Zyxel USG Flex 100W Unified Security Gateway

Overview:

The latest USG FLEX series provides one single management platform on the cloud while expanding and strengthening the protection from firewalls to access points with automatic responses. The newly designed USG FLEX Series is capable of minimizing computing power usage and maximizing firewall performance, delivering up to 5x UTM performance with cloud flexibility and collaborative protection to help connect and secure small or mid-sized business users.

Flexibility to adapt to on-premises or Nebula cloud management

Optional Gold Security Pack unlocks Sandboxing and Reputation Filter

High assurance multi-layered protection

DNS and URL content filter ensures the web security

Device Insight provides better visibility and control

Automatically contains threats at the network edge

Secure WiFi guarantees remote work security

Add two-factor authentication for an extra layer of protection

Features:

Comprehensive Reputation Filtering Service

USG FLEX Firewall delivers enhanced Reputation filtering functionality and security through its powerful combination of both reputation and category-based filtering.
When it comes to the Zyxel Reputation Filter, we are talking about three services: IP Reputation, DNS threat Filter, and URL threat filter.

IP Reputation

Provides a database of known malicious public IP addresses that enables the gateway to take action on receiving traffic from/to an IP address on the list.

URL Threat Filter

Helps mitigate malware and phishing attacks by blocking malicious webpages by filtering the malicious traffic based on URL category.

DNS Threat Filter

If a domain has been known to be e.g. phishing before, the firewall will automatically block that domain. DNS Threat Filter is effective against any IP protocol.

Same Security Across Networks

We offer a wide array of products that allow different remote access options including firewalls for headquarters and branch offices, remote access points with Secure WiFi andVPN clientfor off-site employees, extending endpoint protection.

Safeguarding Remote Connectivity to Your Corporate Network

Businesses striking a balance on productivity and security protection becomes a priority with growing number of devices. Whether it is a wired, wireless, or a IoT device, the Secure WiFi service is used to build a secure L2 tunnel for Work-From-Home user to extend the working experience easily and securely, as if you were in the office with the safety of both two-factor authentication and secure tunnel, which boosts up productivity and eases IT support. The Secure WiFi service also unlocks the number of managed APs to maximum for the USG FLEX firewall.

Deep Insight Into All Your Devices

Device Insight gives you more visibility of your networks including wired, wireless, BYOD, and IoT devices. You can create access policy with device contextual such as OS version or device category to enforce network segmentation. This reduces the attack surface and prevents threats from spreading. It also helps SMB(s) reduce time spent on investigation. Continuing with our goal of providing our customers with increased visibility, ZyxelSecuReportergives your organization comprehensive endpoint inventory dashboard.

Level Up Security with 2FA Network Access

Password is not enough to secure your network access. You need a second form of authentication to ensure unauthorized users can’t access your company’s databases, email accounts and more. Google Authentication allows your organizations to authenticate the identities of users accessing your networks through remote desktops and personal mobile devices.

Comprehensive Web Filtering Service

USG FLEX Firewall delivers enhanced web filtering functionality and security through its powerful combination of both reputation and category-based filtering. The dynamic content categorization analyzes the content of a previously unknown website and domain, then determines if it belongs to an undesirable category including gambling, pornography, games, and many others. A newly added DNS content filter offers a better approach to inspect web access, particularly when the website is deploying ESNI (Encrypted Server Name Indication) where the traditional URL filtering is not applicable to the destination domain.

Stay Ahead of Threats with CDR

Collaborative Detection & Response (CDR) is used to identify threats and risks posed in the more complex organization workforce, workload, and workplace. USG FLEX firewalls to Nebula provides network admins with a rule-based security policy. The firewalls detect a threat on any of the connected clients and will sync with the Nebula control center, then automatically respond to cyber threats and contain the device(s) at the edge (Wireless Access Point) of your network. It is a perfect fit for IT to address the requirements of a decentralized network infrastructure and provide automatic protection.

Analytics Report and Enhanced Insights

USG FLEX series dashboard gives user-friendly traffic summary and threat statistic visuals. UtilizeSecuReporterfor further threat analysis with correlation feature design, making it easy to proactively trackback network status to prevent the next threat event. Centralized visibility of network activities for you to easily manage multiple clients.

Comprehensive Connectivity

ZyWALL USG FLEX series not only protects your network, but it also support hospitality features including hotspot and concurrent device upgrade. You can buy time-based bundle, so only pay what you need. We also provide Wireless Health Monitor giving you visibility into the connection state of client and access point issues, allowing network administrators to easily troubleshoot issues.

Why USG FLEX:

USGFLEX Flexible Deployment with Precise Protection

The latest USG FLEX 100 provides one single management platform on the cloud while expanding and strengthening the protection from firewalls to access points with automatic responses. The newly designed USG FLEX Series is capable of minimizing computing power usage and maximizing firewall performance, delivering up to 5x UTM performance with cloud flexibility and collaborative protection to help connect and secure small or mid-sized business users.

Nebula Together

USG FLEX firewalls, the new addition to theNebula cloud managementfamily, strongly empowers the full-blown Zyxel Security Matrix in Nebula, further optimizing Nebula with holistic security and protection for SMB business networks. Zyxel provides a centralized provisioning security policy to the remote workforce from Nebula and traffic shaping eliminating the network bottleneck to fuel the best business productivity.

Zero Trust Networks Security

Remote working is here to stay, USG FLEX series applies the principles of zero trust access. It ensures the same security controls are applied to HQ, branch offices, home, or wherever your remote workers reside. Create access policy with device contextual such as OS version or device category to enforce network segmentation. This reduces the attack surface and prevents threats from spreading.

USG FLEX minimizes risk by adding granular policies and access authentication for the ever-growing needs of a secure workplace. Improve protection across identities, devices, applications, and network. Reduce risk and build trust across your entire digital assets.

High Assurance Multi-layered Protection

USG FLEX is designed with multi-layer protection against multiple types of threats from in and out. Multiple security services empower you to restrict users' inappropriate application usage or web access. Zyxel offers leading-industry DNS content filter, eliminating blind spots in all encrypted traffic with TLS 1.3 without the need to deploy SSL inspection. All together safeguarding your network without any unattended gaps.

Simplified and Unified Licensing Experience

We know the experience from license purchase and renewals are equally important to our partners. We've optimized the licensing management platform and brought a consistent migration path between on-premise and our cloud platform. We make sure our partners can quickly adapt to a secure environment without the hassle but retaining the flexibility for those who need to practice the same security across networks scenarios.

Just Connect with Nebula

Just connect with a single vendor
Resellers, Managed Service Providers (MSPs) and network Administrators will find Simplicity, Scalability, Flexibility, reduced IT risk and reduced costs through Zyxel’s Cloud Networking Management platform, Nebula a single-vendor approach.

Just Connect without the complexity
Nebula offers powerful, effortless and scalable network connectivity that works together to remove the complexity and security risks often associated with having a mixed vendor approach to networking.

Launch an entire network in minutes
Connect, protect and manage Security, Switch, Wireless and LTE/5G connectivity via our centralized Cloud platform, Nebula.

Just Connect, with an unmatched portfolio
Serving customers with over 80 Nebula enabled devices via an ever-growing portfolio, Zyxel is unmatched in its approach to onboarding new and existing products via NebulaFlex. From Deploying a home office to delivering connectivity to distributed network configurations, Zyxel’s Portfolio of Nebula enabled products can accommodate all types of budgets, functionality and scalability for now and for the future.

Specifications:

Model	*USG FLEX 100^11**	USG FLEX 100AX	USG FLEX 100W	USG FLEX 200	USG FLEX 500	USG FLEX 700
Hardware Specifications
WiFi standard	N/A	802.11 ax/ac/n/g/b/a	802.11 a/b/g/n/ac	N/A	N/A	N/A
10/100/1000 Mbps RJ-45 ports	4 x LAN/DMZ, 1 x WAN	4 x LAN/DMZ, 1 x WAN	4 x LAN/DMZ, 1 x WAN, 1 x SFP	4 x LAN/DMZ, 2 x WAN, 1 x SFP	7 (configurable), 1 x SFP (configurable)	12 (configuratble), 2 x SFP (configurable)
USB3.0 ports	1	1	1	2	2	2
Console port	Yes (RJ-45)	Yes (RJ-45)	Yes (RJ-45)	Yes (DB9)	Yes (DB9)	Yes (DB9)
Rack-mountable	N/A	N/A	N/A	Yes	Yes	Yes
Fanless	Yes	Yes	Yes	Yes	N/A	N/A
System Capacity & Performance^*1
*SPI firewall throughput (Mbps)^2**	900	900	900	1,800	2,300	5,400
*VPN throughput (Mbps)^3**	270	270	270	450	810	1,100
*VPN IMIX throughput (Mbps)^3**	100	100	100	240	240	550
*IPS throughput (Mbps)^4**	540	540	540	1,100	1,150	2,000
*Anti-Malware throughput (Mbps)^4**	360	360	360	570	800	1,450
*UTM throughput (Anti-Malware and IPS)(Mbps)^4**	360	360	360	550	800	1,350
*Max. TCP concurrent sessions^5**	300,000	300,000	300,000	600,000	1,000,000	1,600,000
Recommended gateway-to-gateway IPsec VPN tunnels	20	20	20	50	150	250
*Max. concurrent IPsec VPN tunnels^6**	50	50	50	100	300	500
Concurrent SSL VPN users	30	30	30	60	150	150
VLAN interface	8	8	8	16	64	128
Speedtest Performance
*SPI firewall throughput (Mbps)^10**	848	848	848	931	935	934
Security Service	USG FLEX 100^*11	USG FLEX 100AX	USG FLEX 100W	USG FLEX 200	USG FLEX 500	USG FLEX 700
*Sandboxing^7**	Yes	Yes	Yes	Yes	Yes	Yes
*Web Filtering^7**	Yes	Yes	Yes	Yes	Yes	Yes
*Application Patrol^7**	Yes	Yes	Yes	Yes	Yes	Yes
*Anti-Malware^7**	Yes	Yes	Yes	Yes	Yes	Yes
*IPS^7**	Yes	Yes	Yes	Yes	Yes	Yes
*Reputation Filter^7**	Yes	Yes	Yes	Yes	Yes	Yes
Geo Enforcer	Yes	Yes	Yes	Yes	Yes	Yes
*SecuReporter^7**	Yes	Yes	Yes	Yes	Yes	Yes
*Collaborative Detection & Response^7**	Yes	Yes	Yes	Yes	Yes	Yes
Device Insight	Yes	Yes	Yes	Yes	Yes	Yes
*Security Profile Sync^7**	Yes	Yes	Yes	Yes	Yes	Yes
SSL (HTTPS) Inspection	Yes	Yes	Yes	Yes	Yes	Yes
2-Factor Authentication	Yes	Yes	Yes	Yes	Yes	Yes
Email Security	Yes	Yes	Yes	Yes	Yes	Yes
VPN Features
VPN	IKEv2, IPSec, SSL, L2TP/IPSec	IKEv2, IPSec, SSL, L2TP/IPSec	IKEv2, IPSec, SSL, L2TP/IPSec	IKEv2, IPSec, SSL, L2TP/IPSec	IKEv2, IPSec, SSL, L2TP/IPSec	IKEv2, IPSec, SSL, L2TP/IPSec
Microsoft Azure	Yes	Yes	Yes	Yes	N/A	N/A
Amazon VPC	Yes	Yes	Yes	Yes	Yes	Yes
WLAN Management
Default number of managed AP	8	8	8	8	8	8
Recommend max. AP in 1 AP Group	10	10	10	20	60	200
*Secure WiFi Service^7**	Yes	Yes	Yes	Yes	Yes	Yes
Maximum Number of Tunnel-Mode AP	6	6	6	10	18	130
Maximum Number of Managed AP	24	24	24	40	72	520
Management & Connectivity
Nebula Cloud Mode	Yes	Yes	Yes	Yes	Yes	Yes
Nebula Cloud Monitoring Mode	Yes	Yes	Yes	Yes	Yes	Yes
Device HA Pro	N/A	N/A	N/A	N/A	Yes	Yes
Link Aggregation (LAG)	N/A	N/A	N/A	N/A	Yes	Yes
*Hotspot Management^7**	N/A	N/A	N/A	Yes	Yes	Yes
*Ticket printer support^9/ Support Q'ty (max.)**	N/A	N/A	N/A	Yes (SP350E)/10	Yes (SP350E)/10	Yes (SP350E)/10
*Concurrent devices logins (default/max.)^78*	64	64	64	200	200/300	500/2000
Security Service	USG FLEX 100^*11	USG FLEX 100AX	USG FLEX 100W	USG FLEX 200	USG FLEX 500	USG FLEX 700
Power input	12 V DC, 2 A max.	12 V DC, 2.5 A max.	12 V DC, 2 A max.	12 V DC, 2.5 A max.	12 V DC, 4.17 A	100-240 V AC, 50/60 Hz, 2.5 A max.
Max. power consumption (Watt Max.)	12.5	24.3	12.5	13.3	24.1	46
Heat dissipation (BTU/hr)	42.65	55.37	42.65	45.38	82.23	120.1
Physical Specifications
Item Dimensions (WxDxH)(mm/in.)	216 x 147.3 x 33/ 8.50 x 5.80 x 1.30	216 x 149.28 x 33/ 8.50 x 5.88 x 1.30	216 x 147.3 x 33/ 8.50 x 5.80 x 1.30	272 x 187 x 36/ 10.7 x 7.36 x 1.42	300 x 188 x 44/ 16.93 x 7.4 x 1.73	430 x 250 x 44/ 16.93 x 9.84 x 1.73
Item Weight (kg/lb.)	0.85/1.87	1.00/2.20	0.85/1.87	1.4/3.09	1.65/3.64	3.3/7.28
Packing Dimensions (WxDxH)(mm/in.)	284 x 190 x 100/ 11.18 x 7.48 x 3.94	284 x 190 x 100/ 11.18 x 7.48 x 3.94	284 x 190 x 100/ 11.18 x 7.48 x 3.94	427 x 247 x 73/ 16.81 x 9.72 x 2.87	351 x 152 x 245/ 13.82 x 5.98 x 9.65	519 x 392 x 163/ 20.43 x 15.43 x 6.42
Packing Weight (kg/lb.)	1.40/3.09	1.53/3.37	1.40/3.09	2.23 (W/O bracket) 2.42 (W/ bracket)	2.83/6.24	4.8/10.58
Included accessories	• Power adapter • RJ-45 - RS-232 cable for console connection	• Power adapter with plug • RJ-45 - RS-232 cable for console connection • Antenna	• Power adapter • RJ-45 - RS-232 cable for console connection	• Power adapter • Rack mounting kit	• Power adapter • Power cord • Rack mounting kit	• Power adapter • Rack mounting kit
Environmental Specifications
Operating Temperature	0°C to 40°C/ 32°F to 104°F	0°C to 40°C/ 32°F to 104°F	0°C to 40°C/ 32°F to 104°F	0°C to 40°C/ 32°F to 104°F	0°C to 40°C/ 32°F to 104°F	0°C to 40°C/ 32°F to 104°F
Operating Humidity	10% to 90% (non-condensing)	10% to 90% (non-condensing)	10% to 90% (non-condensing)	10% to 90% (non-condensing)	10% to 90% (non-condensing)	10% to 90% (non-condensing)
Storage Temperature	-30°C to 70°C/ -22°F to 158°F	-30°C to 70°C/ -22°F to 158°F	-30°C to 70°C/ -22°F to 158°F	-30°C to 70°C/ -22°F to 158°F	-30°C to 70°C/ -22°F to 158°F	-30°C to 70°C/ -22°F to 158°F
Storage Humidity	10% to 90% (non-condensing)	10% to 90% (non-condensing)	10% to 90% (non-condensing)	10% to 90% (non-condensing)	10% to 90% (non-condensing)	10% to 90% (non-condensing)
MTBF (hr)	989,810	766,228	989,810	529,688	529,688	947,736
Acoustic Noise	N/A	N/A	N/A	N/A	24.5 dBA on < 25°C Operating temperature, 41.5 dBA on full FAN speed	24.5 dBA on < 25°C Operating temperature, 41.5 dBA on full FAN speed
Certifications
EMC	FCC Part 15 (Class B), CE EMC (Class B), BSMI	FCC Part 15 (Class B), IC EMC (Class B), CE EMC (Class B), RCM (Class B), BSMI	FCC Part 15 (Class B), CE EMC (Class B), BSMI	FCC Part 15 (Class B), CE EMC (Class B), C-Tick (Class B), BSMI	FCC Part 15 (Class B), CE EMC (Class B), C-Tick (Class B), BSMI	FCC Part 15 (Class B), CE EMC (Class B), C-Tick (Class B), BSMI
Safety	LVD (EN60950-1), BSMI	LVD (EN62368-1), BSMI	LVD (EN60950-1), BSMI	LVD (EN60950-1), BSMI	LVD (EN60950-1), BSMI	LVD (EN60950-1), BSMI

Wireless Specifications	USG FLEX 100AX	USG FLEX 100W
Standard compliance	802.11 ax/ac/n/g/b/a	802.11 a/b/g/n/ac
Wireless frequency	2.4/5 GHz	2.4/5 GHz
Radio	2	2
SSID number	4	4
Maximum transmit power (Max. total channel)	US (FCC) 2.4 GHz: 29.8 dBm, 2 antennas US (FCC) 5 GHz: 32.6 dBm, 2 antennas EU (ETSI) 2.4 GHz: 19.93 dBm (EIRP), 2 antennas EU (ETSI) 5 GHz: 22.99 dBm (EIRP), 2 antennas	US (FCC) 2.4 GHz: 25 dBm, 3 antennas US (FCC) 5 GHz: 25 dBm, 3 antennas EU (ETSI) 2.4 GHz: 20 dBm (EIRP), 3 antennas EU (ETSI) 5 GHz: 20 dBm (EIRP), 3 antennas
No. of antenna	2 detachable antennas	3 detachable antennas
Antenna gain	3 dbi @2.4 GHz/5 GHz Data rate	2 dBi @ 2.4 GHz 3 dBi @ 5 GHz
Data rate	2.4 GHz: up to 600 Mbps 5 GHz: up to 1200 Mbps	2.4 GHz: up to 300 Mbps 5 GHz: up to 866 Mbps
Frequency band	2.4 GHz (IEEE 802.11 b/g/n) USA (FCC): 2.412 to 2.462 GHz Europe (ETSI): 2.412 to 2.472 GHz TWN (NCC): 2.412 to 2.462 GHz 5 GHz (IEEE 802.11 a/n/ac/ax) USA (FCC): 5.150 to 5.250 GHz; 5.725 to 5.850 GHz Europe (ETSI): 5.15 to 5.35 GHz; 5.470 to 5.725 GHz TWN (NCC): 5.15 to 5.25 GHz; 5.725 to 5.850 GHz	2.4 GHz (IEEE 802.11 b/g/n) USA (FCC): 2.412 to 2.462 GHz Europe (ETSI): 2.412 to 2.472 GHz TWN (NCC): 2.412 to 2.462 GHz 5 GHz (IEEE 802.11 a/n/ac/ax) USA (FCC): 5.150 to 5.250 GHz; 5.250 to 5.350 GHz; 5.470to 5.725 GHz; 5.725 to 5.850 GHz Europe (ETSI): 5.15 to 5.35 GHz; 5.470 to 5.725 GHz TWN (NCC): 5.15 to 5.25 GHz; 5.25 to 5.35 GHz; 5.470 to 5.725 GHz; 5.725 to 5.850 GHz
Receive sensitivity	2.4 GHz 11 Mbps ≤ -99 dBm 54 Mbps ≤ -95 dBm HT20, MCS7 ≤ -90 dBm HT40, MCS7 ≤ -86 dBm 5 GHz 54 Mbps ≤ -90 dBm HT20, MCS7 ≤ -85 dBm HT40, MCS7 ≤ -81 dBm VHT20, MCS8 ≤ -90 dBm +/-2 dBm VHT40, MCS9 ≤ -85 dBm +/-2 dBm VHT80, MCS9 ≤ -68 dBm +/-2 dBm HE20, MCS11 ≤ -61 dBm +/-2 dBm HE40, MCS11 ≤ -58 dBm +/-2 dBm HE80, MCS11 ≤ -55 dBm +/-2 dBm	2.4 GHz 11 Mbps ≤ -87 dBm 54 Mbps ≤ -74 dBm HT20 ≤ -71 dBm HT40 ≤ -68 dBm 5 GHz 54 Mbps ≤ -74 dBm HT20, MCS23 ≤ -71 dBm HT40, MCS23 ≤ -68 dBm VHT20, MCS8 ≤ -66 dBm VHT40, MCS9 ≤ -62 dBm VHT80, MCS9 ≤ -59 dBm

*: This matrix with firmware ZLD5.37 or later.
*1: Actual performance may vary depending on system configuration, network conditions, and activated applications.
*2: Maximum throughput based on RFC 2544 (1,518-byte UDP packets).
*3: VPN throughput measurement are based on RFC 2544 (1,424-byte UDP packets); IMIX: UDP throughput based on a combination of 64 byte, 512 byte, and 1424 byte packet sizes.
*4: AV (with Express Mode) and IDP throughput measured using the industry standard HTTP performance test (1,460-byte HTTP packets). Testing done with multiple flows.
*5: Maximum sessions measured using the industry standard IXIA IxLoad testing tool.
*6: Including Gateway-to-Gateway and Client-to-Gateway.
*7: With Zyxel service license to enable or extend the feature capacity.
*8: This is the recommend maximum number of concurrent logged-in devices.
*9: With Hotspot Management license support.
*10: The Speedtest result is conducted with 1 Gbps WAN link in real world and it is subject to fluctuate due to quality of the ISP link.
*11: USG FLEX 100 rev1 is adopting a new hardware design equipped with 4 x LAN/DMZ, 1 x WAN.

Software Features:

Security Service

Firewall

Routing and transparent (bridge) modes
Stateful packet inspection
SIP NAT traversal
H.323 NAT traversal^*2
ALG support for customized ports
Protocol anomaly detection and protection
Traffic anomaly detection and protection
Flooding detection and protection
DoS/DDoS protection

Unified Security Policy

Unified policy management interface
Support Content Filtering, Application Patrol, firewall (ACL)
Firewall: SSL inspection^*2
Policy criteria: source and destination IP address, user group, time
Policy criteria: zone, user^*2

Intrusion Prevention System (IPS)

Support both intrusion detection and prevention
Support allowlist (whitelist) to deal with false positives involving known benign activity^*2
Support rate-based IPS signatures to protect networks against application-based DoS and brute force attacks^*2
Signature-based and behavior-based scanning
Support exploit-based and vulnerability-based protection
Support Web attacks like XSS and SQL injection
Streamed-based engine
Support SSL inspection^*2
Inspection on various protocols: HTTP, FTP, SMTP, POP3, and IMAP
Inspection on various protocols: HTTPs, FTPs, SMTPs, POP3s, and IMAPs^*2
Customizable signature & protection profile^*2
Automatic new signature update mechanism support

Application Patrol

Smart single-pass scanning engine
Identifies and control thousands of applications and their behaviors
Support up to 25 application categories
Granular control over the most popular applications
Prioritize and throttle application
Real-time application statistics and reports
Identify and control the use of DoH (DNS over HTTPS)

Anti-Malware

High performance query-based scan engine (Express Mode)
Works with over 30 billion of known malicious file identifiers and still growing
Multiple file types supported
Stream-based scan engine (Stream Mode)
No file size limitation
HTTP, FTP, SMTP, and POP3 protocol supported
SSL inspection support^*2
Automatic signature update

Email Security^*2

Transparent mail interception via SMTP and POP3 protocols
Spam and Phishing mail detection
Block and Allow List support
Supports DNSBL checking

URL Threat Filter

Botnet C&C websites blocking
Malicious URL blocking
Supports External URL blacklist

Web Filtering

HTTPs domain filtering
SafeSearch support: Google, YouTube, and Microsoft Bing^*2
Allow List websites enforcement
URL Block and Allow List with keyword blocking
Customizable warning messages and redirect URL
Customizable Content Filtering block page
URL categories increased to 111
CTIRU (Counter-Terrorism Internet Referral Unit) support
Support DNS base filtering (domain filtering)

Geo Enforcer

Geo IP blocking
Geographical visibility on traffics statistics and logs
IPv6 address support^*2

IP Exception

Provides granular control for target source and destination IP
Supports security service scan bypass for IPS, Anti-Malware and URL Threat Filter

Device Insight

Agentless scanning for discovery and classification of devices
View all devices on the network, including wired, wireless, BYOD, IoT, and SecuExtender (remote endpoint) on SecuReporter
Visibility of network devices (switches, wireless access points, firewalls) from Zyxel or 3rd party vendors

Collaborative Detection & Response (CDR)

Support Alert/Block/Quarantine containment actions
Prevent malicious wireless clients network access with blocking feature
Customizable warning messages and redirect URL
Bypass by IP or MAC address with exempt list

VPN

IPSec VPN

Key management: IKEv1 (x-auth, mode-config), IKEv2 (EAP, configuration payload)
Encryption: DES, 3DES, AES (256-bit)
Authentication: MD5, SHA1, SHA2 (512-bit)
Perfect forward secrecy (DH groups) support 1, 2, 5, 14, 15-18, 20-21
PSK and PKI (X.509) certificate support
IPSec NAT traversal (NAT-T)
Dead Peer Detection (DPD) and relay detection
VPN concentrator
Route-based VPN Tunnel Interface (VTI)
VPN high availability (Failover, LB)
GRE over IPSec^*2
NAT over IPSec
L2TP over IPSec
SecuExtender Zero Trust VPN Client
Support native Windows, iOS/macOS and Android (StrongSwan) client provision*2
Support 2FA Email/SMS^*2
Support 2FA Google Authenticator

SSL VPN

Supports Windows and macOS X
Supports full tunnel mode
Supports 2-Factor authentication

Networking

Secure WiFi

Secure Tunnel for Remote AP
L2 access between home office and HQ (Secured Tunnel)
GRE Tunnel for Campus AP
Enforcing 2FA with Google Authenticator
WPA2 Enterprise (802.1x) supported
Wireless Storm Control
Applicable regardless of the On premise/Nebula-managed mode of the USG FLEX

WLAN Management^*2

Supports AP Controller (APC) version 4.00
802.11ax WiFi 6 AP and WPA3 support
802.11k/v/r support
Supports auto AP FW update
Scheduled WiFi service
Dynamic Channel Selection (DCS)
Client steering for 5 GHz priority and sticky client prevention
Auto healing
Customizable captive portal page
WiFi Multimedia (WMM) wireless QoS
CAPWAP discovery protocol
Multiple SSID with VLAN
Supports ZyMesh
Support AP forward compatibility
Rogue AP Detection

Mobile Broadband^*2

WAN connection failover via 3G and 4G* USB modems
Auto fallback when primary WAN recovers

IPv6 Support^*2

Dual stack
IPv4 tunneling (6rd and 6to4 transition tunnel)
SLAAC, static IP address
DNS, DHCPv6 server/client
Static/Policy route
IPSec (IKEv2 6in6, 4in6, 6in4)

Connection

Routing mode
Bridge mode and hybrid mode^*2
Ethernet and PPPoE
NAT and PAT
NAT Virtual Server Load Balancing
VLAN tagging (802.1Q)
Virtual interface (alias interface)
Policy-based routing (user-aware)^*2
Policy-based NAT (SNAT)
• GRE^*2
Dynamic routing (RIPv1/v2 and OSPF, BGP)^*2
DHCP client/server/relay
Dynamic DNS support
WAN trunk for more than 2 ports
Per host session limit
Guaranteed bandwidth
Maximum bandwidth
Priority-bandwidth utilization
Bandwidth limit per user^*2
Bandwidth limit per IP
Bandwidth management by application
Link Aggregation support^{*1 *2}

Management

Nebula Cloud Mode

Unlimited Registration & Central Management (Configuration, Monitoring, Dashboard, Location Map & Floor Plan Visual) of Nebula Devices
Zero Touch Auto-Deployment of Hardware/Configuration from Cloud
Over-the-air Firmware Management
Central Device and Client Monitoring (Log and Statistics Information) and Reporting
Security Profile Sync

Nebula Cloud Monitoring Mode

Monitor device on/off status
Firmware upgrade operation
Manage firewall licenses
Access remote GUI (requires Nebula Pro Pack)
Backup and restore firewall configurations (requires Nebula Pro Pack)

Authentication

• Local user database
External user database: Microsoft Windows Active Directory, RADIUS, LDAP
Cloud user database^*3
IEEE 802.1x authentication
Captive portal Web authentication
XAUTH, IKEv2 with EAP VPN authentication
IP-MAC address binding
SSO (Single Sign-On) support^*2
Supports 2-factor authentication (Google Authenticator, SMS^*2 /Email^*2

System Management

Role-based administration
Multi-lingual Web GUI (HTTPS and HTTP)
Command line interface (console, web console, SSH and telnet)^*2
SNMP v1, v2c, v3
System configuration rollback^*2
Configuration auto backup^*2
Firmware upgrade via FTP, FTP-TLS^*2
Firmware upgrade via Web GUI^*2
New firmware notify and auto upgrade
Dual firmware images

Logging/Monitoring

Comprehensive local logging
Syslog (to up to 4 servers)
Email alerts (to up to 2 servers)
Real-time traffic monitoring
Built-in daily report
Cloud CNM SecuReporter

*: For specific models supporting the 3G and 4G dongles on the list, please refer to the Zyxel product page at 3G dongle document
*1: Supported models USG FLEX 500/700
*2: Only supported in On Premises Mode
*3: Only supported in Nebula Cloud Mode

License Service:

Applicable on cloud mode

Applicable on premises mode

Device Purchase

	Bundled with UTM*	Device Only
Gold Security Pack		No License Included^*3
*UTM Security Pack^1**
Hospitality Pack
*Nebula Pro Pack^2**
Nebula Plus Pack
Secure WiFi

*: Default bundle with UTM Security Pack is only applicable on USG FLEX 100/100AX/100W/200/500/700.
*1: UTM Security Pack gives additional 30-day trial of service on top of its formal 1-year license duration.
*2: 1-year Nebula Pro Pack is given free to USG FLEXs that are default bundled with UTM Security Pack.
*3: Without UTM bundle you can also purchase licenses later. However the bundle option is highly advisable with lower total costs and seamless protection. Pay less and secure more!

License Purchase

	License Pack	Single License
Gold Security Pack^*		Web Security Anti Malware SecuReporter
UTM Security Pack^*
*Hospitality Pack^1**
Nebula Pro Pack
Nebula Plus Pack
Secure WiFi

*: Only applicable on USG FLEX 100/100AX/100W/200/500/700.
*1: Only applicable on USG FLEX 200/500/700.

License Pack

Service	Gold Security Pack	UTM Security Pack	Hospitality Pack
Sandboxing
Reputation Filter
Web Filtering
Anti-Malware
IPS
Application Patrol
SecuReporter
Collaborative Detection & Response
Network Premium
Email Security
Security Profile Sync
Hotspot Management service^*
*Concurrent Device Upgrade^1**
Nebula Pro Pack Services
Secure WiFi

*: Hotspot Management is only applicable on USG FLEX 200/500/700.
*1: Only applicable on USG FLEX 500/700 to allow additional connected clients.

Documentation:

Download the Zyxel USG Flex Firewalls Datasheet (PDF).

Zyxel USG FLEX 100W Firewall The newly designed platform gains up to 125% firewall performance