Nebula VPN for H Series Firewalls

Zyxel_Claudia
Zyxel Employee

Summary:
- Enables NCC to automatically configure IPSec VPN Profiles between cloud-managed firewalls.
- Supports VPN provisioning between H Series and other Zyxel Security Appliances.
- Allows only one failover interface for VPN tunnels.
- VPN Load Balancing is not supported.
H Series vs. Non-H Series Nebula VPN:
- H Series Firewalls can join existing Nebula VPN topologies with USG FLEX, ATP, SCR, USG LITE, and other H Series models.
- Non-Nebula VPN peers (third-party or locally managed) can only be added via the H Series' Local Web GUI.
- Non-Nebula VPN peers configured locally will not be displayed in the VPN Orchestrator’s VPN Topology.
VPN Interface and Network Settings:
Path: Site-wide > Configure > Firewall > Site-to-Site VPN
- VPN settings remain unchanged after a device-cloud full synchronization.
- H Series Firewalls support only one primary and one secondary external interface for VPN tunnels.
- Traffic Flow:
  - By default, traffic is sent out through the Primary VPN Interface tunnel.
  - If the Primary VPN Interface fails (due to tunnel failure or ping check failure), traffic is automatically sent through the Secondary VPN Interface.
- Primary and Secondary VPN Interface behavior applies to all Security Appliances as of Nebula 18.30.
- Each VPN Interface creates a full-mesh tunnel with peer interfaces.
- Bridge interfaces cannot be selected for VPN connections.
Nebula VPN Settings:
Path: Site-wide > Configure > Firewall > Site-to-Site VPN
- Settings remain unchanged even after a full device-cloud sync.
- All Nebula VPN setup and behavior remain consistent across H Series and non-H Series models.
Smart VPN Settings:
Path: Organization-wide > Organization-wide Manage > VPN Orchestrator
- H Series VPN settings can also be managed via the VPN Orchestrator’s Smart VPN feature.
Monitoring VPN Connections in NCC:
Path: Site-wide > Monitor > Firewall > VPN Connections
- VPN connection monitoring for H Series Firewalls is identical to non-H Series models.
- Non-Nebula VPN peers configured via the Local Web GUI will not be displayed on this page.
Tracking Nebula VPN Settings in the Local Web GUI:
Path: VPN Status > IPSec VPN > Site-to-Site VPN
- VPN Profiles provisioned by Nebula VPN are route-based VPN policies and are not displayed on the IPSec Site-to-Site VPN page.
- VPN tunnels created from Nebula VPN can be verified under the VPN Status tab.
Routing Flow Hierarchy:
Path: Maintenance > Packet Flow Explore > Routing Flow
- Route-based VPNs created from Nebula VPN fall under "Nebula Static Route" on the Packet Flow Explore page.