-
How do I check which category a URL belongs to on USG Flex models using the CLI?
Question: How do I check which category a URL belongs to on USG Flex models using the CLI? Answer: The user can use the following CLI command to check which category a URL belongs to: For instance, the user queries www.google.com to identify its category as a search engine for the firewall. cmd url-category-query search…
-
How to block a specific device using the Device Insight block list?
Scenario: The user may want to block a specific device, and this article will guide you on how to use the Device Insight block list to achieve this purpose. Answer: Navigate to Configuration > Object > Device Insight > Enable this feature. Navigate to Monitor > Network Status > Device Insight > Select the device that you…
-
How to use the CLI to check if the security policy is enabled or disabled on the USG Flex H model?
Question: In this FAQ: How to use CLI to enable and disable security policy? This FAQ will guide you on how to use the CLI to check if the security policy is enabled or disabled on the USG Flex H model. Answer: Please use the CLI command "show config vrf main secure-policy enabled" to check the result. usgflex200h> show…
-
[ATP/FLEX] How do I allow a specific LAN client to access the device on a Nebula firewall?
Scenario: How do I allow a specific IP address to access the device on a Nebula firewall? Answer: For instance, if a user wants to allow the IP address 192.168.1.33 to access the firewall and deny other clients from accessing it, please refer to the steps below to set it up. STEP1. Please navigate to Site-wide > Configure…
-
[ATP/FLEX] Why the firewall rule set to WAN to Any, but cannot block Geo IP to establish VPN?
Question: Why is the firewall rule set to WAN to Any, but it cannot block Geo IP from establishing a VPN, as shown below? Answer: Because the direction 'Any' doesn't include 'Device', the VPN traffic (UDP 500 and 4500) will still be passed to the firewall normally and won't be dropped by the security. To avoid this,…
-
[ATP/FLEX] How can I block VPN services on Nebula firewall?
Scenario: The user wants to block the VPN services on a Nebula firewall. How to configure it? Answer: Please navigate to Site-wide > Configure > Firewall > Security policy to add a security policy to deny traffic from any source to the device for UDP 500 and UDP 4500 ports.
-
[ATP/FLEX] How to block GeoIP to establish IPsec VPN connection with your firewall?
Scenario: If you want to block specific GeoIP addresses from establishing an IPsec VPN connection with your firewall to enhance the security of your network services, how can you configure this? Answer: Please navigate to Site-wide > Configure > Firewall > Security policy and add a security policy to deny UDP 500, and UDP…
-
[ATP/FLEX] How to block Web-Proxy on Nebula
The user might use a Web-Proxy tool (such as Steganos) to bypass Content Filter's category inspection. This article will guide you on how to use security policies to block this behavior. Configuration steps: Navigate to Configure > Firewall > Security policy to set the Action to Deny and configure the Web-Proxy URLs…
-
Why do we encounter the "NET::ERR_CERT_AUTHORITY_INVALID" message when accessing certain websites?
Background and Scenario: When we browse certain specific websites or a device's local Web-GUI, the browser may display a “NET::ERR_CERT_AUTHORITY_INVALID” message. To access the URL or IP address, we need to click 'continue' and then we can browse it. Answer: The root cause is related to the browser not trusting the…
-
How to block the client from accessing a certain country using Geo IP?
Geo IP identifies country-based IP addresses; it allows you to block the client from accessing a certain country based on the security policy. When the user makes an HTTP or HTTPS request, USG Flex H queries the IP address from the cloud database, then takes action when it matches the block country in the…
-
How to configure MAC Authentication via Nebula Cloud Authentication Server (NCAS) on Nebula switch
MAC-based authentication is a powerful security feature that allows you to manage network access based on the MAC addresses of connected devices. By implementing MAC-based authentication, you can strengthen your network's security and ensure that only authorized devices are permitted to connect. Topology and Scenario:…
-
How to protect Nebula switches against rogue DHCP servers?
To enhance the security of your network switches, Zyxel offers two ways of protecting a network on Nebula: the DHCP Server Guard and IP Source Guard features. These features protect your switches against untrusted DHCP servers, ensuring a safer and more reliable network environment. This guide will walk you…
-
[ATP/FLEX] How to Set Up L2TP IPSec VPN with AD Authentication on Nebula?
Nebula Cloud provides VPN solutions that can authenticate through an AD server for L2TP over IPsec VPN / IPsec VPN. Configure Steps Using Windows Server 2016 as the AD server 1. AD server installation Install an AD Server and set it as a domain controller. If installed in a virtual machine, make sure that the virtual NIC…
-
How to configure CNP and claim one-month free license in NCC?
What is Connect & Protect (CNP) service? Connect & Protect service helps to provide a secure and reliable wireless experience by preventing access to malicious websites and optimizing wireless performance. How to claim CNP 1-month free license? To claim the 1-month free license for your Zyxel AP, please go to the device tab in the…
-
How to implement Compound Authentication with Dynamic VLAN Assignment?
Dynamic VLAN Assignment separates and isolates devices into different network segments based on the device or user authorization and their characteristics. Scenario and Topology Configuration The following steps are applicable for switches supporting compound authentication. MAC authentication + Dynamic VLAN assignment is…
-
How to configure port security to disable dynamic MAC learning and allow access to particular device
The port security feature allows the user to limit the number of connected devices by limiting the number of dynamic MAC addresses that can be learned on the port. However, there are scenarios where we would like only certain trusted/known devices to have access, while blocking any unknown “rogue” devices. Let’s say in a small…
-
How to use ACL to mirror traffic matching specific criteria
The port mirroring feature allows the user to duplicate a traffic flow to the monitor port in order to examine/monitor the traffic from the monitor port without interference. It’s useful for troubleshooting or scenarios involving supervisory control. However, there are some cases that monitor port somehow receives numbers of…
-
How to Separate Traffic through L2 Port Isolation
It’s a common application that we desire to separate or isolate the mutual traffic between various clients/devices on switches in a network environment. The most intuitive implementation is to create different VLANs to logically segment a LAN into different broadcast domains to achieve the goal. However, there are certain…
-
How to Configure the Switch to Translate Customer VLAN to Service Provider VLAN
VLAN Mapping provides a mechanism to map a Customer VLAN to a service provider’s VLAN (Translated-VLAN). Packets received on a port will map to a Translated VLAN based on a port ID and customer VLAN ID from packets. VLAN Mapping also can be used to prevent traffic from forwarding between different customers when they use…
-
How to configure the switch & RADIUS server to implement 802.1x Port-auth w/ Dynamic VLAN Assignment
Zyxel switch models support 802.1x Port Authentication, which forces hosts to submit valid user credentials to be authenticated by an authentication server (in this case, a RADIUS server) before their traffic can be forwarded across the switch. Dynamic VLAN Assignment, a variation of Port Authentication, allows host…