Nebula 19.10 Update: H-Series "Configure First" and Onboarding Enhancements

Zyxel_Lynn (Zyxel Employee)
edited August 26 in Other Topics

With Nebula 19.10, Zyxel introduces significant improvements for the H-Series firewalls, giving organizations more flexibility when replacing firewalls, pre-configuring devices, and managing onboarding between cloud (NCC) and local configurations.

These updates are crucial for partners and administrators planning H-Series deployments or migrating from existing firewalls, ensuring smooth transitions with minimal downtime.

1. Pre-Configuration Support for H-Series

Historically, Nebula allowed administrators to create “virtual assets” (pre-configuration profiles) for supported firewall models. These allow you to set up interfaces, routing, and policies in NCC before the physical firewall is added.

With Nebula 19.10, the H-Series firewalls are now included in this list. This means you can:

  • Select the H-Series model when creating a virtual asset.
  • Configure firewall settings in advance.
  • Have settings automatically applied once the device is onboarded.

2. Behavior Differences: Replacing Firewalls

When replacing firewalls in NCC, model tiers and migration paths matter.

Previous Behavior (USG FLEX/ATP)

  • Lower → Higher Tier: Cloud settings are preserved, and NCC converts port settings.
  • Higher → Lower Tier: Cloud settings reset to defaults.

New Behavior for H-Series

  • Replacing H-Series with higher or lower tier H-Series: All cloud settings reset to default.
  • Replacing H-Series with the same tier (e.g., 100H → 100HP): NCC keeps all cloud settings.

This is an important difference to keep in mind when swapping firewalls.

3. New Onboarding Methods for H-Series

Originally, H-Series supported only Local Web Configurator Onboarding, where local settings would override NCC.

With Nebula 19.10 + UOS 1.35 firmware, two new options are added:

  • Plug-and-Play Onboarding:
    • Works like APs and switches.
    • If the device is factory reset and has internet access, NCC automatically provisions it with cloud settings.
  • Nebula Onboarding (via local wizard):
    • During the initial wizard, admins can explicitly choose Nebula.
    • NCC’s cloud settings override local settings.

Summary of Onboarding Methods

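| Method            | Result                                               |
|-------------------|------------------------------------------------------|
| Web Configurator  | Local overrides cloud                                |
| Nebula Onboarding | Cloud overrides local                                |
| Plug-and-Play     | Cloud overrides local (auto-provisioned after reset) |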

4. The Reset Flag: How NCC Decides Who Wins

When an H-Series firewall “calls home” to NCC, it sends a reset flag.

  • True → NCC is allowed to overwrite local settings.
  • False → Local settings override NCC.

When Reset Flag = True

  • Factory reset (30s hold)
  • Device removed/transferred from a Nebula org/site

When Reset Flag = False

  • Web Configurator chosen during onboarding
  • Wizard completed (even if skipped)

Admins can check the reset state via CLI:

show_debug nebula pre-config state

5. Site/Org Transfers: Key Changes in 19.10

  • Before 19.10: Moving a firewall between sites required the Config Override Tool (manual).
  • After 19.10:
    • Firewall undergoes a reboot.
    • Local settings reset to default (with some exceptions).
    • Cloud and local re-synchronize after the wizard.
    • Expect ~5 minutes of downtime during transfer.

Additional Notes

  • Change Organization:
    • Firewall resets admin password and firewall settings.
    • WAN settings can optionally be kept.
  • Change Site:
    • Firewall keeps WAN settings (no option to reset).
    • All other firewall settings reset.

6. The 7-Second Reset vs. 30-Second Reset

  • 30-second reset = Full factory reset (reset flag = True).
  • 7-second reset = System default reset (uses last known onboarding method).

Important: After upgrading to UOS 1.35, the last known method defaults to local onboarding.

  • Meaning: If customers use the 7s reset, the reset flag = False, and plug-and-play onboarding will not occur.
  • To trigger plug-and-play onboarding, customers must either:
    • Perform a full 30-second reset, or
    • Remove the device from its Nebula site/org.

7. Migration Considerations (Replacing Old Firewall with H-Series)

When swapping an older firewall (e.g., USG FLEX 200) with an H-Series (e.g., 200H), customers must consider:

  1. Preserving old firewall’s cloud settings.
  2. Minimizing downtime.
  3. Retaining historical AP/Switch data in the Nebula site.

Recommended Migration SOP

  1. Replicate the site → Preserve old firewall settings in a “backup” site.
  2. Upgrade new H-Series firmware to the latest version.
  3. Configure locally first (choose Web Configurator, unplug WAN during wizard to skip Nebula registration).
  4. Replace physically → Connect new firewall in place of old.
  5. Cloud Device Replacement → Remove old firewall from Nebula, add new H-Series.
    • Since Web Configurator was used, reset flag = False → Local settings override cloud.
  6. Verify stability and re-upload backup config if needed.

This process ensures minimal downtime while preserving historical Nebula data for APs and switches.

8. Looking Ahead

Currently, brand-new H-Series units ship with UOS 1.09 firmware. Customers must:

  1. Complete the local wizard.
  2. Upgrade to 1.35.
  3. Then onboard to Nebula.

In the future, Zyxel plans to allow direct upgrades from factory firmware (1.09) to latest (1.35+) during plug-and-play onboarding, reducing deployment steps.

Final Summary

Nebula 19.10 + UOS 1.35 introduces major changes for H-Series onboarding and migration:

  • Pre-configure H-Series in NCC before device arrival.
  • Three onboarding methods (Web Configurator, Nebula, Plug-and-Play).
  • Reset flag determines override behavior.
  • Transfers now reset settings + require reboot (expect downtime).
  • 7s reset defaults to local method after upgrade; use 30s reset for cloud onboarding.
  • Migration SOP ensures minimal downtime and preserves history when replacing old firewalls.

This update provides administrators with greater flexibility but also introduces new behaviors that must be understood to avoid misconfigurations or unexpected resets.
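
The reset-flag rules from sections 4 and 6 can be walked through as a small state model to predict, before a change window, whether NCC or the local configuration will win. This is an added example, not Zyxel code: the event names, the State type and the function names are hypothetical labels, and the two branches marked as assumptions are not stated in the post.

```python
from dataclasses import dataclass

# Event names below are hypothetical labels for actions the post describes.
@dataclass
class State:
    reset_flag: bool = False    # False: local settings override NCC
    last_method: str = "local"  # last known onboarding method

def apply(state: State, event: str) -> State:
    """Update the modelled device state for one administrative action."""
    if event in ("factory_reset_30s", "removed_from_site_or_org"):
        state.reset_flag = True          # section 4: reset flag = True
    elif event == "wizard_web_configurator":
        state.reset_flag = False         # section 4: reset flag = False
        state.last_method = "local"
    elif event == "wizard_skipped":
        state.reset_flag = False         # section 4: wizard completed, even if skipped
    elif event == "wizard_nebula":
        # Assumption: the post states only the outcome (cloud overrides
        # local); it is modelled here as reset flag = True.
        state.reset_flag = True
        state.last_method = "cloud"
    elif event == "upgrade_uos_1_35":
        state.last_method = "local"      # section 6: defaults to local onboarding
    elif event == "reset_7s":
        # Section 6: the 7-second reset follows the last known method.
        # local -> False is from the post; cloud -> True is an assumption.
        state.reset_flag = state.last_method == "cloud"
    else:
        raise ValueError(f"unknown event: {event}")
    return state

def winner(events, start=None):
    """Return 'cloud' or 'local': whose settings apply after the sequence."""
    state = start or State()
    for event in events:
        apply(state, event)
    return "cloud" if state.reset_flag else "local"

def overwrite_points(events, start=None):
    """Indices of events after which NCC may overwrite local settings."""
    state = start or State()
    return [i for i, event in enumerate(events) if apply(state, event).reset_flag]

if __name__ == "__main__":
    # Constructed change plan: upgrade, then a 7-second reset.
    plan = ["upgrade_uos_1_35", "reset_7s"]
    print(plan, "->", winner(plan))
```

Running a planned sequence through `overwrite_points` shows which step makes locally configured firewall policy overwritable by NCC, which is the step to schedule inside the maintenance window.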