USG FLEX with ZLD5.0 Frequently Asked Questions
The following sections cover the new concept of “same security across networks”, products, license services and more.
Part 1 Same Security Across Networks
Q1: Why would I need “same security across networks”?
Due to the pandemic, businesses now need to ensure that employees working remotely can securely access the corporate network from outside the office, while still providing the same level of corporate security. SMBs now face the question of how to secure the connection from a remote workplace back to the corporate network, because a myriad of security dangers can arise in a home network or on employees' devices. Ensuring that the remote workplace has the same level of security as the office is therefore essential.
Q2: What are the additional licenses required for same security across networks deployment?
Nebula solutions and new security licenses are available to help you complete “same security across networks”:
Q3. What is Secure WiFi? Do all APs support the Secure WiFi service?
With the Secure WiFi service in the Nebula solution, a remote access point (RAP) is deployed in the remote workplace, such as a home. The RAP can build a secure tunnel (L2 network connection) back to the main office and achieve the best productivity. The L2 connection is secured by de facto encryption technology, and strong two-factor authentication is enforced. In Zyxel’s AP portfolio, these products fully support the Secure WiFi service:
Q4. Why would I need a secure tunnel?
During the pandemic, working from home or remotely is becoming the norm. For security professionals, balancing productivity and security is a real challenge. In the Zyxel solution, with the NVGRE tunnel in place, a transparent L2 network connection is established between the main office and the remote workplace, so you can access resources just as if you were sitting in the office, using the same wireless network and the same applications. To increase the security level, the L2 traffic has to be carried inside a secure tunnel with a strong cipher. The combination of both ensures productivity in a secure manner.
Q5. What is 2FA? What is the benefit of implementing 2FA?
2FA (Two-factor Authentication) is a technology that adds an extra layer of user identity verification to network access attempts across all premises. With 2FA in place, security is simply stronger. Having a second form of identification greatly decreases the chance of a hacker gaining access to corporate assets or sensitive information.
Q6. Why would I need Collaborative Detection & Response when I have already enabled UTM services?
Bring Your Own Device (BYOD) is now a trend, and it is here to stay. Personal device access to an organization’s network can present serious security challenges. Unknown risks from drop-ins increase, making them hard to manage. On top of the Zyxel Security Fabric, the CDR (Collaborative Detection & Response) feature not only sends alarms about security breaches, but also goes a step further and stops threat events at the network edge. All these decisions and actions are automatic and
Q7. What options do I have to enforce corporate security policy in remote workplaces?
The Zyxel security solution offers a few options, depending on the scenario:
Scenario 1: Single employee/mobility: SecuExtender endpoint software is the best solution. It provides the best available security protection for road warriors.
Scenario 2: Work From Home: To balance productivity and security, combine a Remote AP (located in the remote workplace) with a USG FLEX (located in the main office). An L2 tunnel secured by a strong cipher delivers a streamlined working experience, securely accessing the same SSID/VLAN/applications as in the main office. Enforcing 2FA greatly decreases the chance of a hacker gaining access to corporate assets or sensitive information.
Scenario 3: Branch office: Deployed with a USG FLEX, the branch gets full-blown UTM protection powered by Zyxel Security Fabric. Moreover, a VPN tunnel with IKEv2 provides the highest security for interconnecting remote networks.
Part 2 Product & Service
Q1: Will the USG FLEX's security services also be available in Nebula?
The UTM Security Pack license is designed for both on-premises and Nebula Cloud use. It is activated automatically once you have registered the device. The UTM Security Pack bundled with USG FLEX includes the following services:
Q2: Can I use the ATP series in Nebula Cloud?
No, the ATP series does not support Nebula Cloud. However, Zyxel does plan to bring the ATP to the Nebula Cloud by Q4/2021.
Q3: What is the relationship between SecuReporter and Nebula? What do they integrate today and in the future?
SecuReporter is a cloud-based security analytics tool that works with the ATP/USG FLEX/USG series to deliver comprehensive security insight into your network. When you use the USG FLEX in Nebula, you get the advantages of both NCC and SecuReporter: you can access traffic usage reports and event logs within NCC, while SecuReporter provides in-depth security analytics with seamless integration (single sign-on from NCC to SecuReporter, plus a redirect to the SecuReporter dashboard that lands on exactly the same device).
Q4: Will the USG FLEX come with 1 year of Nebula Pro Pack license?
Yes, a USG FLEX that comes bundled by default with the 1-year UTM Security Pack license also receives the Nebula Pro Pack license. The UTM Security Pack and the Nebula Pro Pack have the same expiration date.
However, the device-only USG FLEX comes with a 30-day trial of the UTM Security Pack and Nebula Pro Pack licenses.
Q5: What license migration plan is available from USG to USG FLEX?
We offer an easy migration plan so that you can move seamlessly to the USG FLEX series. We take your existing USG license with the longest remaining time as a benchmark, extend your other USG licenses to that benchmark for free, and then migrate them to an 8-in-1 USG FLEX license pack. This is a one-time offer for every USG you own.
Q6: Is there a return grace period for licenses converted from USG FLEX back to USG?
No, once the license is converted from a USG to a USG FLEX, the license on the USG will be revoked and the process cannot be reversed.
Q7: Where do I purchase a license?
Part 3. Technical in-depth
Q1: Is there a way to convert a Next-Gen USG configuration file and apply it to Nebula?
No, Zyxel’s USG Configuration Converter supports the on-premises USG Series only. It converts the configuration file of the USG/ZyWALL Series into the format of the USG FLEX/ATP Series.
Q2: What functions will you be losing when moving the USG FLEX appliance from on-premises to Nebula Cloud?
The management experience will be more in line with the Nebula user experience, so the configuration of some features may differ, but in general the functionality remains the same. In Nebula, the USG FLEX also leverages the cloud and includes additional features not found in on-premises mode, such as 2FA Network Access and Security Profile Sync.
Q3: Will there be any limitations in terms of running a Site-to-Site VPN between a USG FLEX managed in Nebula and any of our other firewalls that are operating in on-premises mode?
Nebula does support VPNs that interconnect with gateways not managed by Nebula, including on-premises USG FLEX/ATP/USG devices and even VPN-capable firewalls from major brands such as Fortinet, SonicWALL, and many more.
Q4: Will this be supported – having the flexibility to only apply Application Patrol and Content Filter to specific policy control rules, when a USG FLEX is managed in Nebula Cloud?
Yes, the USG FLEX in Nebula Cloud does support the flexibility to only apply Application Patrol and Content Filter to specific policy control rules. This enables the clients to whitelist devices from these services. In addition to this, they also have the ability to create several profiles to apply to specific sets of clients.
Q5: If I moved my USG FLEX from on-premises to the Nebula Cloud, what features or policy routing changes would there be?
When the USG FLEX is managed in Nebula Cloud, policy routes offer less flexibility and granularity. As a result, these scenarios won’t be supported:
- The environment has an L3 switch and the interface subnet needs to go through the VPN tunnel.
- Some USG FLEX LAN subnets need to go out through a specific WAN interface and, when that first WAN fails, use the other WAN instead (failover).
- There are two policy routes and, when the connectivity check of the primary policy route fails, traffic is expected to go through the secondary policy route.
- Outgoing traffic needs a DSCP mark added.
- Outgoing traffic needs SNAT with a specific IP (current design: only “SNAT to the WAN interface IP” is supported).
- The policy route criteria include user/user group or schedule.
- The initiating packet from the USG FLEX itself can't be configured in a policy route (current design: only configuring pass-through traffic is supported).
- These functions are not supported: User/User Group, DSCP, Schedule, Health Check, and SNAT with specific IP.