• Web Configurator Online Help: Click the help icon in any screen for help in configuring that screen and supplementary information.
• More Information: Go to support.zyxel.com to find other information on Zyxel Device.
USG FLEX H Series User’s Guide...
Figures in this user guide may use the following generic icons. The Zyxel Device icon is not an exact representation of your device.
Icon labels: Zyxel Device, Generic Router, Wireless Router / Access Point, Switch, Firewall, Server, Internet, Network Cloud, Smartphone, USB Dongle.
2.1 Initial Setup Wizard Overview
2.1.1 Terms of Use/Privacy Policy/Firmware Upgrade Notification
2.2 Connect to the Internet
2.2.1 Interface Type - DHCP
2.2.2 Interface Type - Static
4.2.3 Resource Usage Screen
4.2.4 Bandwidth
4.2.5 Client Usage Screen
4.2.6 The Latest Logs Screen
4.3 The Security Screen
Part II: Technical Reference
Chapter 5 Monitor
6.1.5 Auto Update
Chapter 7 Interfaces
7.1 Interface Overview
7.1.1 What You Can Do in this Chapter
7.1.2 What You Need to Know
7.2 Interface Screen
10.1.2 What You Need to Know
10.2 The Bandwidth Management Configuration
10.2.1 The Bandwidth Management Add/Edit Screen
10.2.2 Adding Objects for the BWM Policy
10.3 Example: Prioritize a Specific Application
14.3.2 The Policy Control Add/Edit Screen
14.3.3 Example: Allow a Server to Ping the Zyxel Device Without Creating Logs
14.4 DoS Prevention Overview
14.4.1 The DoS Prevention Policy Screen
Chapter 17 Content Filtering
17.1 Overview
17.1.1 What You Can Do in this Chapter
17.1.2 What You Need to Know
17.2 Content Filtering General Screen
19.5 Anti-Malware Technical Reference
Chapter 20 Sandbox
20.1 Overview
20.1.1 What You Need to Know
20.2 Sandbox Screen
Chapter 21 IPS
21.1 Overview
25.1.1 What You Need To Know
25.1.2 User/Group User Summary Screen
25.1.3 User Add/Edit Screen
25.1.4 User/Group Group Summary Screen
25.1.5 User/Group Setting Screen
25.2 User Authentication Overview
26.4.8 Adding a MX Record
26.4.9 Domain Zone Forwarder
26.4.10 Adding a Domain Zone Forwarder
26.4.11 Security Option Control
26.4.12 Editing a Security Option Control
28.1.2 What you Need to Know
28.1.3 Configuration File Flow at Restart
28.2 The Configuration File Screen
28.2.1 Example: Back Up and Restore Zyxel Device Configuration
28.3 Firmware Management
32.3 Restarting the Zyxel Device
32.4 Getting More Troubleshooting Help
Appendix A Customer Support
Appendix B Product Features
Appendix C Legal Information
Index
Sandboxing Device Insight IP Exception SSL encrypted Bundled Security 1 year 1 year 1 year 1 year 1 year 1 year 1 year 1 year Feature License Management by Nebula Cloud Center Device HA
• Application Patrol
• Device Insight
• IPS (Intrusion Prevention System)
• Nebula Professional Pack
• Reputation Filter, including IP Reputation, URL Threat Filter, DNS Threat Filter services and External Blocking Lists (EBL) for these services
Please note that a trial license does not have a grace period.
1.4 Applications
These are some Zyxel Device application scenarios.
1.4.1 Security Router
Security includes a Stateful Packet Inspection (SPI) firewall.
In the following figure, user A can access both the Internet and an internal file server. User B has a lower level of access and can only access the Internet. User C is not even logged in, and so cannot access either the Internet or the file server.
You can manage the Zyxel Device in the following ways.
Web Configurator
The Web Configurator allows easy Zyxel Device setup and management using an Internet browser. This User’s Guide provides information about the Web Configurator.
The device can be monitored and/or managed by an SNMP manager. See Section 26.5 on page 443.
Management Authentication
Managers must be authenticated with a username and password, using one of:
• Local Zyxel Device authentication
HTTPS server, and it is recommended to keep this setting. The Login screen appears. Select a display language for the Zyxel Device’s web configurator screens in the upper right of the screen. The following are the languages supported at the time of writing.
Zyxel Device. The first layer is the VPN client/Zyxel Device’s login user name / password. The second layer is an authorized SMS (via mobile phone number) or email address. See Section 25.4 on page 411 for more information on two-factor authentication.
Select a display language for the Zyxel Device’s web configurator screens.
Web Console: Select this to display a Command Line Interface (CLI) in your browser. See the Command Line Interface Reference Guide for information on commands.
You will need to log in again using the new password.
Logout: Click this to log out of the Web Configurator.
About: Click About to display basic information about the Zyxel Device.
Figure 8 About
Type an entry in the Search box to find a menu item containing that entry. The following sections introduce the Zyxel Device’s navigation panel menus and their screens.
Table 5 Dashboard Menu Screens Summary
FOLDER OR LINK: FUNCTION
System: Collect and display the Zyxel Device system information, such as serial number, MAC address and CPU usage.
Security: Collect and display security event statistics.
Access VPN: Display and manage IPSec VPN connections from external users who want to access the networks behind the Zyxel Device.
SSL VPN Remote Access VPN: Display and manage SSL VPN connections from external users who want to access the networks behind the Zyxel Device.
Create and manage groups of addresses to apply to policies as a single object.
Geo IP: Update the database of country-to-IP address mappings and manually configure country-to-IP address mappings for geographic address objects that can be used in security policies.
IPS (Intrusion Prevention System) features. The Zyxel Device will not intercept nor inspect the incoming packets that match the rules in the IP exception list for the anti-malware and/or IPS (Intrusion Prevention System) features.
Create and manage the Zyxel Device’s certificates.
Trusted Certificates: Import and manage certificates from trusted sources.
Advanced System Parameters: Edit default Zyxel Device parameters such as UDP/ICMP timeout, ARP spoofing, device insight and LLDP.
Log & Report
1.6.5 Tables and Lists
Web Configurator tables and lists are flexible with several options for how to display their entries. Click a column heading to sort the table’s entries according to that column’s criteria.
Some screens may display an error message if there is a parsing or time-out error. Use Test in Maintenance > Firmware/File Manager > Configuration to see if the currently running configuration file has an error.
NCC, or click OK to apply or remove the security service feature. The Security profile sync will then be disabled on the NCC.
Figure 16 Warning When Adding or Editing A Security Service Feature
Figure 17 Warning When Removing A Security Service Feature
Click Next to configure the Zyxel Device settings with the initial setup wizard.
Note: You cannot proceed with the initial setup wizard if you do not select the check box.
Type a string using up to 63 of these characters a-zA-Z0-9!\"#$%&'()*+,-./:;<=>?@[]^_`{} to identify this Zyxel Device to the DHCP server. For example, Zyxel-TW.
• VLAN Tag: Enable to tag the traffic going out from the Zyxel Device.
DNS servers.
• VLAN Tag: Enable to tag the traffic going out from the Zyxel Device.
• VLAN ID: Enter a VLAN ID. This 12-bit number uniquely identifies each VLAN. Allowed values are 1-4080.
• Password: Enter the password associated with the user name. You can use up to 63 single-byte characters, including 0-9a-zA-Z-_@$ . /+ # ; :%\~^&*() "= {}[]|! ,<'>'. Spaces are not allowed. This field cannot be blank.
If your Zyxel Device cannot get the correct date and time, it may not be able to connect to a time server. Check the time server settings in System > Settings after you log into the Zyxel Device.
• Automatically add it by scanning the QR code to use the Nebula Mobile app.
• Manually add it by entering the Zyxel Device’s serial number and LAN MAC address at NCC. See the label at the back of the Zyxel Device for this information.
If you did not previously activate your service licenses at another Zyxel portal, then you must add your Zyxel Device to a site in an organization at in order to activate your Zyxel Device service licenses, including SecuReporter, perform firmware upgrades and avail of remote support through Nebula.
You will also see a warning message to remind you to register your Zyxel Device every time you log into the web configurator. Please note that you will only see the warning message if you log in using an admin account.
Figure 26 Register Warning Message
• Expired: The service license has expired. Go to NCC > Organization-wide > License & Inventory to renew your license.
2.6 Subnet Planning
You must register your Zyxel Device to an organization and site in the Nebula Control Center (NCC) to see this screen.
Note: If you apply Yes, let Nebula adjust subnets of ge3/ge4, your computer will be temporarily disconnected from the Zyxel Device. Wait 10 seconds for the Zyxel Device to apply the IP address assigned by the NCC.
Note: If you want to run the initial wizard again, you must reset the Zyxel Device. Make sure to back up your current configuration first as you will lose all web configurator settings after the reset.
Figure 30 Finish
Ethernet ports. Each device that receives power through an Ethernet port is a Powered Device (PD). A Powered Device (PD) is a device that receives power through PoE, such as an IP camera, a wireless router, an IP telephone or a general outdoor router.
Type 2
Switch Port Power
IEEE Power Classification: Class 0, 1, 2, 3 | Class 4
Maximum Power Per Port: 15.4 W | 30 W
Port Voltage Range: 44 - 57 V | 50 - 57 V
Cables
Figure 33 USG FLEX 50HP Front Panel
Figure 34 USG FLEX 100H Front Panel
Figure 35 USG FLEX 100HP Front Panel
Figure 36 USG FLEX 200H Front Panel
Figure 37 USG FLEX 200HP Front Panel
The Zyxel Device is sending or receiving packets on this port at 1 Gbps. Amber This port has a successful 100 Mbps link. Blinking The Zyxel Device is sending or receiving packets on this port at 100 Mbps. There is no connection on this port.
The Zyxel Device PWR/SYS LED will blink green while booting up. Connect a storage device for system logs and storage. P1-P8 (USG FLEX These are Multi-Gigabit 1G/2.5G/10G RJ-45 Ethernet ports. 200H / 200HP) P1-P12 (USG FLEX 500H / 700H)
The connection ports are located on the rear panel.
Figure 40 USG FLEX 50H Rear Panel
Figure 41 USG FLEX 50HP Rear Panel
Figure 42 USG FLEX 100H Rear Panel
Figure 43 USG FLEX 100HP Rear Panel
The fans are for cooling the Zyxel Device. Make sure they are not obstructed to allow maximum ventilation.
Lock: Attach a lock-and-cable from the Kensington lock (the small, metal-reinforced, oval hole) to a permanent object, such as a pole, to secure the Zyxel Device in place.
The DB-9 connector pins are as follows.
Figure 49 DB-9 Connector Pins
These are the cable pinouts for RJ-45 to DB-9.
Table 18 Cable Pinouts for RJ-45 to DB-9
SIGNAL CONSOLE PORT RJ-45 PIN DB-9 PIN SIGNAL 1, 9
Overheating could affect the performance of your Zyxel Device, or even damage it.
3.2.1 Desktop Installation Procedure
Make sure the Zyxel Device is clean and dry. Remove the adhesive backing from the rubber feet.
Align one bracket with the holes on one side of the Zyxel Device and secure it with the included bracket screws (smaller than the rack-mounting screws). Attach the other bracket in a similar fashion.
Drill into a wall two holes 3 mm – 4 mm (0.12" – 0.16") wide, 20 mm – 30 mm (0.79" – 1.18") deep and a distance X (see the preceding table) apart. Place two screw anchors in the holes.
Note: Make sure the screws are securely fixed to the wall and strong enough to hold the weight of the Zyxel Device with the connection cables. Use the holes on the bottom of the Zyxel Device to hang the Zyxel Device on the screws.
Figure 54 Wall Mounting
• USG FLEX 200HP
• USG FLEX 500H
Use a screwdriver to remove the power cord lock and the screw from the Zyxel Device. Attach the Zyxel Device power cord through the power cord lock.
Use the screwdriver to secure the power cord lock and the screw with the power cord to the hole next to the power socket.
3.3.2 Procedure B
Follow this procedure for:
• USG FLEX 700H
Insert Cable Clamp A into the case hole.
Open Cable Clamp B and attach it to the power cord. Make sure Cable Clamp B covers the head of the power cord. Close Cable Clamp B to secure the power cord to the power socket.
The System screen displays general device information, system resource usage, and interface status in widgets that you can re-arrange to suit your needs. You can also click the refresh icon to refresh individual widgets.
This field displays the MAC addresses used by the Zyxel Device. Each physical port has one MAC address. The first MAC address is assigned to physical port 1, the second MAC address is assigned to physical port 2, and so on.
This field displays how long the Zyxel Device has been running since it last restarted or was turned on.
System Time: This field displays the current date and time in the Zyxel Device. The format is yyyy-mm-dd hh:mm:ss.
(system-default.conf). See Section 28.1.3 on page 483 for more information on configuration file flow at restart.
Hover your cursor over a connected interface or slot to display status details. The following labels display when you hover your cursor over a connected interface or slot.
You may ignore it, and observe the long-term usage.
Memory: This field displays what percentage of the Zyxel Device’s RAM is currently being used. Click this field to display a chart of the Zyxel Device’s recent total, system and fastpath memory usage.
If you disconnect the USB storage device from the Zyxel Device, you can then click Connect to reconnect the USB storage device.
4.2.4 Bandwidth
This screen displays a line graph of packet statistics for each interface.
This field displays the number of interfaces on the Zyxel Device that have the DHCP server enabled.
4.2.6 The Latest Logs Screen
In this screen click The Latest Logs to go to Log & Report > Log / Events.
You need to renew the license in order to keep using the feature. Click Buy Now to go to Marketplace to purchase a new license. Click See Details to go to the Zyxel web page to find more information on licenses for your Zyxel Device.
• The number of scanned files for sandbox.
• Top 5 applications that are used the most
• Top 5 Categories that are detected the most
Click the Refresh icon to update the information in the window right away.
101) to display and manage active IPSec SAs.
• Use the VPN Status > IPSec VPN > Remote Access VPN screen (Section 5.17.2 on page 102) to display and manage remote access VPN clients.
Click Traffic Statistics > Application Usage to display the following screen. This screen displays usage by application type or the IP addresses of hosts in your network.
Figure 64 Traffic Statistics > Usage by Application
This is the name of the host identified.
MAC Address: This is the MAC address of the host device.
Usage: This is how much traffic the host has used.
%Usage: This is the percentage of traffic the host has used.
Click TX to show or hide the TX line in the chart. This line represents the traffic received by the Zyxel Device on the selected physical port since it was last connected. Click RX to show or hide the RX line in the chart.
The Session Monitor screen displays all established sessions that pass through the Zyxel Device for debugging or statistical analysis. It is not possible to manage sessions in this screen. The following information is displayed.
, click + to display Add Filter, pick a filter, then click Search to display specific sessions according to the filter selected. You may select multiple filters, but just one of each type, configured one at a time.
Click Buy Now to go to Marketplace to purchase a new license. Click See Details to go to the Zyxel web page to find more information on licenses for your Zyxel Device. These screens display some basic statistics on HTTP(S) traffic scan and DNS domain scan.
This column displays whether the Zyxel Device blocks or passes the accessed URL or FQDN.
URL/Domain: This column displays the URL or domain name of the web site accessed.
Profile: This column displays the content filter profile the website belongs to.
Details to go to the Zyxel web page to find more information on licenses for your Zyxel Device.
5.7.1 IP Reputation
This screen displays IP reputation statistics. IP reputation checks the reputation of an IP address from a database.
Figure 72 Security Statistics > Reputation Filter > IP Reputation
This screen displays DNS threat filter statistics. DNS threat filtering inspects DNS queries made by clients on your network and compares the queries against a database of blocked or allowed Fully Qualified Domain Names (FQDNs).
This field displays the FQDN of an infected website.
Category: This field displays the category of the entry.
Source IP: This field displays the source IP address of traffic that you want to trace.
This field displays the date and time the entry was created.
+ Allow List: Select an entry and click this to add it to the URL Threat filtering allow list.
This field displays the URL of an infected website.
If you want to view more data than the past 24 hours in SecuReporter, click View More. You should already have a SecuReporter account.
Pie Chart: Click an item in the pie chart for more detailed information.
Click Buy Now to go to Marketplace to purchase a new license. Click See Details to go to the Zyxel web page to find more information on licenses for your Zyxel Device.
This column displays when you display the entries by Virus Name. This displays the name of a detected virus.
Hash: This column displays a hash value, MD5 (Message Digest 5), of the detected virus file. MD5 is a hash algorithm used to authenticate packet data.
If you want to view more data than the past 24 hours in SecuReporter, click View More. You should already have a SecuReporter account.
Pie Chart: Click an item in the pie chart for more detailed information.
5.11.1 The Summary Screen
Click Security Statistics > SSL Inspection > Summary to display the following screen. This screen shows the number of SSL sessions inspected, blocked and passed.
This shows the number of kilobytes (KB) of data that was re-encrypted after Security Service inspection and then forwarded.
Blocked: This shows the number of SSL sessions blocked.
Passed: This shows the number of SSL sessions passed.
This displays the cache item expiry time in seconds. The cache item is deleted when the remaining time expires.
5.12 The Interface Screen
This screen lists all of the Zyxel Device’s interfaces and their information. Click Network Status > Interface to display the following screen.
When you create a bridge interface, the Zyxel Device removes the members' entries from the routing table and adds the bridge interface's entries to the routing table. This field displays the bridge interface's members.
Type: This field displays the type of connection the interface is using.
IPSec VPN or Astra clients with or without VPN Zyxel Client software installed. The clients shown may include clients connected to the Zyxel Device:
• Using wired connections.
• Through access points (APs) using wired connections.
• Through access points (APs) using WiFi connections.
Click Buy Now to go to Marketplace to purchase a new license. Click See Details to go to the Zyxel web page to find more information on licenses for your Zyxel Device.
This field displays the interface to which a client is directly connected on the Zyxel Device.
Connected to: This field displays the interface to which a client is directly connected on the Zyxel Device.
Operating System (OS): This field displays the operating system of the client.
None: A standard or trial license has not been enabled.
5.14 The Login Users Screen
Use this screen to see a list of users currently logged into the Zyxel Device. To access this screen, click Network Status > Login Users.
Note: A user account that has exceeded the login attempt limit can still log into the Zyxel Device from another IP address that is not blocked. To access this screen, click Network Status > Login Users > Lockout IPs.
5.16 The DHCP Table Screen
Use this screen to look at a list of interfaces and their DHCP-assigned IP addresses. To access this screen, click Network Status > DHCP Table.
Figure 85 Network Status > DHCP Table
IP address is reserved. The MAC address format can be "xx:xx:xx:xx:xx:xx" or "xx-xx-xx-xx-xx-xx".
VLAN ID: This field displays the VLAN to which the IP address belongs, if any.
Expire Time: This displays the date and time the DHCP-assigned address will be renewed.
This field displays the IP address of the Zyxel Device.
Policy Route: This field displays the content of the local and remote policies for this IPSec SA. The IP addresses, not the address objects, are displayed.
Inbound (Bytes): This field displays the number of bytes received by the Zyxel Device on this connection.
Outbound (Bytes): This field displays the number of bytes transmitted by the Zyxel Device on this connection.
VPN connection named “testabc” would match. There could be any number (of any type) of characters in front of the “abc” at the end and the VPN connection or policy name would still match. A VPN connection or policy name named “testacc” for example would not match.
“abc” and ending in “123” matches, no matter how many characters are in between. The whole VPN connection or policy name has to match if you do not use a question mark or asterisk.
You can use the following Zyxel Device features without a license:
Table 50 Features Available Without a License
MONITOR CONFIGURATION MAINTENANCE System Statistics Network Maintenance Network Status VPN Status Security Policy Object User & Authentication
Purchase License: Click Purchase License to go to Marketplace to renew Zyxel Device licenses.
Licenses Information
Service: This lists the name of services or service modules that are available on the Zyxel Device.
Scan the QR code or click Nebula under Note to register your Zyxel Device at NCC. Please note that you need to register your Zyxel Device at NCC to upgrade firmware and use security services.
This field displays the type of service engine used by the Zyxel Device.
Current Version: This field displays the signatures version number currently used by the Zyxel Device. This number gets larger as new signatures are added.
) of a service to display the following screen. Use this screen to view the service update status.
Figure 92 Licensing > Signature Update > Update > Update
6.1.5 Auto Update
Click the Schedule icon of a service to display the following screen.
Select this option to have the Zyxel Device check for new signatures once a week on the day and at the time specified. Click this button to save your changes to the Zyxel Device.
• Many interfaces can share the same physical port.
• An interface belongs to at most one zone.
• Many interfaces can belong to the same zone.
Types of Interfaces
You can create several types of interfaces in the Zyxel Device.
Table 55 Features Per Interface Type
ROLES EXTERNAL INTERNAL GENERAL Characteristics Ethernet PPPoE Ethernet Bridge Ethernet VLAN VLAN VLAN Bridge Bridge Configurable Zone Static IP address DHCP client DHCP server/relay Default SNAT Packet size (MTU) Connectivity Check
MAC address is located, it sends the packet to that port. If the destination MAC address is not in the table, the bridge broadcasts the packet on every port (except the one on which it was received).
In this example, virtual Ethernet interface lan1:1 is also removed from the routing table when lan1 is added to br0. Virtual interfaces are automatically added to or removed from a bridge interface when the underlying interface is added or removed.
Zyxel Device uses the one that was set up first (the first entry in the routing table). In PPPoE interfaces, the other computer is the gateway for the interface by default. In this case, you should specify the metric.
DHCP clients. You can specify each IP address manually (for example, a company’s own DNS server), or you can refer to DNS servers that other interfaces received from DHCP servers (for example, a DNS server at an ISP). These other interfaces have to be DHCP clients.
In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router. Alternatively, you can divide the physical networks into three VLANs.
Otherwise, VLAN interfaces are similar to other interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions. They restrict bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available.
The following warning appears if Nebula VPN is enabled and you are removing an interface. This may disrupt Nebula VPN. Ensure you do not remove a subnet interface that is participating in the organization’s VPN in the NCC.
Figure 98 Interface Removal Warning
This field displays the current IP address and the subnet mask of the interface. If this field is empty, the interface does not have an IP address yet.
VLAN ID: This field displays the VLAN ID which is a 12-bit number that uniquely identifies each VLAN.
This field displays the Ethernet interfaces and VLAN interfaces in the bridge interface. It is blank for virtual interfaces.
Reference: This field displays how many objects this entry uses.
Edit: Select an entry and click Edit to open a screen where you can modify the entry’s settings.
The more routing information is exchanged, the more efficient the routers should be. However, the routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management.
Select the zone to which this interface is to belong. You use zones to apply security settings such as security policy, IPS, remote management, anti-malware, and application patrol. Make sure to select the correct zone as otherwise traffic may be blocked by a security policy.
Page 125
Click this to add a new interface. You can add up to eight interfaces to per bridge interface. Remove To remove an interface from the bridge interface, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. USG FLEX H Series User’s Guide...
Page 126
Enter the number of seconds to wait for a response before the attempt is a failure. Check Fail Tolerance Enter the number of consecutive failures before the Zyxel Device stops routing through the gateway. USG FLEX H Series User’s Guide...
Unlike other types of interfaces, you cannot create new Ethernet interfaces nor can you delete any of them. If an Ethernet interface does not have any physical ports assigned to it, the Ethernet interface is effectively removed from the Zyxel Device, but you can still configure it.
The more routing information is exchanged, the more efficient the routers should be. However, the routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management.
Enter the secondary IP address and subnet mask to bind to this interface.
Members: This is available when you select Bridge interface type. Click this to add a new interface. You can add up to eight interfaces per bridge interface.
DHCP Extended Options: This table is available if you selected DHCP server. Configure this table if you want to send more information to DHCP clients through DHCP packets.
Select Any if you want the check to pass if at least one of the domain names or IP addresses responds. Select All if you want the check to pass only if both domain names or IP addresses respond.
Interface Parameters
Use a general interface to connect to either a local network or an external network. If you prefer not to use the automatic settings applied to Internal or External interfaces, you can create a General interface to specify routing policy, SNAT, and security rules.
General is for connecting to either an external network or a local network. The rest of the screen’s options do not automatically adjust and you must manually configure a policy route to add routing and SNAT settings for the interface.
Enter the IP address and the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers on the network.
If this field is blank, the Pool Size must also be blank. In this case, the Zyxel Device can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address.
This field is optional. Enter the IP address of another DHCP server for the network.
Upstream Interface: This field is optional. Select up to two interface(s) for the Zyxel Device to use to forward/receive DHCP packets to/from the DHCP server.
DHCP option you select in this screen. To open the screen, click Network > Interface > Internal/General > Edit, select DHCP Mode in the DHCP Server section, and then click Add or Edit in the DHCP Extended Options table.
CODE DESCRIPTION
Time Offset: This option specifies the offset of the client's subnet in seconds from Coordinated Universal Time (UTC).
Time Server: This option specifies a list of Time servers available to the client.
In the following example, configure VPN tunnels with static IP addresses or DNS on both Zyxel Devices (or IPSec routers at the end of the tunnel). Also configure VTI and a trunk on both Zyxel Devices.
Note: You should have created a route-based VPN tunnel for a VPN Tunnel Interface scenario first. To access this screen, click Network > Interface > Interface > VTI > Edit. The following screen appears.
Zyxel Device stops routing to the gateway. The Zyxel Device resumes routing to the gateway the first time the gateway passes the connectivity check.
Enable: Select this to turn on the connection check.
ISP) set to passive. This way VoIP traffic goes through the interface connected to the VoIP service provider whenever the interface’s connection is up. Throughput is the moving average of traffic passing through the Zyxel Device in the last 10 seconds, updated every 1 second.
WAN interfaces are different. Similar to the Round Robin (RR) algorithm, the Weighted Round Robin (WRR) algorithm sets the Zyxel Device to send traffic through each WAN interface in turn. In addition, the
(Section 7.7.2 on page 149) to configure the load balancing algorithm for the system default trunk.
7.6.1 What You Need to Know
• Add WAN interfaces to trunks to have multiple connections share the traffic load.
7.7 The Trunk Summary Screen
Click Network > Interface > Trunk to open the Trunk screen. The following screen lists the configured trunks and the load balancing algorithm that each is configured to use.
7.7.1 Configuring a User-Defined Trunk
Click Network > Interface > Trunk, then in the User-Defined Trunk table click the Add (or Edit) icon to open the following screen. Use this screen to create or edit a WAN trunk entry.
Select an entry and click Edit to modify the entry’s settings.
Remove: To remove a member interface, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Name: Select an interface name from the drop-down list box.
2:1, the Zyxel Device chooses wan1 for 2 sessions’ traffic and wan2 for 1 session’s traffic in each round of 3 new sessions. The table lists the trunk’s member interfaces. This table is read-only.
Click Cancel to return the screen to its last-saved settings.
7.8 Port
Use this screen to configure port settings. Click Network > Interface > Port in the navigation panel to display the configuration screen.
This field displays the name of the port.
Status: This field displays the speed and the duplex mode of the Ethernet connection on the port.
Type: This field displays the cable type that is used on the port.
Select an entry and click this icon to delete it.
Save Changes: Click this icon to save the changes in this row.
Cancel Changes: Click this icon to cancel the changes in this row.
Policy Routing
Traditionally, routing is based on the destination address only and the Zyxel Device takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing
The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The following figure illustrates the DS field.
DSCP (6 bits) | Unused (2 bits)
IP protocol (ICMP, UDP, TCP, etc.) and port. The actions that can be taken include:
• Routing the packet to a different gateway, outgoing interface, VTI interface, or trunk.
Figure 116 Network > Routing > Policy Route
This is the name of the source IP address (group) object, including geographic address and FQDN (group) objects. any means all IP addresses.
Destination: This is the name of the destination IP address (group) object, including geographic and FQDN (group) address objects. any means all IP addresses.
Click Network > Routing to open the Policy Route screen. Then click the Add or Edit icon. The Add Policy Route or Policy Route Edit screen opens. Use this screen to configure or edit a policy route.
Zyxel Device itself. For an interface, a tunnel, or an SSL VPN, you also need to select the individual interface, VPN tunnel, or SSL VPN connection.
Source Address: Select a source IP address object, including geographic address and FQDN (group) objects, from which the packets are sent.
Zyxel Device's interface(s).
Trunk: This field displays when you select trunk in the Type field. Select a trunk group to have the Zyxel Device send the packets via the interfaces in the group.
Table 78 Network > Routing > Static Route
LABEL DESCRIPTION
Click this to create a new static route.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Zyxel Device's interface(s). The gateway helps forward packets to their destinations. Gateway Select the radio button to route the matched IPv6 packets through a 6to4 tunnel to the Object packets’ destination.
0~127. In practice, 2 or 3 is usually a good number.
Apply: Click Apply to save your changes back to the Zyxel Device.
Cancel: Click Cancel to return the screen to its last-saved settings.
166) to view and manage the list of NAT rules and see their configuration details. You can also create new NAT rules and edit or delete existing ones.
9.1.2 What You Need to Know
NAT is also known as virtual server, port forwarding, or port translation.
Interim Mail Access Protocol (IMAP) SNMP Border Gateway Protocol (BGP) TCP/UDP Lightweight Directory Access Protocol (LDAP) HTTPS Microsoft - DS LDAP over TLS/SSL (LDAPS) BIND DNS FTP over TLS/SSL (FTPS) POP3 over TLS/SSL (POP3S)
The LAN user’s computer then sends traffic to IP address 1.1.1.1. NAT loopback uses the IP address of the Zyxel Device’s LAN interface (192.168.1.1) as the source address of the traffic going from the LAN users to the LAN SMTP server.
Figure 122 LAN to LAN Traffic
NAT rules and edit and delete existing NAT rules. To access this screen, log in to the Web Configurator and click Network > NAT. The following screen appears, providing a summary of the existing NAT rules.
Figure 124 Network > NAT
The NAT Add/Edit screen lets you create new NAT rules and edit existing ones. To open this window, open the NAT summary screen. (See Section 9.2 on page 166.) Then, click on an Add icon or Edit icon to open the following screen.
One many 1:1 NAT rule works like multiple 1:1 NAT rules, but it eases configuration effort since you only create one rule.
Incoming Interface: Select the interface on which packets for the NAT rule must be received. It can be an Ethernet, VLAN or bridge interface.
This field is available if Mapping Type is Ports. Enter the beginning of the range of original destination ports this NAT rule supports.
External End Port: This field is available if Mapping Type is Ports. Enter the end of the range of original destination ports this NAT rule supports.
A warning message will pop up when you click OK. If you click No in the warning message, the rule will apply to the Zyxel Device. You will not be able to access the web configurator through this interface.
• The upload traffic flows from the connection initiator to the connection responder.
• The download traffic flows from the connection responder to the connection initiator.
For example, a LAN1 to WAN connection is initiated from LAN1 and goes to the WAN.
• The Zyxel Device uses a priority queueing scheduler to divide bandwidth among traffic flows with the same priority.
• The Zyxel Device automatically treats traffic with bandwidth management disabled as priority 7 (the lowest priority).
The default bandwidth management policy is the one with the priority of “default”. It is the last policy the Zyxel Device checks if traffic does not match any other bandwidth management policies you have configured. You cannot remove, activate, deactivate or move the default bandwidth management policy.
(group) objects, for whom this policy applies. If any displays, the policy is effective for every source.
Destination: This is the destination address or address group, including geographic address and FQDN (group) objects, for whom this policy applies. If any displays, the policy is effective for every destination.
To access this screen, go to the Network > BWM screen (see Section 10.2 on page 173), and click either the Add icon or an Edit icon.
Figure 129 Network > BWM > Edit (For the Default Policy)
Select a destination address or address group, including geographic address and FQDN (group) objects, for whom this policy applies. Use Create new Object if you need to configure a new one. Select any if the policy is effective for every destination.
If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth.
Type a password for the user object. The password can consist of alphanumeric characters, the underscore, and some punctuation marks (+-/*= :; .! @$&%#~ ‘ \ () ), and it can be up to eight characters long.
Retype: Retype the password to confirm.
()+/:+?!*#@$_%- characters, and it can be up to 60 characters long.
Member List: Select the users or user groups that will be in this user group.
Save: Click Save to save the setting.
Cancel: Click Cancel to return the screen to its last-saved settings.
Click Save to save the setting.
Cancel: Click Cancel to return the screen to its last-saved settings.
10.2.2.4 Address Group Objects
Figure 134 Network > BWM > Create New Object > Add Address Group
Go to Network > BWM. Click Add to create a bandwidth management rule using the parameters given in Table 91 on page 181. Select Teams under Application Group. Click Apply to save your changes.
Chapter 10 BWM (Bandwidth Management)
The traffic for Teams is now at the highest priority to use the Zyxel Device bandwidth.
When the active interface’s connection fails, the client needs to re-initialize the connection through the second interface (that was set to passive) in order to have the connection go through the second interface.
• Configure the port numbers to which they apply.
Note: If the Zyxel Device provides an ALG for a service, you must enable the ALG in order to use the application patrol on that service’s traffic.
Select this option to have the Zyxel Device apply SIP media and signaling inactivity time out limits. These timeouts will take priority over the SIP session time out “Expires” value in a SIP registration response packet.
A signaling connection is used to set up the SIP connection. Signaling Connection Enable this if you want signaling connections to only arrive from the IP address(es) you registered with. Signaling connections from other IP addresses will be dropped.
Diffie–Hellman key exchange algorithm to generate a shared secret key to encrypt IKE communications. This negotiation results in one single bi-directional ISAKMP Security Association (SA). The authentication can be performed using either pre-
To set up an IKE SA, you have to specify the IP addresses of the Zyxel Device and remote IPSec router. You can usually enter a static IP address or a domain name for either or both IP addresses. Sometimes,
Some Zyxel Devices also offer stronger forms of AES that apply 192-bit or 256-bit keys to 128-bit blocks of data. In most Zyxel Devices, you can select one of the following authentication algorithms for each proposal. The algorithms are listed in order from weakest to strongest.
Remote IPSec router identity, consisting of
- ID type
You have to create (and distribute) a pre-shared key. The Zyxel Device and remote IPSec router use it in the authentication process, though it is not actually transmitted or exchanged.
This section provides more information about IKE SA.
Negotiation Mode
There are two negotiation modes for IKEv1--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster. Main mode takes six steps to establish an IKE SA.
• Configure the NAT router to forward packets with the extra header unchanged. (See the field description for detailed information about the extra header.) The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the Zyxel Device and remote IPSec router support.
Note: The Zyxel Device and remote IPSec router must use the same encapsulation. These modes are illustrated below.
Figure 141 VPN: Transport and Tunnel Mode Encapsulation
Original Packet: IP Header | TCP Header | Data
For authentication, the Zyxel Device and remote IPSec router use the SPI, instead of pre-shared keys, ID type and content. The SPI is an identification number.
Note: The Zyxel Device and remote IPSec router must use the same SPI.
Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE SA first.
VPN connection (each IPSec SA). Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
To access this screen, go to the VPN > Site to Site VPN screen, and click either the Add icon or an Edit icon. Select Site-to-Site in VPN > Site to Site VPN > Add/Edit > Scenario > Type to create a VPN rule using the wizard.
None/ Local Site: The remote IPSec device has a static IP address or a domain name. This Zyxel Device can initiate the VPN tunnel.
Remote Site: The remote IPSec device has a dynamic IP address. Only the remote IPSec device can initiate the VPN tunnel.
Go to Security Policy > Policy Control to make sure that a security policy will not block traffic going to the zone you select.
12.3.1.3 Authentication
Use this screen to configure the authentication type and settings.
Use this screen to configure the IP addresses of the computer on your network and the computer behind the remote IPSec device.
Figure 147 VPN > Site to Site VPN > Add/Edit > Policy & Routing (Route-Based)
This must match the local IP address configured on the remote IPSec device.
12.3.1.5 Summary
Use this screen to view a summary of the VPN tunnel configurations. You can click Edit to change the VPN tunnel configuration settings.
VPN rule with advanced settings. See Section 12.1 on page 187 for more information on phase 1 and phase 2 settings; see Section 12.2 on page 188 for more information on IKE SA proposals.
Type the IP address of a computer on your network that can use the tunnel. You can also specify a subnet. This must match the remote IP address configured on the remote IPSec device.
If the Zyxel Device and remote IPSec router use certificates, there is one more choice.
Subject Name - the remote IPSec router is identified by the subject name in the certificate
Phase 1 Settings
This establishes a secure tunnel between the Zyxel Device and the peer site.
Zyxel Device transmits the data. If the remote IPSec router does not respond, the Zyxel Device shuts down the IKE SA. This field applies for IKEv1 only. DPD is always performed when you use IKEv2.
The Zyxel Device and the remote IPSec router must both have at least one proposal that uses the same encryption and the same key. Longer keys are more secure, but require more processing power, resulting in increased latency and decreased throughput.
IP address (192.168.168.0/24) for Phase 2. NAT rules need to be configured to translate the source IP addresses of sites A and B to an IP address in the 192.168.168.0/24 range before entering the IPsec tunnel.
Mapped IP). After data exits the VPN tunnel, router B translates the destination IP address (set in Mapped IP) back to the Origin IP.
Note: The Mapped IP of IPSec router A and B must not be in conflict.
Figure 152 Policy Based VPN - 1:1 NAT Example Scenario
SecuExtender VPN client installed on his device and uses a supported computer operating system. Make sure the settings configured on the IPSec VPN client match the settings you configured on the Zyxel Device. Click VPN > IPSec VPN > Remote Access VPN to open the following screen.
Enter an IPv4 address in CIDR notation, for example, type 192.168.1.1/24. Traffic going to the Internet from this IP address is encrypted. Traffic going to the Internet from the remote client does not go through the Zyxel Device and is not encrypted.
Client Network
SHA is generally considered stronger than MD5, but it is also slower. The Zyxel Device and the remote IPSec router must both have a proposal that uses the same authentication algorithm.
Set a VPN user name and password, then click Apply to save your changes. Note down the account name and password for the home user who will use this for future remote access authentication.
Chapter 12 IPSec VPN
To configure SSL VPN on the Zyxel Device, go to VPN > SSL VPN.
Select the user account you created in step 2 to allow SSL VPN access.
Click Apply to save the changes.
To allow the Zyxel Device to access VPN traffic from WAN, go to Object > Service > Service Group. Select Default_Allow_WAN_To_ZyWALL and click Edit.
Search for SSL VPN under Available and click > to add it to the allow list of traffic from the WAN to the Zyxel Device. Then, click Apply to save the changes.
IKEv2
Go to User & Authentication > User/Group > User, and click Add under User to create a VPN user account.
Set a VPN user name and password, then click Apply to save your changes. Note down the account name and password for future remote access authentication.
To configure IKEv2 VPN on the Zyxel Device, go to VPN > IPSec VPN > Remote Access VPN and enable IKEv2 VPN.
Internet through the Zyxel Device.
User: Select the user account you created in step 2 to allow IKEv2 VPN access.
Click Apply to save your changes. Send authentication details to the home user.
Gateway Address: Enter the WAN IP address of the Zyxel Device.
Authentication: Set as Login + Password.
Login/Password: Enter the username and password the Zyxel Device administrator gave.
When the following screen appears, click OK.
Right-click on the VPN policy you just created, then click Open tunnel to establish a remote VPN connection. Re-enter the user name and password, then click OK. The icon next to the VPN policy turns green. You can now access the office network through the Zyxel Device.
• The OVPN configuration file: They should get this from the Zyxel Device administrator, who downloads it from the VPN > SSL VPN screen.
Go to the OpenVPN Connect website and download the OpenVPN Connect client for your computer’s operating system.
Run the OpenVPN Connect client on your computer. Click Browse and import the .OVPN file provided by the Zyxel Device administrator. In the Username field, enter the VPN user name the Zyxel Device administrator set. Click Connect to connect your computer to the office network.
Enter the VPN user password provided by the Zyxel Device administrator.
Unzip and open the configuration file, then double-click on the .bat file to set up the certificate for the VPN connection. A command-line interface will appear, showing the status of the VPN connection. To connect to the office network, click the Internet access icon, then click Connect next to the RemoteAccess network.
Enter the username and password provided by the administrator in the pop-up window, then click OK. The following screen indicates you are now connected to the office network.
To test if the home user’s computer can successfully connect to the office’s network, they should open the Command Prompt and ping the IP address of a device in the LAN. If the connection is successful, the following result will appear.
In split tunnel mode, only the traffic going to the networks behind the Zyxel Device is encrypted. Traffic going to the Internet from the remote client does not go through the Zyxel Device and is not encrypted.
Please note that you cannot delete an object that is referenced by other settings.
13.2 The SSL VPN Screen
Configure the settings in this screen to create a new or edit an existing SSL access policy.
• macOS 10.15 and later versions.
Make sure the settings configured on the SSL VPN client match the settings you configured on the Zyxel Device. Click VPN > SSL VPN to open the following screen.
Chapter 13 SSL VPN
Figure 157 VPN > SSL VPN
Secondary Server: Select a specified RADIUS server from the drop-down list box for the Zyxel Device to use for authentication.
User: Select a user or user group to associate the user or user group to this SSL access policy.
Advanced Settings
SSL VPN clients have to update their SSL VPN settings so their SSL VPN settings match the Zyxel Device SSL VPN settings.
Apply: Click Apply to save your changes back to the Zyxel Device.
Cancel: Click Cancel to exit this screen without saving.
Figure 158 Default Directional Security Policy Example
14.2 What You Can Do in this Chapter
• Use the Policy Control screens (Section 14.3 on page 236) to enable or disable policies, asymmetrical routes, and manage and configure policies.
Policies with Device as the To Zone apply to traffic going to the Zyxel Device itself. By default:
• The Security Policy allows only LAN, or WAN computers to access or manage the Zyxel Device.
• The Zyxel Device allows DHCP traffic from any interface to the Zyxel Device.
By putting LAN 1 and the alternate gateway (A in the figure) in different subnets, all returning network traffic must pass through the Zyxel Device to the LAN. The following steps and figure describe such a scenario.
LAN IP address as the destination.
• The ordering of your policies is very important as policies are applied in sequence.
The following screen shows the Policy Control summary screen.
After copying it, edit it to change it from the one copied.
Search: Type an item in the search box, then click this to display all sessions in the table below according to the item you typed.
Click the icon to edit the profile directly.
14.3.2 The Policy Control Add/Edit Screen
In the Policy Control screen, click the Edit or Add icon to display the Policy Control Edit or Add screen.
Note: If you select an FQDN address with a wildcard in this field, the rule might not be applied because an FQDN with a wildcard cannot cache IP addresses using DNS queries on the Zyxel Device.
A server on the LAN pings the Zyxel Device every 15 seconds to check if the Zyxel Device is connected to the Internet. The Zyxel Device creates a log every time the server pings it. You want to allow the server to ping the Zyxel Device without creating so many logs.
Configure the settings using the parameters given in Table 116 on page 242. Set Log to no so when the server pings the Zyxel Device, the Zyxel Device will not create logs. Click Apply to save your changes.
Note: First, create a DoS prevention profile in the Security Policy > DoS Prevention > Profile screen. Then, apply the profile to traffic originating from a specific zone in the Security Policy > DoS Prevention > DoS Prevention Policy screen.
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
Priority: This is the rank in the list of anomaly profile policies. The list is applied in order of priority.
Name: This is the name of the anomaly profile policy.
DoS prevention profiles consist of traffic anomaly profiles. To create a new profile, click Add. Type a new profile name, enable or disable individual policies and then edit the default log options and actions. Click Security Policy > DoS Prevention > Profile to view the following screen.
DoS prevention looks for abnormal behavior such as scan or flooding attempts. In the Security Policy > DoS Prevention > Profile screen, click the Edit or Add icon to create or edit an existing profile.
Chapter 14 Security Policy
Figure 164 Security Policy > DoS Prevention > Profile > Add/Edit
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
Name: This is the name of the anomaly policy. Click the Name column heading to sort in ascending or descending order according to the protocol anomaly policy name.
Figure 165 Trusted IP/MAC Pair Example
14.5.1 The IP Spoofing Prevention Screen
Click Security Policy > IP Spoofing Prevention to display the IP Spoofing Prevention screen. Use this screen to configure an interface’s IP to MAC address binding settings.
Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
Object Name: This is the name of the IP address object to allow traffic.
NAT/Security Policy sessions a client can use. You can apply a default limit for all users and individual limits for specific users, addresses, or both. The individual limit takes priority if you apply both.
Click Security Policy > Session Control and the Add or Edit icon to display the Add or Edit screen. Use this screen to configure rules that define a session limit for specific users or addresses.
Otherwise, select any and there is no need for user logging.
Note: If you specified an IP address (or address group) instead of any in the field below, the user’s IP address should be within the IP address range.
You do not need to specify a schedule since you need the Security Policy to always be in effect. The following figure shows the results of this policy.
Figure 170 Blocking All LAN to WAN IRC Traffic Example
Figure 171 Limited LAN to WAN IRC Traffic Example
Your security policy would have the following configuration.
Table 125 Limited LAN1 to WAN IRC Traffic Example 1 USER SOURCE DESTINATION SCHEDULE SERVICE ACTION 172.16.1.7 Allow
The policy for the CEO must come before the policy that blocks all LAN1 to WAN IRC traffic. If the policy that blocks all LAN1 to WAN IRC traffic came first, the CEO’s IRC traffic would match that policy and the Zyxel Device would drop it and not check any other security policies.
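The ordering rule above can be checked mechanically. The following is an added example, not code from this guide or from the Zyxel Device: it models first-match evaluation of an ordered policy list and reports any policy that an earlier, broader policy with a different action makes unreachable. The policy names, the default action, and the use of 172.16.1.7 (the address shown in Table 125) as the CEO's source address are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    name: str
    source: str    # "any", a host address, or a CIDR block
    service: str   # "any" or a service name such as "IRC"
    action: str    # "allow" or "deny"

    def matches(self, src_ip: str, service: str) -> bool:
        """True when a flow from src_ip using service matches this policy."""
        src_ok = self.source == "any" or ip_address(src_ip) in ip_network(self.source)
        return src_ok and self.service in ("any", service)

    def covers(self, other: "Policy") -> bool:
        """True when every flow that matches `other` also matches this policy."""
        if self.source == "any":
            src_ok = True
        elif other.source == "any":
            src_ok = False
        else:
            src_ok = ip_network(other.source).subnet_of(ip_network(self.source))
        return src_ok and self.service in ("any", other.service)


def evaluate(policies, src_ip, service, default="deny"):
    """Return (action, policy name) of the first matching policy.

    Later policies are never consulted once one matches. The default
    action used when nothing matches is an assumption of this model.
    """
    for policy in policies:
        if policy.matches(src_ip, service):
            return policy.action, policy.name
    return default, "default"


def find_shadowed(policies):
    """List (shadowed policy, shadowing policy) pairs.

    A policy is shadowed when an earlier policy covers all of its traffic
    and takes a different action, so the later policy can never take effect.
    """
    shadowed = []
    for index, later in enumerate(policies):
        for earlier in policies[:index]:
            if earlier.covers(later) and earlier.action != later.action:
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


# Constructed policies for the LAN1 to WAN IRC example (names are hypothetical).
CEO_IRC = Policy("CEO_IRC", "172.16.1.7", "IRC", "allow")
BLOCK_IRC = Policy("Block_IRC", "any", "IRC", "deny")
ALLOW_REST = Policy("Allow_Rest", "any", "any", "allow")

CORRECT_ORDER = [CEO_IRC, BLOCK_IRC, ALLOW_REST]
WRONG_ORDER = [BLOCK_IRC, CEO_IRC, ALLOW_REST]

if __name__ == "__main__":
    for label, policies in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label, "order:")
        print("  CEO IRC        ->", evaluate(policies, "172.16.1.7", "IRC"))
        print("  other host IRC ->", evaluate(policies, "172.16.1.20", "IRC"))
        print("  shadowed       ->", find_shadowed(policies))
```

Running the same shadowing check against an exported rule list before applying changes catches an exception policy that was added below the block policy it is meant to override.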
The Address screen provides a summary of all addresses in the Zyxel Device. To access this screen, click Object > Address > Address. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
The Object > Address > Address > Add/Edit screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen (see Section 15.1.2 on page 257), and click either the Add icon or an Edit icon in the IPv4 Address Configuration section.
Starting IP Address: This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the beginning of the range of IP addresses that this address object represents.
The Address Group screen provides a summary of all address groups. To access this screen, click Object > Address > Address Group. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
The Address Group Add/Edit screen allows you to create a new address group or edit an existing one. To access this screen, go to the Address Group screen (see Section 15.1.3 on page 260), and click either the Add icon or an Edit icon in the IPv4 Address Group Configuration section.
Note: Only objects of the same address type can be added to an address group.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to return the screen to its last-saved settings.
Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Figure 176 Object > Address > Geo IP
Chapter 15 Object
Figure 177 Object > Address > Geo IP > Region vs. Continent
This screen allows you to create a new geography-to-IP address mapping. To access this screen, go to the Geo IP screen (see Section 15.1.4 on page 263), and click the Add icon in the Custom IPv4 to Geography Rules section.
Figure 178 Geo IP > Add
Then, the connection is terminated. In contrast, computers use UDP to send short messages to each other. There is no guarantee that the messages arrive in sequence or that the messages arrive at all.
This identifies the object for which the configuration settings that use it are displayed. Click the object’s name to display the object’s configuration screen in the main window. This field is a sequential value, and it is not associated with any entry.
To access this screen, log in to the Web Configurator, and click Object > Service > Service. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Select an entry and click Reference to check which settings use the entry.
Name: This field displays the name of each service.
Content: This field displays a description of each service.
Reference: This displays the number of times an object reference is used in a profile.
Enter the number of the next-level protocol (IP protocol). Allowed values are 1 - 255.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to return the screen to its last-saved settings.
Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL service group, which is used in the WAN_to_Device security policy. To access this screen, click Object > Service > Service Group.
Figure 182 Object > Service > Service Group
Service Group screen (see Section 15.2.3 on page 271), and click either the Add icon or an Edit icon.
Figure 183 Object > Service > Service Group > Add/Edit
Zones cannot overlap. Each Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run.
274, traffic to or from computer C is extra-zone traffic.
• Some zone-based security and policy settings may apply to extra-zone traffic, especially if you can set the zone attribute in them to Any or All. See the specific feature for more information.
The Zone Edit screen allows you to add or edit a zone. To access this screen, go to the Zone screen (see Section 15.4.2 on page 277), and click the Add icon or an Edit icon.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to return the screen to its last-saved settings.
Recurring schedules are useful for defining the workday and off-work hours.
15.4.2 The Schedule Screen
The Schedule screen provides a summary of all schedules in the Zyxel Device. To access this screen, click Object > Schedule.
The One-Time Schedule Add/Edit screen allows you to define a one-time schedule or edit an existing one. To access this screen, go to the Schedule screen (see Section 15.4.2 on page 277), and click either the Add icon or an Edit icon in the One Time section.
• Hour - 1-12 AM/PM
• Minute - 0 - 59
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to return the screen to its last-saved settings.
• Hour - 1-12 AM/PM
• Minute - 0 - 59
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to return the screen to its last-saved settings.
The Schedule Group Add/Edit screen allows you to define a schedule group or edit an existing one. To access this screen, go to the Schedule screen (see), and click either the Add icon or an Edit icon in the Schedule Group section.
Move any members you do not want included to the list on the left.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to return the screen to its last-saved settings.
Use policies to link profiles to traffic flows based on criteria such as source zone, destination zone, source address, destination address, schedule, user.
A profile is an application object(s) or application group(s) that has customized action and log settings. Click Security Service > App Patrol to open the following screen. Click the Application Patrol icon for more information on the Zyxel Device’s security features.
Go to the Security Policy > Policy Control screen to check the result.
Signature Information
The following fields display information on the current signature set that the Zyxel Device is using.
Current Version: This field displays the App Patrol signature set version number.
Type a description for the profile rule to help identify the purpose of the rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is optional.
Click Add to create a new profile.
In this example, you want to block clients on the Zyxel Device LAN from accessing a specific application (for example, TikTok). You also want to receive a log and an alert when traffic going out from the LAN tries to access TikTok.
Click Add under Application Management to open the Add Application screen. Search for TikTok in Category and Application and select the checkbox. Set Log to Log Alert and Action to Reject. Click Add to save your changes.
Chapter 16 Application Patrol
Click Apply to save the app patrol profile.
Go to Security Policy > Policy Control. Select LAN_Outgoing then click Edit. Set Application Patrol to BlockMedia and Log to by profile. Click Apply to save your changes.
BlockMedia profile has been applied to the LAN_Outgoing security policy. You can also check the logs in Log & Report > Log / Events. The Zyxel Device will create logs if the clients on the Zyxel Device LAN try to access TikTok.
Note: If the user’s web browser is using encryption, then you must enable SSL Inspection for HTTP(S) Traffic Scan to work.
Content Filtering Policies
A content filter policy allows you to do the following.
• Use schedule objects to define when to apply a content filter profile.
For example, with the URL www.zyxel.com.tw/news/pressroom.php, the Zyxel Device would find “tw” in the domain name (www.zyxel.com.tw). It would also find “news” in the file path (news/pressroom.php) but it would not find “tw/news”.
The web site’s address and category are then stored in the Zyxel Device’s content filter cache.
The keyword match is for the domain name only.
Enable Block Page: Use this field to have the Zyxel Device display a warning page instead of a blank page when an HTTPS connection is redirected.
Content Filtering can query a category by full URL string (for example, http://www.google.com/picture/index.html), but HTTPS domain filter can only query a category by domain name (www.google.com), so the category may be different in the query result. URL to test displays both results in the test.
Click Apply to save your changes back to the Zyxel Device.
Cancel: Click Cancel to return the screen to its last-saved settings.
17.2.1 Content Filtering Add Profile
Click Security Service > Content Filtering > Add or Edit to open the following screen.
When external database content filtering blocks access to a web page, it displays the denied access message that you configured in the Content Filter General screen along with the category of the blocked web page.
This category does not include text translation.
Art Culture Heritage: Web pages that contain virtual art galleries, artist sites (including sculpture and photography), museums, ethnic customs, and country customs. This category does not include online photograph albums.
Web pages that provide networking for online dating, matchmaking, escort services, or introductions to potential spouses. This category does not include sites that provide social networking that might include dating, but are not specific to dating.
Web pages that allow users to wager or place bets online, or provide gambling software that allows online betting, such as casino games, betting pools, sports betting, and lotteries. This category does not include web pages related to gambling that do not allow betting online.
Illegal UK: Web pages that contain child sexual abuse content hosted anywhere in the world, and criminally obscene and incitement to racial hatred content hosted in the UK.
This category also includes corporate web pages that list job openings, salary comparison sites, temporary employment, and company job-posting sites. This category does not include make-money-at-home sites.
Web pages from charitable or educational groups that fulfill a stated mission, benefiting the larger community, such as clubs, lobbies, communities, non-profit organizations, labor unions, and advocacy groups. Examples are Masons, Elks, Boy and Girl Scouts, or Big Brothers.
This category might also include information on how to distribute illegal content, perpetrate fraud, or consumer scams. This category does not include computer-related fraud.
This category includes sites that allow you to browse model homes. This category does not include content related to personal finance, such as credit applications.
Search Engines: Web pages that provide search results that enable users to find information on the Internet based on key words. This category does not include site-specific search engines.
Although users can post any type of content, these forums tend to present less risk of containing offensive content. Sites that offer a variety of forums with themes, including technical and business content, are only in the categories of Forum/Bulletin Boards or Chat.
This category is intended to block advertisements on web pages, not the companies that provide the advertisements or advertising services. This category does not include aggressive advertising adware. See the Spyware/Adware category.
Zyxel Device to generate logs. Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
Zyxel Device generate logs at the alert level. Select no if you don’t want the Zyxel Device to generate logs. Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
URLs that contain certain keywords in the domain name or IP address. Use this part of the screen to add or remove specific URL keywords from the filter list.
Figure 200 Security Service > Content Filtering > Add/Edit Profile (Blocked URL Keywords)
Click Security Service > Content Filter > Add/Edit to open the profile screen and scroll to the Test Web Site Category part. Use this part of the screen to check which category a web page belongs to.
A and computer B are connected to the TeamViewer server (S). Client C1 could access computer B using TeamViewer. Client C2 could access computer A using TeamViewer. TeamViewer only works if computer A and computer B are both connected to the TeamViewer server (S).
Table 158 Security Policy Configuration Example FROM CONTENT FILTERING PROFILE By Profile NoRemoteAccess
Go to Security Service > Content Filtering and click Add. Configure the profile settings using the parameters given in Table 156 on page 316.
Select the Remote Access checkbox under Managed Categories. Set the block list log action to log alert. Click Add to add a block list rule using the parameters given in Table 157 on page 316.
Click Apply to save your changes. Go to Security Policy > Policy Control. Select LAN_Outgoing then click Edit. Set Content Filter to NoRemoteAccess and Log to by profile. Click Apply to save your changes.
NoRemoteAccess profile has been applied to the LAN_Outgoing security policy. You can also check the logs in Log & Report > Log / Events. The Zyxel Device will create logs if the clients on the Zyxel Device LAN try to access TeamViewer.
Chapter 17 Content Filtering
The Zyxel Device will respond when there are packets coming from an IPv4 address with bad reputation. Supported formats are:
• Single IP 4.4.4.4
• CIDR 192.168.1.0/32
• IP range (1.2.3.4-1.2.3.100)
Use this screen to enable IP reputation and specify the action the Zyxel Device takes when it detects a suspicious activity or a connection attempt to or from an IPv4 address with bad reputation. The priority for IP Reputation checking is as follows:
Select this action to have the Zyxel Device deny the packets and send a TCP RST to both the sender and receiver when a packet comes from an IPv4 address with bad reputation.
Scanners: These are sites that run unauthorized system vulnerability scans to look for vulnerabilities in website visitors’ devices.
Spam Sources: These are sites that have been promoted through spam techniques.
Use this to create allow list entries. The Zyxel Device will allow packets coming from the Internet and going out from the local network that match the listed IPv4 addresses. Click Security Service > Reputation Filter > IP Reputation (Allow List) to display the configuration screen as shown next.
Use this to create block list entries. The Zyxel Device will block packets coming from the Internet and going out from the local network that match the listed IPv4 addresses. Click Security Service > Reputation Filter > IP Reputation (Block List) to display the configuration screen as shown next.
SecuReporter. The Zyxel Device will allow packets coming from the Internet and going out from the local network that match the listed IPv4 addresses. Click Security Service > Reputation Filter > IP Reputation (SecuReporter Allow List) to display the configuration screen as shown next.
Click this link to go to the screen you can use to download signatures from the update server.
Apply: Click Apply to save your changes.
Cancel: Click Cancel to return the screen to its last-saved settings.
The priority for DNS Threat Filter checking is as follows:
1. Allow List
2. SecuReporter Allow List
3. Block List
4. External Block List
5. Cloud Query Cache
6. Cloud Query
Click Security Service > Reputation Filter > DNS Threat Filter to display the configuration screen as shown next.
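The checking order listed above for the DNS Threat Filter decides which list wins when an FQDN appears in more than one. The following is an added example, not code from this guide or from the Zyxel Device: a simplified model that walks the stages in that order and returns the verdict together with the stage that produced it. The wildcard syntax, the "pass" and "redirect" verdict names, the sample entries and the cloud lookup stand-in are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Stage order as listed for DNS Threat Filter checking.
PRIORITY = (
    "Allow List",
    "SecuReporter Allow List",
    "Block List",
    "External Block List",
    "Cloud Query Cache",
    "Cloud Query",
)
ALLOW_STAGES = {"Allow List", "SecuReporter Allow List"}


class DnsThreatFilterModel:
    """Simplified model of the ordered lookup (assumed behaviour)."""

    def __init__(self, lists, cloud_lookup):
        self.lists = lists                # stage name -> list of FQDN patterns
        self.cloud_lookup = cloud_lookup  # callable: fqdn -> True if bad reputation
        self.cache = {}                   # fqdn -> bool remembered from cloud queries
        self.cloud_queries = 0

    @staticmethod
    def _verdict(bad):
        return "redirect" if bad else "pass"

    def check(self, fqdn):
        """Return (verdict, stage) for the first stage that decides."""
        name = fqdn.lower().rstrip(".")
        for stage in PRIORITY:
            if stage == "Cloud Query Cache":
                if name in self.cache:
                    return self._verdict(self.cache[name]), stage
            elif stage == "Cloud Query":
                # Last stage: always decides, and its answer is cached.
                self.cloud_queries += 1
                bad = bool(self.cloud_lookup(name))
                self.cache[name] = bad
                return self._verdict(bad), stage
            elif any(fnmatchcase(name, p.lower()) for p in self.lists.get(stage, ())):
                return ("pass" if stage in ALLOW_STAGES else "redirect"), stage


# Constructed sample data using reserved example domains.
SAMPLE_LISTS = {
    "Allow List": ["*.partner.example"],
    "SecuReporter Allow List": ["updates.vendor.test"],
    "Block List": ["*.example"],
    "External Block List": ["tracker.test"],
}
SAMPLE_BAD_REPUTATION = {"malware.invalid"}


def sample_cloud_lookup(name):
    """Stand-in for the cloud reputation service (constructed data)."""
    return name in SAMPLE_BAD_REPUTATION


def build_sample_model():
    return DnsThreatFilterModel(SAMPLE_LISTS, sample_cloud_lookup)


if __name__ == "__main__":
    model = build_sample_model()
    for fqdn in ("files.partner.example", "bad.example", "tracker.test",
                 "malware.invalid", "malware.invalid", "clean.invalid"):
        print(f"{fqdn:24} -> {model.check(fqdn)}")
    print("cloud queries sent:", model.cloud_queries)
```

Because the allow lists are consulted first, a broad allow-list wildcard hides everything beneath it from the block lists and the cloud verdict, which is worth reviewing whenever allow-list entries are added.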
IP address when a DNS query packet contains an FQDN with a bad reputation. The default IP is the dnsft.cloud.zyxel.com IP address. If you select custom-defined IP, then enter a valid IPv4 address in the text box.
IP address when a DNS query packet contains an FQDN in the allow list. Click Security Service > Reputation Filter > DNS Threat Filter (Allow List) to display the configuration screen as shown next.
Redirect IP and log is always log alert. Click Security Service > Reputation Filter > DNS Threat Filter (Block List) to display the configuration screen as shown next.
IP address when a DNS query packet contains an FQDN in the allow list. Click Security Service > Reputation Filter > DNS Threat Filter_SecuReporter Allow List to display the configuration screen as shown next.
You can have the Zyxel Device allow, block, warn and/or log access to web sites or hosts based on these categories. The priority for URL Threat checking is as follows:
1. Allow List
2. SecuReporter Allow List
3. Block List
4. External Block List
Select this action to have the Zyxel Device block access to the web pages that match the categories that you select above.
pass: Select this action to have the Zyxel Device allow access to the web pages that match the categories that you select above.
Test URL Threat Category
URL to test: Enter a URL using http://domain or https://domain and click the Query button to check if the domain belongs to a URL threat category.
URL Threat filtering.
Description: Enter a description for this profile.
Edit: Select an entry and click this icon to modify it.
Remove: Select an entry and click this icon to delete it.
Enter an IP address (with CIDR or a range) or a domain name (wildcard permitted) that will be blocked without URL Threat filtering.
Description: Enter a description for this profile.
Edit: Select an entry and click this icon to modify it.
This field displays the status of SecuReporter allow list entries: Success, Parse message error, HTTP error, Connection timeout and Error. If an error is received, make sure the Zyxel Device has Internet access and can connect to the SecuReporter portal.
Table 171 Security Services > Reputation Filter > URL Threat Filter_SecuReporter Allow List (continued)
LABEL DESCRIPTION
Apply: Click Apply to save your changes.
Cancel: Click Cancel to return the screen to its last-saved settings.
Figure 215 Zyxel Device Anti-Malware Example
The Zyxel Device queries the Defend Center database by sending the file’s hash value (A) and receiving the scan results (B) through the Defend Center (DC).
Figure 216 Cloud Query
Before going through the Anti-Malware scan, the Zyxel Device first identifies the packets sent by the following four major protocols with corresponding standard ports:
• FTP (File Transfer Protocol)
• HTTP (Hyper Text Transfer Protocol)
Enabling Cloud Query may affect file transfer speeds. The Zyxel Device does not scan the following file/traffic types:
• Simultaneous downloads of a file using multiple connections. For example, when you use FlashGet to download sections of a file simultaneously.
If Destroy infected file is disabled, any malicious file found can still be executed by the end user after it is forwarded. The administrator would have to inform the user if there is an infected file.
When you select this check box, if a malware signature is matched, the Zyxel Device overwrites the infected portion of the file with zeros before forwarding the file to the user. The uninfected portion of the file will pass through unmodified.
Click Security Service > Anti-Malware > Allow List to display the following screen. Use Add to put a new entry in the list or Edit to change an existing one or Remove to delete an existing entry.
Figure 218 Security Service > Anti-Malware > Allow List
Click the column icon to select the fields you want to show in the table. Uncheck the checkbox if you want to hide a field in the table.
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
Click Security Service > Anti-Malware > Block List to display the following screen. Use Add to put a new entry in the list or Edit to change an existing one or Remove to delete an existing entry.
Enter the hash pattern for this entry. Specify a pattern to identify the names of files that the Zyxel Device should not scan for viruses.
Edit: Select an entry and click this icon to modify it.
Remove: Select an entry and click this icon to delete it.
Click this icon to save the changes in this row.
Cancel Changes: Click this icon to cancel the changes in this row.
19.5 Anti-Malware Technical Reference
Types of Anti-Malware Scanner
This section describes two types of anti-malware scanner: host-based and network-based.
• NAM scanners stop malware threats at the network edge before they enter or exit a network.
• NAM scanners reduce the computing load on computers as the real-time data traffic inspection is done on a dedicated security device.
Events. We suggest that you inform your client not to open the file until the sandbox has completed checking. If the client already opened it, then please urge the client to run an up-to-date anti-malware scanner.
Details to go to the Zyxel web page to find more information on licenses for your Zyxel Device. Use this screen to enable sandbox and specify the actions the Zyxel Device takes when malicious or suspicious files are detected.
Specify whether the Zyxel Device deletes (destroy) or forwards (allow) suspicious files. File Suspicious files are files given a medium score for malware characteristics by the cloud. You can check the medium score for malware characteristics given by the cloud in the logs.
Select All: Select this to select all file types in the table.
Apply: Click Apply to save your changes.
Cancel: Click Cancel to return the screen to its last-saved settings.
While IPS signatures have the Zyxel Device respond instantaneously, Rate Based Signatures are IPS signatures that allow the Zyxel Device to respond only after a number of occurrences (Count) within a certain time period (Period) you set.
Figure 222 IPS Signatures Example
Details to go to the Zyxel web page to find more information on licenses for your Zyxel Device.
Note: You must register for the IPS signature service (at least the trial) before you can use it. See the Licensing screens.
Chapter 21 IPS
Figure 224 Security Service > IPS
If you do not want the Zyxel Device to respond instantaneously for each suspicious packet detected, use rate based signatures to only respond after a number of occurrences (Count) within a certain time period (Period). See Section 21.1.2 on page for more information on rate based signatures.
The Zyxel Device generates a log.
log an alert - The Zyxel Device generates a log and alerts the users.
no - The Zyxel Device will neither generate a log nor alert the users.
Intruders could run code in the overflow buffer region to obtain control of the system, install a backdoor or use the victim to launch attacks on other devices.
This method allows users to send small request messages that result in the streaming of large media objects, providing an opportunity for malicious users to exhaust resources in the system with little effort expended on their part.
MISC_EXPLOIT MISC_DDOS MISC_BACKDOOR MISC IMAP ICMP FINGER
21.2.1 Query Example
This example shows a search with these criteria:
• Severity: Severe
• Classification Type: Misc
• Platform: Windows
• Service: Any
• Actions: Any
Click Security Services > IPS > Allow List to display the following screen. Use Add to put a new item in the list or Edit to change an existing one or Remove to delete an existing entry.
Disadvantages of host IPSs are that you have to install them on each device (that you want to protect) in your network and due to the necessarily tight integration with the host operating system, future operating system upgrades could cause problems.
Typical “network-based intrusions” are SQL Slammer, Blaster, Nimda, MyDoom, etc.
Note: The Zyxel Device IPS protects your network against network-based intrusions.
Figure 228 IP Exception Bypass Destination Example
IP Exception supports bypassing the following security services:
• Anti-Malware
• URL Threat Filter
• IPS (Intrusion Prevention System)
IP address.
Service to Bypass: This field displays which services will not inspect matched packets.
This field displays if the Zyxel Device will generate a log when the incoming traffic is in the exception list.
The Zyxel Device does not inspect packets with the selected service if you select Yes. The Zyxel Device will also generate a log when the incoming traffic is in the exception list. Otherwise, select No.
Figure 231 Bypass Security Services Flow
This example uses the parameters given below.
Table 184 Address Object Configuration Example
NAME            ADDRESS TYPE    IP ADDRESS
TrustedWebsite  Host            1.1.1.1
370. Click Apply to save your changes. Go to Security Service > IP Exception and click Add. Configure the settings using the parameters given in Table 185 on page 371. Click Apply to save your changes.
Chapter 22 IP Exception
380) to update the latest certificates of servers using SSL connections to the Zyxel Device network
23.1.2 What You Need To Know
SSL Inspection supports the following TLS protocols and encryption algorithms:
• TLS1.0 AES-CBC
An SSL Inspection profile is a template with pre-configured certificate, action and log. Click Security Service > SSL Inspection > Profile to open this screen.
Figure 233 Security Service > SSL Inspection > Profile
• Client 1 - sessions will not be processed (pass) by SSL inspection
• Client 2 - RSA-2048
• Client 3 - ECDSA-256.
Statistics: Enable this to have the Zyxel Device collect SSL inspection statistics. Profile Management Click Add to create a new profile.
Click Security Service > SSL Inspection > Profile > Add to create a new profile or select an existing profile and click Edit to change its settings.
Figure 234 Security Service > SSL Inspection > Profile > Add / Edit
Click this to send the email to the email address you configured. Send Email Click this to close the screen. SSL/TLS version Minimum SSL / TLS connections using versions lower than this setting are blocked. Support
Apply: Click Apply to save your settings to the Zyxel Device, and return to the profile summary page. Reset: Click Reset to return to the profile summary page without saving any changes.
Use this part of the screen to create, edit, or delete items in the SSL Inspection exclusion list. Address Settings Click this to create a new entry. Edit: Select an entry and click this to be able to modify it. Remove: Select a row and click this to delete it.
D (3) and also to U (4). D’s latest certificate is stored at myZyxel (M) along with other server certificates and can be downloaded to the Zyxel Device.
Figure 236 SSL Inspection Certificate Update Overview
Click Security Services > SSL Inspection > Certificate Update to display the following screen.
Certificates used in SSL Inspection profiles should be installed in user web browsers. Do the following steps to install a certificate in a computer with a Windows operating system (PC). First, save the certificate to your computer. Run the certificate manager using certmgr.msc.
Chapter 23 SSL Inspection
Go to Trusted Root Certification Authorities > Certificates. From the main menu, select Action > All Tasks > Import and run the Certificate Import Wizard to install the certificate on the PC.
Click Tools > Options > Advanced > Encryption > View Certificates, click Import and enter the filename of the certificate you want to import. See the browser's help for further information.
Click Buy Now to go to Marketplace to purchase a new license. Click See Details to go to the Zyxel web page to find more information on licenses for your Zyxel Device.
To turn off an entry, select it and click Active. The Status light changes accordingly. Inactive: To turn off an entry, select it and click Inactive. The Status light changes accordingly. Status: This icon is lit when the entry is active and dimmed when the entry is inactive.
Zyxel Device will block incoming and outgoing packets from the block list entries in this file. Supported formats are:
• hostname (www.google.com)
• URL http - check full URL (http://xxx.yyy.zzz/qqq/wwww)
• URL https - only check hostname (https://xxx.)
Profile Management Click this to create a new DNS/URL threat filter external block list entry. Remove: Select an entry and click this to delete it.
Select this option to have the Zyxel Device check for new signatures once a week on the day and at the time (am/pm) specified. Apply: Click Apply to save your changes back to the Zyxel Device. Cancel: Click Cancel to return the screen to its last-saved settings.
The sequence of members in a user group is not important.
25.1.2 User/Group User Summary Screen
The User screen provides a summary of all user accounts. To access this screen, click User & Authentication > User/Group > User.
- this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-User Accounts on page 390 for more information about this type. Description: This field displays the description for each user. Created Date: This field displays the date the account is created.
'BOB' not 'bob'.
• User names have to be different than user group names.
To access this screen, go to the User screen, and click either the Add icon or an Edit icon.
Chapter 25 User & Authentication
Figure 241 User & Authentication > User/Group > User > Add/Edit (Local Administrator)
Enter a password consisting of 4 to 63 characters for this user account, including [0-9] [a-z] [A-Z] [’(){}<>^‘+/:!*#@&=$\.~%,|;-”]. If the Password Policy is enabled in the User & Authentication > User/Group > Setting screen, the password criteria might be different. See Section 25.1.5.1 on page 400 for more information.
The Group screen provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups. To access this screen, log in to the Web Configurator, and click User & Authentication > User/Group > Group.
Figure 243 User & Authentication > User/Group > Group
The Group Add/Edit screen allows you to create a new user group or edit an existing one. To access this screen, go to the Group screen, and click either the Add icon or an Edit icon.
Figure 244 User & Authentication > User/Group > Group > Add
Zyxel Device. You can also use this screen to specify when users must log in to the Zyxel Device before it routes traffic for them. To access this screen, log in to the Web Configurator, and click User & Authentication > User/Group > Setting.
You can still manually configure any user account’s authentication timeout settings. Edit: Select an entry and click this icon to modify it. Save Changes: Click this icon to save the changes in this row.
Enable to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can log in as many times as they want at the same time using the same or different IP addresses.
To access this screen, go to the User & Authentication > User/Group > Setting screen, and click the Setting icon under Password Policy.
Figure 246 User & Authentication > User/Group > Setting > Password Policy Setting
RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external or built-in RADIUS server. RADIUS authentication allows you to validate a large number of users from a central location.
A base DN specifies a directory. A base DN usually contains information such as the name of an organization, a domain name and/or country. For example, o=MyCompany, c=UK where o means organization and c means country.
Use the AAA Server screen to manage AD servers, LDAP servers and RADIUS servers the Zyxel Device can use in authenticating users. Click User & Authentication > AAA Server to display the following screen.
Note: The Zyxel Device can only be joined to one AD domain at a time. Adding a new AD domain will replace existing domain associations.
Note: Ensure that the Domain Zone Forwarder configuration in the System > DNS & DDNS > DNS screen is correct before joining a domain.
Click User & Authentication > AAA Server > AD Server Summary > Add to display the following screen. Use this screen to create a new AD server entry or edit an existing one.
Figure 250 User & Authentication > AAA Server > AD Server Summary > Add
For example, you could have an attribute named “memberOf” with values like “sales”, “RD”, and “management”. Then you could also create an ext-group-user user object for each group. One with “sales” as the group identifier, another for “RD” and a third for “management”.
Configuration Validation
The name must begin with a letter and cannot exceed 15 characters. Valid characters are [0-9][a-z][A-Z][_-.]. User Name: Enter the user name for the Zyxel Device to access the AD server. The value must be 1 to 20 characters long. Valid characters are [0-9][a-z][A-Z][_(){}<>[]^`+/:!*#@&=$\?.~%,|;-'" ].
Click User & Authentication > AAA Server > LDAP Server Summary > Add to display the following screen. Use this screen to create a new LDAP server entry or edit an existing one.
Figure 252 User & Authentication > AAA Server > LDAP Server Summary > Add
“management”. Then you could also create an ext-group-user user object for each group. One with “sales” as the group identifier, another for “RD” and a third for “management”. Apply: Click Apply to save the changes. Cancel: Click Cancel to return the screen to its last-saved settings.
Port: Specify the port number on the RADIUS server to which the Zyxel Device sends authentication requests. Enter a number between 1 and 65535. Backup Server Address: If the RADIUS server has a backup server, enter its address here.
25.4 Two-Factor Authentication Overview
Use two-factor authentication to have double-layer security for local users in the Zyxel Device database to access the Zyxel Device or a secured network behind the Zyxel Device via a VPN tunnel.
• You get a Google Authenticator verification error. You must enter the code within the time displayed in Google Authenticator. The time on your cellphone and the time on the Zyxel Device must be the same.
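Added example, not from the Zyxel guide: a minimal RFC 6238 time-based code generator and verifier showing why a code typed after its countdown, or checked against a clock that has drifted, is rejected. It assumes Google Authenticator's defaults (HMAC-SHA1, 30-second step, 6 digits) and uses the published RFC 6238 test key as a constructed secret; the `window` tolerance is hypothetical, since the guide does not state what tolerance the Zyxel Device applies.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code; Google Authenticator default (RFC 6238)
DIGITS = 6     # code length; Google Authenticator default

# Constructed sample secret: the published RFC 6238 test key, not a real enrollment.
SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int) -> str:
    """Return the RFC 6238 HMAC-SHA1 code for the step that contains unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, code: str, device_time: int, window: int = 0) -> bool:
    """Check a code against the verifier's own clock.

    window is a hypothetical tolerance in steps on each side; the guide does
    not say what tolerance the Zyxel Device applies.
    """
    ok = False
    for drift in range(-window, window + 1):
        t = device_time + drift * STEP
        if t < 0:
            continue
        # compare_digest avoids leaking how many leading digits matched
        ok |= hmac.compare_digest(totp(secret, t), code)
    return ok


def steps_apart(phone_time: int, device_time: int) -> int:
    """Number of whole time steps between the codes the two clocks expect."""
    return device_time // STEP - phone_time // STEP


def demo() -> dict:
    phone_time = 1111111109                      # last second of a 30 s step
    code = totp(SECRET, phone_time)
    return {
        "code": code,
        "in_sync": verify(SECRET, code, phone_time),
        # Typed two seconds later, after the displayed countdown ran out.
        "typed_late": verify(SECRET, code, phone_time + 2),
        "typed_late_window_1": verify(SECRET, code, phone_time + 2, window=1),
        # Device clock 90 s ahead of the phone: three steps apart.
        "skew_90s": verify(SECRET, code, phone_time + 90, window=1),
        "skew_steps": steps_apart(phone_time, phone_time + 90),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A one-step tolerance absorbs a code typed slightly late but not a clock that is minutes off, which is why synchronizing both the phone and the device to a time source is the first thing to check when codes are rejected.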
Zyxel Device via a VPN tunnel. Go to User & Authentication > User Authentication > Two-factor Authentication and configure the following screen as shown.
Figure 254 User & Authentication > User Authentication > Two-factor Authentication
Zyxel Devices will contain the new port number. You must configure a security policy to allow access to this port from the WAN. Apply: Click Apply to save the changes. Cancel: Click Cancel to return the screen to its last-saved settings.
Use the Settings screen to configure the hostname, system time, the Zyxel Device connection settings and language settings.
26.2.1 System Settings
Use this section to configure the Zyxel Device host name. A host name is the unique name by which a device is known on a network.
Each user is also forced to log in to the Zyxel Device for authentication again when the reauthentication time expires. You can change the timeout settings in the User/Group screens.
Note: To allow an SSH connection to the Zyxel Device, add SSH in the Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL service group which defines the default services allowed in the WAN_to_Device security policy.
Section 5.13 on page 94 for more information.
26.2.4 Settings
Use this section to select a display language for the Zyxel Device’s Web Configurator screens. Click System > Settings to open the following screen.
Chapter 26 System
Figure 257 System > Settings
If you choose a port already in use, you will see a port conflict message telling you to choose another port.
Device HA lets a passive (secondary) Zyxel Device automatically take over if the active (primary) Zyxel Device fails. Both Zyxel Devices must be the same model with the same firmware version. Device HA pairing occurs when Device HA is set up successfully on both Zyxel Devices.
Device B through a dedicated link that is used for heartbeat control, configuration synchronization and troubleshooting. All links on Zyxel Device B are down except for the dedicated heartbeat link.
Figure 258 Device HA Overview
If both Zyxel Devices are turned on at the same time with Device HA enabled, then they may send the heartbeat at the same time. In this case, the Zyxel Device with the Primary (License Controller) role becomes the active Zyxel Device.
After you have configured Device HA in System > Device HA > HA Configuration go to this screen to view Device HA synchronization and failover status. Go to System > Device HA > HA Status to view the following screen.
Devices. This field displays one of the following:
• Pairing, indicating that Device HA is in progress
• Paired, indicating that Device HA has completed successfully
• Error, showing the reason that Device HA failed.
This displays the date and time the failover occurred.
26.3.8 HA Configuration
Configure Device HA on the Zyxel Device in System > Device HA > HA Configuration.
Figure 260 System > Device HA > HA Configuration
Use this screen to see Device HA logs on the local and peer Zyxel Devices. The local Zyxel Device is the Zyxel Device that you are currently logged into. Go to System > Device HA > HA Log to display the following screen.
Device that you are currently logged into, that is, the Device HA peer. Refresh: Click Refresh to update information in this screen. The following is an example HA log screen when logging into the active Zyxel Device.
See the listed websites for details about the DNS services offered by each.
Table 210 DDNS Service Providers
PROVIDER | SERVICE TYPES SUPPORTED | WEBSITE
DynDNS | Dynamic DNS, Static DNS, and Custom DNS | www.dyndns.com
Dynu | Basic, Premium | www.dynu.com
When the DNS server sends the DNS record response, it is sent to the victim. Attackers can request as much information as possible to maximize the amplification effect.
An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain. Click this to create a new entry.
A hyphen (-) displays for the default domain zone forwarder record. The default record is not configurable. The Zyxel Device uses this default record if the domain zone that needs to be resolved does not match any of the other domain zone forwarder records.
26.4.4 Adding an Address/PTR Record
Click the Add icon in the Address/PTR Record table to add an IPv4 address/PTR record.
Figure 264 System > DNS & DDNS > DNS > Address/PTR Record > Add
Click the Add icon in the CNAME Record table to add a record. Use “*.” as a prefix for a wildcard domain name. For example, *.zyxel.com.
Figure 265 System > DNS & DDNS > DNS > CNAME Record > Add
Save changes: Click the Save changes icon to save your customized settings and exit this screen. Cancel changes: Click the Cancel changes icon to exit this screen without saving.
DNS server. Save changes: Click the Save changes icon to save your customized settings and exit this screen. Cancel changes: Click the Cancel changes icon to exit this screen without saving.
Apply: Click Apply to save your customized settings and exit this screen. Cancel: Click Cancel to return the screen to its last-saved settings.
- The DDNS server checks the source IP address of the packets from the Zyxel Device for the IP address to use for the domain name. custom - The IP address is static.
The DDNS Add/Edit screen allows you to add a domain name to the Zyxel Device or to edit the configuration of an existing domain name. Click System > DNS & DDNS > DDNS and then an Add or Edit icon to open this screen.
Chapter 26 System
Figure 270 System > DNS & DDNS > DDNS > Add/Edit
Zyxel Device. Backup Address: Use these fields to set an alternate interface to map the domain name to when the interface specified by the Primary Interface settings is not available.
DynDNS holds onto your email if your mail server is not available. Once your mail server is available again, the DynDNS server delivers the mail to you. See www.dyndns.org for more information about this service.
SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:
• Get - Allows the manager to retrieve an object variable from the agent.
This trap carries the disconnected tunnel’s IKE SA name.
vpnTunnelSPI 1.3.6.1.4.1.890.1.6.22.2.2.1.3 This trap is sent along with the vpnTunnelDisconnected trap. This trap carries the security parameter index (SPI) of the disconnected VPN tunnel.
Select the SNMP version for the Zyxel Device. The SNMP version on the Zyxel Device must match the version on the SNMP manager. SNMP Community
Click Add under SNMP V3 User Configuration in System > SNMP to create an SNMPv3 user for authentication with managers using SNMP v3. Use the username and password of the login accounts you specify in this screen to create accounts on the SNMP v3 manager.
Click Apply to save your changes back to the Zyxel Device. Cancel: Click Cancel to return the screen to its last-saved settings.
26.6 Notification
Use these screens to configure the mail server settings and alert settings.
Enable this if the mail server uses SSL or TLS for encrypted communications between the mail server and the Zyxel Device. Authenticate Server: Enable this if the Zyxel Device authenticates the mail server in the TLS handshake.
Click Apply to save your changes back to the Zyxel Device. Cancel: Click Cancel to return the screen to its last-saved settings.
26.6.2 The Alert Screen
Click System > Notification > Alert to display the following screen.
Figure 275 System > Notification > Alert
This field displays the type(s) of log to send an email notification. Description: This field displays the profile’s description.
26.6.2.1 The Event Notification Add/Edit Screen
Click System > Notification > Alert > Event Notification Add/Edit to display the following screen.
'()+,./:=?;!*#@$_%-. If you leave this field blank, the email subject will be the event name(s). Send From: Enter the email address from which the outgoing email is delivered. This address is used in replies.
Enter the email address from which the outgoing email is delivered. This address is used in replies. Recipients: Enter up to 83 characters for the email address of the receiver. It may consist of letters, numbers, and the following special characters: /=?^_.{|}~w-!#$%*+. You can enter up to five recipients.
A certification path is the hierarchy of certification authority certificates that validate a certificate. The Zyxel Device does not trust a certificate if any certificate on its path has expired or been revoked.
You can do this using the certificate’s fingerprint. A certificate’s fingerprint is a message digest calculated using the MD5 or SHA1 algorithm. The following procedure describes how to check a certificate’s fingerprint to verify that you have the actual certificate.
HTTPS connection.
26.8 My Certificates
Click System > My Certificates to open the My Certificates screen. This is the Zyxel Device’s summary list of certificates and certification requests.
Figure 279 System > My Certificates
Send Email: Click this to send the selected certificate.
Figure 280 Email Certificate
Import: Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the Zyxel Device.
Certificates screen after you click Apply. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the Zyxel Device to enroll a certificate online.
Chapter 26 System
Figure 282 System > My Certificates > Add
Server Authentication: Select this to have Zyxel Device generate and store a request for server authentication certificate. Client Authentication: Select this to have Zyxel Device generate and store a request for client authentication certificate.
26.8.2 The My Certificates Edit Screen
Click System > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name.
This field displays the certificate’s identification number given by the certification authority or generated by the Zyxel Device. Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O), State (ST), and Country (C).
26.8.3 The My Certificates Import Screen
Click System > Certificate > My Certificates > Import to open the Import Certificates screen. Follow the instructions in this screen to save an existing certificate to the Zyxel Device.
This field only applies when you import a binary PKCS#12 format file. Type the file’s password that was created when the PKCS #12 file was exported. Click OK to save the certificate on the Zyxel Device.
This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Click System > Certificate > Trusted Certificates > Edit icon to open the Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate.
Figure 287 System > Certificate > Trusted Certificates > Edit
MD5 Fingerprint: It is a unique 128-bit checksum value generated by the MD5 hashing algorithm, used to verify data integrity and identify cryptographic keys, though it is no longer considered secure.
Follow the instructions in this screen to save a trusted certificate to the Zyxel Device.
Note: You must remove any spaces from the certificate’s filename before you can import the certificate.
Figure 288 System > Certificate > Trusted Certificates > Import
Description: This field displays the description of the system information. Value: This field displays the value of the system information. Click the Edit icon to modify the value. Additional Features
LAN. Enable this feature to allow your Zyxel Device to share its identity and capabilities on the local network. Description: This field displays what the feature does.
Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. The Web Configurator saves the filter settings if you leave the Log/Events screen and return to it later.
Source Address: This displays when you show the filter. Type the source IP address of the incoming packet that generated the log message. Do not include the port in this filter.
= #$% @ ; the period, double quotes, and brackets are not allowed. Filter: Click this icon to display specific types of logs. Select a type or type a keyword depending on the filter chosen.
Action: This field displays whether packets were dropped, blocked or if no action was taken as a result of the log. It should correspond to the action configured in Security Policy > Policy Control.
Note: Only connect one USB device. It must allow writing (it cannot be read-only) and use the FAT16, FAT32, EXT2, or EXT3 file system.
To access this screen, click Log & Report > Log Settings.
Chapter 27 Log and Report
Figure 291 Log & Report > Log Settings
Enable this to send log information according to the information in this section. Log Format: This field displays the format of the log information. It is read-only. Syslog - syslog compatible format. CEF/Syslog - Common Event Format, syslog-compatible format.
Click Buy Now to go to Marketplace to purchase a new license. Click See Details to go to the Zyxel web page to find more information on licenses for your Zyxel Device.
Figure 292 SecuReporter Application Scenario
It’s selected by default if you have activated a SecuReporter license. Categories: Select the categories of logs that you want this Zyxel Device to send to SecuReporter for analysis and trend spotting. You need an active license for the Security categories.
Note: Data collection may decrease the Zyxel Device’s traffic throughput rate.
Click Log & Report > Email Daily Report to display the following screen. Configure this screen to have the Zyxel Device email you system statistics at the specified time.
Reset counters after sending report successfully: Select Reset counters after sending report successfully if you only want to see statistics for a 24 hour period.
Click Cancel to return the screen to its last-saved settings.
27.5.1 Example Reports
The following screens are an example of an email daily report.
Figure 295 Email Daily Report: System Resource Usage
Figure 296 Email Daily Report: Licensing
Chapter 27 Log and Report
Figure 297 Email Daily Report: Threat Report
Figure 298 Email Daily Report: DHCP Table
• If there is not a startup-config.conf when you restart the Zyxel Device, the Zyxel Device uses the system-default.conf configuration file with the Zyxel Device’s default settings. The Zyxel Device will apply the system-default.conf when it boots without a startup-config.conf, even if you have a lastgood.conf.
Once your Zyxel Device is configured and functioning properly, it is highly recommended that you back up your configuration file before making further configuration changes. The backup configuration file will be useful in case you need to return to your previous settings.
Chapter 28 Firmware/File Manager
Figure 300 Maintenance > Firmware/File Manager > Configuration File
Do not turn off the Zyxel Device while configuration file upload is in progress.
Click a configuration file’s row to select it and click Apply to have the Zyxel Device use that configuration file. The following screen displays. Click OK to have the Zyxel Device start applying the configuration file or click Cancel to close the screen. Apply a Configuration File
Remember that you must decompress compressed (.zip) files before you can upload them. Upload: Click Upload to begin the upload process. This process may take up to two minutes. Cancel: Click this to close the screen.
Enable this to send the backed up configuration file to the email address(es) you configured. Encryption Password: For security, enter a password for the recipient to unzip the compressed backup configuration file. Use 1 to 128 characters. [" \] are invalid.
Click Backup to save the backup ZIP file to the Zyxel Device. File Name: This displays the name of the backup ZIP file that will be downloaded to your computer. You can rename the file when you are saving it to your computer.
• The lastgood.conf is the most recently used (valid) configuration file that was saved when the device last restarted.
Back Up the Current Configuration
Follow these steps to save the current configuration file from the Zyxel Device to your computer:
Click Browse... to locate the .conf file on your computer to restore, then click Upload.
Note: The configuration file must have a “.conf” filename extension. You cannot upload a file named system-default.conf, startup-config.conf, or lastgood.conf.
The Zyxel Device will reboot automatically when it finishes uploading.
28.3.2 The Firmware Management Screen
Click Maintenance > Firmware/File Manager > Firmware Management to open the Firmware Management screen.
Note: The Zyxel Device automatically reboots when you upload new firmware.
The time format is the 24 hour clock, so ‘0’ means midnight for example. Weekly: Select this option to have the Zyxel Device check for new firmware once a week on the day and at the time specified.
Table 240 Maintenance > Firmware/File Manager > Firmware Management (continued)
LABEL | DESCRIPTION
Apply | Click Apply to save your changes back to the Zyxel Device.
Cancel | Click Cancel to return the screen to its last-saved settings.
This screen also lists the files of diagnostic information the Zyxel Device has collected and stored on the Zyxel Device or in a connected USB storage device. You may need to send these files to customer support for troubleshooting. USG FLEX H Series User’s Guide...
Page 497
Busy on device: The Zyxel Device is generating a diagnostic file containing its own configuration and diagnostic information. Collect Now Click this to have the Zyxel Device run the uploaded script and create a new diagnostic file. Please wait until the collection finishes. USG FLEX H Series User’s Guide...
(also known as a network or protocol analyzer) such as Wireshark. Figure 303 Maintenance > Diagnostics > Packet Capture USG FLEX H Series User’s Guide...
Click Maintenance > Diagnostics > Packet Capture > Edit to open the packet capture screen. Note: New capture files overwrite existing files of the same name. Change the File Suffix field’s setting to avoid this. USG FLEX H Series User’s Guide...
Page 500
Select the version of IP for which to capture packets. Select any to capture packets for all IP versions.
Protocol Type: Select the protocol of traffic for which to capture packets. Select any to capture packets for all types of traffic.
Note: The Zyxel Device reserves some USB storage space as a buffer.
Save data to ftp server: Select this to have the Zyxel Device store packet capture entries on the defined FTP site. The available storage size is displayed as well.
Click Maintenance > Diagnostics > CPU / Memory Status to open the CPU/Memory Status screen. Use this screen to view the CPU and memory performance of various applications on the Zyxel Device. Figure 305 Maintenance > Diagnostics > CPU / Memory Status
Click Maintenance > Diagnostics > System Log to open the System Log screen. This screen lists the files of diagnostic information the Zyxel Device has collected and stored on a connected USB storage device. You may need to send these files to customer support for troubleshooting.
This column displays the label that identifies the file.
Size: This column displays the size (in bytes) of a file.
Modified Time: This column displays the date and time that the individual files were saved.
Use this screen to perform various network tests. Click Maintenance > Diagnostics > Network Tool to display this screen. Figure 307 Maintenance > Diagnostics > Network Tool Figure 308 Maintenance > Diagnostics > Network Tool > IPSec Trace Log
This screen displays if the test passes. This screen displays if the test fails.
Domain Name or IP Address: Type the IP address that you want to use for the NSLOOKUP, PING and TRACEROUTE network tools.
“-w waittime” (where waittime is a time period in seconds) to set how long the Zyxel Device waits for a response to a probe before running another traceroute.
Test: Click this button to start the test.
Reset: Click this button to return the screen to its last-saved settings.
Zyxel Device will prioritize Policy Route over Direct Route for packet routing.
Dynamic/SiteToSite VPN: This is where packets are forwarded according to the criteria you configure in VPN > IPSec VPN > Site to Site VPN.
Routing Table: This section shows the corresponding settings according to the function box you click in the Routing Flow section.
This field is a sequential value, and it is not associated with any entry.
This is the trunk name if the next hop type is Trunk.
Policy Route Priority: Enter the priority of the rule on the Zyxel Device. The Zyxel Device uses this priority to determine which rule to apply. The lower the number, the higher the priority.
This is the route’s priority among the displayed routes. The lower the number, the higher the priority.
Nebula Static Route: This is the static route created when you are using Nebula VPN.
Figure 314 Maintenance > Packet Flow Explore > Routing Status (Nebula Static Route)
This is the IP address of the gateway in the same network of the outgoing interface.
NAT Rule: This is the name of an activated 1:1 or Many 1:1 NAT rule in the NAT table.
(and so on).
Member: This displays the trunk member’s interface(s).
Main Route: This is the default routing table of the Zyxel Device system kernel where packets are forwarded onto the destination IP address.
• Enable/disable Default SNAT in the Network > Interface > Edit External interface screen.
SitetoSite VPN SNAT: SNAT for policy-based SitetoSite IPsec VPN maps all internal private IP addresses of a site to a single IP address for outbound traffic.
This is where packets are forwarded according to the criteria you configured in Network > Routing > Policy Route, with the private source IP address of the sender replaced with a public IP address for outbound traffic. Figure 319 Maintenance > Packet Flow Explore > SNAT Status (Policy Route SNAT)
Zyxel Device. Click a function box to display the related settings in the SNAT Table section.
SNAT Table: The table fields in this section vary depending on the function box you select in the SNAT Flow section.
Interface IP means that the Zyxel Device uses the IP address of the outgoing interface as the source IP address for the matched packets it sends out through this rule.
NAT Rule: This is the name of an activated NAT rule which uses SNAT and enables NAT loopback.
This indicates which source IP address the SNAT rule finally uses. For example, Outgoing Interface IP means that the Zyxel Device uses the IP address of the outgoing interface as the source IP address for the matched packets it sends out through this rule.
Use Test in Maintenance > Firmware/File Manager > Configuration to check that startup-config.conf does not have an error. See Section 28.1.3 on page 483 for details on which configuration files are used at start-up. Figure 323 Maintenance > Reboot/Shutdown
• Select Monthly to have the Zyxel Device automatically restart once a month on the day and at the time specified. Click Shutdown to prepare the Zyxel Device to turn off. Wait for the PWR/SYS LED to turn off before you remove the Zyxel Device power cable.
(such as a DSL modem) is working properly.
• Check the WAN interface's status in the Dashboard. Use the installation setup wizard again and make sure that you enter the correct settings. Use the same case as provided by your ISP.
The Zyxel Device checks the policy routes in the order that they are listed. So make sure that your custom policy route comes before any other routes that the traffic would also match.
The Zyxel Device is not applying the custom security policy I configured.
Zyxel Device modified the file by checking the logs.
The Zyxel Device sent an alert that a malware-infected file has been found, but the file was still forwarded to the user and could still be executed.
If they are, make sure you select their corresponding check box.
Sandbox detected a malicious file, but the file still went through the Zyxel Device and is still usable.
You may see the following error message if Device HA fails.
• Device firmware or model mismatch detected. Check that both Zyxel Devices are the same model with the same firmware version. Update both Zyxel Devices to the latest firmware available.
• The Zyxel Device may not determine the proper IP address if there is an HTTP proxy server between the Zyxel Device and the DDNS server.
I cannot get the application patrol to manage FTP traffic.
Make sure you have the FTP ALG enabled in Network > ALG.
• It is also helpful to have a way to look at the packets that are being sent and received by the Zyxel Device and remote IPSec router (for example, by using a packet sniffer).
I configured application patrol to allow and manage access to a specific service but access is blocked.
If you want to use a service, make sure the security policy allows Security Service application patrol to go through the Zyxel Device.
PKCS #12 file is within a password-encrypted envelope. The file’s password is not connected to your certificate’s public or private passwords. Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the Zyxel Device.
File Size or the time period specified in the Duration field expires.
My earlier packet capture files are missing.
New capture files overwrite existing files of the same name. Change the File Suffix field’s setting to avoid this.
I cannot remove a client in Network Status > Device Insight.
Clients that are blocked cannot be removed. Please make sure to unblock the client you want to remove first.
My USB storage device is not compatible with the Zyxel Device.
Note: You cannot change a service port to a reserved system port.
Table 260 Reserved System Ports
TCP PORTS: 2601, 2602, 2603, 2604, 2605, 2616, 5432, 7681, 7682
UDP PORTS: 1812, 1813, 3799, 4500, 5246, 5247, 18121
Type atkz -b and press Enter to reset the Zyxel Device to the factory defaults. Type atgo and press Enter to restart the Zyxel Device. All configurations on the Zyxel Device are now reset to the factory defaults.
Log in first. Type the command copy running startup to save the current configurations as the startup configurations. Type cmd reboot force and press Enter to restart the Zyxel Device.
Chapter 32 Troubleshooting
32.4 Getting More Troubleshooting Help
Go to support.zyxel.com to find other information on the Zyxel Device.
• ZyXEL Hungary & SEE • https://www.zyxel.com/hu/hu Italy • ZyXEL Communications Italy S.r.l. • https://www.zyxel.com/it/it Norway • ZyXEL Communications A/S • https://www.zyxel.com/no/no Poland • ZyXEL Communications Poland • https://www.zyxel.com/pl/pl Romania • ZyXEL Romania • https://www.zyxel.com/ro/ro
• ZyXEL Turkey A.S. • https://www.zyxel.com/tr/tr • ZyXEL Communications UK Ltd. • https://www.zyxel.com/uk/en-gb Ukraine • ZyXEL Ukraine • https://www.zyxel.com/ua/uk-ua South America Argentina • ZyXEL Communications Corp. • https://www.zyxel.com/co/es-co Brazil • ZyXEL Communications Brasil Ltda.
• ZyXEL Communications Corp. • https://www.zyxel.com/co/es-co South America • ZyXEL Communications Corp. • https://www.zyxel.com/co/es-co Middle East Israel • ZyXEL Communications Corp. • https://il.zyxel.com North America • ZyXEL Communications, Inc. – North America Headquarters https://www.zyxel.com/us/en-us
Max. Admin User Max. User Group Max. User In One User Group Max. Concurrent Device Login On-Cloud Max. Concurrent Device Login Max. Device Insight Entry HTTPd Max. HTTPd Number Objects Address Object Address Group
Maximum SIP Signaling Port Application Patrol Max. App Patrol Profile Number Max. Nebula App Patrol Profile Number (Org-wide) Max. Custom Signatures SSL Inspection Max. SSL Inspection Profile Max. Exclude List Content Filtering Max. Content Filtering Profile Number
Policy Route Rules Reserved Sessions for Managed Devices Trunk Max. Trunk Number (System Default) Max. Trunk Number (User Define) Max. Member Number Per Trunk Sessions Max. TCP Concurrent Sessions (Forwarding, 600,000 600,000 1,000,000 2,000,000 NAT/Firewall)
A Record CNAME Record NS Record (DNS Domain Zone Forward) MX Record Max. DHCP Network Pool (vlan+brg+ethernet) Max. DHCP Host Pool (Static DHCP) 1,024 Max. DHCP User Defined (Custom) Extended Options (per Pool Server-Global)
Max. External Block List DB Number IP Exception Max. IP Exception Number Anti-Malware Max. Statistic Number 1024 1024 1024 1024 Max. Allow List Rule Max. Block List Rule Max. Nebula Allow / Block List Rule (Org- wide)
Sandboxing Support protocol HTTP/SMTP/POP3/FTP HTTP/SMTP/POP3/FTP HTTP/SMTP/POP3/FTP HTTP/SMTP/POP3/FTP Concurrent File Collect Capability Upload File Size Up to 10MB per file Up to 10MB per file Up to 10MB per file Up to 10MB per file
• Consult the dealer or an experienced radio/TV technician for assistance Canada The following information applies if you use the product within Canada area Innovation, Science and Economic Development Canada ICES statement CAN ICES-003 (B)/NMB-003(B)
Do not leave a battery in an extremely high temperature environment or surroundings since it can result in an explosion or the leakage of flammable liquid or gas. • Do not subject a battery to extremely low air pressure since it may result in an explosion or the leakage of flammable liquid or gas.
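recycling station. At the time of disposal, you contribute to a better environment and human health by disposing of it at a recycling point.
Taiwan
Safety Warnings - For your safety, please read the following warnings and instructions first:
• Do not place this product near water or flames, or in a high-temperature environment.
• Avoid exposing the device to:
- Any liquid - never let the device come into contact with water, rain, high humidity, sewage, corrosive liquids or other moisture.
- Dust and dirt - never expose the device to dust, dirt, sand, food or other unsuitable materials.
• Do not install or service this device during a thunderstorm. There is a risk of electric shock.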
To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at https://www.zyxel.com/global/en/support/warranty-information. Registration Register your product online at www.zyxel.com to receive email notices of firmware upgrades and related information.
Appendix C Legal Information Trademarks ZyNOS (Zyxel Network Operating System) and ZON (Zyxel One Network) are registered trademarks of Zyxel Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
AWG ground wire. Do this before you make other connections. If your device has no earthing screw, but has a 3-prong power plug, make sure to connect the plug to a 3-hole earthed socket.
Register your product online at www.zyxel.com to receive email notices of firmware upgrades and related information. Open Source Licenses This product may contain in part some free software distributed under GPL license terms and/or GPL like licenses.
Appendix C Legal Information To request the source code covered under these licenses, please go to: https://www.zyxel.com/form/gpl_oss_software_notice.shtml