Introduction

Overview

Zyxel Device refers to these models as outlined below.

• USG FLEX 100

• USG FLEX 100W

• USG FLEX 200

• USG FLEX 500

• USG FLEX 700

Model Feature Differences

Note the following differences between the USG FLEX models:

USG FLEX Model Feature Comparison
FEATURE/model	USG FLEX 100	USG FLEX 100W	USG FLEX 200	USG FLEX 500	USG FLEX 700
Microsoft Azure	YES	YES	YES	YES	YES
Amazon VPC	CLI only	CLI only	CLI only	CLI only	CLI only
Anomaly Detection & Prevention	YES	YES	YES	YES	YES
Email Security (Anti-Spam)	YES	YES	YES	YES	YES
IPS (IDP)	YES	YES	YES	YES	YES
Anti-Malware	YES	YES	YES	YES	YES
App Patrol	YES	YES	YES	YES	YES
Web Filtering (Content Filtering)	YES	YES	YES	YES	YES
SecuReporter	YES	YES	YES	YES	YES
Reputation Filter (IP and DNS)	NO	NO	NO	NO	NO
URL Threat Filter	YES	YES	YES	YES	YES
Sandboxing	NO	NO	NO	NO	NO
IP Exception	YES	YES	YES	YES	YES
AP Controller	YES	YES	YES	YES	YES
Device HA Pro	NO	NO	NO	YES	YES
Hotspot Management	NO	NO	YES	YES	YES
LAG	NO	NO	NO	YES	YES
Port Group	YES	YES	YES	YES	YES
Port Role	YES	YES	YES	YES	YES
SD-WAN Mode	NO	NO	NO	NO	NO
SSL Application	YES	YES	YES	YES	YES
SSL encrypted traffic inspection	YES	YES	YES	YES	YES
Bundled UTM Feature License Validity	1 year	1 year	1 year	1 year	1 year
Virtual Server Load Balancing	YES	YES	YES	YES	YES
Built-in WiFi	NO	YES	NO	NO	NO
Management by Nebula Control Center (NCC)	YES	YES	YES	YES	YES

• Not all models support all features. See USG FLEX Model Feature Comparison for the specific features that your model supports.

Security Feature List
• Application Security	• Intrusion Prevention System (IPS)
• Anomaly Detection & Prevention (ADP)	• Web Filtering
• Malware Blocker	• Email Security
• Secure Socket Layer (SSL) encrypted traffic Inspection

The following security features work without a security license:

• Configuration > Content Filter > Trusted Web Sites

• Configuration > IPS > Custom Signatures

• Configuration > Anti-Virus > Black/White List

• Configuration > Anti-Spam/Email Security > Block/Allow List

For information on interface names by model, default port or interface name mapping, and default interface or zone mapping please see Default Zones, Interfaces, and Ports.

See the product’s datasheet for detailed information on a specific model.

On Premises Mode

When you log into the Web Configurator for the first time or when you reset the Zyxel Device to its default configuration, the Initial Setup Wizard screen displays. Choose On Premises Mode to manage your Zyxel Device directly using either the browser-based Web Configurator or the Command Line Interface (CLI).

Follow the wizard to configure the Zyxel Device network settings to manage your Zyxel Device directly. Note that once you complete the device registration step and register your Zyxel Device at portal.myzyxel.com, you cannot change to Nebula Mode unless you reset the Zyxel Device.

Nebula Mode

When you log into the Web Configurator for the first time or when you reset the Zyxel Device to its default configuration, the Initial Setup Wizard screen displays. Choose Nebula Mode to manage your Zyxel Device remotely using Nebula Control Center (NCC). Select this mode if you want to configure and monitor one or more Zyxel Devices through the cloud.

Follow the wizard to configure the Zyxel Device network settings to connect to NCC. Note that once you complete th WAN configuration step, you cannot change to On Premises Mode unless you reset the Zyxel Device.

Nebula Control Center (NCC) is an Internet portal that allows you to configure and monitor groups of Zyxel Devices in organizations. You cannot manage a Zyxel Device directly through the Web Configurator or Command Line Interface (CLI) when NCC is managing the Zyxel Device. See USG FLEX Model Feature Comparison to see which Zyxel Devices can be managed by NCC.

Follow this procedure to have NCC manage your Zyxel Device.

NCC Portal

You should already have created an account at myZyxel.com. Follow these steps at the NCC portal.

1 Log into Nebula (https://nebula.zyxel.com) with your myZyxel account. If you do not have a myZyxel account, you will be redirected to another screen to create one.

2 After you log in, click Go under Nebula Control Center and then Let’s Start to run the Nebula setup wizard. Create an organization and a site or select an existing site.

3 Add the Zyxel Device to this site by entering its MAC address and serial number. You’ll find the MAC address and serial number of the Zyxel Device on its label or scan the QR code using the Nebula app.

4 Configure the WAN interface that the Zyxel Device will use to connect to Nebula through the Internet.

5 If you’re given a choice, select Native Mode. If you cannot select Native Mode, configure the email address of the person who will configure the Zyxel Device for management by Nebula. An email will be sent to this person containing an activation link that allows automatic management of the Zyxel Device by Nebula (Zero Touch Provisioning (ZTP)).

Your Zyxel Device

The person who will configure the Zyxel Device for management by Nebula should follow this procedure.

1 Use an Ethernet cable to connect the WAN port of the Zyxel Device (P1 or P2) to the Ethernet port of a device that will provide Internet access.

2 Use another Ethernet cable to connect the LAN port of the Zyxel Device (P3 or P4) to your computer. Make sure your computer can receive an IP address automatically. This is the default for all computers, so the computer should be fine unless you changed it.

3 Connect the power port to an appropriate power source and turn on the Zyxel Device. Wait for the SYS LED to turn solid green.

4 Back up your current configuration before passing management to Nebula. Log into the web configurator, and go to Maintenance > File Manager > Configuration File. Select startup-config.conf, then click Download.

5 If you cannot select Native Mode, reset the Zyxel Device to the factory defaults. Push the Reset button until the port connection LEDs turn off (after about 5 seconds). Your Zyxel Device will reboot to the factory defaults and all previous configurations will be erased.

Skip this step if you did not configure your Zyxel Device before (including just logging in and changing the default password.). You must reset the Zyxel Device if it does not have the factory default configuration.

Your Email Account for ZTP

If you cannot select Native Mode in the Nebula setup wizard, do the following after the Zyxel Device is on:

1 Check your mailbox for an email from Nebula. You may need to check your spam folder

2 Follow the instructions in the email if you did not complete the instructions above. Look for an activation link in the email. Click the activation link or copy the link to your web browser. You will see a screen saying that Nebula registration is in process. Please wait.

3 When you see a screen saying Nebula registration has succeeded, management of your Zyxel Device has passed to Nebula Control Center. The Nebula administrator can now configure and manage your device.

Change the Mode

Follow the steps below to change your Zyxel Device from On Premises Mode to Nebula Mode or from Nebula Mode to On Premises Mode.

From Nebula Mode to On Premises Mode

Follow this procedure if you want to manage the Zyxel Device directly.

1 Log into Nebula (https://nebula.zyxel.com) with your myZyxel account.

2 Go to Organization-wide > Configuration > Inventory.

3 Select the Zyxel Device you want to remove from Nebula.

4 Click Remove.

5 Nebula will automatically reset your Zyxel Device. The Zyxel Device will reboot to the factory defaults. All Nebula configurations for the Zyxel Device will be erased.

6 Log into the Zyxel Device. Run the wizard and choose On Premises Mode.

7 To restore your previous configuration, log into the web configurator, and go to Maintenance > File Manager > Configuration File.

8 Under Upload Configuration File, click Browse, select the startup-config.conf on your computer that you backed up previously and click Upload. The Zyxel Device will then return to the previous settings.

From On Premises Mode to Nebula Mode

1 Back up your current configuration in Maintenance > File Manager > Configuration File.

2 Reset the Zyxel Device to the factory default by pushing the Reset button until the port connection LEDs turn off (after about 5 seconds). Your Zyxel Device will reboot to the factory defaults.

3 Log into the Zyxel Device. Run the wizard and choose Nebula Mode.

4 If you have a choice of Native Mode or ZTP, select Native Mode.

Registration at myZyxel

myZyxel is Zyxel’s online services center where you can register your Zyxel Device and manage subscription services available for your Zyxel Device (see Configuration > Licensing > Registration > Service for services available for your Zyxel Device).

• For Zyxel Devices that already have firmware version 4.25 or later, you have to register your Zyxel Device and activate the corresponding service at myZyxel (through your Zyxel Device).

• For Zyxel Devices upgrading to firmware version 4.25 or later, you may skip registering your Zyxel Device and activating the corresponding service at myZyxel (through your Zyxel Device). However, it is highly recommended to at least register your Zyxel Device. At the time of writing, the Firmware Upgrade license providing Cloud Helper new firmware notifications, is free when you register your Zyxel Device.

Note: You need to create a myZyxel account at http://portal.myZyxel.com before you can register your device and activate the services at myZyxel. You may need your Zyxel Device’s serial number and LAN MAC address to register it at myZyxel. See the label at the back of the Zyxel Device’s for details.

Grace Period

SecuReporter and service licenses have a 15-day grace period after a license expires. Services will continue to work in this period during which you will receive notifications to renew your licenses. New licenses are valid for 1 year from the date of purchase.

Applications

These are some Zyxel Device application scenarios.

Security Router

Security includes a Stateful Packet Inspection (SPI) firewall.

IPv6 Routing

The Zyxel Device supports IPv6 Ethernet, PPP, VLAN, and bridge routing. You may also create IPv6 policy routes and IPv6 objects. The Zyxel Device can also route IPv6 packets through IPv4 networks using different tunneling methods.

VPN Connectivity

Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. AS is an Authentication Server in the below figure.

SSL VPN Network Access

SSL VPN lets remote users use their web browsers for a very easy-to-use VPN solution. A user just browses to the Zyxel Device’s web address and enters his user name and password to securely connect to the Zyxel Device’s network. Here full tunnel mode creates a virtual connection for a remote user and gives him a private IP address in the same subnet as the local network so he can access network resources in the same way as if he were part of the internal network.

User-Aware Access Control

Set up security policies to restrict access to sensitive information and shared resources based on the user who is trying to access it.

Load Balancing

Set up multiple connections to the Internet on the same port, or different ports, including cellular interfaces. In either case, you can balance the traffic loads between them.

Management Overview

Web Configurator

The Web Configurator allows easy Zyxel Device setup and management using an Internet browser.

Command-Line Interface (CLI)

The CLI allows you to use text-based commands to configure the Zyxel Device. Access it using remote management (for example, SSH or Telnet) or via the physical or Web Configurator console port. See the Command Reference Guide for CLI details. The default settings for the console port are:

Console Port Default Settings
Setting	Value
Speed	115200 bps
Data Bits	8
Parity	None
Stop Bit	1
Flow Control	Off

Web Configurator

The Web Configurator is an HTML-based management interface that allows easy system setup and management through Internet browser. Use a browser that supports HTML5, such as Microsoft Edge, Internet Explorer 11, Mozilla Firefox, or Google Chrome.

In order to use the Web Configurator you need to allow:

• Web browser pop-up windows from your device.

• JavaScript (enabled by default).

• Java permissions (enabled by default).

The recommended minimum screen resolution is 1024 x 768 pixels.

Note: Screenshots and graphics in this book may differ slightly from your product due to differences in product features or Web Configurator brand style.

Web Configurator Access

1 Make sure your Zyxel Device hardware is properly connected. See the Quick Start Guide.

2 In your browser go to http://192.168.1.1. By default, the Zyxel Device automatically routes this request to its HTTPS server, and it is recommended to keep this setting. The Login screen appears.

If you want to change the display language for the Zyxel Device’s Web Configurator screens, select from the drop-down list box. You can also change the display language in Configuration> System> Language

3 Type the user name (default: “admin”) and password (default: “1234”).

4 Click Login. After you log in for the first time using the default user name and password, you must change the default admin password in the Update Admin Info screen. Enter a new password of from 1 to 64 characters.

In Configuration > Object > User/Group > Setting, you can enable Password Complexity to require a new password to consist of at least 8 characters and at most 64, where at least 1 character must be a number, at least 1 a lower case letter, at least 1 an upper case letter and at least 1 a special character from the keyboard, such as !@#$%^&*()_+. You can also require periodic changing of the password in that screen by configuring Password must changed every (days).

Make a note of your new password, enter it in the following screen, then click Apply.

5 A Terms of Use screen displays. Read the statement, then click Acknowledge to proceed.

Note: If you are using an Internet Explorer browser, the Terms of Use will be downloaded automatically.

6 The Password Change Notification screen displays. Use this screen to view all the admin accounts expiry information. We recommend you to change your password regularly in Configuration> Object> User/Group> User. Select how often to display the screen and click OK.

7 The Network Risk Warning screen displays any unregistered or disabled security services. If your Zyxel Device is not registered, you will see a prompt to register it. Select how often to display the screen and click OK.

8 Follow the directions in the Update Admin Info screen. If you change the default password, the Login screen appears after you click Apply. If you click Ignore, the Installation Setup Wizard opens if the ZyWALL is using its default configuration; otherwise the dashboard appears.

Security Check for Web Interface Overview

Use this screen to configure settings to secure your Zyxel Device. You can configure:

• Secure SSL access from the Internet to the Zyxel Device.

• Secure SSL access from the Internet to the network behind the Zyxel Device.

• The default port that IPSec VPN clients use to retrieve VPN rule settings from the Zyxel Device.

• The default port for two-factor authentication for VPN clients to access the network behind the Zyxel Device.

Secure SSL Access from the Internet to the Zyxel Device

You can configure up to 3 trusted computers to access the Zyxel Device using secure SSL. The default HTTPS SSL port is 443. If you change this, remote connections from the Internet must use this port. For example, if you change this to port 8800 and the Zyxel Device is using IP address 1.1.1.1, then remote users must use htttps://1.1.1.1:8800.

Configure a new port between 1024 to 65535 that is not in use by other services.

Secure SSL VPN Access from the Internet to the Network Behind the Zyxel Device

The default SSL VPN port is 443. If you change the default SSL VPN port on the Zyxel Device, make sure to make the same change to SecuExtender, the SSL VPN client software. Configure a new port between 1024 to 65535 that is not in use by other services.

You can also restrict SSL VPN access to up to 3 locations on the Internet.

Change the Default IPSec VPN Provisioning Port

Change the default port that IPSec VPN clients use to retrieve VPN rule settings from the Zyxel Device. The default is 443 which is already in use for remote management by default. If you change the default IPSec VPN port on the Zyxel Device, make sure to make the same change to the Zyxel IPSec VPN client.

Configure a new port between 1024 to 65535 that is not in use by other services.

Note: The remote management port, the SSL VPN port and the IPSec VPN port all use 443 by default. If you do not change the default ports, then only 3 connections of the remote management and SSL VPN will be allowed at one time.

Change the Default Port for Two-Factor VPN Access Authentication

Change the default port for two-factor authentication for VPN clients to access the network behind the Zyxel Device. VPN clients do not need to change the port number on their devices, because the link to access the network behind the Zyxel Devices will contain the new port number. For example, if you change this to port 8008 and the link is using a.b.c.d, then VPN clients will see this link in their email or SMS to retrieve settings: htttps://a.b.c.d:8008.

You can also change this port in Object > Auth. Method > Two-factor Authentication > VPN Access. See Two-Factor Authentication for more information on two-factor authentication.

Configure a new port between 1024 to 65535 that is not in use by other services.

Overall Port Configuration Example

Below is an example of configuring these ports to avoid port conflict.

Port Configuration Example
remote management	ssl vpn	ipsec vpn provisioning	two-factor vpn access authentication
8800	8080	443 (default)	8008

Other Security Measures

New firmware contains patches to enhance security. Make sure to check for new firmware regularly and update firmware in Maintenance > Firmware Management.

Change admin passwords regularly. Select Enable Password Complexity in Object > User/Group > Setting to require the user to use a password that's not easy to guess. The password must include:

• at least 8 characters

• at least one upper case alphabetic character and at least one lower case alphabetic character

• one numeric character

• one special character such as @#$%^

Security Check for Web Interface

The following screen appears when the Zyxel Device detects a rule that allows traffic such as HTTP, HTTPS, SSL and so on to access to your Zyxel Device from any IPv4 source on the WAN. This may expose your Zyxel Device to a security risk. Configure settings in this screen to allow access only from specified IP addresses, FQDNs or regions to secure your Zyxel Device.

The following table describes the labels in this screen.

Security Check for Web Interface
Label	Description
Allow secure remote management from WAN	Select this to allow access to the Zyxel Device remotely only from specified IP addresses or Fully Qualified Domain Names (FQDNs), such as 1.1.1.1 or www.zyxel.com. See Secure SSL Access from the Internet to the Zyxel Device for more information.
Port	Configure a new port between 1024 to 65535 to use it to access the web configurator. Do not use a port number that has been used. For example, use https://1.1.1.1:8800 if you changed the default HTTPS port to 8800.
Trusted Host 1-3	Configure the IP addresses or FQDNs that are allowed to access the Zyxel Device.
Allow SSL VPN access from WAN	Select this to allow SSL VPN clients to access the Zyxel Device only from specified regions. See Secure SSL VPN Access from the Internet to the Network Behind the Zyxel Device for more information.
Port	Configure a new port between 1024 to 65535 to use it to access the web configurator using SSL VPN. Do not use a port number that has been used. The port you configure here must be the same as the port you use in SecuExtender. See Secure SSL VPN Access from the Internet to the Network Behind the Zyxel Device for more information on SecuExtender.
Trusted Geolocation 1-3	Select the regions that are allowed to access the Zyxel Device from the drop-down list box.
Change Two-Factor Authentication Port	Select this to change the port VPN clients use to access the Zyxel Device LAN with two-factor authentication. See Change the Default Port for Two-Factor VPN Access Authentication for more information. Configure a new port between 1024 to 65535. Do not use a port number that has been used.
Change Zyxel IPSec VPN Client Provisioning Port	Select this to change the port IPSec VPN clients use to retrieve VPN rule settings from the Zyxel Device. See Change the Default IPSec VPN Provisioning Port for more information. Configure a new port between 1024 to 65535. Do not use a port number that has been used. The port you configure here must be the same as the port you use when logging in as a Zyxel IPSec VPN client.
Please remind me	Select how often to display the screen from the drop-down list box.
OK	Click OK to save your changes back to the Zyxel Device.
Cancel	Click Cancel to exit this screen without saving your changes.

Remote Access to the Zyxel Device Networks

Your Zyxel Device keeps your networks safe while allowing external access by applying the security measures below:

• Two-Factor Authentication: Use two-factor authentication to have double-layer security to access a secured network behind the Zyxel Device. The first layer is the VPN client/Zyxel Device’s login user name / password. The second layer is an authorized SMS (via mobile phone number) or email address. See Two-Factor Authentication for more information on two-factor authentication.

• Device Insight: The Zyxel Device can identify and display the basic information and status of clients that are connected to the Zyxel Device networks in Monitor > Network Status > Device Insight. See Device Insight for more information on viewing the device insight.

Create device insight profiles in Configuration > Object > Device Insight to block specified clients from accessing the Internet or the Zyxel Device. See Device Insight for more information on creating and using the device insight profiles.

• IPSec VPN: You can create highly secure connections with IKEv2 or EAP authentication to access networks behind the Zyxel Device. For example, home workers can securely access company resources if they have proper authentication. See IPSec VPN for more information on IPSec VPN.

• Upload Bandwidth Limit: Zyxel subscription-based SecuExtender IPSec VPN clients with Windows version 5.6.80.007 or later or macOS version 1.2.0.7 or later support upload bandwidth limit. Use this to set the maximum bandwidth for uploading traffic from IPSec VPN clients over IPSec VPN tunnels. See Zyxel Device IPSec VPN Client Configuration Provisioning for more information on upload bandwidth limit.

Web Configurator Screens Overview

The Web Configurator screen is divided into these parts:

Title Bar

The title bar icons in the upper right corner provide the following functions.

Title Bar: Web Configurator Icons
Label	Description
SecuReporter	This icon shows when SecuReporter is enabled and the Zyxel Device is added to an organization. Click this to open the SecuReporter portal page.
Web Console	Click this to open one or multiple console windows from which you can run command line interface (CLI) commands. You will be prompted to enter your user name and password. See the Command Reference Guide for information about the commands. Logging in to the Zyxel Device with HTTPS, so you can open one or multiple console windows.
CLI	Click this to open a popup window that displays the CLI commands sent by the Web Configurator to the Zyxel Device.
Reference	Click this to check which configuration items reference an object.
Site Map	Click this to see an overview of links to the Web Configurator screens.
Forum	Go to https://businessforum.zyxel.com for product discussions.
Help	Click this to open the help page for the current screen.
Notification	Only Admin or Limited Admin can see notifications. Notifications display what’s new in the Zyxel Device firmware (ZLD), information on security services about to expire. Slide the switch to Off if you don’t want notifications. Click an item to see more details on it. Click the Refresh icon or refresh the browser page to update notifications. The latest notification appears at the top. An item is removed once it has been read. Up to five notifications can be shown here. If there are more than five notifications, then click All Notifications to see them.
About	Click this to display basic information about the Zyxel Device.
Logout	Click this to log out of the Web Configurator.

About

Click About to display basic information about the Zyxel Device.

This table describes the fields in this screen.

About
Label	Description
Current Version	This shows the firmware version of the Zyxel Device.
Released Date	This shows the date (yyyy-mm-dd) and time (hh:mm:ss) when the firmware is released.
OK	Click this to close the screen.

Site Map

Click Site MAP to see an overview of links to the Web Configurator screens.

Web Console

Click Web Console to open one or multiple console windows from which you can run CLI commands. You will be prompted to enter your user name and password. See the Command Reference Guide for information about the commands. Logging in to the Zyxel Device with HTTPS, so you can open one or multiple console windows.

Reference

Select the type of object and the individual object and click Refresh to show which configuration settings reference the object.

The fields vary with the type of object. This table describes labels that can appear in this screen.

Reference
Label	Description
Type	Select an object type to see the services.
Name	This identifies the object for which the configuration settings that use it are displayed. Click the object’s name to display the object’s configuration screen in the main window.
#	This field is a sequential value, and it is not associated with any entry.
Service	This is the type of setting that references the selected object. Click a service’s name to display the service’s configuration screen in the main window.
Priority	If it is applicable, this field lists the referencing configuration item’s position in its list, otherwise N/A displays.
Name	This field identifies the configuration item that references the object.
Description	If the referencing configuration item has a description configured, it displays here.
Refresh	Click this to update the information in this screen.
Cancel	Click Cancel to close the screen.

CLI Messages

Click CLI to look at the CLI commands sent by the Web Configurator. Open the pop-up window and then click some menus in the Web Configurator to display the corresponding commands.

Navigation Panel

Use the navigation panel menu items to open status and configuration screens. Click the arrow in the middle of the right edge of the navigation panel to hide the panel or drag to resize it. The following sections introduce the Zyxel Device’s navigation panel menus and their screens.

Dashboard

The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs.

Monitor Menu

The monitor menu screens display status and statistics information.

Monitor Menu Screens Summary
Folder or Link	Tab	Function
Traffic Statistics
Port Statistics	Port Statistics	Displays packet statistics for each physical port.
Interface Status	Interface Summary	Displays general interface information and packet statistics.
Traffic Statistics	Traffic Statistics	Collect and display traffic statistics.
Session Monitor	Session Monitor	Displays the status of all current sessions.
Network Status
DHCP Table	DHCP Table	Displays a list of interfaces and their DHCP-assigned IP addresses.
Device Insight	Device Insight	Displays a list of WiFi and wireless clients connected to the Zyxel Device networks.
Login Users	Login Users	Lists the users currently logged into the Zyxel Device.
Dynamic Guest	Dynamic Guest	List the dynamic guest accounts in the Zyxel Device’s local database. These are accounts that are created automatically and allowed to access the Zyxel Device’s services for a certain period of time.
IGMP Statistics	IGMP Statistics	Collect and display IGMP statistics.
DDNS Status	DDNS Status	Displays the status of the Zyxel Device’s DDNS domain names.
IP/MAC Binding	IP/MAC Binding	Lists the devices that have received an IP address from Zyxel Device interfaces using IP/MAC binding.
Cellular Status	Cellular Status	Displays details about the Zyxel Device’s mobile broadband connection status.
UPnP Port Status	Port Statistics	Displays details about UPnP connections going through the Zyxel Device.
USB Storage	Storage Information	Displays details about USB device connected to the Zyxel Device.
Ethernet Neighbor	Ethernet Neighbor	View and manage the Zyxel Device’s neighboring devices via Smart Connect (Layer Link Discovery Protocol (LLDP)). Use the Zyxel One Network (ZON) utility to view and manage the Zyxel Device’s neighboring devices via the Zyxel Discovery Protocol (ZDP).
FQDN Object	FQDN Object	Displays FQDN (Fully Qualified Domain Name) object cache lists used in DNS queries.
Virtual Server LB	Virtual Server Load Balancer Status	Displays traffic statistics between a client and a real server.
Wireless
AP Information	AP List	Lists APs managed by the Zyxel Device.
	Radio List	Lists wireless details of APs managed by the Zyxel Device.
	Built-in AP	Displays associated wireless client usage and number. (For Zyxel Device model names containing ‘W’.)
	Top N APs	Lists managed APs with the most wireless traffic usage and most associated wireless stations.
	Single AP	Lists APs wireless traffic usage and associated wireless stations for a managed AP.
ZyMesh	ZyMesh Link Info	Display statistics about ZyMesh wireless connections between managed APs.
SSID Info	SSID Info	Display information about the AP’s wireless clients.
Station Info	Station List	Lists wireless clients associated with the APs managed by the Zyxel Device.
	Top N Stations	Lists wireless stations with the most wireless traffic usage.
	Single Station	Lists wireless traffic usage for an associated wireless station.
Detected Device	Detected Device	Display information about suspected rogue APs.
Wireless Health	Wireless Health	Displays information about health or wireless networks for your APs and connected wireless clients.
Printer Status	Printer Status	Display information about the connected statement printers.
VPN Monitor
IPSec	IPSec	Displays and manages the active IPSec SAs.
SSL	SSL	Lists users currently logged into the VPN SSL client portal. You can also log out individual users and delete related session information.
L2TP over IPSec	L2TP over IPSec	Displays details about current L2TP sessions.
Remote AP VPN	Remote AP VPN	Displays and manages the active remote APs.
Security Statistics
App Patrol	Summary	Displays application patrol statistics.
Content Filter	Web Content Filter	Collect and display web content filter statistics.
Content Filter	DNS Content Filter	Collect and display DNS content filter statistics.
Anti-Malware	Summary	Collect and display statistics on the malware that the Zyxel Device has detected.
Reputation Filter	Summary	Displays counts and URLs that are blocked by the Zyxel Device.
IPS	Summary	Collect and display statistics on the intrusions that the Zyxel Device has detected.
Email Security	Summary	Collect and display spam statistics.
Email Security	Status	Displays how many mail sessions the ZyWALL is currently checking and DNSBL (Domain Name Service-based spam Black List) statistics.
CDR	Containment List	Displays what clients are currently contained by Collaborative Detection & Response (CDR).
CDR	History	Displays what clients were and are contained by Collaborative Detection & Response (CDR).
SSL Inspection	Summary	Collect and display SSL Inspection statistics.
SSL Inspection	Certificate Cache List	Displays traffic to destination servers using certificates.
Log	View Log	Lists log entries.
	View AP Log	Lists AP log entries.
	Dynamic Users Log	Lists the Zyxel Device’s dynamic guest account log messages.

Configuration Menu

Use the configuration menu screens to configure the Zyxel Device’s features.

Configuration Menu Screens Summary
Folder or Link	Tab	Function
Quick Setup		Quickly configure WAN interfaces or VPN connections.
Licensing
Registration	Registration	Register the device and activate trial services.
Registration	Service	View the licensed service status and upgrade licensed services.
Signature Update	Signature	Update signatures immediately or by a schedule.
Wireless
Built-in AP	General	Allow WiFi clients to access your Zyxel Device wirelessly to connect to the network.
Controller	Configuration	Configure manual or automatic controller registration.
AP Management	Mgnt AP List	Edit or remove entries in the lists of APs managed by the Zyxel Device.
	AP Policy	Configure the AP controller’s IP address on the managed APs and determine the action the managed APs take if the current AP controller fails.
	AP Group	Create groups of APs, define their radio, VLAN, port and load balancing settings.
	Firmware	Update the firmware on APs connected to your Zyxel Device.
Rogue AP	Rogue/Friendly AP List	Configure how the Zyxel Device monitors rogue APs.
Wireless Health	Wireless Health	Enable wireless health to improve the APs wireless network performance in Zyxel Device networks.
Auto Healing	Auto Healing	Enable auto healing to extend the wireless service coverage area of the managed APs when one of the APs fails.
RTLS	Real Time Location System	Use the managed APs as part of an Ekahau RTLS to track the location of Ekahau WiFi tags.
Network
Interface	Port Port Role/Port Configuration	Use this screen to set the Zyxel Device’s flexible ports such as LAN, OPT, WLAN, or DMZ.
	Ethernet	Manage Ethernet interfaces and virtual Ethernet interfaces.
	PPP	Create and manage PPPoE and PPTP interfaces.
	Cellular	Configure a cellular Internet connection for an installed mobile broadband card.
	Tunnel	Configure tunneling between IPv4 and IPv6 networks.
	VLAN	Create and manage VLAN interfaces and virtual VLAN interfaces.
	Bridge	Create and manage bridges and virtual bridge interfaces.
	LAG	Configure interface and LAG parameters for each LAG interface.
	VTI	Configure IP address assignment and interface parameters for VTI (Virtual Tunnel Interface).
	Trunk	Create and manage trunks (groups of interfaces) for load balancing.
Routing	Policy Route	Create and manage routing policies.
	Static Route	Create and manage IP static routing information.
	RIP	Configure device-level RIP settings.
	OSPF	Configure device-level OSPF settings, including areas and virtual links.
	BGP	Configure exchange of Border Gateway Protocol (BGP) information over an IPSec tunnel.
DDNS	DDNS	Define and manage the Zyxel Device’s DDNS domain names.
NAT	NAT	Set up and manage port forwarding rules.
NAT	Virtual Server Load Balancer	Configure virtual server load balancer rules that distribute incoming connection requests to a virtual server between multiple real (physical) servers
Redirect Service	Redirect Service	Set up and manage HTTP and SMTP redirection rules.
ALG	ALG	Configure SIP, H.323, and FTP pass-through settings.
UPnP	UPnP	Configure interfaces that allow UPnP and NAT-PMP connections.
IP/MAC Binding	Summary	Configure IP to MAC address bindings for devices connected to each supported interface.
IP/MAC Binding	Exempt List	Configure ranges of IP addresses to which the Zyxel Device does not apply IP/MAC binding.
Layer 2 Isolation	General	Enable layer-2 isolation on the Zyxel Device and the internal interfaces.
Layer 2 Isolation	Allow List	Enable and configure the allow list.
DNS Inbound LB	DNS Load Balancing	Configure DNS Load Balancing.
VPN
IPSec VPN	VPN Connection	Configure IPSec tunnels.
	VPN Gateway	Configure IKE tunnels.
	Concentrator	Combine IPSec VPN connections into a single secure network
	Configuration Provisioning	Set who can retrieve VPN rule settings from the Zyxel Device using the Zyxel Device IPSec VPN Client.
SSL VPN	Access Privilege	Configure SSL VPN access rights for users and groups.
SSL VPN	Global Setting	Configure the Zyxel Device’s SSL VPN settings that apply to all connections.
L2TP VPN	L2TP VPN	Configure L2TP over IPSec tunnels.
Remote AP VPN	Remote AP VPN	Configure the IP address pool for the Zyxel Device to assign an IP address to the outgoing interface of each RAP IPSec tunnel.
BWM	BWM	Enable and configure bandwidth management rules.
Web Authentication	Web Authentication General/Authentication Type/Custom Web Portal File/Custom User Agreement File/Facebook WiFi	Define a web portal and exempt services from authentication.
Web Authentication	SSO	Configure the Zyxel Device to work with a Single Sign On agent.
Hotspot
Billing	General	Configure the general billing settings, such as the accounting method.
	Billing Profile	Configure the billing profiles for the web-based account generator and each button on the connected statement printer.
	Discount	Configure discount price plans.
	Payment Service	Enable online payment service and configure the service pages.
Printer Manager	General	Configure the printer list, enable printer management and customize the account printout.
Printer Manager	Printout Configuration	Detect the connected statement printers, change their IP addresses and/or add them to the managed printer list.
Free Time	Free Time	Allow users to get a free account for Internet surfing during the specified time period.
IPnP	IPnP	Enable IPnP on the Zyxel Device and the internal interfaces.
Walled Garden	Walled Garden General/URL Base/Domain/IP Base	Create walled garden links that display in the login screen.
Advertisement	Advertisement	Enable and set advertisement links.
Security Policy
Policy Control	Policy	Create and manage level-3 traffic rules and apply Security Service profiles.
ADP	General	Display and manage ADP bindings.
	Profile	Create and manage ADP profiles.
	Allow List	Create an allow list for certain IP or services to let them pass the ADP flood detection.
Session Control	Session Control	Limit the number of concurrent client NAT/security policy sessions.
Security Service
AppPatrol	Profile	Manage different types of traffic in this screen. Create App Patrol template(s) of settings to apply to a traffic flow using a security policy.
Content Filter	Web Content Filter: General	Create and manage the detailed filtering rules for content filtering profiles and then apply to a traffic flow using a security policy.
	Web Content Filter: Trusted Web Sites	Create a list of allowed web sites that bypass content filtering policies.
	Web Content Filter: Forbidden Web Sites	Create a list of web sites to block regardless of content filtering policies.
	DNS Content Filter: General	Create and manage the detailed filtering rules for DNS content filtering profiles and then apply to a traffic flow using a security policy.
	DNS Content Filter: Allow List	Create a list of allowed web sites that bypass DNS content filtering policies.
	DNS Content Filter: Block List	Create a list of web sites to block regardless of content filtering policies.
Anti-Malware	Anti-Malware	Enable, specify actions to take when encountering malware or compressed files, and set up a black list to identify files with malware file patterns and a white list to identify files that should not be checked for malware.
	Block/Allow List	Set up a block list to identify spam and an allow list to identify legitimate email.
	Signature	Search for particular signatures to get more information about them.
Reputation Filter	URL Threat Filter General/Profile/Allow List/Block List/External Block List	Enable URL filtering and specify what action the Zyxel Device takes when a access attempt to a blocked website is detected. You can also set up an allow list to identify which IPv4 addresses and/or URLs should be allowed, and a block list to identify which IPv4 addresses and/or URLs should be blocked. Set up an external block list which uses block list entries stored in a file on a web server that supports HTTP or HTTPS and is reachable from the Zyxel Device. The Zyxel Device will block incoming and outgoing packets from the black list entries in this file.
IPS	IPS	Enable and configure IPS settings. Create, import, or export custom signatures.
IPS	Allow List	Configure signatures that will be exempted from IPS inspection.
Email Security	Email Security	Turn email security on or off and manage email security policies. Create email security templates of settings to apply to a traffic flow using a security policy.
Email Security	Block/Allow List	Set up a block list to identify spam and an allow list to identify legitimate email.
CDR	Collaborative Detection & Response	Turn CDR on or off and manage CDR policies. Create CDR templates of settings to apply to a traffic flow using a security policy.
CDR	Exempt List	Configure IPv4 and/or MAC addresses of devices that are exempt from CDR checking.
SSL Inspection	Profile	Decrypt HTTPS traffic for Security Service inspection. Create SSL Inspection templates of settings to apply to a traffic flow using a security policy.
	Exclude List	Configure services to be excluded from SSL Inspection.
	Certificate Update	Use this screen to update the latest certificates of servers using SSL connections to the Zyxel Device network.
IP Exception	IP Exception	Use this screen to view the IP exception list for the anti-malware and IPS (Intrusion Prevention System) features. The Zyxel Device will not intercept nor inspect the incoming packets that match the rules in the IP exception list for the anti-malware and/or IPS (Intrusion Prevention System) features.
Object
Device Insight	Device Insight	Configure profiles to block specified clients from accessing the Internet or the Zyxel Device.
Zone	Zone	Configure zone templates used to define various policies.
User/Group	User	Create and manage users.
	Group	Create and manage groups of users.
	Setting	Manage default settings for all users, general settings for user sessions, and rules to force user authentication.
	MAC Address	Configure the MAC addresses of wireless clients for MAC authentication using the local user database.
AP Profile	Radio	Create templates of radio settings to apply to policies as an object.
AP Profile	SSID	Create templates of wireless settings to apply to radio profiles or policies as an object.
MON Profile	MON Profile	Create and manage rogue AP monitoring files that can be associated with different APs.
ZyMesh Profile	ZyMesh Profile	Create and manage ZyMesh files that can be associated with different APs.
Address/Geo IP	Address	Create and manage host, range, and network (subnet) addresses.
	Address Group	Create and manage groups of addresses to apply to policies as a single objects.
	Geo IP	Update the database of country-to-IP address mappings and manually configure country-to-IP address mappings for geographic address objects that can be used in security policies.
Service	Service	Create and manage TCP and UDP services.
Service	Service Group	Create and manage groups of services to apply to policies as a single object.
Schedule	Schedule	Create one-time and recurring schedules.
Schedule	Schedule Group	Create and manage groups of schedules to apply to policies as a single object.
AAA Server	Active Directory	Configure the Active Directory settings.
	LDAP	Configure the LDAP settings.
	RADIUS	Configure the RADIUS settings.
Auth. Method	Authentication Method	Create and manage ways of authenticating users.
Auth. Method	Two-factor Authentication	Configure SMS or email authentication to access a secured network behind the Zyxel Device via a VPN tunnel.
Certificate	My Certificates	Create and manage the Zyxel Device’s certificates.
Certificate	Trusted Certificates	Import and manage certificates from trusted sources.
ISP Account	ISP Account	Create and manage ISP account information for PPPoE/PPTP interfaces.
DHCPv6	Request	Configure IPv6 DHCP request type and interface information.
DHCPv6	Lease	Configure IPv6 DHCP lease type and interface information.
Device HA	Device HA Status	See the license status for Device HA Pro, and see the status of the active and passive devices.
	Device HA Pro	Configure Device HA Pro global settings, monitored interfaces and synchronization settings.
	View Log	See logs of the active and passive devices
Cloud CNM	SecuManager	Enable and configure management of the Zyxel Device by a Central Network Management system.
Cloud CNM	SecuReporter	Enable SecuReporter logging and access the SecuReporter security analytics portal that collects and analyzes logs from your Zyxel Device in order to identify anomalies, alert on potential internal or external threats, and report on network usage.
System
Host Name	Host Name	Configure the system and domain name for the Zyxel Device.
USB Storage	Settings	Configure the settings for the connected USB devices.
Date/Time	Date/Time	Configure the current date, time, and time zone in the Zyxel Device.
Console Speed	Console Speed	Set the console speed.
DNS	DNS	Configure the DNS server and address records for the Zyxel Device.
WWW	Service Control	Configure HTTP, HTTPS, and general authentication.
WWW	Login Page	Configure how the login and access user screens look.
SSH	SSH	Configure SSH server and SSH service settings.
TELNET	TELNET	Configure telnet server settings for the Zyxel Device.
FTP	FTP	Configure FTP server settings.
SNMP	SNMP	Configure SNMP communities and services.
Auth. Server	Auth. Server	Configure the Zyxel Device to act as a RADIUS server.
Notification	Mail Server	Configure a mail server with authentication to send reports and password expiration notification emails.
	SMS	Enable the SMS service to send dynamic guest account information in text messages and authorization for VPN tunnel access to a secured network.
	Response Message	Create a web page when access to a website is restricted due to a security service.
Language	Language	Select the Web Configurator language.
IPv6	IPv6	Enable IPv6 globally on the Zyxel Device here.
ZON	ZON	Use the Zyxel One Network (ZON) utility to view and manage the Zyxel Device’s neighboring devices via the Zyxel Discovery Protocol (ZDP).
Log & Report
Email Daily Report	Email Daily Report	Configure where and how to send daily reports and what reports to send.
Log Settings	Log Settings	Configure the system log, email logs, and remote syslog servers.

Maintenance Menu

Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the Zyxel Device.

Maintenance Menu Screens Summary
Folder or Link	Tab	Function
File Manager	Configuration File	Manage and upload configuration files for the Zyxel Device.
	Firmware Management	View the current firmware version and upload firmware. Reboot with your choice of firmware.
	Shell Script	Manage and run shell script files for the Zyxel Device.
Diagnostics	Diagnostics	Collect diagnostic information. This screen includes the sub-tabs below: • Controller • AP • Filer
	Packet Capture	Capture packets for analysis. This screen includes the sub-tabs below: • Capture • Capture on AP • Files • Remote Capture
	CPU/Memory Status	View CPU and memory usage statistics.
	System Log	Connect a USB device to the Zyxel Device and archive the Zyxel Device system logs to it here.
	Network Tool	Identify problems with the connections. You can use Ping or Traceroute to help you identify problems.
	Routing Traces	Configure traceroute to identify where packets are dropped for troubleshooting.
	Wireless Frame Capture	Capture wireless frames from APs for analysis.
Packet Flow Explore	Routing Status	Check how the Zyxel Device determines where to route a packet.
Packet Flow Explore	SNAT Status	View a clear picture on how the Zyxel Device converts a packet’s source IP address and check the related settings.
Shutdown/ Reboot	Shutdown/ Reboot	Turn off or restart the Zyxel Device.

Tables and Lists

Web Configurator tables and lists are flexible with several options for how to display their entries.

Click a column heading to sort the table’s entries according to that column’s criteria.

Click the down arrow next to a column heading for more options about how to display the entries. The options available vary depending on the type of fields in the column. Here are some examples of what you can do:

• Sort in ascending or descending (reverse) alphabetical order

• Select which columns to display

• Group entries by field

• Show entries in groups

• Filter by mathematical operators (<, >, or =) or searching for text

Select a column heading cell’s right border and drag to re-size the column.

Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column’s title when you drag the column to a valid new location.

Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time.

The tables have icons for working with table entries. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate.

Here are descriptions for the most common table icons.

Common Table Icons
Label	Description
Add	Click this to create a new entry. For features where the entry’s position in the numbered list is important (features where the Zyxel Device applies the table’s entries in order like the security policy for example), you can select an entry and click Add to create a new entry after the selected entry.
Edit	Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. In some tables you can just click a table entry and edit it directly in the table. For those types of tables small red triangles display for table entries with changes that you have not yet applied.
Remove	To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Activate	To turn on an entry, select it and click Activate.
Inactivate	To turn off an entry, select it and click Inactivate.
Connect	To connect an entry, select it and click Connect.
Disconnect	To disconnect an entry, select it and click Disconnect.
References	Select an entry and click References to check which settings use the entry.
Move	To change an entry’s position in a numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed. For example, if you type 6, the entry you are moving becomes number 6 and the previous entry 6 (if there is one) gets pushed up (or down) one.

Working with Lists

When a list of available entries displays next to a list of selected entries, you can often just double-click an entry to move it from one list to the other. In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list.