User's Guide
USG FLEX H Series
Version 1.10 Edition 2, 9/2023
Default Login Details
Login IP Address
https://192.168.168.1
User Name
admin
Password
1234
Copyright © 2023 Zyxel and/or its affiliates. All rights reserved.

Summary of Contents for ZyXEL Communications USG FLEX H Series

  • Page 2 • Web Configurator Online Help Click the help icon in any screen for help in configuring that screen and supplementary information. • More Information Zyxel Device. Go to support.zyxel.com to find other information on USG FLEX H Series User’s Guide...
  • Page 3: Document Conventions

    Figures in this user guide may use the following generic icons. The Zyxel Device icon is not an exact representation of your device. Zyxel Device Generic Router Wireless Router / Access Point Switch Firewall Server Internet Network Cloud Smartphone USB Dongle USG FLEX H Series User’s Guide...
  • Page 4: Table Of Contents

    IP Exception ............................314 SSL Inspection ............................319 User & Authentication ........................331 System ..............................350 Log and Report ........................... 392 File Manager ............................403 Diagnostics ............................411 Reboot ..............................422 Troubleshooting ..........................424 USG FLEX H Series User’s Guide...
  • Page 5: Table Of Contents

    2.3.3 Interface Type - PPPoE ......................36 2.4 System Time ............................. 37 2.5 Device Registration ........................38 2.5.1 Exit the Wizard ........................39 2.6 License Activations ......................... 41 2.7 Finish ..............................42 Chapter 3 Hardware, Interfaces and Zones ......................43 USG FLEX H Series User’s Guide...
  • Page 6 5.4 The Resource Statistics Screen ...................... 67 5.5 The App Patrol Screen ........................68 5.6 The Content Filter Screen ......................69 5.7 The Reputation Filter Screens ......................71 5.7.1 IP Reputation ......................... 71 5.7.2 DNS Threat Filter ........................72 USG FLEX H Series User’s Guide...
  • Page 7 7.4 Bridge Interface ..........................121 7.4.1 Bridge Add/Edit ........................123 7.5 VTI Interface ..........................126 7.5.1 Restrictions for IPSec Virtual Tunnel Interface ..............127 7.5.2 VTI Add/Edit ......................... 127 7.6 Trunk Overview ..........................129 USG FLEX H Series User’s Guide...
  • Page 8 11.3.1 The Site to Site VPN Add/Edit Screen- Wizard ..............168 11.3.2 The Site to Site VPN Add/Edit Screen- Custom .............. 174 11.4 The Remote Access VPN Screen ..................... 178 Chapter 12 SSL VPN..............................184 USG FLEX H Series User’s Guide...
  • Page 9 14.4.1 What You Need to Know ....................226 14.4.2 The Schedule Screen ......................226 14.4.3 The Schedule Group Screen .................... 230 Chapter 15 Application Patrol ..........................232 15.1 Overview ............................. 232 15.1.1 What You Can Do in this Chapter ................... 232 USG FLEX H Series User’s Guide...
  • Page 10 18.1.1 What You Can Do in this Chapter ................... 291 18.2 Anti-Malware Screen ......................... 291 18.3 The Allow List Screen ........................293 18.4 The Block List Screen ........................295 18.5 Anti-Malware Technical Reference ..................297 Chapter 19 Sandbox............................299 USG FLEX H Series User’s Guide...
  • Page 11 23.1.1 What You Need To Know ....................331 23.1.2 User/Group User Summary Screen .................. 332 23.1.3 User Add/Edit Screen ......................334 23.1.4 User/Group Group Summary Screen ................337 23.1.5 User/Group Setting Screen ....................339 USG FLEX H Series User’s Guide...
  • Page 12 24.4.12 Editing a Security Option Control .................. 370 24.4.13 The DDNS Screen ......................371 24.4.14 The DDNS Add/Edit Screen .................... 373 24.5 Notification ..........................375 24.5.1 Mail Server .......................... 375 24.5.2 Alert ............................ 377 24.6 Certificate Overview ........................378 USG FLEX H Series User’s Guide...
  • Page 13 27.3.1 The Packet Capture Edit Screen ..................414 27.4 The CPU / Memory Status Screen ..................... 417 27.5 The System Log Screen ......................419 27.6 The Network Tool Screen ......................420 Chapter 28 Reboot...............................422 USG FLEX H Series User’s Guide...
  • Page 14 Chapter 29 Troubleshooting..........................424 29.1 Resetting the Zyxel Device ......................434 29.2 Getting More Troubleshooting Help ..................434 Appendix A Customer Support ..................... 435 Appendix B Product Features ......................440 Appendix C Legal Information ...................... 443 USG FLEX H Series User’s Guide...
  • Page 15: Part I: User's Guide

    User’s Guide...
  • Page 16: Introduction

    App Patrol Content Filter SecuReporter Reputation Filter Sandboxing Device Insight IP Exception SSL encrypted traffic Bundled UTM 1 year 1 year 1 year 1 year 1 year 1 year Feature License Management by Nebula Control USG FLEX H Series User’s Guide...
  • Page 17: Registration At Nebula Control Center (NCC)

    New licenses are valid for 1 year from the date of purchase. Please note that a trial license does not have a grace period. USG FLEX H Series User’s Guide...
  • Page 18: Applications

    In the following figure, user A can access both the Internet and an internal file server. User B has a lower level of access and can only access the Internet. User C is not even logged in, so cannot access either the Internet or the file server.
  • Page 19: Management Overview

    You can manage the Zyxel Device in the following ways. Web Configurator The Web Configurator allows easy Zyxel Device setup and management using an Internet browser. This User’s Guide provides information about the Web Configurator. USG FLEX H Series User’s Guide...
  • Page 20 The device can be monitored and/or managed by an SNMP manager. See Section 24.3 on page 356. Management Authentication Managers must be authenticated with a username and password, using one of: • Local Zyxel Device authentication • An external RADIUS server USG FLEX H Series User’s Guide...
  • Page 21: Web Configurator

    Update Admin Info screen. Enter a new password of 1 to 64 characters. Make a note of your new password, enter it in the following screen, then click Apply. The Login screen appears again. Log in with your new password.
  • Page 22: Remote Access To The Zyxel Device Networks

    IPSec VPN. 1.4.3 Web Configurator Screens Overview The Web Configurator screen is divided into these parts: • A – title bar • B – navigation panel • C – main window USG FLEX H Series User’s Guide...
  • Page 23 Change Password: This is for the admin account only. Click this to change the account password. You will need to log in again using the new password. Logout: Click this to log out of the Web Configurator. About Click About to display basic information about the Zyxel Device.
  • Page 24 Use the Reference button to view which configuration settings reference the object. For example, go to Object > Zone to select an entry, then click Reference to open the References screen. The References screen displays which settings are using the selected entry. Figure 9 Reference
  • Page 25: Navigation Panel

    Use the navigation panel menu items to open status and configuration screens. Click the arrow of the navigation panel to hide the panel. The following sections introduce the Zyxel Device’s navigation panel menus and their screens. USG FLEX H Series User’s Guide...
  • Page 26 Table 7 Dashboard Menu Screens Summary FOLDER OR LINK FUNCTION System Collect and display the Zyxel Device system information, such as serial number, MAC address and CPU usage. Security Collect and display security event statistics. USG FLEX H Series User’s Guide...
  • Page 27 Configuration Screens Use the configuration screens to configure the Zyxel Device’s features. Table 9 Configuration Menu Screens Summary FOLDER OR LINK FUNCTION Services Licensing Signature Update Update signatures immediately or by a schedule. Network USG FLEX H Series User’s Guide...
  • Page 28 Enable and configure IPS settings. Create, import, or export custom signatures. Allow List Configure signatures that will be exempted from IPS inspection. USG FLEX H Series User’s Guide...
  • Page 29 Use this screen to configure: • The Zyxel Device host name. • System time settings. • Remote access to the Zyxel Device settings. • The web configurator language display settings. SNMP SNMP Configure SNMP communities and services. USG FLEX H Series User’s Guide...
  • Page 30: Tables And Lists

    1.4.5 Tables and Lists Web Configurator tables and lists are flexible with several options for how to display their entries. Click a column heading to sort the table’s entries according to that column’s criteria. USG FLEX H Series User’s Guide...
  • Page 31 Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time. Figure 15 Navigating Pages of Table Entries USG FLEX H Series User’s Guide...
  • Page 32 When a list of available entries displays next to a list of selected entries, you can often just double-click an entry to move it from one list to the other. Figure 17 Working with List USG FLEX H Series User’s Guide...
  • Page 33: Initial Setup Wizard

    Click Next to configure the Zyxel Device settings with the initial setup wizard. Note: You cannot proceed with the initial setup wizard if you do not select the check box. USG FLEX H Series User’s Guide...
  • Page 34: Connect To The Internet

    Type a string using up to 63 of these characters a-zA-Z0-9!\"#$%&'()*+,-./:;<=>?@[]^_`{} to identify this Zyxel Device to the DHCP server. For example, Zyxel-TW. • VLAN Tag: Enable to tag the traffic going out from the Zyxel Device.
  • Page 35: Interface Type - Static

    • Connection Test: Click Connection Test to check that you can access the Internet. If you cannot, click Back and confirm that you entered the settings correctly. If you have, check that you got the correct settings from your ISP or network administrator. USG FLEX H Series User’s Guide...
  • Page 36: Interface Type - PPPoE

    • VLAN Tag: Enable to tag the traffic going out from the Zyxel Device. • VLAN ID: Enter a VLAN ID. This 12-bit number uniquely identifies each VLAN. Allowed values are 1-4080.
  • Page 37: System Time

    If your Zyxel Device cannot get the correct date and time, it may not be able to connect to a time server. Check the time server settings in System > Settings after you log into the Zyxel Device.
  • Page 38: Device Registration

    Note: You must register your Zyxel Device at NCC to activate security services and upgrade firmware. You cannot proceed with the initial setup wizard if you do not register your Zyxel Device. Note: The Zyxel Device must be connected to the Internet in order to register. USG FLEX H Series User’s Guide...
  • Page 39: Exit The Wizard

    Registration step. You will be redirected to the Zyxel Device login page after you click Exit. You cannot use the Zyxel Device security services and upgrade firmware if you do not register your Zyxel Device at NCC. USG FLEX H Series User’s Guide...
  • Page 40 You will also see a warning message to remind you to register your Zyxel Device every time you log into the web configurator. Please note that you will only see the warning message if you log in using an admin account. USG FLEX H Series User’s Guide...
  • Page 41: License Activations

    Internet connection is working and click Refresh again. To check your Internet connection, try to access the Internet from a computer connected to a LAN port on the Zyxel Device. If you cannot, then check your Internet access settings on the Zyxel Device. USG FLEX H Series User’s Guide...
  • Page 42: Finish

    The following screen displays when you finish the initial setup wizard. Click Finish to log into the Zyxel Device web configurator to configure the Zyxel Device settings. Click the Nebula Control Center (NCC) hyperlink to go to NCC to monitor and manage your Zyxel Device. Figure 28 Finish USG FLEX H Series User’s Guide...
  • Page 43: Hardware, Interfaces And Zones

    Category 5 100M 100 m 100 MHz Category 5e 100 m 100 MHz Category 6 100m:1G 1G / 10G 250 MHz 37-50m:10G Category 6a 100 m 500 MHz Category 7 100 m 600 MHz USG FLEX H Series User’s Guide...
  • Page 44: PoE

    USG FLEX 500H USG FLEX 700H IEEE 802.3 at PoE+ port 8 port 2 port 3-4 port 3-4 Power Management Mode Consumption Consumption Consumption Consumption Classification Classification Classification Classification (default) (default) (default) (default) PoE Power Budget USG FLEX H Series User’s Guide...
  • Page 45: Front Panels

    Figure 30 USG FLEX 100H Front Panel Figure 31 USG FLEX 100HP Front Panel Figure 32 USG FLEX 200H Front Panel Figure 33 USG FLEX 200HP Front Panel Figure 34 USG FLEX 500H Front Panel USG FLEX H Series User’s Guide...
  • Page 46 The Zyxel Device is sending or receiving packets on this port at 1 Gbps. 500H) Amber This port has a successful 100 Mbps link. Blinking The Zyxel Device is sending or receiving packets on this port at 100 Mbps. There is no connection on this port. USG FLEX H Series User’s Guide...
  • Page 47 When configuring using the console port, you need a computer equipped with communications software configured to the following parameters: • Speed 115200 bps • Data Bits 8 • Parity None • Stop Bit 1 • Flow Control Off USG FLEX H Series User’s Guide...
  • Page 48: Rear Panels

    Figure 40 USG FLEX 500H Rear Panel Figure 41 USG FLEX 700H Rear Panel Note: Make sure you connect the Zyxel Device's power cord to a socket-outlet with an earthing connection or its equivalent. USG FLEX H Series User’s Guide...
  • Page 49: Installation Scenarios

    Table 19 USG FLEX Series Installation Comparison Table USG FLEX 100H/USG FLEX 100HP/ USG FLEX USG FLEX USG FLEX MODELS 500H 700H USG FLEX 200H/USG FLEX 200HP Rubber feet for desktop placement Wall Mounting Rack Mounting USG FLEX H Series User’s Guide...
  • Page 50: Desktop Installation Procedure

    Make sure the rack will safely support the combined weight of all the equipment it contains and that the position of the ZyWALL does not make USG FLEX H Series User’s Guide...
  • Page 51: Wall-Mounting

    When stacking in a rack, make sure there is at least 40 mm of clearance between Zyxel Devices. 3.2.3 Wall-mounting Do the following to attach your Zyxel Device to a wall. USG FLEX H Series User’s Guide...
  • Page 52 Note: Make sure the screws are securely fixed to the wall and strong enough to hold the weight of the Zyxel Device with the connection cables. Use the holes on the bottom of the Zyxel Device to hang the Zyxel Device on the screws. USG FLEX H Series User’s Guide...
  • Page 53: Power Cord Lock

    3.3.1 For USG FLEX 100H, USG FLEX 100HP, USG FLEX 200H, USG FLEX 200HP, USG FLEX 500H Use a screwdriver to remove the power cord lock and the screw from the Zyxel Device.
  • Page 54 Connect the power cord to the Zyxel Device power socket. Use the screwdriver to secure the power cord lock and the screw with the power cord to the hole next to the power socket.
  • Page 55: For USG FLEX 700H

    Insert Cable Clamp A into the case hole. Connect the power cord to the Zyxel Device power socket. Open Cable Clamp B and attach it to the power cord. Make sure Cable Clamp B covers the head of the power cord. USG FLEX H Series User’s Guide...
  • Page 56: Default Zones, Interfaces, And Ports

    Table 22 Default Zone – Interface Mapping ZONE / INTERFACE USG FLEX 100H/USG FLEX 100HP USG FLEX 200H/USG FLEX 200HP Table 23 Default Zone – Interface Mapping ZONE / INTERFACE USG FLEX 500H USG FLEX 700H USG FLEX H Series User’s Guide...
  • Page 57: Dashboard

    The System screen displays general device information, system resource usage, and interface status in widgets that you can re-arrange to suit your needs. You can also click the refresh icon to refresh individual widgets.
  • Page 58: System Information Screen

    This field displays the MAC addresses used by the Zyxel Device. Each physical port has one MAC address. The first MAC address is assigned to physical port 1, the second MAC address is assigned to physical port 2, and so on. USG FLEX H Series User’s Guide...
  • Page 59: Virtual Device Screen

    For the auxiliary interface: Inactive - The auxiliary interface is disabled. Connected - The auxiliary interface is enabled and connected. Disconnected - The auxiliary interface is not connected. USG FLEX H Series User’s Guide...
  • Page 60: Resource Usage Screen

    This field shows how many sessions, established and non-established, that pass through/from/to/within the Zyxel Device. Click this field to display a chart of Zyxel Device’s recent session usage. 4.2.4 Bandwidth This screen displays a line graph of packet statistics for each interface. USG FLEX H Series User’s Guide...
  • Page 61: Client Usage Screen

    This field displays the number of IP addresses that are reserved for the MAC addresses. DHCP Server This field displays the number of interfaces on which the DHCP server is enabled on the Zyxel Device.
  • Page 62: The Latest Logs Screen

    This field displays the destination address (if any) in the packet that generated the log. Priority This field displays the severity of the log. 4.3 The Security Screen Use the Security screen to check security status information about the Zyxel Device. USG FLEX H Series User’s Guide...
  • Page 63 • The number of scanned files for sandbox. • Top 5 applications that are used the most • Top 5 URLs that are detected the most Click the Refresh icon to update the information in the window right away. USG FLEX H Series User’s Guide...
  • Page 64: Part Ii: Technical Reference

    Technical Reference...
  • Page 65: Monitor

    88) to display and manage active IPSec SAs. • Use the VPN Status > IPSec VPN > Remote Access VPN screen (Section 5.17.2 on page 89) to display and manage remote access VPN clients. USG FLEX H Series User’s Guide...
  • Page 66: The Port Statistics Screen

    This line represents traffic transmitted from the Zyxel Device on the physical port since it was last connected. This line represents the traffic received by the Zyxel Device on the physical port since it was last connected. USG FLEX H Series User’s Guide...
  • Page 67: The Interface Statistics Screen

    5.4 The Resource Statistics Screen Use this screen to view the resource, including: • The percentage of the Zyxel Device processing capability that is used. • The percentage of the Zyxel Device RAM that is used.
  • Page 68: The App Patrol Screen

    5.5 The App Patrol Screen Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to- USG FLEX H Series User’s Guide...
  • Page 69: The Content Filter Screen

    The DNS domain scan allows the Zyxel Device to block access to specific websites by inspecting DNS queries made by users on your network. If the website in the DNS USG FLEX H Series User’s Guide...
  • Page 70 Click this button to discard all of the screen’s statistics and update the report display. Time This column displays the date and time when the users access the URL or FQDN. Action This column displays whether the Zyxel Device blocks or passes the accessed URL or FQDN. USG FLEX H Series User’s Guide...
  • Page 71: The Reputation Filter Screens

    The Zyxel Device reputation filter includes IP reputation, DNS threat filter and URL threat filter. 5.7.1 IP Reputation This screen displays IP reputation statistics. IP reputation checks the reputation of an IP address from a database. Figure 60 Security Statistics > Reputation Filter > IP Reputation USG FLEX H Series User’s Guide...
  • Page 72: DNS Threat Filter

    This screen displays DNS threat filter statistics. DNS threat filtering inspects DNS queries made by clients on your network and compares the queries against a database of blocked or allowed Fully Qualified Domain Names (FQDNs). Figure 61 Security Statistics > Reputation Filter > DNS Threat Filter USG FLEX H Series User’s Guide...
  • Page 73: URL Threat Filter

    Click Reset to return the screen to its last-saved settings. 5.7.3 URL Threat Filter This screen displays URL threat filter statistics. URL threat filtering compares access to specific URLs against a database of blocked or allowed sites. USG FLEX H Series User’s Guide...
  • Page 74 Destination IP This field displays the destination IP address of traffic. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. USG FLEX H Series User’s Guide...
  • Page 75: The IPS Screen

    This column displays the level of threat that the intrusions may pose. Source IP This column displays the source IP address of the intrusion attempts. Destination IP This column displays the destination IP address at which intrusion attempts were targeted. USG FLEX H Series User’s Guide...
  • Page 76: The Anti-Malware Screen

    This column displays when you display the entries by Virus Name. This displays the name of a detected virus. Hash This column displays a hash value, MD5 (Message Digest 5), of the detected virus file. MD5 is a hash algorithm used to authenticate packet data.
  • Page 77: The SSL Inspection Screens

    Figure 65 Security Statistics > SSL Inspection > Summary The following table describes the labels in this screen. Table 40 Security Statistics > SSL Inspection > Summary LABEL DESCRIPTION General Settings Refresh Click this button to update the report display. USG FLEX H Series User’s Guide...
  • Page 78: The Certificate Cache List Screen

    SSL session with the server. It allows multiple SSL sessions to the same IP address and port number with different certificates from different SNI. This field displays the SNI for this SSL session. SSL Version This field shows the SSL version. TLS1.0/1.1/1.2 are currently supported. USG FLEX H Series User’s Guide...
  • Page 79: The Sandbox Screen

    Zyxel Device has detected. Select Type to display if the file type of the detected file with unknown or untrusted programs and codes. Refresh Click this button to update the report display. USG FLEX H Series User’s Guide...
  • Page 80: The Interface Screen

    This column displays the destination IP address to which the traffic of the file the Zyxel Device has checked is sent. 5.12 The Interface Screen This screen lists all of the Zyxel Device’s interfaces and their information. Click Network Status > Interface to display the following screen.
  • Page 81 This field displays the physical port number that is bound to the interface. An interface is bound to a port when the interface is bound to the physical port. Type This field displays the type of connection the interface is using.
  • Page 82: The Session Monitor Screen

    It is not possible to manage sessions in this screen. The following information is displayed. • User who started the session • Protocol or service port used • Source address • Destination address • Number of bytes received (so far) USG FLEX H Series User’s Guide...
  • Page 83 This field displays when View is set to all sessions. Type the destination IP address whose sessions Address you want to view. You cannot include the destination port. Source This field displays when View is set to all sessions. Select the country where the traffic is coming Country from. USG FLEX H Series User’s Guide...
  • Page 84: The Device Insight Screen

    LAN/VLAN/DMZ networks behind the Zyxel Device. Information from clients that are in different IP subnets in the LAN/VLAN/DMZ networks might not be collected correctly as traffic must pass through another router or a layer-3 switch to the Zyxel Device. USG FLEX H Series User’s Guide...
  • Page 85 Guest A’s device will be identified and shown in the table again if he connects to your Zyxel Device networks in the future. Please note that clients that are blocked cannot be removed. Make sure to unblock clients before you remove them. USG FLEX H Series User’s Guide...
  • Page 86: The Login Users Screen

    5.15 The Login Users Screen Use this screen to see a list of users currently logged into the Zyxel Device. To access this screen, click Network Status > Login Users. Figure 72 Network Status > Login Users USG FLEX H Series User’s Guide...
  • Page 87: The DHCP Table Screen

    Select a Zyxel Device interface that has DHCP enabled to show to which devices it has assigned DHCP IP addresses. Click this to add an entry that maps a static IP to a MAC address. USG FLEX H Series User’s Guide...
  • Page 88: The IPSec VPN Screen

    Select an IPSec SA and click this button to disconnect it. Refresh Select an IPSec SA and click this button to update its status. This field is a sequential value, and it is not associated with a specific SA. USG FLEX H Series User’s Guide...
  • Page 89: The Remote Access VPN Screen

    This field displays the IP address the user used to establish this remote access VPN connection. Remote IP This field displays the IP address of the remote IPSec router the remote access VPN client is connected to. USG FLEX H Series User’s Guide...
  • Page 90: The SSL VPN Screen

    This field displays how many seconds the SSL VPN client has been active. This field displays N/A if the SSL VPN client uses manual keys. Reauth/Lease Time This field displays the amount of reauthentication time remaining and the amount of lease time remaining for each SSL VPN client. USG FLEX H Series User’s Guide...
  • Page 91: Regular Expressions In Searching IPSec SAs

    “abc” and ending in “123” matches, no matter how many characters are in between. The whole VPN connection or policy name has to match if you do not use a question mark or asterisk. USG FLEX H Series User’s Guide...
  • Page 92: Licensing

    You can use the following Zyxel Device features without a license: Table 51 Features Available Without a License MONITOR CONFIGURATION MAINTENANCE System Statistics Network Maintenance Network Status VPN Status Security Policy Object User & Authentication USG FLEX H Series User’s Guide...
  • Page 93: The Licenses Screen

    Zyxel Device or purchase a license. Click Licensing > Licenses to display the following screen. Figure 77 Licensing > Licenses (Registered) The Licenses screen may show different services depending on the licenses you purchase or activate. USG FLEX H Series User’s Guide...
  • Page 94 Scan the QR code or click Nebula under Note to register your Zyxel Device at NCC. Please note that you need to register your Zyxel Device at NCC to upgrade firmware and use security services. USG FLEX H Series User’s Guide...
  • Page 95: The Signature Update Screen

    This field displays the type of service engine used by the Zyxel Device. Current Version This field displays the signatures version number currently used by the Zyxel Device. This number gets larger as new signatures are added. USG FLEX H Series User’s Guide...
  • Page 96: Signature Update

    ) of a service to display the following screen. Use this screen to view the service update status. Figure 80 Licensing > Signature Update > Update > Update 6.1.5 Auto Update Click the Schedule icon of a service to display the following screen.
  • Page 97 Select this option to have the Zyxel Device check for new signatures once a week on the day and at the time specified. Click this button to save your changes to the Zyxel Device. USG FLEX H Series User’s Guide...
  • Page 98: Interfaces

    • An interface is bound to a physical port or another interface. • Many interfaces can share the same physical port. • An interface belongs to at most one zone. • Many interfaces can belong to the same zone. USG FLEX H Series User’s Guide...
  • Page 99 For VLAN interfaces, x is defined by the number you enter in the VLAN name field. For example, Ethernet interface names are wan1, wan2, lan1, lan2, dmz; VLAN interfaces are vlan0, vlan1, vlan2...and so on. USG FLEX H Series User’s Guide...
  • Page 100 Figure 82 Example: Entry in the Routing Table Derived from Interfaces This information is used to create an entry in the routing table. Table 57 Example: Routing Table Entries for Interfaces IP ADDRESS(ES) DESTINATION 100.100.1.1/16 lan1 200.200.200.1/24 wan1 USG FLEX H Series User’s Guide...
  • Page 101 DHCP server. If you do, the interface routes DHCP requests to all of them. It is possible for an interface to be a DHCP relay and a DHCP client simultaneously. As a DHCP server, the interface provides the following information to DHCP clients. USG FLEX H Series User’s Guide...
  • Page 102 • The access and authentication method works with existing systems, including RADIUS. • You can access one of several network services. This makes it easier for the service provider to offer the service. • PPPoE does not usually require any special configuration of the modem.
  • Page 103: Interface Screen

    To remove a virtual interface, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Connect To dial-up to a PPPoE interface, select it and click Connect. Disconnect To disconnect from a PPPoE interface, select it and click Disconnect. USG FLEX H Series User’s Guide...
  • Page 104 This field displays the IP address of the remote IPSec VPN router. VPN Rule This shows the name of the associated IPSec VPN rule with VPN Tunnel Interface application scenario. Reference This field displays which settings use the entry. USG FLEX H Series User’s Guide...
  • Page 105: Internal/External Interface

    The more routing information is exchanged, the more efficient the routers should be. However, the routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management. USG FLEX H Series User’s Guide...
  • Page 106 Chapter 7 Interfaces Figure 84 Network > Interface > Interface > Internal > Add (Ethernet) USG FLEX H Series User’s Guide...
  • Page 107 External is for connecting to an external network (like the Internet). The Zyxel Device automatically adds this interface to the default WAN trunk. Interface Type Select the type of interface you want to configure. USG FLEX H Series User’s Guide...
  • Page 108 This option appears when Interface Type is internal. Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers on the network. DHCP Server USG FLEX H Series User’s Guide...
  • Page 109 IP addresses or options to clients with the specific VCI or reject the request from clients without the specific VCI. Type a string using up to 63 of these characters [a-zA-Z0-9!\"#$%&\'()*+,-./ :;<=>?@\[\\\]^_`{}] to identify this Zyxel Device to the DHCP server. For example, Zyxel-TW. USG FLEX H Series User’s Guide...
  • Page 110: Internal/External Vlan Add/Edit

    • Traffic inside each VLAN is layer-2 communication (data link layer, MAC addresses). It is handled by the switches. As a result, the new switch is required to handle traffic inside VLAN 2. Traffic is only broadcast inside each VLAN, not each physical network.
  • Page 111 Otherwise, VLAN interfaces are similar to other interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions. They restrict bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available.
  • Page 112 Chapter 7 Interfaces Figure 88 Network > Interface > Interface > Internal > Add (VLAN)
  • Page 113 External is for connecting to an external network (like the Internet). The Zyxel Device automatically adds this interface to the default WAN trunk. Interface Type Select the type of interface you want to configure.
  • Page 114 Gateway IP Enter the IP address of the router through which this WAN connection will send traffic. IP Address This option appears when Interface Type is internal. Enter the IP address for this interface.
  • Page 115 To use another IP address as the default router, select Custom Defined and enter the IP address. Lease time Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Advanced Settings
  • Page 116: Internal/External Lag Add/Edit

    • If you select an interface that has no ports bound to it, you must bind a port to this interface. • If you select an interface that has more than one port bound to it, you must remove all ports but one from this interface.
  • Page 117 Chapter 7 Interfaces Figure 90 Network > Interface > Interface > Internal > Add (LAG)
  • Page 118 Each field is explained in the following table. Table 63 Network > Interface > Interface > Internal/External > Add (LAG) LABEL DESCRIPTION General Settings Enable Interface Select this to turn this interface on. Clear this to disable this interface. Interface Properties
  • Page 119 DHCP client and automatically get the IP address, subnet mask, and gateway address from a DHCP server. Use Fixed IP This option appears when Interface Type is external. Select this if you want to specify the IP Address address, subnet mask, and gateway manually.
  • Page 120 If this field is blank, the Start IP must also be blank. In this case, the Zyxel Device can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address.
  • Page 121: Bridge Interface

    Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. 7.4 Bridge Interface This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces.
  • Page 122 The bridge interfaces also support more functions, like interface bandwidth parameters, DHCP settings, and connectivity check. To use the whole Zyxel Device as a transparent bridge, add all of the Zyxel Device’s interfaces to a bridge interface.
  • Page 123: Bridge Add/Edit

    This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each bridge interface. To access this screen, click Network > Interface > Interface > Bridge > Add/Edit. The following screen appears.
  • Page 124 This field is read-only if you are editing the interface. Enter the name of the bridge interface. The format is brx, where x is 0 - 11. For example, br0, br3, and so on.
  • Page 125 If this field is blank, the Pool Size must also be blank. In this case, the Zyxel Device can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address.
  • Page 126: Vti Interface

    In the following example configure VPN tunnels with static IP addresses or DNS on both Zyxel Devices (or IPSec routers at the end of the tunnel). Also configure VTI and a trunk on both Zyxel Devices.
  • Page 127: Restrictions For Ipsec Virtual Tunnel Interface

    Note: You should have created a VPN tunnel for a VPN Tunnel Interface scenario first. To access this screen, click the Network > Interface > Interface > VTI > Add/Edit. The following screen appears.
  • Page 128 Zyxel Device stops routing to the gateway. The Zyxel Device resumes routing to the gateway the first time the gateway passes the connectivity check. Enable Select this to turn on the connection check.
  • Page 129: Trunk Overview

    • Use the Add Trunk screen (Section 7.7.1 on page 133) to configure the member interfaces for a trunk and the load balancing algorithm the trunk uses.
  • Page 130: What You Need To Know

    (WRR) algorithm sets the Zyxel Device to send traffic through each WAN interface in turn. In addition, the WAN interfaces are assigned weights. An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight.
  • Page 131: The Trunk Summary Screen

    7.7 The Trunk Summary Screen Click Network > Interface > Trunk to open the Trunk screen. The following screen lists the configured trunks and the load balancing algorithm that each is configured to use.
  • Page 132 This field displays the interfaces that belong to the trunk. Apply Click this button to save your changes to the Zyxel Device. Reset Click this button to return the screen to its last-saved settings.
  • Page 133: Configuring A User-Defined Trunk

    Select an entry and click Edit to modify the entry’s settings. Remove To remove a member interface, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Name Select an interface name from the drop-down list box.
  • Page 134: Configuring The System Default Trunk

    Note: The new session is allocated to each member interface equally and is not allowed to be changed for the default trunk. Figure 98 Network > Interface > Trunk > Default Trunk > Edit
  • Page 135: Port

    Click this button to return the screen to its last-saved settings. 7.8 Port Use this screen to configure port settings. Click Network > Interface > Port in the navigation panel to display the configuration screen.
  • Page 136 Interface This field displays the interface for the port. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 137: Routing

    IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing.
  • Page 138 The following figure illustrates the DS field. DSCP (6 bits) Unused (2 bits) DSCP is backward compatible with the three precedence bits in the ToS octet so that non-DiffServ compliant, ToS-enabled network devices will not conflict with the DSCP mapping.
  • Page 139: Policy Route Screen

    IP protocol (ICMP, UDP, TCP, etc.) and port. The actions that can be taken include: • Routing the packet to a different gateway, outgoing interface, VTI interface, or trunk.
  • Page 140 This is the name of the service object. any means all services. Next-Hop This is the next hop to which packets are directed. It helps forward packets to their destinations and can be an IP address of a router or a VTI interface.
  • Page 141: Policy Route Edit Screen

    Click Network > Routing to open the Policy Route screen. Then click the Add or Edit icon. The Add Policy Route or Policy Route Edit screen opens. Use this screen to configure or edit a policy route.
  • Page 142 Zyxel Device itself. For an interface, a tunnel, or an SSL VPN, you also need to select the individual interface, VPN tunnel, or SSL VPN connection. Source Address Select a source IP address object, including geographic address and FQDN (group) objects, from which the packets are sent.
  • Page 143 Zyxel Device's interface(s). Trunk This field displays when you select trunk in the Type field. Select a trunk group to have the Zyxel Device send the packets via the interfaces in the group.
  • Page 144: Static Route Screen

    Click Reset to return the screen to its last-saved settings. 8.3 Static Route Screen Click Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes.
  • Page 145: Static Route Add/Edit Screen

    Click Reset to return the screen to its last-saved settings. 8.3.1 Static Route Add/Edit Screen Click Network > Routing > Static Route > Add/Edit to display the next screen. Use this screen to configure the required information for a static route.
  • Page 146 0~127. In practice, 2 or 3 is usually a good number. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 147: Nat

    The following list specifies the ports used by the server process as its contact ports. See Section 14.2 on page 216 (Configuration > Object > Service) for more information about service objects.
  • Page 148 Suppose an NAT 1:1 rule maps a public IP address to the private IP address of a LAN SMTP email server to give WAN users access. NAT loopback allows other users to also use the rule’s original IP to access the mail server.
  • Page 149 (1.1.1.1). If the SMTP server replied directly to the LAN user without the traffic going through NAT, the source would not match the original destination address which would cause the LAN user’s computer to shut down the session.
  • Page 150: The Nat Screen

    Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
  • Page 151: The Nat Add/Edit Screen

    The NAT Add/Edit screen lets you create new NAT rules and edit existing ones. To open this window, open the NAT summary screen. (See Section 9.2 on page 150.) Then, click on an Add icon or Edit icon to open the following screen.
  • Page 152 IP addresses that the outside clients use to access the server. The private and public ranges must have the same number of IP addresses. One many 1:1 NAT rule works like multiple 1:1 NAT rules, but it eases configuration effort since you only create one rule.
  • Page 153 This field is available if Mapping Type is Port. Enter the translated destination port if this NAT rule forwards the packet. External Start Port This field is available if Mapping Type is Ports. Enter the beginning of the range of original destination ports this NAT rule supports.
  • Page 154 A warning message will pop up when you click OK. If you click No in the warning message, the rule will apply to the Zyxel Device. You will not be able to access the web configurator through this interface.
  • Page 155: Alg

    When the active interface’s connection fails, the client needs to re-initialize the connection through the second interface (that was set to passive) in order to have the connection go through the second interface.
  • Page 156: Before You Begin

    • Configure the port numbers to which they apply. Note: If the Zyxel Device provides an ALG for a service, you must enable the ALG in order to use the application patrol on that service’s traffic. Figure 111 Network > ALG
  • Page 157 If you are using a custom TCP port number (not 21) for FTP traffic, enter it here. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 158: Ipsec Vpn

    Diffie–Hellman key exchange algorithm to generate a shared secret key to encrypt IKE communications. This negotiation results in one single bi-directional ISAKMP Security Association (SA). The authentication can be performed using either pre-
  • Page 159: Ipsec Vpn Background Information

    To set up an IKE SA, you have to specify the IP addresses of the Zyxel Device and remote IPSec router. You can usually enter a static IP address or a domain name for either or both IP addresses. Sometimes,
  • Page 160 Some Zyxel Devices also offer stronger forms of AES that apply 192-bit or 256-bit keys to 128-bit blocks of data. In most Zyxel Devices, you can select one of the following authentication algorithms for each proposal. The algorithms are listed in order from weakest to strongest.
  • Page 161 You have to create (and distribute) a pre-shared key. The Zyxel Device and remote IPSec router use it in the authentication process, though it is not actually transmitted or exchanged. Note: The Zyxel Device and the remote IPSec router must use the same pre-shared key.
  • Page 162 Main mode takes six steps to establish an IKE SA. Steps 1 - 2: The Zyxel Device sends its proposals to the remote IPSec router. The remote IPSec router selects an acceptable proposal and sends it back to the Zyxel Device.
  • Page 163 • Configure the NAT router to forward packets with the extra header unchanged. (See the field description for detailed information about the extra header.) The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the Zyxel Device and remote IPSec router support.
  • Page 164 Note: The Zyxel Device and remote IPSec router must use the same encapsulation. These modes are illustrated below. Figure 117 VPN: Transport and Tunnel Mode Encapsulation Original Packet IP Header TCP Header Data
  • Page 165 For authentication, the Zyxel Device and remote IPSec router use the SPI, instead of pre-shared keys, ID type and content. The SPI is an identification number. Note: The Zyxel Device and remote IPSec router must use the same SPI.
  • Page 166: What You Can Do In This Chapter

    In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks. Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other
  • Page 167: The Site To Site Vpn Screen

    VPN connection (each IPSec SA). Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
  • Page 168: The Site To Site Vpn Add/Edit Screen- Wizard

    To access this screen, go to the VPN > Site to Site VPN screen, and click either the Add icon or an Edit icon. Select Site-to-Site in VPN > Site to Site VPN > Add/Edit > Scenario > Type to create a VPN rule using the wizard.
  • Page 169 None/ Local Site: The remote IPSec device has a static IP address or a domain name. This Zyxel Device can initiate the VPN tunnel. Remote Site: The remote IPSec device has a dynamic IP address. Only the remote IPSec device can initiate the VPN tunnel.
  • Page 170 Enter the WAN IPv4 address or domain name of the remote IPSec device to identify the remote IPSec router by its IP address or domain name. 11.3.1.3 Authentication Use this screen to configure the authentication type and settings.
  • Page 171 Select Certificate to use one of the Zyxel Device certificates for authentication. 11.3.1.4 Policy & Routing Use this screen to configure the IP addresses of the computer on your network and the computer behind the remote IPSec device.
  • Page 172 Chapter 11 IPSec VPN Figure 124 VPN > Site to Site VPN > Add/Edit > Policy & Routing (Route-Based) Figure 125 VPN > Site to Site VPN > Add/Edit > Policy & Routing (Policy-Based)
  • Page 173 Use this screen to view a summary of the VPN tunnel configurations. You can click Edit to change the VPN tunnel configuration settings. Figure 126 VPN > Site to Site VPN > Add/Edit > Summary
  • Page 174: The Site To Site Vpn Add/Edit Screen- Custom

    1 and phase 2 settings; see Section 11.2 on page 159 for more information on IKE SA proposals. Figure 127 VPN > Site to Site VPN > Add/Edit > Scenario > Type > Custom
  • Page 175 Select Route-Based to create a VPN rule that encrypts traffic based on the static route settings. Select Policy-Based to create a VPN rule that encrypts traffic based on the Local and Remote IPv4 addresses you set in Policy in Phase 2 Settings. Network
  • Page 176 The Zyxel Device and the remote IPSec router must both have at least one proposal that uses the same encryption and the same key. Longer keys are more secure, but require more processing power, resulting in increased latency and decreased throughput.
  • Page 177 Encapsulation Select which type of encapsulation the IPSec SA uses. Tunnel - this mode encrypts the IP header information and the data. The Zyxel Device and remote IPSec router must use the same encapsulation.
  • Page 178: The Remote Access Vpn Screen

    Configure the settings in this screen to create a new or edit an existing remote access VPN rule to securely access the Zyxel Device local networks from anywhere. See Section 11.1 on page 158 for more
  • Page 179 SecuExtender VPN client installed on his device and uses a supported computer operating system. Make sure the settings configured on the IPSec VPN client match the settings you configured on the Zyxel Device. Click VPN > IPSec VPN > Remote Access VPN to open the following screen.
  • Page 180 Chapter 11 IPSec VPN Figure 129 VPN > IPSec VPN > Remote Access VPN
  • Page 181 Enter an IPv4 address in CIDR notation, for example, type 192.168.1.1/24. The IP address pool is used to assign IP addresses to the VPN clients. The SSL VPN IP pool should not overlap with IP addresses on the Zyxel Device's local networks and the SSL user's network.
  • Page 182 SHA is generally considered stronger than MD5, but it is also slower. The Zyxel Device and the remote IPSec router must both have a proposal that uses the same authentication algorithm.
  • Page 183 10.15 and later built-in IKEv2 VPN clients support DH14 by default. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 184: Ssl Vpn

    In split tunnel mode, only the traffic going to the networks behind the Zyxel Device is encrypted. Traffic going to the Internet from the remote client does not go through the Zyxel Device and is not encrypted.
  • Page 185: The Ssl Vpn Screen

    Please note that you cannot delete an object that is referenced by other settings. 12.2 The SSL VPN Screen Configure the settings in this screen to create a new or edit an existing SSL access policy.
  • Page 186 • macOS 10.15 and later versions. Make sure the settings configured on the SSL VPN client match the settings you configured on the Zyxel Device. Click VPN > SSL VPN to open the following screen.
  • Page 187 Chapter 12 SSL VPN Figure 132 VPN > SSL VPN
  • Page 188 Select a specified RADIUS server from the drop-down list box for the Zyxel Device to use for Secondary Server authentication. User Select a user or user group to associate the user or user group to this SSL access policy. Advanced Settings
  • Page 189 SSL VPN clients have to update their SSL VPN settings so their SSL VPN settings match the Zyxel Device SSL VPN settings. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 190: Security Policy

    Figure 133 Default Directional Security Policy Example 13.2 What You Can Do in this Chapter • Use the Policy Control screens (Section 13.3 on page 192) to enable or disable policies, asymmetrical routes, and manage and configure policies.
  • Page 191: What You Need To Know

    When you configure a Security Policy rule for packets destined for the Zyxel Device itself, make sure it does not conflict with your service control rule. The Zyxel Device checks the security policy before the service control rules for traffic destined for the Zyxel Device.
  • Page 192: The Security Policy Screen

    A computer on the LAN1 initiates a connection by sending a SYN packet to a receiving server on the WAN. The Zyxel Device reroutes the packet to gateway A, which is in Subnet 2.
  • Page 193: Configuring The Security Policy Control Screen

    LAN IP address as the destination. • The ordering of your policies is very important as policies are applied in sequence. The following screen shows the Policy Control summary screen.
  • Page 194 The ordering of your policies is important as they are applied in order of their numbering. The following read-only fields summarize the policies you have created that apply to traffic traveling in the selected packet direction.
  • Page 195: The Policy Control Add/Edit Screen

    Click Reset to return the screen to its last-saved settings. 13.3.2 The Policy Control Add/Edit Screen In the Policy Control screen, click the Edit or Add icon to display the Policy Control Edit or Add screen.
  • Page 196 Select any to apply the policy to all traffic going to IPv4 addresses. Service Select a service or service group from the drop-down list box.
  • Page 197: Example: Allow A Server To Ping The Zyxel Device Without Creating Logs

    Internet. The Zyxel Device creates a log every time the server pings it. You want to allow the server to ping the Zyxel Device without creating so many logs. This example uses the parameters given below. Table 97 Address Object Configuration Example NAME ADDRESS TYPE IP ADDRESS Server Host 2.2.2.2
  • Page 198 Configure the settings using the parameters given in Table 98 on page 198. Set Log to no so when the server pings the Zyxel Device, the Zyxel Device will not create logs. Click Apply to save your changes.
  • Page 199: Dos Prevention Overview

    Note: First, create a DoS prevention profile in the Security Policy > DoS Prevention > Profile screen. Then, apply the profile to traffic originating from a specific zone in the Security Policy > DoS Prevention > DoS Prevention Policy screen.
  • Page 200: The Dos Prevention Policy Screen

    The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. Priority This is the rank in the list of anomaly profile policies. The list is applied in order of priority. Name This is the name of the anomaly profile policy.
  • Page 201: The Dos Prevention Profile Screen

    DoS prevention profiles consist of traffic anomaly profiles. To create a new profile, click Add. Type a new profile name, enable or disable individual policies and then edit the default log options and actions. Click Security Policy > DoS Prevention > Profile to view the following screen.
  • Page 202: The Dos Prevention Profile Add/Edit Screen

    DoS prevention looks for abnormal behavior such as scan or flooding attempts. In the Security Policy > DoS Prevention > Profile screen, click the Edit or Add icon to create or edit an existing profile.
  • Page 203 Chapter 13 Security Policy Figure 139 Security Policy > DoS Prevention > Profile > Add/Edit
  • Page 204 The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. Name This is the name of the anomaly policy. Click the Name column heading to sort in ascending or descending order according to the protocol anomaly policy name.
  • Page 205: Security Policy Example Applications

    The Zyxel Device applies the security policies in order. So for this example, when the Zyxel Device receives traffic from the LAN, it checks it against the first policy. If the traffic matches (if it is IRC traffic)
  • Page 206 • The third row is the default policy of allowing all traffic from the LAN1 to go to the WAN. Alternatively, you configure a LAN1 to WAN policy with the CEO’s user name (say CEO) to allow IRC traffic from any source IP address to go to any destination address.
  • Page 207 The policy for the CEO must come before the policy that blocks all LAN1 to WAN IRC traffic. If the policy that blocks all LAN1 to WAN IRC traffic came first, the CEO’s IRC traffic would match that policy and the Zyxel Device would drop it and not check any other security policies.
  • Page 208: Object

    The Address screen provides a summary of all addresses in the Zyxel Device. To access this screen, click Object > Address > Address. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
  • Page 209 The Object > Address > Address > Add/Edit screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen (see Section 14.1.2 on page 208), and click either the Add icon or an Edit icon in the IPv4 Address Configuration section.
  • Page 210 If you selected GEOGRAPHY as the Address Type, use this field to select a country or continent. A GEOGRAPHY object uses the data from the country-to-IP/continent-to-IP address database. Go to the Object > Address > Geo IP screen to configure the custom country-to-IP/continent-to-IP address mappings for a GEOGRAPHY object.
  • Page 211: Address Group Summary Screen

    The Address Group Add/Edit screen allows you to create a new address group or edit an existing one. To access this screen, go to the Address Group screen (see Section 14.1.3 on page 211), and click either the Add icon or an Edit icon in the IPv4 Address Group Configuration section.
  • Page 212: Geo Ip Summary Screen

    You can then use geographic address objects in security policies to forward or deny traffic to whole countries or regions. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
  • Page 213 Chapter 14 Object Figure 146 Object > Address > Geo IP
  • Page 214 Chapter 14 Object Figure 147 Object > Address > Geo IP > Region vs. Continent
  • Page 215 This screen allows you to create a new geography-to-IP address mapping. To access this screen, go to the Geo IP screen (see Section 14.1.4 on page 212), and click the Add icon in the Custom IPv4 to Geography Rules section. Figure 148 Geo IP > Add
  • Page 216: Service Overview

    Then, the connection is terminated. In contrast, computers use UDP to send short messages to each other. There is no guarantee that the messages arrive in sequence or that the messages arrive at all.
  • Page 217: The Service Summary Screen

    To access this screen, log in to the Web Configurator, and click Object > Service > Service. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
  • Page 218 Select an entry and click Reference to check which settings use the entry. Name This field displays the name of each service. Content This field displays a description of each service. Reference This displays the number of times an object reference is used in a profile.
  • Page 219 Enter the number of the next-level protocol (IP protocol). Allowed values are 1 - 255. Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to return the screen to its last-saved settings.
  • Page 220: The Service Group Summary Screen

    Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL service group, which is used in the WAN_to_Device security policy. To access this screen, click Object > Service > Service Group. Figure 151 Object > Service > Service Group
  • Page 221 Service Group screen (see Section 14.2.3 on page 220), and click either the Add icon or an Edit icon. Figure 152 Object > Service > Service Group > Add/Edit
  • Page 222: Zone Overview

    Zones cannot overlap. Each Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run. USG FLEX H Series User’s Guide...
  • Page 223: What You Need To Know

    223, traffic to or from computer C is extra-zone traffic. • Some zone-based security and policy settings may apply to extra-zone traffic, especially if you can set the zone attribute in them to Any or All. See the specific feature for more information. USG FLEX H Series User’s Guide...
  • Page 224: The Zone Screen

    The Zone Edit screen allows you to add or edit a zone. To access this screen, go to the Zone screen (see Section 14.4.2 on page 226), and click the Add icon or an Edit icon.
  • Page 225: Schedule Overview

    Click Reset to return the screen to its last-saved settings. 14.4 Schedule Overview Use schedules to set up one-time and recurring schedules for policy routes, security policies, application patrol, and content filtering. The Zyxel Device supports one-time and recurring schedules. One-time
  • Page 226: What You Need To Know

    Recurring schedules are useful for defining the workday and off-work hours. 14.4.2 The Schedule Screen The Schedule screen provides a summary of all schedules in the Zyxel Device. To access this screen, click Object > Schedule. Figure 156 Object > Schedule
  • Page 227 The One-Time Schedule Add/Edit screen allows you to define a one-time schedule or edit an existing one. To access this screen, go to the Schedule screen (see Section 14.4.2 on page 226), and click either the Add icon or an Edit icon in the One Time section.
  • Page 228 • Hour - 1-12 AM/PM • Minute - 0 - 59 Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to return the screen to its last-saved settings.
  • Page 229 • Hour - 1-12 AM/PM • Minute - 0 - 59 Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to return the screen to its last-saved settings.
  • Page 230: The Schedule Group Screen

    The Schedule Group Add/Edit screen allows you to define a schedule group or edit an existing one. To access this screen, go to the Schedule screen (see), and click either the Add icon or an Edit icon in the Schedule Group section.
  • Page 231 Move any members you do not want included to the list on the left. Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to return the screen to its last-saved settings.
  • Page 232: Application Patrol

    Device looks at the IP payload (OSI level-7 inspection) and attempts to match it with known patterns for specific applications. Usually, this occurs at the beginning of a connection, when the payload is more consistent across connections, and the Zyxel Device examines several packets to make sure the match
  • Page 233: Application Patrol Profile

    A profile is an application object(s) or application group(s) that has customized action and log settings. Click Security Service > App Patrol to open the following screen. Click the Application Patrol icon for more information on the Zyxel Device’s security features.
  • Page 234 Select an entry and click Remove to delete the selected entry. Reference Select an entry and click Reference to check which settings use the entry. Name This displays the name of the profile created.
  • Page 235: Application Patrol Profile > Add/Edit - Application Management

    15.2.1 Application Patrol Profile > Add/Edit - Application Management Use this screen to configure profile settings. Click Security Service > App Patrol > Add/Edit to open the following screen. Figure 162 Security Service > App Patrol > Add/Edit > Application Management
  • Page 236 - the Zyxel Device drops packets that match these signatures and sends notification. Apply Click Apply to save your settings to the Zyxel Device. Reset Click Reset to return to the profile summary page without saving any changes.
  • Page 237: Example: Block An Application

    Go to Security Service > App Patrol and click Add. In the following screen, enter the profile name using the parameter given in Table 124 on page 237. Click Add under Application Management to open the Add Application screen.
  • Page 238 Chapter 15 Application Patrol Search for TikTok in Category and Application and select the checkbox. Set Log to Log Alert and Action to Reject. Click Add to save your changes.
  • Page 239 Chapter 15 Application Patrol Click Apply to save the app patrol profile.
  • Page 240 Chapter 15 Application Patrol Go to Security Policy > Policy Control. Select LAN_Outgoing then click Edit. Set Application Patrol to BlockMedia and Log to by profile. Click Apply to save your changes.
  • Page 241 BlockMedia profile has been applied to the LAN_Outgoing security policy. You can also check the logs in Log & Report > Log / Events. The Zyxel Device will create logs if the clients on the Zyxel Device LAN try to access TikTok.
  • Page 242 Chapter 15 Application Patrol
  • Page 243: Content Filtering

    • Use schedule objects to define when to apply a content filter profile. • Use address and/or user/group objects to define to whose web access to apply the content filter profile. • Apply a content filter profile that you have custom-tailored.
  • Page 244 The DNS Domain Scan allows the Zyxel Device to block access to specific websites by inspecting DNS queries made by users on your network. If the website in the DNS query contains prohibited material,
  • Page 245 Zyxel Device’s cache. The Zyxel Device blocks, blocks and logs or just logs the request based on your configuration. If the Zyxel Device has no record of the web site, it queries the external content filter database.
  • Page 246: Content Filter General Screen

    Click Security Service > Content Filter to open the Content Filter General screen. Use this screen to enable content filtering, view and order your list of content filter policies, create a denial of access message or specify a redirect URL. Figure 165 Security Service > Content Filter > General
  • Page 247 Collect Statistics Enable to have the Zyxel Device collect content filtering statistics. All of the statistics are erased if you restart the Zyxel Device or click Flush Data in Security Statistics > Content Filter.
  • Page 248: Content Filtering Add Profile

    Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. 16.2.1 Content Filtering Add Profile Click Security Service > Content Filter > Add or Edit to open the following screen.
  • Page 249 When external database content filtering blocks access to a web page, it displays the denied access message that you configured in the Content Filter General screen along with the category of the blocked web page.
  • Page 250 This category does not include text translation. Art Culture Heritage Web pages that contain virtual art galleries, artist sites (including sculpture and photography), museums, ethnic customs, and country customs. This category does not include online photograph albums.
  • Page 251 Web pages that provide networking for online dating, matchmaking, escort services, or introductions to potential spouses. This category does not include sites that provide social networking that might include dating, but are not specific to dating.
  • Page 252 Web pages that allow users to wager or place bets online, or provide gambling software that allows online betting, such as casino games, betting pools, sports betting, and lotteries. This category does not include web pages related to gambling that do not allow betting online.
  • Page 253 Illegal UK Web pages that contain child sexual abuse content hosted anywhere in the world, and criminally obscene and incitement to racial hatred content hosted in the UK.
  • Page 254 This category also includes corporate web pages that list job openings, salary comparison sites, temporary employment, and company job-posting sites. This category does not include make-money-at-home sites.
  • Page 255 Web pages from charitable or educational groups that fulfill a stated mission, benefiting the larger community, such as clubs, lobbies, communities, non-profit organizations, labor unions, and advocacy groups. Examples are Masons, Elks, Boy and Girl Scouts, or Big Brothers.
  • Page 256 This category might also include information on how to distribute illegal content, perpetrate fraud, or consumer scams. This category does not include computer-related fraud.
  • Page 257 This category includes sites that allow you to browse model homes. This category does not include content related to personal finance, such as credit applications.
  • Page 258 Search Engines Web pages that provide search results that enable users to find information on the Internet based on key words. This category does not include site-specific search engines.
  • Page 259 Although users can post any type of content, these forums tend to present less risk of containing offensive content. Sites that offer a variety of forums with themes, including technical and business content, are only in the categories of Forum/Bulletin Boards or Chat.
  • Page 260 This category is intended to block advertisements on web pages, not the companies that provide the advertisements or advertising services. This category does not include aggressive advertising adware. See the Spyware/Adware category.
  • Page 261: Content Filter Allow List Screen

    Click Security Service > Content Filter > Add/Edit to open the Allow List screen. You can create a common list of good (allowed) web site addresses. Use this screen to add or remove specific sites from the filter list. Figure 167 Security Service > Content Filter > Add/Edit > Allow List
  • Page 262: Content Filter Block List Screen

    Click Security Service > Content Filter > Add/Edit to open the Block List screen. You can create a common list of bad (blocked) web site addresses. Use this screen to add or remove specific sites from the filter list.
  • Page 263 The entry must contain at least one “.” or it will be invalid. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 264: Content Filter Blocked Url Keywords Screen

    Select no if you don’t want the Zyxel Device to generate logs. Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it.
  • Page 265: Test Web Site Category Screen

    Click Security Service > Content Filter > Add/Edit to open the Test Web Site Category screen. Use this screen to check which category a web page belongs to. Figure 170 Security Service > Content Filter > Add/Edit > Test Web Site Category
  • Page 266: Example: Block Lan Users From Using A Remote Wan Application

    You want to block all LAN clients from using TeamViewer. Create a Content Filtering profile that includes the remote access category. Create a Content Filtering block list rule with TeamViewer as the keyword. Then apply the profile to the LAN_Outgoing security policy.
  • Page 267 By Profile NoRemoteAccess Go to Security Service > Content Filtering and click Add. Configure the profile settings using the parameters given in Table 133 on page 267. Select the Remote Access checkbox under Managed Categories.
  • Page 268 Click Add to add a block list rule using the parameters given in Table 134 on page 267. Click Apply to save your changes. Go to Security Policy > Policy Control. Select LAN_Outgoing then click Edit.
  • Page 269 Chapter 16 Content Filtering Set Content Filter to NoRemoteAccess and Log to by profile. Click Apply to save your changes.
  • Page 270 NoRemoteAccess profile has been applied to the LAN_Outgoing security policy. You can also check the logs in Log & Report > Log / Events. The Zyxel Device will create logs if the clients on the Zyxel Device LAN try to access TeamViewer.
  • Page 271 Chapter 16 Content Filtering
  • Page 272: Reputation Filter

    URL threat filtering compares access to specific URLs against a database of blocked or allowed sites. Sites on the database are sorted into categories such as: • Anonymizers • Browser Exploits • Malicious Downloads • Malicious Sites • Phishing • Spam URLs • Spyware Adware Keyloggers
  • Page 273: What You Can Do In This Chapter

    Allow List Block List The Zyxel Device Database Click Security Service > Reputation Filter > IP Reputation to display the configuration screen as shown next. Figure 172 Security Service > Reputation Filter > IP Reputation
  • Page 274 These are sites that distribute exploits or exploit kits to infect website visitors’ devices. Exploits include shellcode, root kits, worms, or viruses that download additional malware to infect devices. An exploit kit consists of different exploits.
  • Page 275 Enter an IPv4 address of a website, and click the Query button to check if the website is associated with suspicious activities that could pose a security threat to users or their computers. Apply Click Apply to save your changes. Reset Click Reset to return the screen to its last-saved settings.
  • Page 276: Ip Reputation Allow List Screen

    To turn off an entry, select it and click Disable. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. IPv4 Address This field displays the IPv4 address of this entry.
  • Page 277: Ip Reputation Block List Screen

    Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. Active To turn on an entry, select it and click Active. Inactive To turn off an entry, select it and click Inactive.
  • Page 278: Dns Threat Filter Screen

    • Type “PTR” (Pointer) that specifies a reverse query (requesting the FQDN corresponding to the IP address you provided) • Type “SOA” (Start Of zone Authority) used when transferring zones The priority for DNS Threat Filter checking is as follows: Allow List Block List Cloud Query Cache
  • Page 279 IP address. pass: Select this action to have the Zyxel Device allow the DNS query packet and not reply with a DNS reply packet containing a default or custom-defined IP address.
  • Page 280 Adware programs typically display blinking advertisements or pop-up windows when you perform a certain action. Adware programs are often installed in exchange for another service, such as the right to use a program without paying for it. Test Domain Name Category
  • Page 281: Dns Threat Filter Allow List Screen

    Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. Active To turn on an entry, select it and click Active.
  • Page 282: Dns Threat Filter Block List Screen

    “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain. Underscores are not allowed. Use "*." as a prefix in the FQDN for a wildcard domain name (for example, *.example.com).
  • Page 283: Url Threat Filter Screen

    Click Security Service > Reputation Filter > URL Threat Filter to display the configuration screen as shown next.
  • Page 284 Enable to have the Zyxel Device collect URL threat filter statistics. All of the statistics are erased if you restart the Zyxel Device or click Flush Data in Security Statistics > Reputation Filter > URL Threat Filter. Message to display when a site is blocked
  • Page 285: Url Threat Filter Allow List Screen

    Use this screen to create allow list entries. The Zyxel Device will allow incoming packets from the listed IPv4 addresses and URLs. Click Security Service > Reputation Filter > URL Threat Filter > Allow List to display the configuration screen as shown next.
  • Page 286: Url Threat Filter Block List Screen

    Use this screen to create block list entries. The Zyxel Device will block incoming packets from the listed IPv4 addresses and URLs. Click Security Service > Reputation Filter > URL Threat Filter > Block List to display the configuration screen as shown next.
  • Page 287 Select an entry and click this to delete it. Block List This field displays the URL of this entry. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 288: Anti-Malware

    Figure 181 Zyxel Device Anti-Malware Example The Zyxel Device queries the Defend Center database by sending the file’s hash value (A) and receiving the scan results (B) through the Defend Center (DC). Figure 182 Cloud Query
  • Page 289 Before going through the Anti-Malware scan, the Zyxel Device first identifies the packets sent by the following four major protocols with corresponding standard ports: • FTP (File Transfer Protocol) • HTTP (Hyper Text Transfer Protocol)
  • Page 290 Changes to the Zyxel Device’s anti-malware settings only affect new sessions, not sessions that already existed before you applied the changed settings. Enabling Cloud Query may affect file transfer speeds. The Zyxel Device does not scan the following file/traffic types:
  • Page 291: What You Can Do In This Chapter

    If Destroy infected file is disabled, any malicious file found can still be executed by the end user after it is forwarded. The administrator would have to inform the user if there is an infected file.
  • Page 292 When you select this check box, if a malware signature is matched, the Zyxel Device overwrites the infected portion of the file with zeros before being forwarded to the user. The uninfected portion of the file will pass through unmodified.
  • Page 293: The Allow List Screen

    Click Security Service > Anti-Malware > Allow List to display the following screen. Use Add to put a new entry in the list or Edit to change an existing one or Remove to delete an existing entry.
  • Page 294 Click the column icon to select the fields you want to show in the table. Uncheck the checkbox if you want to hide a field in the table. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
  • Page 295: The Block List Screen

    Click Security Service > Anti-Malware > Block List to display the following screen. Use Add to put a new entry in the list or Edit to change an existing one or Remove to delete an existing entry.
  • Page 296 Click the column icon to select the fields you want to show in the table. Uncheck the checkbox if you want to hide a field in the table. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
  • Page 297: Anti-Malware Technical Reference

    It inspects files for malware patterns as they are moved in and out of the drive. However, host-based anti-malware scanners cannot eliminate all malware for a number of reasons: • HAM scanners are slow in stopping malware threats through real-time traffic (such as from the Internet).
  • Page 298 • NAM scanners stop malware threats at the network edge before they enter or exit a network. • NAM scanners reduce the computing load on computers, as the real-time data traffic inspection is done on a dedicated security device.
  • Page 299: Sandbox

    Events. We suggest that you inform your client not to open the file until the sandbox has completed checking. If the client has already opened it, urge the client to run an up-to-date anti-malware scanner.
  • Page 300: Sandbox Screen

    Click Security Service > Sandbox to display the configuration screen as shown next. Use this screen to enable sandbox and specify the actions the Zyxel Device takes when malicious or suspicious files are detected. Figure 187 Security Service > Sandbox
  • Page 301 ZIP Archive (zip): A zip file is a file used to compress multiple files together into a single file. A zip file can reduce the overall size of a collection of files. Apply Click Apply to save your changes. Reset Click Reset to return the screen to its last-saved settings.
  • Page 302: Ips

    While IPS signatures have the Zyxel Device respond instantaneously, Rate Based Signatures are IPS signatures that allow the Zyxel Device to respond only after a number of occurrences (Count) within a certain time period (Period) that you set.
  • Page 303: Before You Begin

    Click Security Service > IPS to open this screen. Use this screen to view signature information. Note: You must register for the IPS signature service (at least the trial) before you can use it. See the Licensing screens.
  • Page 304 Chapter 20 IPS Figure 190 Security Service > IPS
  • Page 305 The results are displayed in a table showing the Status, SID, Name, Severity, Classification, Platform, Service, Log, and Action criteria as selected in the search. Click the SID column header to sort search results by signature ID.
  • Page 306 Hold down the [Ctrl] key if you want to make multiple selections. Service This field displays signatures by IPS service group(s). See Table 153 on page 307 for group details. Hold down the [Ctrl] key if you want to make multiple selections.
  • Page 307 Any attack includes all other kinds of attacks that are not specified in the policy such as password, spoof, hijack, phishing, and close-in.
  • Page 308 This method allows users to send small requests messages that result in the streaming of large media objects, providing an opportunity for malicious users to exhaust resources in the system with little effort expended on their part.
  • Page 309: Query Example

    MISC_EXPLOIT MISC_DDOS MISC_BACKDOOR MISC IMAP ICMP FINGER 20.2.1 Query Example This example shows a search with these criteria: • Severity: Severe • Classification Type: Misc • Platform: Windows • Service: Any • Actions: Any
  • Page 310: The Allow List Screen

    Click Configuration > Security Service > IPS > Allow List to display the following screen. Use Add to put a new item in the list or Edit to change an existing one or Remove to delete an existing entry.
  • Page 311: Ips Technical Reference

    Disadvantages of host IPSs are that you have to install them on each device (that you want to protect) in your network and due to the necessarily tight integration with the host operating system, future operating system upgrades could cause problems.
  • Page 312 Fragmentation Offset fragoffset Time to Live IP Options ipopts Same IP sameip Transport Protocol Transport Protocol: TCP Port (In Snort rule header) Flow flow Flags flags Sequence Number Ack Number Window Size window
  • Page 313 Offset (relative to start of payload) offset Relative to end of last match distance Content content Case-insensitive nocase Decode as URI uricontent Note: Not all Snort functionality is supported in the Zyxel Device.
  • Page 314: Ip Exception

    Add the IP address of the trusted web site to Destination in IP Exception so the Zyxel Device will not perform security checking when you access the web site to save resources. Figure 194 IP Exception Bypass Destination Example IP Exception supports bypassing the following security services:
  • Page 315: The Ip Exception Screen

    IP address. Service to Bypass This field displays which services will not inspect matched packets. This field displays if the Zyxel Device will generate a log when the incoming traffic is in the exception list.
  • Page 316: The Ip Exception Add/Edit Screen

    Selected services do not inspect packets that match source/destination criteria above. Non-selected services do inspect packets that match source/destination criteria above. Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to return the screen to its last-saved settings.
  • Page 317: Example: Bypass A Website

    1.1.1.1 Table 160 IP Exception Configuration Example NAME SOURCE DESTINATION SERVICES TO BYPASS ForTrustedWebsite TrustedWebsite Anti-Malware URL Threat filter IP Reputation DNS Threat Filter Go to Object > Address > Address and click Add.
  • Page 318 317. Click Apply to save your changes. Go to Security Service > IP Exception and click Add. Configure the settings using the parameters given in Table 160 on page 317. Click Apply to save your changes.
  • Page 319: Ssl Inspection

    • Use the Security Service > SSL Inspection > Certificate Update screens (Section 22.4 on page 327) to update the latest certificates of servers using SSL connections to the Zyxel Device network
  • Page 320: What You Need To Know

    This may vary by locale. 22.2 The SSL Inspection Profile Screen An SSL Inspection profile is a template with pre-configured certificate, action and log. Click Security Service > SSL Inspection > Profile to open this screen.
  • Page 321 Chapter 22 SSL Inspection Figure 199 Security Service > SSL Inspection > Profile
  • Page 322 Client 1 - sessions will not be processed (pass) by SSL inspection • Client 2 - RSA-2048 • Client 3 - ECDSA-256. Statistics Enable this to have the Zyxel Device collect SSL inspection statistics. Profile Management Click Add to create a new profile.
  • Page 323: Add / Edit Ssl Inspection Profiles

    Click Security Service > SSL Inspection > Profile > Add to create a new profile or select an existing profile and click Edit to change its settings. Figure 200 Security Service > SSL Inspection > Profile > Add / Edit
  • Page 324 They also appear in red in the Monitor > Log screen. Select this option to have the Zyxel Device send an alert for unsupported traffic that matches traffic bound to this policy. Untrusted cert chain
  • Page 325: Exclude List Screen

    Click Configuration > Security Service > SSL Inspection > Exclude List to display the following screen. Use Add to put a new item in the list or Edit to change an existing one or Remove to delete an existing entry.
  • Page 326 Use ‘\*’ to indicate a single wildcard character. Apply Click Apply to save your settings to the Zyxel Device. Reset Click Reset to return to the profile summary page without saving any changes.
  • Page 327: Certificate Update Screen

    Figure 202 SSL Inspection Certificate Update Overview Click Configuration > Security Service > SSL Inspection > Certificate Update to display the following screen. Figure 203 Configuration > Security Service > SSL Inspection > Certificate Update
  • Page 328: Install A Ca Certificate In A Browser

    Windows operating system (PC). First, save the certificate to your computer. Run the certificate manager using certmgr.msc. Go to Trusted Root Certification Authorities > Certificates.
  • Page 329 Chapter 22 SSL Inspection From the main menu, select Action > All Tasks > Import and run the Certificate Import Wizard to install the certificate on the PC.
  • Page 330 Click Tools > Options > Advanced > Encryption > View Certificates, click Import and enter the filename of the certificate you want to import. See the browser's help for further information.
  • Page 331: User & Authentication

    Change the Zyxel Device settings (web, CLI) WWW, SSH, FTP, Console viewer Look at the Zyxel Device settings (web, CLI) WWW, SSH, Console Perform basic diagnostics (CLI) Access Users user Access network services ext-user Extent user account
  • Page 332: User/Group User Summary Screen

    The sequence of members in a user group is not important. 23.1.2 User/Group User Summary Screen The User screen provides a summary of all user accounts. To access this screen, click User & Authentication > User/Group > User.
  • Page 333 - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-User Accounts on page 332 for more information about this type. Description This field displays the description for each user. Created Date This field displays the date the account is created.
  • Page 334: User Add/Edit Screen

    'BOB' not ‘bob’. • User names have to be different than user group names. To access this screen, go to the User screen, and click either the Add icon or an Edit icon.
  • Page 335 Chapter 23 User & Authentication Figure 205 User & Authentication > User/Group > User > Add/Edit (Local Administrator)
  • Page 336 This field is not available if you select the Extent User type. Enter a password that consists of 4 to 64 characters for this user account, including 0-9a-zA-Z’(){}<>^‘+/:!*#@&=$\.~%,|;-” Retype This field is not available if you select the Extent User type.
  • Page 337: User/Group Group Summary Screen

    The Group screen provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups. To access this screen, log in to the Web Configurator, and click User & Authentication > User/Group > Group. Figure 207 User & Authentication > User/Group > Group
  • Page 338 ), or dashes (-), but the first character cannot be a number. This value is case- sensitive. User group names have to be different than user names. Description Enter the description of the user group, if any. You can use up to 60 characters, punctuation marks, and spaces. USG FLEX H Series User’s Guide...
  • Page 339: User/Group Setting Screen

    Zyxel Device. You can also use this screen to specify when users must log in to the Zyxel Device before it routes traffic for them. To access this screen, log in to the Web Configurator, and click User & Authentication > User/Group > Setting.
  • Page 340 You can still manually configure any user account’s authentication timeout settings. Edit row Mouse-over an entry and click Edit row to modify the entry’s settings. Delete row Mouse-over an entry and click Delete row to delete an entry.
  • Page 341 If you do not select this, access users can log in as many times as they want as long as they use different IP addresses. Maximum number per access account Type the maximum number of simultaneous logins by each access user.
  • Page 342: User Authentication Overview

    RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external or built-in RADIUS server. RADIUS authentication allows you to validate a large number of users from a central location.
  • Page 343: AAA Server Overview

    23.3 AAA Server Overview You can use an AAA (Authentication, Authorization, Accounting) server to control access to your network. A Zyxel Device AAA server is a RADIUS server. Use the AAA Server screens to create and...
  • Page 344: RADIUS Server

    To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. References Select an entry and click References to open a screen that shows which settings use the entry. This field displays the index number.
  • Page 345: Adding A RADIUS Server

    Click User & Authentication > AAA Server > RADIUS Server Summary > Add to display the following screen. Use this screen to create a new RADIUS server entry or edit an existing one. Figure 213 User & Authentication > AAA Server > RADIUS Server Summary > Add
  • Page 346 Attribute Zyxel Device is to check to determine to which group a user belongs. If it does not display, select user-defined and specify the attribute’s number. This attribute’s value is called a group identifier; it determines to which group a user belongs.
  • Page 347: Two-Factor Authentication Overview

    The Zyxel Device requests the admin user’s user-name, password and mobile phone number or email address from the Active Directory, RADIUS server or local Zyxel Device database in order to authenticate this admin user.
  • Page 348: User Authentication Two-Factor Authentication

    • Maximum verification code failed attempts: 3 • Backup code length: 8 digits 23.4.1 User Authentication Two-Factor Authentication Use this screen to select the service (Web and SSH) that requires two-factor authentication for the admin user.
  • Page 349 Two-factor Authentication for Services: Select which services require Two-Factor Authentication for the admin user. Apply Click Apply to save the changes. Reset Click Reset to return the screen to its last-saved settings.
  • Page 350: System

    Zyxel Device system time must be accurate. The Zyxel Device’s Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server.
  • Page 351: Administration Settings

    HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the...
  • Page 352 Note: To allow an SSH connection to the Zyxel Device, add SSH in the Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL service group which defines the default services allowed in the WAN_to_Device security policy.
  • Page 353: Settings

    5.14 on page 84 for more information. 24.2.4 Settings Use this section to select a display language for the Zyxel Device’s Web Configurator screens. Click System > Settings to open the following screen.
  • Page 354 Chapter 24 System Figure 218 System > Settings
  • Page 355 The FTP port is 21 by default. You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
  • Page 356: SNMP

    Zyxel Device through the network. The Zyxel Device supports SNMP version one (SNMPv1), version two (SNMPv2c) and version 3 (SNMPv3). The next figure illustrates an SNMP management operation.
  • Page 357: SNMPv3 And Security

    • Trap - Used by the agent to inform the manager of some events. 24.3.1 SNMPv3 and Security SNMPv3 enhances security for SNMP management using authentication and encryption. SNMP managers can be required to authenticate with agents before conducting SNMP management sessions.
  • Page 358: Supported MIBs

    To change your Zyxel Device’s SNMP settings, click System > SNMP tab. The screen appears as shown. Use this screen to configure your SNMP settings, including from which zones SNMP can be used to access the Zyxel Device. You can also specify from which IP addresses the access can come.
  • Page 359 The default is public and allows all requests. SNMP V1 SNMP V2C Select the SNMP version for the Zyxel Device. The SNMP version on the Zyxel Device must match the version on the SNMP manager. SNMP Community
  • Page 360: Add SNMP V3 User

    Click Add under SNMP V3 User Configuration in System > SNMP to create an SNMPv3 user for authentication with managers using SNMP v3. Use the username and password of the login accounts you specify in this screen to create accounts on the SNMP v3 manager.
  • Page 361: DNS & DDNS

    DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
  • Page 362: DNS Server Address Assignment

    Resource Records (RR) obtained from a previous query (and kept for a period of time). If the Zyxel Device does not have the requested information, it can forward the request to DNS servers. This is known as recursion.
  • Page 363 Configure the Security Option Control section in the System > DNS & DDNS > DNS screen if you suspect the Zyxel Device is being used (either by hackers or by a corrupted open DNS server) in a DNS amplification attack.
  • Page 364 Chapter 24 System Figure 222 System > DNS & DDNS > DNS
  • Page 365 To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
  • Page 366: Address/PTR Record

    A PTR (pointer) record is also called a reverse record or a reverse lookup record. It is a mapping of an IP address to a domain name. 24.4.4 Adding an Address/PTR Record Click the Add icon in the Address/PTR Record table to add an IPv4 address/PTR record.
  • Page 367: CNAME Record

    This eliminates chances for errors and increases efficiency in DNS management. 24.4.6 Adding a CNAME Record Click the Add icon in the CNAME Record table to add a record. Use “*.” as a prefix for a wildcard domain name. For example *.zyxel.com.
  • Page 368: MX Record

    24.4.8 Adding a MX Record Click the Add icon in the MX Record table to add a MX record. Figure 225 System > DNS & DDNS > DNS > MX Record Add
  • Page 369: Domain Zone Forwarder

    Enter * if all domain zones are served by the specified DNS server(s). Type This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually (User-defined).
  • Page 370: Security Option Control

    24.4.12 Editing a Security Option Control Use this screen to change allow or deny actions for Query Recursion and Additional Info from Cache.
  • Page 371: The DDNS Screen

    The DDNS screen provides a summary of all DDNS domain names and their configuration. In addition, this screen allows you to add new domain names, edit the configuration for existing domain names, and delete domain names. Click System > DNS & DDNS > DDNS to open the following screen.
  • Page 372 -The DDNS server checks the source IP address of the packets from the Zyxel Device for the IP address to use for the domain name. custom - The IP address is static.
  • Page 373: The DDNS Add/Edit Screen

    Click System > DNS & DDNS > DDNS and then an Add or Edit icon to open this screen. Figure 229 System > DNS & DDNS > DDNS > Add/Edit
  • Page 374 Select the interface to use for updating the IP address mapped to the domain name. Select Any to let the domain name be used with any interface. Select None to not use a backup address.
  • Page 375: Notification

    Use this screen to configure a mail server so you can receive reports and notification emails such as when your password is about to expire. After you configure the screen, you can test the settings in...
  • Page 376 This box is effective when you select the SMTP Authentication check box. Type the user name to provide to the SMTP server when the log is emailed. Use up to 30 characters, including 0-9a-zA-Z@._-
  • Page 377: Alert

    Send Alerts to Type the email address to which alerts are delivered. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 378: Certificate Overview

    (Certificate Revocation List). The Zyxel Device can check a peer’s certificate against a directory server’s list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure).
  • Page 379: Verifying A Certificate

    Browse to where you have the certificate saved on your computer. Make sure that the certificate has a “.cer” or “.crt” file name extension.
  • Page 380: My Certificates

    HTTPS connection. 24.7 My Certificates Click System > My Certificates to open the My Certificates screen. This is the Zyxel Device’s summary list of certificates and certification requests. Figure 233 System > My Certificates
  • Page 381 This field displays the date that the certificate becomes applicable. Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired.
  • Page 382: The My Certificates Add Screen

    Certificates screen after you click Apply. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the Zyxel Device to enroll a certificate online. Figure 235 System > My Certificates > Add
  • Page 383 Server Authentication Select this to have Zyxel Device generate and store a request for server authentication certificate. Client Authentication Select this to have Zyxel Device generate and store a request for client authentication certificate.
  • Page 384: The My Certificates Edit Screen

    24.7.2 The My Certificates Edit Screen Click System > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name.
  • Page 385 This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same as the Subject Name field. “none” displays for a certification request.
  • Page 386: The My Certificates Import Screen

    The certificate you import replaces the corresponding request in the My Certificates screen. You must remove any spaces from the certificate’s filename before you can import it.
  • Page 387: Trusted Certificates

    Zyxel Device to accept as trusted. The Zyxel Device also accepts any valid certificate signed by a certificate on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certificates.
  • Page 388 This field displays the date that the certificate becomes applicable. Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired.
  • Page 389: The Trusted Certificates Edit Screen

    “Not trusted” in this field if any certificate on the path has expired or been revoked. Refresh Click Refresh to display the certification path. Name This field displays the identifying name of this certificate.
  • Page 390: The Trusted Certificates Import Screen

    Click System > Certificate > Trusted Certificates > Import to open the Import Trusted Certificates screen. Follow the instructions in this screen to save a trusted certificate to the Zyxel Device. Note: You must remove any spaces from the certificate’s filename before you can import the certificate.
  • Page 391 You cannot import a certificate with the same name as a certificate that is already in the Zyxel Device. Browse Click Browse to find the certificate file you want to upload. Click OK to save the certificate on the Zyxel Device.
  • Page 392: Log And Report

    Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. The Web Configurator saves the filter settings if you leave the Log/Events screen and return to it later.
  • Page 393 This field is a sequential value, and it is not associated with a specific log message. Time This field displays the time the log message was recorded. Category This field displays the log that generated the log message. It is the same value used in the Category field above.
  • Page 394: Log Settings Screen

    Note: Only connect one USB device. It must allow writing (it cannot be read-only) and use the FAT16, FAT32, EXT2, or EXT3 file system. To access this screen, click Log & Report > Log Settings.
  • Page 395 Consolidation Interval Type how often, in seconds, to consolidate log information. If the same log message appears multiple times, it is aggregated into one log message in the Count field in Log Category Setting.
  • Page 396: SecuReporter

    Zyxel Devices in order to identify anomalies, alert on potential internal / external threats, and report on network usage. You need to buy a license for SecuReporter for your Zyxel Device and register it at NCC.
  • Page 397 Slide the switch to the right under General Settings to enable SecuReporter. Do not go to the SecuReporter portal until after you have enabled SecuReporter on this Zyxel Device and applied the settings. You can also see the license status, type, and expiration date. Click Apply and wait.
  • Page 398 Select the categories of logs that you want this Zyxel Device to send to SecuReporter for analysis and trend spotting. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 399: Email Daily Report

    Note: Data collection may decrease the Zyxel Device’s traffic throughput rate. The following screens are an example of an email daily report. Figure 246 Email Daily Report: System Resource Usage Figure 247 Email Daily Report- Licensing
  • Page 400 Figure 249 Email Daily Report: DHCP Table Click Log & Report > Email Daily Report to display the following screen. Configure this screen to have the Zyxel Device email you system statistics at the specified time.
  • Page 401 Chapter 25 Log and Report Figure 250 Log & Report > Email Daily Report
  • Page 402 Schedule Select the time of the day the report is emailed. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 403: File Manager

    Once your Zyxel Device is configured and functioning properly, it is highly recommended that you back up your configuration file before making further configuration changes. The backup configuration file will be useful in case you need to return to your previous settings.
  • Page 404 • You can change the way the startup-config.conf file is applied. The Zyxel Device ignores any errors in the startup-config.conf file and applies all of the valid commands. The Zyxel Device still generates a log for any errors. Figure 251 Maintenance > File Manager > Configuration File
  • Page 405 Use this button to have the Zyxel Device send the selected configuration file to the configured email addresses. Click a configuration file’s row to select it and click Email to have the Zyxel Device mail that configuration file. The following screen displays.
  • Page 406 Set the Zyxel Device to back up its configuration file once a day at the specified hour and minute. Weekly Set the Zyxel Device to back up its configuration file once a week on the specified day, at the specified hour and minute.
  • Page 407: Firmware Management

    Zyxel Device will automatically use the (good) backup image to boot. 26.3.1 Cloud Helper Cloud Helper lets you know if there is a later firmware available on the Cloud Helper server and lets you download it if there is.
  • Page 408: The Firmware Management Screen

    Click the icon and then browse to the location of the unzipped files. The Zyxel Device will reboot automatically when it finishes uploading. 26.3.2 The Firmware Management Screen Click Maintenance > File Manager > Firmware Management to open the Firmware Management screen.
  • Page 409 Cloud Server. Release Date This displays the date the latest firmware version was made available. Release Note The release note contains details of the latest firmware version such as new features and bug fixes.
  • Page 410 Slide the switch to have the newly downloaded firmware become the running firmware after the Zyxel Device automatically restarts. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • Page 411: Diagnostics

    This screen also lists the files of diagnostic information the Zyxel Device has collected and stored on the Zyxel Device or in a connected USB storage device. You may need to send these files to customer support for troubleshooting.
  • Page 412 Busy on device: The Zyxel Device is generating a diagnostic file containing its own configuration and diagnostic information. Collect Now Click this to have the Zyxel Device run the uploaded script and create a new diagnostic file.
  • Page 413: The Packet Capture Screen

    (also known as a network or protocol analyzer) such as Wireshark. Figure 255 Maintenance > Diagnostics > Packet Capture
  • Page 414: The Packet Capture Edit Screen

    Click Maintenance > Diagnostics > Packet Capture > Edit to open the packet capture screen. Note: New capture files overwrite existing files of the same name. Change the File Suffix field’s setting to avoid this.
  • Page 415 Select interfaces for which to capture packets and click the right arrow button to move them to the right. IP Version Select the version of IP for which to capture packets. Select any to capture packets for all IP versions.
  • Page 416 storage only Select this to have the Zyxel Device only store packet capture entries on the Zyxel Device. The available storage size is displayed as well. Note: The Zyxel Device reserves some on board storage space as a buffer.
  • Page 417: The CPU / Memory Status Screen

    27.4 The CPU / Memory Status Screen Click Maintenance > Diagnostics > CPU / Memory Status to open the CPU/Memory Status screen. Use this screen to view the CPU and memory performance of various applications on the Zyxel Device.
  • Page 418 Chapter 27 Diagnostics Figure 257 Maintenance > Diagnostics > CPU / Memory Status
  • Page 419: The System Log Screen

    Click Maintenance > Diagnostics > System Log to open the System Log screen. This screen lists the files of diagnostic information the Zyxel Device has collected and stored on a connected USB storage device. You may need to send these files to customer support for troubleshooting.
  • Page 420: The Network Tool Screen

    This column displays the date and time that the individual files were saved. 27.6 The Network Tool Screen Use this screen to perform various network tests. Click Maintenance > Diagnostics > Network Tool to display this screen.
  • Page 421 “-w waittime” (where waittime is a time period in seconds) to set how long the Zyxel Device waits for a response to a probe before running another traceroute. Test Click this button to start the test. Reset Click this button to return the screen to its last-saved settings.
  • Page 422: Reboot

    Click Reboot to reboot the Zyxel Device without turning the power off. Click Shutdown to prepare the Zyxel Device to turn off. Wait for the PWR/SYS LED to turn off before you remove the Zyxel Device power cable. Figure 260 Maintenance > Reboot
  • Page 423: Part Iii: Appendices And Troubleshooting

    Appendices and Troubleshooting...
  • Page 424: Troubleshooting

    (such as a DSL modem) is working properly. • Check the WAN interface's status in the Dashboard. Use the installation setup wizard again and make sure that you enter the correct settings. Use the same case as provided by your ISP.
  • Page 425 The Zyxel Device checks the policy routes in the order that they are listed. So make sure that your custom policy route comes before any other routes that the traffic would also match. The Zyxel Device is not applying the custom security policy I configured.
  • Page 426 The Zyxel Device sent an alert that a malware-infected file has been found, but the file was still forwarded to the user and could still be executed.
  • Page 427 (reject-both, reject-receiver or reject-sender, drop, none in this order). If a packet matches a rule for reject-receiver and it also matches a rule for reject-sender, then the Zyxel Device will reject-both. The Zyxel Device’s performance seems slower after configuring DoS Prevention.
  • Page 428 • You may need to configure the DDNS entry’s IP Address setting to Auto if the interface has a dynamic IP address or there are one or more NAT routers between the Zyxel Device and the DDNS server.
  • Page 429 • The Zyxel Device and remote IPSec router must use the same active protocol. • The Zyxel Device and remote IPSec router must use the same encapsulation. • The Zyxel Device and remote IPSec router must use the same SPI.
  • Page 430 You can upload the firmware package to the Zyxel Device with the option enabled, so you only need to clear the Destroy compressed files that could not be decompressed option while you download the...
  • Page 431 The schedule I configured is not being applied at the configured times. Make sure the Zyxel Device’s current date and time are correct. I cannot get a certificate to import into the Zyxel Device.
  • Page 432 The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it.
  • Page 433 My Zyxel Device cannot assign correct IP addresses to DHCP clients in my LAN and DMZ. Make sure your Zyxel Device is the only device with DHCP server enabled in your network. The clients’ information I collected using device insight is not correct.
  • Page 434: Resetting The Zyxel Device

    Release the RESET button, and wait for the Zyxel Device to restart. You should be able to access the Zyxel Device using the default settings. 29.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.
  • Page 435: Appendix A Customer Support

    Corporate Headquarters (Worldwide) Taiwan • ZyXEL Communications (Taiwan) Co., Ltd. • https://www.zyxel.com Asia China • ZyXEL Communications Corporation–China Office • https://www.zyxel.com/cn/sc India • ZyXEL Communications Corporation–India Office • https://www.zyxel.com/in/en-in Kazakhstan • ZyXEL Kazakhstan • https://www.zyxel.com/ru/ru
  • Page 436 • ZyXEL Thailand Co., Ltd. • https://www.zyxel.com/th/th Vietnam • ZyXEL Communications Corporation–Vietnam Office • https://www.zyxel.com/vn/vi Europe Belarus • ZyXEL Communications Corp. • https://www.zyxel.com/ru/ru Belgium (Netherlands) • ZyXEL Benelux • https://www.zyxel.com/nl/nl • https://www.zyxel.com/fr/fr Bulgaria • ZyXEL Bulgaria
  • Page 437 • ZyXEL Hungary & SEE • https://www.zyxel.com/hu/hu Italy • ZyXEL Communications Italy S.r.l. • https://www.zyxel.com/it/it Norway • ZyXEL Communications A/S • https://www.zyxel.com/no/no Poland • ZyXEL Communications Poland • https://www.zyxel.com/pl/pl Romania • ZyXEL Romania • https://www.zyxel.com/ro/ro
  • Page 438 • ZyXEL Turkey A.S. • https://www.zyxel.com/tr/tr • ZyXEL Communications UK Ltd. • https://www.zyxel.com/uk/en-gb Ukraine • ZyXEL Ukraine • https://www.zyxel.com/ua/uk-ua South America Argentina • ZyXEL Communications Corp. • https://www.zyxel.com/co/es-co Brazil • ZyXEL Communications Brasil Ltda.
  • Page 439 • ZyXEL Communications Corp. • https://www.zyxel.com/co/es-co South America • ZyXEL Communications Corp. • https://www.zyxel.com/co/es-co Middle East Israel • ZyXEL Communications Corp. • https://il.zyxel.com North America • ZyXEL Communications, Inc. – North America Headquarters • https://www.zyxel.com/us/en-us
  • Page 440: Appendix B Product Features

    Device Login HTTPd Max. HTTPd Number Objects Address Object 1,000 Address Group Max. Address Object In One Group Service Object 1,000 1,000 Service Group Max. Service Object In One Group Schedule Object Schedule Group
  • Page 441 1024 1024 1024 1024 Max. Allow List Rule Max. Block List Rule DNS Threat Filter Max. Statistic Number 1024 1024 1024 1024 1024 1024 Max. Allow List Rule Max. Block List Rule IP Exception
  • Page 442 Concurrent File Collect Capability Upload File Size Up to 10MB per file Up to 10MB per file Up to 10MB per file Up to 10MB per file Up to 10MB per file Up to 10MB per file
  • Page 443: Appendix C Legal Information

    • Connect the equipment into an outlet on a circuit different from that to which the receiver is connected • Consult the dealer or an experienced radio/TV technician for assistance CANADA The following information applies if you use the product within Canada area ISED Statement CAN ICES-003 (B)/NMB-003(B)
  • Page 444 Do not leave a battery in an extremely high temperature environment or surroundings since it can result in an explosion or the leakage of flammable liquid or gas. • Do not subject a battery to extremely low air pressure since it may result in an explosion or the leakage of flammable liquid or gas.
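  • Page 445 recycling station. At the time of disposal, you contribute to a better environment and human health by disposing of it at a recycling point. Taiwan Safety Warnings - For your safety, please read the following warnings and instructions first: • Do not place this product near water or fire, or in a high-temperature environment. • Avoid exposing the device to: - Any liquid - Never let the device come into contact with water, rain, high humidity, sewage, corrosive liquids or other moisture. - Dust and dirt - Never expose the device to dust, dirt, sand, food or other unsuitable materials. • Do not install or service this device during a thunderstorm. There is a risk of electric shock.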
  • Page 446 To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at https://www.zyxel.com/global/en/support/warranty-information. Registration Register your product online at www.zyxel.com to receive email notices of firmware upgrades and related information.
  • Page 447 Appendix C Legal Information Trademarks ZyNOS (Zyxel Network Operating System) and ZON (Zyxel One Network) are registered trademarks of Zyxel Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
  • Page 448 - Install the power supply before connecting the power cable to the power supply. - Unplug the power cable before removing the power supply. - If the system has multiple sources of power, disconnect power from the system by unplugging all power cables from the power supply.
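  • Page 449 This is a Class A information product. When used in a residential environment, it may cause radio frequency interference, in which case the user will be required to take certain appropriate countermeasures. • To avoid electromagnetic interference, this product should not be installed or used in a residential environment. Safety Warnings - For your safety, please read the following warnings and instructions first: • Do not place this product near water or fire, or in a high-temperature environment. • Avoid letting the device come into contact with: - Any liquid - Never let the device come into contact with water, rain, high humidity, sewage, corrosive liquids, or other moisture. - Dust and dirt - Never let the device come into contact with dust, dirt, sand, food, or other unsuitable materials. • Do not install or service this device during a thunderstorm. There is a risk of electric shock. • Do not drop or strike the device, and do not use an incorrect power adapter. • Connecting an incorrect power adapter poses a risk of explosion. • Do not arbitrarily replace the battery inside the product. • There is a risk of explosion if the battery is replaced with an incorrect type. Dispose of used batteries according to the manufacturer's instructions. • Dispose of waste batteries at an appropriate electrical or electronic equipment recycling point. • Do not disassemble the device.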
  • Page 450 Open Source Licenses This product may contain in part some free software distributed under GPL license terms and/or GPL like licenses. To request the source code covered under these licenses, please go to: https://www.zyxel.com/form/gpl_oss_software_notice.shtml