question: What are the different containment actions available in CDR, and how do they behave? Answer: Alert: This action simply sends an alert notification email to the configured recipient and does not restrict client traffic. Block: This blocks the client's traffic on both the Nebula AP and Firewall, and redirects the…
-
What are the licensing requirements and prerequisites to use CDR?
Question: Do I need a specific license to use the CDR feature on Nebula, and are there any other settings I need to enable first? Answer: License Requirement: Yes, this feature requires a license. You must have a Gold security pack to enable CDR. Prerequisites: Because CDR relies entirely on your security services to…
-
Why is a new client being blocked immediately by CDR when it connects to the network?
Question: Why is a new client being blocked immediately by CDR when it connects to the network? Answer: The firewall containment list references the client’s source IP. New devices might obtain an IP address that is still in the containment list if the DHCP lease of a contained client expires before the containment period…
-
How can I check whether a host has triggered CDR?
Question: How can I check whether a host has triggered CDR? Answer: You can check with the command "cmd _debug cdr show-containment-list": usgflex200h> cmd _debug cdr show-containment-list cdr-debug-show-containment-list data status " CDR Containment Summary Total Events: 1 [2026/04/15 09:28:30] IP: 192.168.168.38 MAC:…
-
How do I set up IP Spoofing Prevention on USG Flex H?
Question: How do I set up IP Spoofing Prevention on USG Flex H? Answer: The user can configure IP Spoofing Prevention in the GUI path: Security Policy > IP Spoofing Prevention. Once the firewall detects an illegitimate private IP on the LAN interfaces (ge3 and ge4), it will drop the packet from the client.
-
How do I whitelist a domain and an IP address in Nebula?
Question: How do I whitelist a domain and an IP address in Nebula? Answer: In Nebula, create allow rules in your security policy and profile settings: add the target domain to the Content Filter/Web Filter allowlist, and add the target IP address to an address object used by an allow rule (or policy exception). Then apply…
-
How can I resolve it if my DNS domain is categorized incorrectly in the Content Filter profile?
Question: How can I resolve it if my DNS domain is categorized incorrectly in the Content Filter profile? Answer: First, verify the domain classification by testing it in the firewall/Nebula content filtering lookup tool. If the category is incorrect, submit a URL/domain recategorization request to Zyxel (or the connected…
-
How can I check event logs for blocked websites on an H Series firewall through Nebula?
Question: How can I check event logs for blocked websites on an H Series firewall through Nebula? Answer: In Nebula, go to Site-wide > Monitor > Firewall > Event log. To review blocked website/security events, select categories such as URL Threat Filter, IP Reputation, Application Patrol, Content Filter, DNS Threat Filter,…
-
How can I block an application by using Content Filtering on H Series?
Question: How can I block an application by using Content Filtering on H Series? Answer: If the application uses specific domains/URLs, you can block it through Content Filtering by denying those domains/URL categories. However, this method is URL/domain-based (not app-signature-based). For stronger and more accurate app…
-
Why does the firewall show “Category Query Fail-Open” even after changing DNS?
Question: Why does the firewall show “Category Query Fail-Open” even after changing DNS? Answer: Please troubleshoot in this order: Check DNS settings: confirm the firewall can correctly resolve "gti-trellix.api.cloud.zyxel.com". Check server reachability: verify connectivity to "gti-trellix.api.cloud.zyxel.com". Check…
-
Why can recent logs download immediately, but older SecuReporter logs remain in “Preparing”?
Question: Why can recent logs download immediately, but older SecuReporter logs remain in “Preparing”? Answer: This is expected behavior. Recent logs are stored in hot storage for fast download, while older logs are moved to archival storage. When archived logs are requested, the system needs extra time to restore and…
-
How to clear the ARP table on an H Series firewall via CLI?
Question: How to clear the ARP table on an H Series firewall via CLI? Answer: > cmd arp-table flush
-
Does H Series support Standalone mode during setup?
Question: Does H Series support Standalone mode during setup? Answer: No. H Series does not provide a Standalone mode option during setup (NCC onboarding only). However, after onboarding, administrators can manage settings through both Nebula and the firewall local GUI/CLI, depending on feature scope and configuration type.
-
Zyxel VPN certificate requirements for third-party CA
Question: Can a Zyxel firewall establish certificate-based VPN using only Root CA and Intermediate CA certificates? Answer: No. Zyxel firewall requires a server certificate that includes a private key (such as .PFX/.P12) imported into My Certificates for VPN authentication. Root and Intermediate CA certificates (such as…
-
Does Zyxel H Series support Email Security?
Question: Does Zyxel H Series support Email Security? Answer: No. Email Security is not supported on any Zyxel H Series models.
-
How can I verify that the External Block List for IP Reputation has been fully updated?
Question: How can I verify that the External Block List for IP Reputation has been fully updated? Answer: Once the user clicks the "Update Now" button to update the External Block List for IP Reputation, the message "Updating IP reputation external block list." is shown. Once the update is complete, it will show "Update…
-
How do I set the block list in the IP Reputation Filter on the USG Flex H?
Question: How do I set the block list in the IP Reputation Filter on the USG Flex H? Answer: Navigate through Security Services > Reputation Filter > IP Reputation > Block List, and enter the IP you wish to block. Verification: To verify that the IP address can be blocked by the IP Reputation Filter.
-
How to check whether a URL is malicious?
Question: How to check whether a URL is malicious? Answer: There are two methods to check the URL. (1) Go to Site-wide > Configure > Firewall > Security service > URL Threat Filter, enter the URL in "Test Threat Category" and click Test. (2) Go to the website https://threatintelligence.zyxel.com/checker, and navigate to URL…
-
Content filter is not working and shows the log "Service in unavailable: query timeout"
Question: What can I do when the content filter is not working and shows the log "Service in unavailable: query timeout"? Answer: It means the connection to the McAfee server always times out (the device cannot get a response from McAfee), resulting in browsing problems. Please add domain zone forwarder 8.8.8.8 for two domain…
-
Why are nude images still appearing in browser search results when using SafeSearch?
Question: Why are nude images still appearing in browser search results when using SafeSearch? Answer: Please enable SSL inspection. SafeSearch needs to work with SSL Inspection, since all search portals now use HTTPS.