Security Service

Firewall

• ICSA-certified corporate firewall
• Routing and transparent (bridge) modes
• Stateful packet inspection
• SIP NAT traversal
• H.323 NAT traversal^*2
• ALG support for customized ports
• Protocol anomaly detection and protection
• Traffic anomaly detection and protection
• Flooding detection and protection
• DoS/DDoS protection

Unified Security Policy

• Unified policy management interface
• Support Content Filtering, Application Patrol, firewall (ACL)
• Firewall: SSL inspection^*2
• Policy criteria: source and destination IP address, user group, time
• Policy criteria: zone, user^*2

Intrusion Prevention System (IPS)

• Support both intrusion detection and prevention
• Support allowlist (whitelist) to deal with false positives involving known benign activity^*2
• Support rate-based IPS signatures to protect networks against application-based DoS and brute force attacks^*2
• Signature-based and behavior-based scanning
• Support exploit-based and vulnerability-based protection
• Support Web attacks like XSS and SQL injection
• Streamed-based engine
• Support SSL inspection^*2
• Inspection on various protocols: HTTP, FTP, SMTP, POP3, and IMAP
• Inspection on various protocols: HTTPs, FTPs, SMTPs, POP3s, and IMAPs^*2
• Customizable signature & protection profile^*2
• Automatic new signature update mechanism support

Application Patrol

• Smart single-pass scanning engine
• Identifies and control thousands of applications and their behaviors
• Identify, categorize and control over 3,000 apps and behaviors
• Granular control over the most popular applications
• Prioritize and throttle application bandwidth usage
• Real-time application statistics and reports
• Identify and control the use of DOH (DNS over HTTPS)

Sandboxing

• Cloud-based multi-engine inspection
• Support HTTP/SMTP/POP3/FTP
• Wild range file type examination
• Real-time threat synchronization
• SSL inspection support^*2

Anti-Malware

• High performance query-based scan engine (Express Mode)
• Works with over 30 billion of known malicious file identifiers and still growing
• Multiple file types supported
• Stream-based scan engine (Stream Mode)
• No file size limitation
• HTTP, FTP, SMTP, and POP3 protocol supported
• SSL inspection support^*2
• Automatic signature update

Hybrid Mode Malware Scanning

• Both stream-based engine and cloud query concurrently in action
• Works with local cache and over 30 billion databases and growing
• HTTP, HTTPS, and FTP protocol supported
• Multiple file types supported

E-mail Security^*2

• Transparent mail interception via SMTP and POP3 protocols
• Spam, Phishing, mail detection
• Block and Allow List support
• Supports DNSBL checking

IP Reputation Filter

• IP-based reputation filter
• Supports 10 Cyber Threat Categories
• Supports external IP blacklist
• Inbound & Outbound traffic filtering
• Block and Allow List support

DNS Threat Filter

• Block clients to access malicious domain
• Effective against any IP protocol
• Monitoring or blocking the use of DoH/DoT

URL Threat Filter

• Botnet C&C websites blocking
• Malicious URL blocking
• Supports External URL blacklist

Web Filtering

• HTTPs domain filtering
• SafeSearch support
• Allow List websites enforcement
• URL Block and Allow List with keyword blocking
• Customizable warning messages and redirect URL
• Customizable Content Filtering block page
• URL categories increased to 111
• CTIRU (Counter-Terrorism Internet Referral Unit) support
• Support DNS base filtering (domain filtering)

Geo Enforcer

• Geo IP blocking
• Geographical visibility on traffics statistics and logs
• IPv6 address support^*2
• GRE Tunnel for Campus AP
• SSL inspection support^*2

IP Exception

• Provides granular control for target source and destination IP
• Supports security service scan bypass for Anti-malware (including Sandboxing), IPS, IP Reputation, and URL Threat Filter

Device Insight^*2

• Agentless Scanning for discovery and classification of devicess
• Provide the dashboard to view all devices on the network, including wired, wireless, BYOD, IoT, and SecuExtender (remote endpoint)
• Extended view of the inventory on SecuReporter
• Visibility of network devices (switches, wireless access points, firewalls) from Zyxel or 3rd party vendors

Collaborative Detection & Response

• Support Alert/Block/Quarantine containment actions
• Prevent malicious wireless clients network access with blocking feature
• Customizable warning messages and redirect URL
• Bypass by IP or MAC address with exempt list

VPN

IPSec VPN

• Key management: IKEv1 (x-auth, mode-config), IKEv2 (EAP, configuration payload)
• Encryption: DES, 3DES, AES (256-bit)
• Authentication: MD5, SHA1, SHA2 (512-bit)
• Perfect forward secrecy (DH groups) support 1, 2, 5, 14, 15-18, 20-21
• PSK and PKI (X.509) certificate support
• IPSec NAT traversal (NAT-T)
• Dead Peer Detection (DPD) and relay detection
• VPN concentrator
• Route-based VPN Tunnel Interface (VTI)
• VPN high availability (Failover, LB)
• GRE over IPSec^*2
• NAT over IPSec
• L2TP over IPSec
• SecuExtender Zero Trust VPN Client provisioning
• Support native Windows, iOS/macOS and Android (StrongSwan) client provision^*2
• Support 2FA Email/SMS^*2
• Support 2FA Google Authenticator

SSL VPN^*2

• Supports Windows and macOS
• Supports full tunnel mode
• Supports 2-Factor authentication

Networking

Secure WiFi

• Secure Tunnel for Remote AP
• L2 access between home office and HQ (Secured Tunnel)
• GRE Tunnel for Campus AP
• Enforcing 2FA with Google Authenticator
• WPA2 Enterprise (802.1x) supported
• Wireless Storm Control
• Applicable regardless of the On Premises/Nebula-managed mode

WLAN Management^*2

• Supports AP Controller (APC) version 3.60
• 802.11ax Wi-Fi 6 AP and WPA3 support
• 802.11k/v/r support
• Wireless L2 isolation
• Supports auto AP FW update
• Scheduled WiFi service
• Dynamic Channel Selection (DCS)
• Client steering for 5 GHz priority and sticky client prevention
• Auto healing
• Customizable captive portal page
• WiFi Multimedia (WMM) wireless QoS
• CAPWAP discovery protocol
• Multiple SSID with VLAN
• Supports ZyMesh
• Support AP forward compatibility
• Rogue AP Detection

Mobile Broadband^*2

• WAN connection failover via 3G and 4G^* USB modems
• Auto fallback when primary WAN recovers

IPv6 Support^*2

• Dual stack
• IPv4 tunneling (6rd and 6to4 transition tunnel)
• SLAAC, static IP address
• DNS, DHCPv6 server/client
• Static/Policy route
• IPSec (IKEv2 6in6, 4in6, 6in4)

Connection

• Routing mode
• Bridge mode and hybrid mode^*2
• Ethernet and PPPoE
• NAT and PAT
• NAT Virtual Server Load Balancing
• VLAN tagging (802.1Q)
• Virtual interface (alias interface)
• Policy-based routing (user-aware)^*2
• Policy-based NAT (SNAT)
• GRE^*2
• Dynamic routing (RIPv1/v2 and OSPF, BGP)^*2
• DHCP client/server/relay
• Dynamic DNS support
• WAN trunk for more than 2 ports
• Per host session limit
• Guaranteed bandwidth
• Maximum bandwidth
• Priority-bandwidth utilization
• Bandwidth limit per user^*2
• Bandwidth limit per IP
• Bandwidth management by application
• Link Aggregation support^*1*2

Management

Nebula Cloud Management^*3

• Unlimited Registration & Central Management (Configuration, Monitoring, Dashboard, Location Map & Floor Plan Visual) of Nebula Devices
• Zero Touch Auto-Deployment of Hardware/Configuration from Cloud
• Over-the-air Firmware Management
• Central Device and Client Monitoring (Log and Statistics Information) and Reporting
• Security Profile Sync

Authentication

• Local user database
• Cloud user database^*3
• External user database: Microsoft Windows Active Directory, RADIUS, LDAP
• IEEE 802.1x authentication
• Captive portal Web authentication
• XAUTH, IKEv2 with EAP VPN authentication
• IP-MAC address binding
• SSO (Single Sign-On) support^*2
• Supports 2-factor authentication (Google Authenticator, SMS/Email)

System Management

• Role-based administration
• Multi-lingual Web GUI (HTTPS and HTTP)
• Command line interface (console, web console, SSH and telnet)^*2
• SNMP v1, v2c, v3
• System configuration rollback^*2
• Configuration auto backup^*2
• Firmware upgrade via FTP, FTP-TLS, and web GUI^*2
• New firmware notify and auto upgrade
• Dual firmware images
• Cloud CNM SecuManager^*2

Logging and Monitoring

• Comprehensive local logging
• Syslog (to up to 4 servers)
• Email alerts (to up to 2 servers)
• Real-time traffic monitoring
• Built-in daily report
• Cloud CNM SecuReporter

^*: For specific models supporting the 3G and 4G dongles on the list, please refer to the Zyxel product page at 3G dongle document
^*2: Supported models ATP500/700/800
^*3: Only supported in On-Premise mode
^*4: Only supported in Cloud mode