Security Service
Firewall
- ICSA-certified corporate firewall
- Routing and transparent (bridge) modes
- Stateful packet inspection
- SIP NAT traversal
- H.323 NAT traversal*2
- ALG support for customized ports
- Protocol anomaly detection and protection
- Traffic anomaly detection and protection
- Flooding detection and protection
- DoS/DDoS protection
Unified Security Policy
- Unified policy management interface
- Support Content Filtering, Application Patrol, firewall (ACL)
- Firewall: SSL inspection*2
- Policy criteria: source and destination IP address, user group, time
- Policy criteria: zone, user*2
Intrusion Prevention System (IPS)
- Support both intrusion detection and prevention
- Support allowlist (whitelist) to deal with false positives involving known benign activity*2
- Support rate-based IPS signatures to protect networks against application-based DoS and brute force attacks*2
- Signature-based and behavior-based scanning
- Support exploit-based and vulnerability-based protection
- Protects against Web attacks such as XSS and SQL injection
- Stream-based engine
- Support SSL inspection*2
- Inspection on various protocols: HTTP, FTP, SMTP, POP3, and IMAP
- Inspection on various protocols: HTTPS, FTPS, SMTPS, POP3S, and IMAPS*2
- Customizable signature & protection profile*2
- Automatic new signature update mechanism support
Application Patrol
- Smart single-pass scanning engine
- Identifies and controls thousands of applications and their behaviors
- Identify, categorize and control over 3,000 apps and behaviors
- Granular control over the most popular applications
- Prioritize and throttle application bandwidth usage
- Real-time application statistics and reports
- Identify and control the use of DoH (DNS over HTTPS)
Sandboxing
- Cloud-based multi-engine inspection
- Support HTTP/SMTP/POP3/FTP
- Wide range of file types examined
- Real-time threat synchronization
- SSL inspection support*2
Anti-Malware
- High performance query-based scan engine (Express Mode)
- Works with over 30 billion known malicious file identifiers, and still growing
- Multiple file types supported
- Stream-based scan engine (Stream Mode)
- No file size limitation
- HTTP, FTP, SMTP, and POP3 protocol supported
- SSL inspection support*2
- Automatic signature update
Hybrid Mode Malware Scanning
- Both stream-based engine and cloud query concurrently in action
- Works with local cache and over 30 billion databases and growing
- HTTP, HTTPS, and FTP protocol supported
- Multiple file types supported
E-mail Security*2
- Transparent mail interception via SMTP and POP3 protocols
- Spam and phishing mail detection
- Block and Allow List support
- Supports DNSBL checking
IP Reputation Filter
- IP-based reputation filter
- Supports 10 Cyber Threat Categories
- Supports external IP blacklist
- Inbound & Outbound traffic filtering
- Block and Allow List support
DNS Threat Filter
- Blocks clients from accessing malicious domains
- Effective against any IP protocol
- Monitoring or blocking the use of DoH/DoT
URL Threat Filter
- Botnet C&C websites blocking
- Malicious URL blocking
- Supports External URL blacklist
Web Filtering
- HTTPS domain filtering
- SafeSearch support
- Allow List websites enforcement
- URL Block and Allow List with keyword blocking
- Customizable warning messages and redirect URL
- Customizable Content Filtering block page
- URL categories increased to 111
- CTIRU (Counter-Terrorism Internet Referral Unit) support
- Supports DNS-based filtering (domain filtering)
Geo Enforcer
- Geo IP blocking
- Geographical visibility on traffic statistics and logs
- IPv6 address support*2
- GRE Tunnel for Campus AP
- SSL inspection support*2
IP Exception
- Provides granular control for target source and destination IP
- Supports security service scan bypass for Anti-malware (including Sandboxing), IPS, IP Reputation, and URL Threat Filter
Device Insight*2
- Agentless scanning for discovery and classification of devices
- Provides a dashboard to view all devices on the network, including wired, wireless, BYOD, IoT, and SecuExtender (remote endpoint)
- Extended view of the inventory on SecuReporter
- Visibility of network devices (switches, wireless access points, firewalls) from Zyxel or 3rd party vendors
Collaborative Detection & Response
- Support Alert/Block/Quarantine containment actions
- Prevents malicious wireless clients from accessing the network with the blocking feature
- Customizable warning messages and redirect URL
- Bypass by IP or MAC address with exempt list
VPN
IPSec VPN
- Key management: IKEv1 (x-auth, mode-config), IKEv2 (EAP, configuration payload)
- Encryption: DES, 3DES, AES (256-bit)
- Authentication: MD5, SHA1, SHA2 (512-bit)
- Perfect forward secrecy (DH groups) support 1, 2, 5, 14, 15-18, 20-21
- PSK and PKI (X.509) certificate support
- IPSec NAT traversal (NAT-T)
- Dead Peer Detection (DPD) and relay detection
- VPN concentrator
- Route-based VPN Tunnel Interface (VTI)
- VPN high availability (Failover, LB)
- GRE over IPSec*2
- NAT over IPSec
- L2TP over IPSec
- SecuExtender Zero Trust VPN Client provisioning
- Support native Windows, iOS/macOS and Android (StrongSwan) client provision*2
- Support 2FA Email/SMS*2
- Support 2FA Google Authenticator
SSL VPN*2
- Supports Windows and macOS
- Supports full tunnel mode
- Supports 2-Factor authentication
Networking
Secure WiFi
- Secure Tunnel for Remote AP
- L2 access between home office and HQ (Secured Tunnel)
- GRE Tunnel for Campus AP
- Enforcing 2FA with Google Authenticator
- WPA2 Enterprise (802.1x) supported
- Wireless Storm Control
- Applicable regardless of the On Premises/Nebula-managed mode
WLAN Management*2
- Supports AP Controller (APC) version 3.60
- 802.11ax Wi-Fi 6 AP and WPA3 support
- 802.11k/v/r support
- Wireless L2 isolation
- Supports auto AP FW update
- Scheduled WiFi service
- Dynamic Channel Selection (DCS)
- Client steering for 5 GHz priority and sticky client prevention
- Auto healing
- Customizable captive portal page
- WiFi Multimedia (WMM) wireless QoS
- CAPWAP discovery protocol
- Multiple SSID with VLAN
- Supports ZyMesh
- Support AP forward compatibility
- Rogue AP Detection
Mobile Broadband*2
- WAN connection failover via 3G and 4G* USB modems
- Auto fallback when primary WAN recovers
IPv6 Support*2
- Dual stack
- IPv4 tunneling (6rd and 6to4 transition tunnel)
- SLAAC, static IP address
- DNS, DHCPv6 server/client
- Static/Policy route
- IPSec (IKEv2 6in6, 4in6, 6in4)
Connection
- Routing mode
- Bridge mode and hybrid mode*2
- Ethernet and PPPoE
- NAT and PAT
- NAT Virtual Server Load Balancing
- VLAN tagging (802.1Q)
- Virtual interface (alias interface)
- Policy-based routing (user-aware)*2
- Policy-based NAT (SNAT)
- GRE*2
- Dynamic routing (RIPv1/v2 and OSPF, BGP)*2
- DHCP client/server/relay
- Dynamic DNS support
- WAN trunk for more than 2 ports
- Per host session limit
- Guaranteed bandwidth
- Maximum bandwidth
- Priority-bandwidth utilization
- Bandwidth limit per user*2
- Bandwidth limit per IP
- Bandwidth management by application
- Link Aggregation support*1*2
Management
Nebula Cloud Management*3
- Unlimited Registration & Central Management (Configuration, Monitoring, Dashboard, Location Map & Floor Plan Visual) of Nebula Devices
- Zero Touch Auto-Deployment of Hardware/Configuration from Cloud
- Over-the-air Firmware Management
- Central Device and Client Monitoring (Log and Statistics Information) and Reporting
- Security Profile Sync
Authentication
- Local user database
- Cloud user database*3
- External user database: Microsoft Windows Active Directory, RADIUS, LDAP
- IEEE 802.1x authentication
- Captive portal Web authentication
- XAUTH, IKEv2 with EAP VPN authentication
- IP-MAC address binding
- SSO (Single Sign-On) support*2
- Supports 2-factor authentication (Google Authenticator, SMS/Email)
System Management
- Role-based administration
- Multi-lingual Web GUI (HTTPS and HTTP)
- Command line interface (console, web console, SSH and telnet)*2
- SNMP v1, v2c, v3
- System configuration rollback*2
- Configuration auto backup*2
- Firmware upgrade via FTP, FTP-TLS, and web GUI*2
- New firmware notify and auto upgrade
- Dual firmware images
- Cloud CNM SecuManager*2
Logging and Monitoring
- Comprehensive local logging
- Syslog (to up to 4 servers)
- Email alerts (to up to 2 servers)
- Real-time traffic monitoring
- Built-in daily report
- Cloud CNM SecuReporter
*: For specific models supporting the 3G and 4G dongles on the list, please refer to the Zyxel product page at 3G dongle document
*2: Supported models ATP500/700/800
*3: Only supported in On-Premise mode
*4: Only supported in Cloud mode