-
How do I set up IP Spoofing Prevention on USG Flex H?
Question: How do I set up IP Spoofing Prevention on USG Flex H? Answer: The user can configure IP Spoofing Prevention in the GUI path: Security Policy > IP Spoofing Prevention. Once the firewall detects an illegitimate private IP on the LAN interfaces (ge3 and ge4), it will drop the packet from the client.
-
How do I whitelist a domain and an IP address in Nebula?
Question: How do I whitelist a domain and an IP address in Nebula? Answer: In Nebula, create allow rules in your security policy and profile settings: add the target domain to the Content Filter/Web Filter allowlist, and add the target IP address to an address object used by an allow rule (or policy exception). Then apply…
-
How can I resolve it if my DNS domain is categorized incorrectly in the Content Filter profile?
Question: How can I resolve it if my DNS domain is categorized incorrectly in the Content Filter profile? Answer: First, verify the domain classification by testing it in the firewall/Nebula content filtering lookup tool. If the category is incorrect, submit a URL/domain recategorization request to Zyxel (or the connected…
-
How can I check event logs for blocked websites on an H Series firewall through Nebula?
Question: How can I check event logs for blocked websites on an H Series firewall through Nebula? Answer: In Nebula, go to Site-wide > Monitor > Firewall > Event log. To review blocked website/security events, select categories such as URL Threat Filter, IP Reputation, Application Patrol, Content Filter, DNS Threat Filter,…
-
How can I block an application by using Content Filtering on H Series?
Question: How can I block an application by using Content Filtering on H Series? Answer: If the application uses specific domains/URLs, you can block it through Content Filtering by denying those domains/URL categories. However, this method is URL/domain-based (not app-signature-based). For stronger and more accurate app…
-
Why does the firewall show “Category Query Fail-Open” even after changing DNS?
Question: Why does the firewall show “Category Query Fail-Open” even after changing DNS? Answer: Please troubleshoot in this order:
1. Check DNS settings: confirm the firewall can correctly resolve "gti-trellix.api.cloud.zyxel.com".
2. Check server reachability: verify connectivity to "gti-trellix.api.cloud.zyxel.com".
3. Check…
-
Why can recent logs download immediately, but older SecuReporter logs remain in “Preparing”?
Question: Why can recent logs download immediately, but older SecuReporter logs remain in “Preparing”? Answer: This is expected behavior. Recent logs are stored in hot storage for fast download, while older logs are moved to archival storage. When archived logs are requested, the system needs extra time to restore and…
-
How to clear ARP table on H Series firewall by CLI?
Question: How to clear ARP table on H Series firewall by CLI? Answer: > cmd arp-table flush
-
Does H Series support Standalone mode during setup?
Question: Does H Series support Standalone mode during setup? Answer: No. H Series does not provide a Standalone mode option during setup (NCC onboarding only). However, after onboarding, administrators can manage settings through both Nebula and the firewall local GUI/CLI, depending on feature scope and configuration type.
-
Zyxel VPN certificate requirements for third-party CA
Question: Can a Zyxel firewall establish certificate-based VPN using only Root CA and Intermediate CA certificates? Answer: No. Zyxel firewall requires a server certificate that includes a private key (such as .PFX/.P12) imported into My Certificates for VPN authentication. Root and Intermediate CA certificates (such as…
-
Does Zyxel H Series support Email Security?
Question: Does Zyxel H Series support Email Security? Answer: No. Email Security is not supported on any Zyxel H Series models.
-
How can I verify that the External Block List for IP Reputation has been fully updated?
Question: How can I verify that the External Block List for IP Reputation has been fully updated? Answer: When the user clicks the "Update Now" button to update the External Block List for IP Reputation, the message "Updating IP reputation external block list." is shown. Once the update is complete, it will show "Update…
-
How do I set the block list in the IP Reputation Filter on the USG Flex H?
Question: How do I set the block list in the IP Reputation Filter on the USG Flex H? Answer: Navigate through Security Services > Reputation Filter > IP Reputation > Block List, and enter the IP you wish to block. Verification: To verify that the IP address can be blocked by the IP Reputation Filter.
-
How to check whether a URL is malicious?
Question: How to check whether a URL is malicious? Answer: There are two methods to check the URL:
1. Go to Site-wide > Configure > Firewall > Security service > URL Threat Filter, enter the URL in "Test Threat Category" and click Test.
2. Go to https://threatintelligence.zyxel.com/checker and navigate to URL…
-
Content filter is not working and shows the log "Service in unavailable: query timeout"
Question: What can I do when the content filter is not working and shows the log "Service in unavailable: query timeout"? Answer: It means the connection to the McAfee server always times out (the device cannot get a response from McAfee), resulting in browsing problems. Please add domain zone forwarder 8.8.8.8 for two domain…
-
Why are nude images still appearing in browser search results when using SafeSearch?
Question: Why are nude images still appearing in browser search results when using SafeSearch? Answer: Please enable SSL inspection. SafeSearch needs to work with SSL Inspection, since all search portals now use HTTPS.
-
How to check SSL inspection default port on USG FLEX H?
Question: How to check SSL inspection default port on USG FLEX H? Answer: Use the following command to check the SSL inspection default port:
usgflex500h> show state vrf main ssl-inspection default-port-state
-
How to bypass a site that is classified as a malicious site on USG FLEX H?
Question: How to bypass a site that is classified as a malicious site on USG FLEX H? Answer: To bypass a site that is classified as malicious, go to Security Services > Reputation Filter > DNS Threat Filter/URL Threat Filter > Allow List. Click "+Add" and add the site to the Allow List.
-
[Nebula USG FLEX H Series] Maximum Security Policy Rules per Model
Q: What is the maximum number of rules allowed in the Security Policy in Nebula for each USG FLEX H Series device? A: Max Firewall ACL Rule Number (= Secure Policy Number):
50H/HP = 500
100H/HP = 500
200H/HP = 2000
500H = 5000
700H = 10000
You may also refer to the user’s guide on pages 634 and 637 for this information.
-
Can I use the USG FLEX H series as a firewall router after the Entry Defense Pack license has expired?
Question: Can I use the USG FLEX H series as a firewall router after the Entry Defense Pack license has expired? Answer: Yes, even after the Entry Defense Pack license expires, your USG FLEX H series device can still function as a basic firewall and router. Here’s what remains functional: MONITOR System Statistics Network Status VPN…