USG FLEX H Series - V1.37 Patch 0 Firmware Release

Zyxel_Melen

Zywall USG FLEX H Series Release Note 

January 2026

Firmware Version on all models

  • Please use the cloud firmware upgrade function to upgrade USG FLEX H Series
USG FLEX H Series    Firmware Version
FLEX50H              V1.37(ACLO.0)C0
FLEX50HP             V1.37(ACLP.0)C0
FLEX100H             V1.37(ABXF.0)C0
FLEX100HP            V1.37(ACII.0)C0
FLEX200H             V1.37(ABWV.0)C0
FLEX200HP            V1.37(ABXE.0)C0
FLEX500H             V1.37(ABZH.0)C0
FLEX700H             V1.37(ABZI.0)C0

New Feature and Enhancements

1. [Enhancement] SSL VPN / Captive Portal authentication with Microsoft Entra ID/Google (OIDC).

2. [Enhancement] Application‑Aware Policy Routing. [eITS#250800760]

3. [Enhancement] Policy Route Next hop support dynamic VPN tunnel.

4. [Enhancement] Anti-Malware allow/block list supports SHA-256 hash value.

5. [Enhancement] Support # and ; as a comment symbol in External Block List (EBL) entry. [eITS#250901370]

6. [Enhancement] Support Anomaly Detection and Prevention. [eITS#250200680]

7. [Enhancement] IPsec VPN (S2S and Remote Access) IKEv2 support AES-GCM.

8. [Enhancement] IPsec VPN (S2S and Remote Access) support DH31-32 group.

9. [Enhancement] IPsec VPN Phase2 policy object supports Interface subnet type.

10. [Enhancement] The IPsec VPN Tunnel zone can be directly matched in Security Policy.

11. [Enhancement] SSL VPN page add Certification expiry information. [eITS#250101430]

12. [Enhancement] mDNS Proxy support AirPlay, AirDrop and Chromecast cross subnets. [eITS#210601927]

13. [Enhancement] BWM: Support for IEEE 802.1p marking. [eITS#250601378, 250600442]

14. [Enhancement] Interface Ingress & Egress Rate Limiting Support. [eITS#250600089]

15. [Enhancement] DHCP table support Import function. [eITS#240101697, 250401083, 250401189]

16. [Enhancement] DHCP: Added validation to prevent the DHCP address pool from exceeding the interface subnet mask range. [eITS#250501381]

17. [Enhancement] Add a validation check in the DHCP pool configuration to prevent the pool from exceeding the interface subnet mask range. [eITS#250501381]

18. [Enhancement] Captive Portal Active Directory integration with “User Principal Name” attribute. [eITS#241101233, 241100761]

19. [Enhancement] (CLI only) Support GARP interval in NAT virtual server rule. [eITS#250800621]

20. [Enhancement] Troubleshooting: Diagnostics add an option to include the running configuration.

21. [Enhancement] Troubleshooting: An event log is now generated when applying an NCC provision configuration fails.

22. [Enhancement] CLI support for the device to provide client information (host name) to SecuReporter.

23. [Enhancement] Support custom SecuExtender configuration provisioning port.

24. [Enhancement] User Experience and GUI enhancement: 

a. Dark Mode: Added support for Dark Mode.
b. Packet Explorer: Tooltip information is now displayed only for local users and local user groups when the flow changes.
c. Remote Access VPN (IPsec/SSL): Added user object validation in the Authentication section. (User field cannot be empty.) [eITS#250800306]
d. Change to a Different ISP: Updated the informational note (i-note) for improved clarity.
e. Application Patrol: Added a Cancel option when renaming a profile.
f. IGMP Proxy: Added an i-note explaining the processing order between Multicast Address Reception and Security Policy.
g. Captive Portal: The Service Type field in the exempt list now supports the +Add Group function.
h. Security Policy: Log filter now supports protocol-based filtering. [eITS#251100597]
i. Policy Control: Security rule wildcard source address warning message correction. [eITS#251200261]

25. [Enhancement] [Web Configuration Onboarding]: When Web Configuration onboarding (Nebula Cloud) is selected, the device does not perform a reset during site assignment.

26. [Enhancement] [Specific Project – Taiwan]: Added support for SecuManager (v3) under System > Advanced.

27. [Feature Change] [Packet Flow Explorer]: Dynamic/Site-to-Site VPN moved back to the first priority in the routing flow. [eITS#251100706]

28. [Feature Change] [Packet Flow Explorer]: Tooltip information is not displayed for AD/LDAP/RADIUS users or when the user type is set to Group with all members logged in.

29. [Feature Change] [SSL Inspection Statistic]: Removed Maximum Concurrent Session from the GUI. The concurrent session count now turns red when the limit is reached.

30. [Feature Change] [Alert Mail]: Updated memory usage display to focus on system memory usage only, excluding FastPath backend usage.

31. [Feature Change] [Tailscale] Upgrade Tailscale to v1.90.8

32. [Feature Change] [SNMP] SNMP is disabled by default.

33. [Feature Change] [GUI/Captive Portal]: Renamed Authentication Policy > Advance tab to Settings.

34. [Feature Change] [Captive Portal]: When a Redirect FQDN is configured, a DNS A record must be manually added to map the FQDN to the Captive Portal server address (default: 6.6.6.6).

[AP Controller] *Local only

1. [Enhancement] Support to manage IAP500BE

2. [Enhancement] Support individual AP radio settings.

3. [Enhancement] Support client policy by wildcard.

4. [Enhancement] Support proxy by controller directly.

5. [Enhancement] Support wireless diagnostic features.

6. [Enhancement] Support SSID view client information.

7. [Enhancement] Support WLAN Top-N information.

8. [Enhancement] Support internal authentication server certificate selection. [eITS#250701412, 251000304]

9. [Enhancement] Email daily report contains WLAN information

Bug Fix

1. [eITS#250800314] ESP replies to the wrong interface if both ge1 and ge2 are selected in the WAN trunk

2. [eITS#250800936] SSL VPN: Fixed an issue where authentication could fail if a user group contained nested user groups.

3. [eITS#250900060] The VLAN interface cannot assign a DHCP IP address because the interface fails to initialize.

4. [eITS#250900483] Unable to fall back to the primary VTI interface in a route-based VPN scenario

5. [eITS#250900846] SecuReporter missing AD Users display

6. [eITS#250900890] SSL Inspection session was unable to be released automatically

7. [eITS#250901103] Accessing an uninitialized list in the conntrack destroy callback causes undefined behavior and leads to a fastpath daemon deadlock.

8. [eITS#251000114] If an AD user exists in multiple groups, AD authentication may fail.

9. [eITS#251000357] There is a spelling error in the email notification.

10. [eITS#251000497] Abnormal DDNS update status.

11. [eITS#251000842] VPN authentication fails for AD users with multiple group memberships

12. [eITS#251001202] The DoS prevention rule is configured for traffic from the WAN interface, but it is also filtering traffic coming from the IPsec tunnel.

13. [eITS#251001621] Connected SSL client will get disconnected when adding a new object.

14. [eITS#251100269] Nebula Cloud Authentication for IPsec Remote VPN fails when the USG FLEX H firewall is behind NAT.

15. [eITS#251100344] Fixed reserved IP issue with empty hostname devices.

16. [eITS#251100931] Empty VLAN members

17. [eITS#251100995] High CPU usage leads to stability issues.

18. [eITS#251101213] SNMP daemon causes device to freeze.

19. [eITS#251101734] Pushing settings from NCC causes the PPPoE redial.

20. [eITS#251101885] SNMP daemon core dump in some cases.

21. [eITS#251101960] German Translation Issue – "All" and "Any" Options displayed the same

22. [eITS#251200277] No-IP DDNS cannot sync with the server successfully because the server side now supports a new value, and the firewall shows unknown.

23. [eITS#251200748] VPN config not initialized during boot up.

24. [eITS#251201002] Remove the "remove startup" CLI command.

25. [eITS#251201016] The VPN user traffic of "Ext-User" is unable to be managed by Security policy rule.

26. [eITS#251201198] Adjust Content Filter Denied Access Message field limitation: cannot be saved as blank.

27. [eITS#251201358] Adding or modifying a schedule object causes the device web GUI time out.

28. [eITS#251200907] Adjust BWM Source IP address limitation to no more than 1024

29. [ZNGA-8744] [Monitor][VPN Connection] Cannot show Android Strongswan client connection on Client to site login account table.

30. [ZNGA-5688] Policy-based IPSec VPN doesn't bypass the direct route to other subnets.

31. [ZNGA-8815] The local user object cannot be deleted because multiple “provision” references remain with the user.

[AP Controller]

1. [eITS#251001634] Secure WiFi: the managed AP count decreases to the default of 8 when FLEX H Internet access or sync fails.

2. [eITS#251101963] AP List displays a status of “VLAN Conflict” after USG reboot.

Please refer to the Download Link for more details.

Zyxel Melen

