Security Ideas - Zyxel Community

Flex H configure 'source port is zero DROP' logging
Hello, I have an USG Flex H 50 and I get a huge number of alert messages of the type: abnormal tcp traffic detected, source port is zero DROP I have not found any way to disable these logs and they are drowning the important stuff, as you can see on the screenshot. The firewall is already blocking this traffic and that's…
So much missing
having taken delivery of a 500H am surprised how much is missing that I had on my Flex 50. This is a very underwhelming piece of kit - especially given its cost. I read of a two year roadmap - Zyxel you need to accelerate this! I have used your products for years and rated them - am struggling to do that My two cents on…
Built-in ACME Client
As you know, CA/B Forum has voted to shorten validity period for SSL/TLS certificates. Current: Public SSL/TLS certificates currently have a maximum validity of 13 months (approximately 398 days). Upcoming Changes: 2026: Maximum validity will be reduced to 200 days. 2027: Maximum validity will be further reduced to 100…
Wireguard?
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running…
USG Lite 60AX DHCP Option 61
User @too_many_accounts need USG Lite 60AX to support DHCP Option 61 for his ISP in the UK (SKY). Anyone who also needs this option, please leave your comment and give it a vote. Original post
Automatic Firewall config save to Nebula
Nowadays if I change something, I manually save roms of my clients(41 FLEX 200 models, 34 FLEX 100, 10 FLEX 50). I can choose to regurly send roms to an emailadress, but that will be a mess. Why no automatic save to Nebula of it's connected with Nebula? Even better would be that it automatically downloads the rom if…
Actual ZyWall, WLan Password can not be seen (anymore) => Please add checkbox "unmask"
On older ZyWalls it was easy to see / check the wireless password. Now the admin has NO WAY to "recover/find" the wireless password. ⇒ Please add a checkbox unmask, as it exists for the PSK in VPN-Configs.
Support the use of VTI interfaces in the scenario when using a dynamic peer.
Currently, using VTI interfaces in conjunction with a route bases IPSEC VPN outside is a scenario what is supported. Please add this capability in a future release of the firmware for the FLEX H series.
Feature Request: Add Syntax Separators in ACL (Security Rules)
Hello to the team and the community, First, I'd like to thank the developers for their continuous work on Zyxel firewalls, which provide a robust and flexible solution for network security management. However, after several years of intensive use, I would like to suggest an improvement that I believe could greatly enhance…
Ability to rename / delete primary administrator account
I'd love to be able to create my own primary admin account username with something different to "admin" At present, a hacker only has to be able to guess a password, as the username "admin" cannot be removed or disabled. I'd prefer to make unauthorised access harder, by forcing would-be hackers to also having to guess my…
ATP100 - Allow "admin" to be renamed and/or deleted
When installing a Windows Server OS I always rename the Administrator account to an individual name. "Admin", "admin" and "Administrator" are well-known user names that hackers use first when trying to attack a system. My ATP100 does not allow me to rename or delete the standard "admin" account. I can just change the…
ATP 200: Multicast and broadcast routing across VLANs to enable media sharing protocols.
I have created several segments (VLANS) in my network to increase security of my home network. One VLAN is for computers and mobile phones, another VLAN is for data servers (e.g. NAS), another VLAN is for media players (e.g. TVs, SONOS audio players or printers) and another VLAN for IOT devices like Philips Hue.…
In WRR Trunk Load Balancing, add "Bind all sessions from one IP" option on H series Zywall
WRR distributes sessions among available WAN interfaces/lines. However, this may have an adverse effect if multiple sessions from the SAME client are spread among WAN interfaces, effectively showing different IP addresses from the different interfaces. Some sites/apps/services require more than one session to be open, and…
DHCP and Secondary IP
It CAN be possible older models do it! when you do a routing rule incoming LAN next hop WAN 2 SNAT outgoing-interface which will be the the DHCP IP Or in my setup also incoming WAN to Secondary IP 192.168.254.1 Source Address 192.168.252.0/23 next hop WAN 2 SNAT outgoing-interface which will be the the DHCP IP with Static…
SecuExtender VPN CLIENT for ARM processor
I propose a version of the IPSEC client for ARM CPUs.
ZySH scripts in FlexH
In the original version of Flex there was a Maintenance-Shell Script function from the beginning, this was very important for transferring parts of configurations between different boxes. In the new Flex H uOS 1.31 series this is no longer there, and it is reportedly not planned for version 1.32 (04/2025). Is there any…
USG FLEX H series - support user type 'ext-group-user'
User @p4_greg hopes the USG FLEX H series supports the user type 'ext-group-user', like the ZLD firewall. This use case is normally used to limit the VPN users to a specific Active Directory group. If anyone likes this idea, please leave your comment and give it a vote. Original post
GitHub - Repository
Dear Team, I would like to propose the creation of an official GitHub repository for Zyxel, where scripts and solutions for specific use cases can be shared. Currently, there is a lack of repositories containing ready-made templates and scripts, similar to what competitors like Fortigate offer. The repository could…
Console port compatibility with SH-RJ45A from DSD Tech
Hi to all the Zyxel folks reading this message, serial connection has been part of Zyxel devices I see for a long time… Zywall 2 Plus and Zywall 5 had a serial connection availabe, some with RS232 port some with an RJ45 port. Today, RJ45 console port is still on latest USG Flex lineup, and I think it's not going away soon.…
Please fix the settings below, they do not work as intended
Password renewal option every __ days, opting out this option does not work. Even if renew password is NOT enabled, the device still requires a new password for ALL users every 60 days- see pictures attached. Either you take out the click option because it does not work anyway, or you make it work 😊 This other option does…

Welcome!

It looks like you're new here. Sign in or register to get started.