Mgmt. & Analytics
Mgmt. & Analytics Overview
You need licenses to use Cloud CNM SecuManager and Cloud CNM SecuReporter. You need the SecuManager license to get a CNM ID with which you can access the SecuManager server. It is independent from the Zyxel Devices. The SecuReporter license must be activated on each Zyxel Device.
Follow the instructions on the Nebula screen to pass your Zyxel Device management to Nebula. The screen you see may vary depending on the device you’re using or the WAN settings you configured.
Cloud CNM SecuManager
Cloud CNM SecuManager is a Virtual Machine-based (VM) management system that uses the TR-069 protocol to encapsulate commands to Zyxel Devices for management and monitoring; these devices must have firmware that supports the TR-069 protocol.
Cloud CNM SecuManager features include:
Batch import of managed devices at one time using one CSV file
See an overview of all managed devices and system information in one place
Monitor and manage devices
Install firmware to multiple devices of the same model at one time
Backup and restore device configuration
View the location of managed devices on a map
Receive notification for events and alarms, such as when a device goes down
Graphically monitor individual devices and see related statistics
Directly access a device for remote configuration
Create four types of administrators with different privileges
Perform Site-to-Site, Hub & Spoke, Fully-meshed and Remote Access VPN provisioning.
To allow Cloud CNM SecuManager management of your Zyxel Device:
You must have a Cloud CNM SecuManager license with CNM ID number or a Cloud CNM SecuManager server URL.
The Zyxel Device must be able to communicate with the Cloud CNM SecuManager server.
You must configure Configuration > Cloud CNM > SecuManager to allow the Zyxel Device to find the Cloud CNM SecuManager server.
The following table describes the labels in this screen.
Configuration > Cloud CNM > SecuManager  
Label
DESCRIPTION
Show Advanced Settings / Hide Advanced Settings
Click this button to display a greater or lesser number of configuration fields.
Enable
Select this to allow management of the Zyxel Device by Cloud CNM SecuManager.
Auto
Select this if your Cloud CNM SecuManager server can access myZyxel to automatically get the VM server URL from myZyxel. You also need the CNM ID from the Cloud CNM SecuManager license.
CNM URL
myZyxel associates the CNM ID with the CNM URL which identifies the server on which Cloud CNM SecuManager is installed. Therefore you don’t need to enter the CNM URL when you select Auto.
Custom
Select this if your Cloud CNM SecuManager server cannot access myZyxel.
CNM URL
Select this if your VM server or Zyxel Device are in a private network, or if the VM server is behind a NAT router. You then need to manually enter the VM server URL into the Zyxel Device. Enter the IPv4 address of the Cloud CNM SecuManager server followed by the port number (default 7547 for HTTPS or 7549 for HTTP) followed by the CNM ID from the license in CNM URL. For example, if you installed Cloud CNM SecuManager on a server with IP address 1.1.1.1 and CNM ID V6ABQNTPYGD, then type 1.1.1.1:7547/V6ABQNTPYG or 1.1.1.1:7549/V6ABQNTPYG as the CNM URL.
Transfer Protocol
Choose the CNM URL protocol: HTTP or HTTPS. If you enter 1.1.1.1:7547 as the CNM URL, you must choose HTTPS as the Transfer Protocol, and then the whole CNM URL is https://1.1.1.1:7547. If you enter 1.1.1.1:7549 as the CNM URL, you must choose HTTP as the Transfer Protocol, and then the whole CNM URL is http://1.1.1.1:7549.
Periodic Inform
Enable this to have the Zyxel Device inform the Cloud CNM SecuManager server of its presence at regular intervals.
Interval
Type how often the Zyxel Device should inform the Cloud CNM SecuManager server of its presence.
HTTPS Authentication
Select the check box if you have an HTTPS server certificate.
Server Certificate
Select a certificate the HTTPS server (the Zyxel Device) uses to authenticate itself to the HTTPS client.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
*See the Cloud CNM SecuManager User’s Guide for more information on Cloud CNM SecuManager.
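The Custom CNM URL and Transfer Protocol rules from the table above can be checked before the value is typed into the Zyxel Device. The following is an added example, not Zyxel code: the function name build_cnm_url is hypothetical, the CNM ID is assumed to be alphanumeric, and only the default ports stated on this page (7547 for HTTPS, 7549 for HTTP) are known to the check.

```python
import ipaddress
import re

# Default SecuManager ports as stated on this page.
DEFAULT_PORTS = {"HTTPS": 7547, "HTTP": 7549}

# <IPv4>:<port>[/<CNM ID>]; an alphanumeric CNM ID is an assumption.
CNM_FIELD = re.compile(r"([^:/\s]+):(\d{1,5})(?:/([A-Za-z0-9]+))?")


def build_cnm_url(cnm_url, transfer_protocol):
    """Validate a Custom CNM URL value against the chosen Transfer Protocol.

    Returns (full_url, warnings). Raises ValueError when the value cannot
    work as described on this page.
    """
    proto = transfer_protocol.upper()
    if proto not in DEFAULT_PORTS:
        raise ValueError("Transfer Protocol must be HTTP or HTTPS")

    match = CNM_FIELD.fullmatch(cnm_url.strip())
    if not match:
        raise ValueError("expected <IPv4 address>:<port>[/<CNM ID>]")
    host, port, cnm_id = match.group(1), int(match.group(2)), match.group(3)

    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        raise ValueError(f"{host!r} is not an IPv4 address") from None
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is out of range")

    # A default port paired with the other protocol is a misconfiguration.
    for other, default in DEFAULT_PORTS.items():
        if port == default and other != proto:
            raise ValueError(
                f"port {port} is the default {other} port, but {proto} is selected")

    warnings = []
    if port not in DEFAULT_PORTS.values():
        warnings.append("non-default port: confirm the server listens on it")
    if proto == "HTTP":
        warnings.append("HTTP sends TR-069 management traffic unencrypted")
    if cnm_id is None:
        warnings.append("no CNM ID after the port")

    path = f"/{cnm_id}" if cnm_id else ""
    return f"{proto.lower()}://{host}:{port}{path}", warnings
```
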
Cloud CNM SecuReporter
Cloud CNM SecuReporter is a security analytics portal that collects and analyzes logs from SecuReporter-licensed Zyxel Devices in order to identify anomalies, alert on potential internal / external threats, and report on network usage. You need to buy a license for SecuReporter for your Zyxel Device and register it at myZyxel. You must be a registered user at myZyxel.
You can access the portal from a web browser and also get notifications sent to an app on your mobile phone.
How to activate and enable SecuReporter
1 Does Service Status display Activated in the Configuration > Cloud CNM > SecuReporter screen? If not, you have to log in to myZyxel.com and activate the SecuReporter license for this Zyxel Device. The Zyxel Device must be able to communicate with the myZyxel server.
Your SecuReporter license displays in Configuration > Licensing > Registration > Service after you activate the SecuReporter license at myZyxel.
2 After the SecuReporter license is activated, go back to the Configuration > Cloud CNM > SecuReporter screen, and select the categories of logs that you want this Zyxel Device to send to the SecuReporter portal.
3 Select Enable SecuReporter. Do not go to the SecuReporter portal until after you have enabled SecuReporter on this Zyxel Device and applied the settings. You can also see the license status, type and expiration date.
4 Click Apply and wait.
How to add this Zyxel Device to SecuReporter
1 Log in to the SecuReporter portal.
2 Go to Settings > Organization & Devices > Add to create an organization.
3 Add this Zyxel Device to an Organization using the hyperlink under Unclaimed Device.
SecuReporter Banner
The SecuReporter banner appears when:
1 SecuReporter hasn’t been enabled before.
2 The Zyxel Device is not added to an organization yet.
Click the Continue button in the SecuReporter banner to configure the SecuReporter settings.
Server Status: This is the connection status between the Zyxel Device and the SecuReporter server. This field shows Connected when the Zyxel Device can synchronize with the SecuReporter server. This field shows Timeout when the Zyxel Device can’t synchronize with the SecuReporter server. This field shows Fail when the connection between the Zyxel Device and the SecuReporter server is down.
Device Name: Enter the name of the Zyxel Device. This Zyxel Device will be added to a new or existing organization.
Organization: This field appears if you haven’t created an organization in the SecuReporter server. Type a name of up to 255 characters and a description to create a new organization.
Select from existing organization: Select an existing organization from the drop-down list box to add the Zyxel Device to the selected organization.
Create new organization: Type a name of up to 255 characters and a description to create a new organization.
Partially Anonymous: Select this and personal data, such as user names, MAC addresses, email addresses, and host names, will be replaced with artificial identifiers in downloaded logs.
Fully Anonymous: Select this and personal data, such as user names, MAC addresses, email addresses, and host names, will be replaced with anonymized information in downloaded logs.
Non-Anonymous: Select this and personal data, such as user names, MAC addresses, email addresses, and host names, will be identifiable in downloaded logs.
The following table describes the labels in this screen.
Configuration > Cloud CNM > SecuReporter  
Label
DESCRIPTION
Enable SecuReporter
Security-related logs are sent to the SecuReporter portal. Click the General Data Protection Regulation (GDPR) privacy link below to see the Zyxel privacy policy.
This must be selected to have SecuReporter collect and analyze logs from this Zyxel Device.
It’s selected by default if you have activated a SecuReporter Standard license.
You need to select this if you have a SecuReporter Trial license.
This field is not available if you do not have a SecuReporter license.
Categories
Select the categories of logs that you want this Zyxel Device to send to SecuReporter for analysis and trend spotting.
SecuReporter Service License Status
Service Status
This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired. It displays Not Licensed if there isn’t a license to be activated for this service.
Service Type
This field displays whether you applied for a trial application (Trial) or registered this service with your iCard’s PIN number (Standard). This field is blank when the service is not activated.
Expiration Date
This field displays the date your service expires.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
Nebula
Select Cloud Monitoring Mode to monitor your Zyxel Device using Nebula Control Center (NCC) but configure your Zyxel Device in On Premises Mode using the web configurator/CLI at the same time. You can allow remote access to the web configurator using a reverse SSH or HTTPS tunnel.
*You cannot set the Zyxel Device to Cloud Monitoring Mode if Device HA is enabled on the Zyxel Device.
Select Cloud Mode to manage your Zyxel Device using Nebula only. Use this mode to manage your Zyxel Device with accounts at different privilege levels. You can also manage your Zyxel Device licenses and check status through Nebula.
Your Zyxel Device uses Native Mode to register with Nebula. See Cloud Management Scenario A - Native Mode for more information on registering your Zyxel Device with Nebula using Native Mode.
Cloud Monitoring Mode
You must have created an organization and a site on Nebula first. Follow the steps below to set the Zyxel Device to Cloud Monitoring Mode.
On Premises Mode to Cloud Monitoring Mode
1 Back up the Zyxel Device configurations.
2 Select Cloud Monitoring Mode in Configuration > Mgmt. & Analytics > Nebula, then select Enable.
3 Enter the Monitor mode ID of an organization you created on Nebula. See the organization Monitor mode ID on Nebula in Organization-wide > Organization-wide manage > Organization settings.
4 Click Apply. Check the result in the Status field.
The following table explains the possible results that might display in the Status field.
Cloud Monitoring Mode Status
N/A
You’ve not entered a Monitor mode ID on the Zyxel Device.
Connected
The Zyxel Device is connected to Nebula. Check the Device Type of the Zyxel Device on Nebula in Organization-wide > License & inventory.
Disconnected - Server is not reachable
The Zyxel Device cannot connect to Nebula. Please make sure the Zyxel Device can access Nebula at *.nebula.zyxel.com and ports 443, 4335 and 6667 are enabled.
Disconnected - Connection failure
The Zyxel Device failed to connect to Nebula. Make sure the Zyxel Device settings match the Nebula settings.
Disconnected - Registration failure
The email registered on myZyxel and the email registered on the Nebula organization to which you want to add the Zyxel Device are different.
Disconnected - Operation modes mismatch
Remove the Zyxel Device from the Nebula organization and site.
Nebula Mode to Cloud Monitoring Mode
1 Remove the Zyxel Device from the organization and site.
2 If the Zyxel Device is connected to Nebula, the Zyxel Device will automatically reset after you remove the Zyxel Device from the organization and site. If the Zyxel Device is not connected to Nebula, press the reset button.
3 After the PWR LED turns steady green, log into the Zyxel Device, select On Premises Mode, go to Configuration > Mgmt. & Analytics > Nebula, select Cloud Monitoring Mode and then follow the screen prompts.
Cloud Monitoring Mode to Nebula Mode
1 Remove the Zyxel Device in cloud monitoring mode from the organization and site.
2 Back up your current configuration in Maintenance > File Manager > Configuration File.
3 Reset the Zyxel Device to the factory default by pushing the Reset button until the port connection LEDs turn off (after about 5 seconds). Your Zyxel Device will reboot to the factory defaults.
4 Log into the Zyxel Device. Run the wizard and choose Nebula Mode.
Cloud Management Scenario A - Native Mode
You will see the following screen if:
Your Zyxel Device supports Native Mode and you can connect to Nebula with your current WAN settings.
If the Zyxel Device meets these criteria, Nebula can use the Zyxel Device’s current WAN settings. Other settings are reset to factory defaults.
Please note that only the WAN settings that meet the criteria below will show in the Nebula Internet Access table:
External interface - Interface that connects to an external network, such as the Internet or PPPoE. The Zyxel Device automatically adds this interface to the default WAN trunk.
Base port - Ethernet interface on which the VLAN interface runs.
Ethernet, VLAN or Ethernet/VLAN interface on which PPPoE interface runs.
Follow the steps below to let Nebula manage your Zyxel Device:
1 You can select up to two WAN interfaces on the physical ports, but you cannot select two interfaces on the same port. Nebula will use one of the WAN interfaces you selected to connect to your Zyxel Device.
2 Click Test to test the connections to make sure you can access Nebula through these ports.
*If you cannot access Nebula through the ports after you click Apply & Go To Nebula, you will need to access the local GUI with your support account by connecting to the LAN.
3 Click Apply & Go to Nebula. The Zyxel Device will:
Back up its current configuration (for future reference).
Reset its configuration to factory defaults except for the WAN configuration.
Automatically restart.
*You will no longer be able to access the Zyxel Device through the WAN. You must use Nebula to manage it.
4 Use the Nebula web portal or the Nebula app to create an organization and site, then add the Zyxel Device to it.
*You will not see Nebula app in Register Zyxel Device on Nebula if you log into the Zyxel Device as a limited admin.
The following table describes the labels in this screen.
Configuration > Mgmt. & Analytics > Nebula > Cloud Management 
Label
DESCRIPTION
Select the WAN interfaces for Nebula to connect to your Zyxel Device. You can select up to two physical ports, but you cannot select two interfaces on the same port. For example, P2 and P3 stand for Port 2 and Port 3 on your Zyxel Device. You can only select one interface for each port.
Nebula will use one of the WAN interfaces you selected to connect to your Zyxel Device. The settings of the WAN interfaces, including IP addresses, IP assignment and DNS servers, will be kept on Nebula.
#
This field is a sequential value.
Name
This field displays the name of the interface.
Status
This field displays the current status of each interface. The possible values depend on what type of interface it is.
For Ethernet interfaces:
Inactive - The Ethernet interface is disabled.
Down - The Ethernet interface does not have any physical ports associated with it or the Ethernet interface is enabled but not connected.
Speed/Duplex - The Ethernet interface is enabled and connected. This field displays the port speed and duplex setting (Full or Half).
For VLAN interfaces:
Up - The VLAN interface is enabled.
Down - The VLAN interface is disabled.
For PPPoE interfaces:
Connected - The PPPoE interface is connected.
Disconnected - The PPPoE interface is disconnected.
IP Addr/Netmask
This field displays the current IP address and subnet mask assigned to the interface.
If this interface is a member of an active virtual router, this field displays the IP address it is currently using. This is either the static IP address of the interface (if it is the master) or the management IP address (if it is a backup).
*If you set an interface static IP to 0.0.0.0, the interface will not show in the table.
IP Assignment
This field displays how the interface gets its IP address.
Static - This interface has a static IP address.
Dynamic - This interface has a dynamic IP address.
DHCP Client - This interface gets its IP address from a DHCP server.
DNS Server
The field displays the Domain Name System (DNS) server IP address. The DNS server maps a domain name to an IP address and vice versa. The DNS server is important because without it, you must know the IP address of a computer before you can access it.
Connection
Click Test to check if the interface you select can access Nebula.
Apply & Go to Nebula
Click this button to pass your Zyxel Device management to Nebula. Your Zyxel Device will automatically reset to factory defaults (except for the WAN settings) and restart.