-
Does the USG FLEX or ATP model in Nebula mode support the Reserve IP feature in the client list?
Question: Does the USG FLEX or ATP model in Nebula mode support the Reserve IP feature in the client list? Answer: Yes, please navigate to Site-wide > Clients, select Firewall clients, then select the specific client and click the "Policy" button. After that, select "Reserve IP" and click "Apply policy".
-
Why can't I select VPN traffic in Policy route next hop?
This is because your Nebula VPN type is SD-VPN, which is a route-based VPN. You can follow the topic below to set up your policy route rule: How to set Nebula Policy Route with next hop to VPN when using Nebula SD-VPN? — Zyxel Community
-
How to set Nebula Policy Route with next hop to VPN when using Nebula SD-VPN?
Nebula SD-VPN is not selectable in the Nebula Policy Route next hop option. If you want to direct traffic to SD-VPN, here is the method: Navigate to Site-wide > Monitor > Firewall > VPN connection to find the remote site's VTI interface IP from the SD-VPN status. Set the Policy Route with Intranet traffic, and…
-
How can I verify that the static IP function is working properly on a Nebula firewall (ATP / USG FLE
Question: How can I verify that the static IP function is working properly on a Nebula firewall (ATP / USG FLEX series model)? Answer: Once the user configures a static DHCP IP entry under Site-wide > Configure > Firewall > LAN Interface (for example, assigning the PC a static DHCP IP of 192.168.100.142), the user can…
-
Does the ATP/FLEX Firewall Support SNAT to a Specific IP Address for an Internal PC in Nebula Mode?
Question: Does Nebula support assigning a specific external IP address (non-WAN IP) for an internal PC’s outbound traffic? Answer: Nebula currently does not support assigning a specific outgoing IP address for an internal PC when operating in Nebula mode. If this functionality is required, the recommended approach is to…
-
Why Does RDP Over an SSH Tunnel Not Work on ZyWALL Devices?
Question: Why does RDP fail to connect when using an SSH tunnel on a ZyWALL device, even though the same RDP connection works through an IPsec VPN? Answer: On ZyWALL devices, the SSH service no longer supports TCP Forwarding due to security considerations. This feature has been disabled to prevent potential…
-
Why does one of the firewall clients encounter slow Internet speed? The firewall live tool traffic seems good.
In this scenario, the firewall live tool traffic shows good throughput, the event log looks normal, and your network doesn't have any broadcast or multicast storm. We can run some checks, such as: Check the client's public IP. This is to check which WAN interface the client is using to access the Internet. If the result is one of your…
-
[ATP/FLEX] How to configure and enable Cloud Monitor mode on device HA?
Prerequisites: Reset two ATP/USG FLEX firewalls to factory default settings before deploying device HA. Deploy two ATP/USG FLEX firewalls with device HA. The two devices must be the same model. The running firmware partition must be in the same position on both devices. For example, the running partition of the Active device is…
-
Why can't the host get an IP from DHCP?
Question: Why can't the host get an IP from DHCP? Answer: Check that the dhcpd process is running. Log in to the firewall via SSH and run the command debug system ps | match "dhcp", then capture packets and check whether the firewall replies to the DHCP request.
-
Can I modify implicit allow rules?
Question: Can I modify implicit allow rules? Answer: No, you cannot directly modify or disable implicit allow rules in Security policy. However, you can create new deny rules with higher priority to block traffic as needed. The firewall evaluates traffic based on the order of the rules: custom policies are checked first,…
-
How to properly use Layer2 Isolation on USG ATP/FLEX
Question: How can I effectively use Layer2 Isolation on the USG ATP/FLEX to ensure some clients communicate while others remain isolated? Answer: Layer2 Isolation on the USG ATP/FLEX is designed to allow or block communication between clients on the same subnet. If you think it's not working as expected: * Try flushing the…
-
How can I find the MAC address of a Nebula firewall?
Question: How can I find the MAC address of a Nebula firewall? Answer: Please log in via SSH and run the following command: Router# debug system ip addr
-
How to configure two LAN IPs on a Nebula firewall?
Question: How to configure two LAN IPs on a Nebula firewall? Answer: We are unable to configure a secondary IP on the Nebula firewall.
-
How to check Policy Route on Nebula Firewall
Question: How to check policy route on Nebula Firewall? Answer: Log in to the firewall via SSH and run "debug sdwan show bpolicy running-config". The policy route will be presented in the following format
-
How to check static route on Nebula Firewall
Question: How to check routing on Nebula Firewall? Answer: Log in to the firewall via SSH and run "debug sdwan show route running-config". The static route will be presented in the following format
-
How to Create a Guest Network on Nebula firewall?
Question: How do I create a guest network on Nebula? Answer: To create a guest network on Nebula: Navigate to Site-wide > Configure > Firewall > Interface. Enable the Guest option. Once the guest network is enabled, clients connected to this interface will only have Internet access and will be restricted from accessing…
-
[ATP/FLEX] When WAN1 comes back online, why does the traffic continue to stay on WAN2?
Question: I have configured the Weight Round Robin setting on the Nebula firewall and also set up the WAN2 interface as a Backup interface. But why does the traffic still stay on the WAN2 interface even after the WAN1 interface has completely fallen back? Answer: The firewall will keep the old session on the WAN2 interface until it has transmitted…
-
How to Configure NAT 1:1 Firewall on Nebula?
Question: How can I configure a NAT 1:1 firewall on Nebula? Answer: Go to Site-Wide > Configure > Firewall > NAT, and click Add to create a 1:1 NAT rule. Public IP: WAN interface IP; LAN IP: the IP address of the LAN host; Uplink: WAN1 or WAN2. Note: The public IP address used for NAT cannot be the same as the WAN interface…
-
How to Route Traffic from One LAN to the Internet via a Specific WAN?
Question: How can I route traffic from one LAN to the internet via a specific WAN? Answer: Navigate to Site-Wide > Configure > Firewall > Routing. Click Add to create a policy route. Source: Internal subnet or interface; Destination: Any; Type: Internet Traffic; Next-Hop: External WAN interface.
-
[ATP/FLEX] Why is Guest network on lan2 interface grayed out?
Question: I would like to turn on Guest network on lan2 interface but it is grayed out. How to turn it on? Answer: This is because the interface is being used by the site-to-site VPN. If you need to turn on Guest on the interface, disable VPN usage on this interface first; you can then turn on Guest on the interface.