USG FLEX H Series - V1.37 Patch 0 Firmware Release

Zywall USG FLEX H Series Release Note 

January 2026

Firmware Version on all models

• Please use the cloud firmware upgrade function to upgrade USG FLEX H Series

New Feature and Enhancements

1. [Enhancement] SSL VPN / Captive Portal authentication with Microsoft Entra ID/Google (OIDC).

2. [Enhancement] Application‑Aware Policy Routing. [eITS#250800760]

3. [Enhancement] Policy Route Next hop support dynamic VPN tunnel.

4. [Enhancement] Anti-Malware allow/block list supports SHA-256 hash value.

5. [Enhancement] Support # and ; as a comment symbol in External Block List (EBL) entry. [eITS#250901370]

6. [Enhancement] Support Anomaly Detection and Prevention. [eITS#250200680]

7. [Enhancement] IPsec VPN (S2S and Remote Access) IKEv2 support AES-GCM.

8. [Enhancement] IPsec VPN (S2S and Remote Access) support DH31-32 group.

9. [Enhancement] IPsec VPN Phase2 policy object supports Interface subnet type.

10. [Enhancement] The IPsec VPN Tunnel zone can be directly matched in Security Policy.

11. [Enhancement] SSL VPN page add Certification expiry information. [eITS#250101430]

12. [Enhancement] mDNS Proxy support AirPlay, AirDrop and Chromecast cross subnets. [eITS#210601927]

13. [Enhancement] BWM: Support for IEEE 802.1p marking. [eITS#250601378, 250600442]

14. [Enhancement] Interface Ingress & Egress Rate Limiting Support. [eITS#250600089]

15. [Enhancement] DHCP table support Import function. [eITS#240101697, 250401083, 250401189]

16. [Enhancement] DHCP: Added validation to prevent the DHCP address pool from exceeding the interface subnet mask range. [eITS#250501381]

17. [Enhancement] Add a validation check in the DHCP pool configuration to prevent the pool from exceeding the interface subnet mask range. [eITS#250501381]

18. [Enhancement] Captive Portal Active Directory integration with “User Principal Name” attribute. [eITS#241101233, 241100761]

19. [Enhancement] (CLI only) Support GARP interval in NAT virtual server rule. [eITS#250800621]

20. [Enhancement] Troubleshooting: Diagnostics add an option to include the running configuration.

21. [Enhancement] Troubleshooting: An event log is now generated when applying an NCC provision configuration fails.

22. [Enhancement] CLI to support device provide Client information (host name) to SecuReporter.

23. [Enhancement] Support custom SecuExtender configuration provisioning port.

24. [Enhancement] User Experience and GUI enhancement: 

a. Dark Mode: Added support for Dark Mode.
b. Packet Explorer: Tooltip information is now displayed only for local users and local user groups when the flow changes.
c. Remote Access VPN (IPsec/SSL): Added user object validation in the Authentication section. (User field cannot be empty.) [eITS#250800306]
d. Change to a Different ISP: Updated the informational note (i-note) for improved clarity.
e. Application Patrol: Added a Cancel option when renaming a profile.
f. IGMP Proxy: Added an i-note explaining the processing order between Multicast Address Reception and Security Policy.
g. Captive Portal: The Service Type field in the exempt list now supports the +Add Group function.
h. Security Policy: Log filter now supports protocol-based filtering. [eITS#251100597]
i. Policy Control: Security rule wildcard source address warning message correction. [eITS#251200261]

25. [Enhancement] [Web Configuration Onboarding]: When Web Configuration onboarding (Nebula Cloud) is selected, the device does not perform a reset during site assignment.

26. [Enhancement] [Specific Project – Taiwan]: Added support for SecuManager (v3) under System > Advanced.

27. [Feature Change] [Packet Flow Explorer]: Dynamic/Site-to-Site VPN moved back to the first priority in the routing flow. [eITS#251100706]

28. [Feature Change] [Packet Flow Explorer]: Tooltip information is not displayed for AD/LDAP/RADIUS users or when the user type is set to Group with all members logged in.

29. [Feature Change] [SSL Inspection Statistic]: Removed Maximum Concurrent Session from the GUI. The concurrent session count now turns red when the limit is reached.

30. [Feature Change] [Alert Mail]: Updated memory usage display to focus on system memory usage only, excluding FastPath backend usage.

31. [Feature Change] [Tailscale] Upgrade Tailscale to v1.90.8

32. [Feature Change] [SNMP] SNMP is disabled by default.

33. [Feature Change] [GUI/Captive Portal]: Renamed Authentication Policy > Advance tab to Settings.

34. [Feature Change] [Captive Portal]: When a Redirect FQDN is configured, a DNS A record must be manually added to map the FQDN to the Captive Portal server address (default: 6.6.6.6). [AP Controller] *Local only

1. [Enhancement] Support to manage IAP500BE

2. [Enhancement] Support individual AP radio settings.

3. [Enhancement] Support client policy by wildcard.

4. [Enhancement] Support proxy by controller directly.

5. [Enhancement] Support wireless diagnostic features.

6. [Enhancement] Support SSID view client information.

7. [Enhancement] Support WLAN Top-N information.

8. [Enhancement] Support internal authentication server certificate selection. [eITS#250701412, 251000304]

9. [Enhancement] Email daily report contains WLAN information

Bug Fix

1. [eITS#250800314] ESP replies to the wrong interface if both ge1 and ge2 are selected in the WAN trunk

2. [eITS#250800936] SSL VPN: Fixed an issue where authentication could fail if a user group contained nested user groups.

3. [eITS#250900060] The VLAN interface cannot assign a DHCP IP address because the interface fails to initialize.

4. [eITS#250900483] Unable to fall back to the primary VTI interface in a route-based VPN scenario

5. [eITS#250900846] SecuReporter missing AD Users display

6. [eITS#250900890] SSL Inspection session was unable to be released automatically

7. [eITS#250901103] Accessing an uninitialized list in the conntrack destroy callback causes undefined behavior and leads to a fastpath daemon deadlock.

8. [eITS#251000114] If AD user exists in multiple groups, it may affect AD auth. failed.

9. [eITS#251000357] There is a spelling error in the email notification.

10. [eITS#251000497] abnormal DDNS update status

11. [eITS#251000842] VPN authentication fails for AD users with multiple group memberships

12. [eITS#251001202] The DoS prevention rule is configured for traffic from the WAN interface, but it is also filtering traffic coming from the IPsec tunnel.

13. [eITS#251001621] Connected SSL client will get disconnected when adding a new object.

14. [eITS#251100269] The Nebula Cloud Authentication of IPsec Remote VPN is failed due to the USG Flex H firewall is behind NAT.

15. [eITS#251100344] Fixed reserved IP issue with empty hostname devices.

16. [eITS#251100931] Empty VLAN members

17. [eITS#251100995] High CPU usage leads to stability issues.

18. [eITS#251101213] SNMP daemon causes device to freeze.

19. [eITS#251101734] Pushing settings from NCC causes the PPPoE redial. 20.[eITS#251101885] SNMP daemon core dump in some cases.

21. [eITS#251101960] German Translation Issue – "All" and "Any" Options displayed the same

22. [eITS#251200277] No-IP DDNS cannot sync with server successfully due to the server side has support new value, and firewall shows unknown.

23. [eITS#251200748] VPN config not initialized during boot up.

24. [eITS#251201002] Remove the "remove startup" CLI command.

25. [eITS#251201016] The VPN user traffic of "Ext-User" is unable to be managed by Security policy rule.

26. [eITS#251201198] Adjust Content Filter Denied Access Message field limitation: Cannot saved as blank

27. [eITS#251201358] Adding or modifying a schedule object causes the device web GUI time out.

28. [eITS#251200907] Adjust BWM Source IP address limitation to no more than 1024

29. [ZNGA-8744] [Monitor][VPN Connection] Cannot show Android Strongswan client connection on Client to site login account table.

30. [ZNGA-5688] Policy-based IPSec VPN doesn't bypass the direct route to other subnets.

31. [ZNGA-8815] The local user object cannot be deleted because multiple “provision” references remain with the user. [AP Controller]

1. [eITS#251001634] Secure WiFi- AP managed amount decreases to default 8 when FLEX H Internet access/synced failed.

2. [eITS#251101963] AP List displays a status of “VLAN Conflict” after USG reboot.

Please refer to the Download Link for more details.