Nebula 19.10 Update: H-Series Support Account and Password Synchronization

Zyxel_Lynn
Zyxel_Lynn Posts: 72  Zyxel Employee
edited August 26 in Other Topics

As part of the Nebula 19.10 release, Zyxel introduces a new approach to administrator account handling for the H-Series firewalls. This update ensures secure and consistent account management across both cloud (NCC) and local device configurations—particularly important since H-Series operates in hybrid mode (managed by both on-premise IT admins and cloud MSPs).

Why a Support Account?

In many cases, local IT admins and managed service providers (MSPs) share responsibilities for the same firewall. To balance this:

  • Admin account → Managed locally by the organization’s IT team, using their private password (not shared with MSPs).
  • Support account → Managed via NCC and shared by the MSP across all their sites, using the site-wide password set in Nebula.

This separation improves security and usability, ensuring that MSPs can manage devices without requiring access to sensitive local passwords.

Rules for Admin and Support Accounts

  1. Default Admin Passwords
    • Older H-Series units shipped with 1234 as the default password.
    • Newer units ship with a unique admin password printed on the back label.
  2. Cloud Onboarding Behavior
    • If the firewall still uses 1234 during cloud onboarding, NCC will force a one-time password change:
      • The admin account password becomes the site-wide password.
      • A support account is created with the same site-wide password.
    • If the firewall already has a unique password (sticker) or the admin password was changed manually, NCC will not override it.
  3. Existing Support Accounts
    • If a firewall already had a locally created account called support, NCC will rename it (e.g., support1, support2) and provision its own support account with the site-wide password.

Where to See the Support Account

  • The support account is not visible in the web GUI.
  • It can be verified in the startup configuration (show config startup) via CLI.
  • Entries appear as:

      nebula-support
      support <MD5-hash-password>

  • This confirms NCC has provisioned the account successfully.

Note: The support account does not appear in backup configuration files—so restoring from backup will not overwrite it.

Password Reset Behavior

To improve security, NCC enforces strict rules:

  • The admin password can never remain 1234 after cloud onboarding.
  • If you factory reset an H-Series, NCC may still apply a pending reset action once the firewall reconnects online.
    • Example: If you reset the firewall, change the admin password locally, and then reconnect it to the internet, NCC may override your local change with the site-wide password if a reset command was queued.
  • This explains cases where customers see their password unexpectedly replaced with the Nebula site-wide password.
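
The onboarding rules and the queued-reset behavior described above, modeled as a small Python function that also flags units whose admin password ends up equal to the MSP-known site-wide password. This is an added illustration, not Zyxel or NCC code; the class and function names, the lowest-free-suffix rename scheme, and the sample passwords are assumptions.

```python
from dataclasses import dataclass, field

DEFAULT_PW = "1234"  # factory default on older H-Series units (per the page)

@dataclass
class Firewall:  # hypothetical model of one device, not a Zyxel data structure
    admin_pw: str                                   # current local admin password
    local_users: set = field(default_factory=set)   # other locally created accounts
    reset_queued: bool = False                      # NCC holds a pending reset action

def next_free(base, taken):
    # Assumption: a renamed account gets the lowest unused numeric suffix.
    n = 1
    while f"{base}{n}" in taken:
        n += 1
    return f"{base}{n}"

def onboard(fw, site_pw):
    """Return (accounts, notes) once the firewall connects to NCC."""
    accounts = {"admin": fw.admin_pw}
    accounts.update({u: "<local secret>" for u in fw.local_users})
    notes = []
    if "support" in accounts:  # pre-existing local account named "support"
        new = next_free("support", accounts)
        accounts[new] = accounts.pop("support")
        notes.append(f"local 'support' renamed to '{new}'")
    accounts["support"] = site_pw  # NCC-provisioned, site-wide password
    # Default password, or a queued reset (the page says NCC "may" apply it;
    # modeled here as always applied), replaces the admin password.
    if fw.admin_pw == DEFAULT_PW or fw.reset_queued:
        accounts["admin"] = site_pw
        notes.append("admin password replaced by site-wide password")
    return accounts, notes

def admin_shared_with_msp(accounts, site_pw):
    # True when the "private" admin credential equals the MSP-known password.
    return accounts["admin"] == site_pw

if __name__ == "__main__":
    SITE_PW = "SiteWide-Example"  # constructed sample value
    fleet = {
        "old unit, default 1234": Firewall("1234"),
        "new unit, sticker password": Firewall("Sticker-Example"),
        "local support accounts": Firewall("Changed-Example", {"support", "support1"}),
        "reset queued while offline": Firewall("Changed-Example", reset_queued=True),
    }
    for name, fw in fleet.items():
        accounts, notes = onboard(fw, SITE_PW)
        print(name, sorted(accounts), notes, admin_shared_with_msp(accounts, SITE_PW))
```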

Summary

| Scenario | Result |
|---|---|
| Old H-Series, default 1234, onboarding | Admin password changed to site-wide password, support account created |
| New H-Series, unique password (sticker) | NCC keeps unique admin password, creates support account |
| Admin password changed manually | NCC respects manual password, creates support account |
| Pre-existing “support” account | Renamed (e.g., support1, support2), NCC provisions its own support account |
| Firewall removed from Nebula site while offline | NCC queues reset; once firewall reconnects, password resets to site-wide password |

Key Takeaways

  • Admin account = Local IT, private, not synced with NCC.
  • Support account = NCC-managed, synced with site-wide password.
  • NCC enforces password policies to eliminate weak defaults (1234).
  • Pending reset actions can override local password changes once the firewall reconnects.

This change provides greater security, better MSP workflows, and standardized account handling for H-Series firewalls, while still giving local admins control over their private credentials.