Nebula VPN Enhancements: Renaming & Interface Logic Updates

Zyxel_Claudia

Zyxel Networks has implemented several updates to its VPN services for all cloud-managed security appliances (USG FLEX, ATP, Security Routers, and H Series). These enhancements affect not only the naming conventions but also the underlying VPN interface behavior, especially in environments with multiple WAN connections.

VPN Changes

1. Name Changes for VPN Features

To align with market trends and product clarity, the following renaming has occurred:

Rename Nebula VPN Topology to SD-VPN (software-defined VPN)

Non-Nebula VPN Peer to Auto-Link VPN

These changes are now reflected across the Nebula Control Center (NCC) in both configuration and monitoring sections.

2. Removal of ‘Auto’ in Outgoing Interface Settings

Previously, users could set the outgoing interface for a VPN tunnel to “auto”, which allowed the firewall to automatically form tunnels using all available WAN interfaces. For example:

• With WAN1 and WAN2 enabled on both devices, the firewall would create four VPN tunnels.

While this supported load balancing between multiple outgoing interface.

3. New Interface Logic: Primary and Secondary Designation

Now, VPNs are configured with a primary and secondary WAN interface:

• Primary Interface: Used for all traffic if it is available.
• Secondary Interface: Acts as a failover option, only used when the primary is down.

Even though the firewall still forms four tunnels for redundancy, only one tunnel is active for traffic at a time. This improves resource efficiency.