Security Service

Firewall

• Routing and transparent (bridge) modes
• Stateful packet inspection
• Source IP Spoofing Prevention
• FTP ALG/SIP Pinhole
• Dos Prevention (Preventing Flood and Sweep Attacks)
• Per host session limit
• Support External IP Block List
• Flooding detection and protection

Security Policy

• Unified policy management interface
• Support Content Filtering, Application Patrol, firewall (ACL)
• Firewall: SSL inspection
• Policy criteria: source and destination IP address, user group, time
• Policy criteria: zone, user

Intrusion Prevention System (IPS)

• Streamed-based engine
• Signature-based scanning
• Support both intrusion detection and prevention
• Support allow list (whitelist) to deal with false positives involving known benign activity
• Support exploit-based and vulnerability-based protection
• Support Web attacks like XSS and SQL injection
• Automatic new signature update mechanism support

Application Patrol

• Smart single-pass scanning engine
• Identifies and control thousands of applications and their behaviors
• Support more than 50 application categories
• GenAI App Visibility & Control
• Granular control over the most popular applications
• Real-time application statistics and reports
• Identify and control the use of DoH (DNS over HTTPS)

Anti-Malware

• High performance query-based scan engine (Express Mode)
• Works with over 30 billion of known malicious file identifiers and still growing
• Wild range file type examination
• Support HTTP/SMTP/POP3/FTP scan

Sandboxing

• Cloud-based multi-engine inspection
• Support HTTP/SMTP/POP3/FTP scan
• Wild range file type examination
• Real-time threat synchronization

IP Reputation Filter

• IP-based reputation filter
• Supports 9 Cyber Threat Categories
• Inbound & Outbound traffic filtering
• Support Block and Allow List

DNS Threat Filter

• Block clients to access malicious domain
• Block and Allow List support
• Monitoring or blocking the use of DoH/DoT

URL Threat Filter

• Botnet C&C websites blocking
• Malicious URL blocking
• Support Block and Allow List

External Block List

• Importing malicious IP/URL from external sources
• Works with IP Reputation and URL Threat Filter

Web Filtering

• HTTPs domain filtering
• DNS domain filtering
• Allow List websites enforcement
• Customizable warning messages and redirect URL
• URL categories increased to 111
• CTIRU (Counter-Terrorism Internet Referral Unit) support
• Support Block and Allow List
• DNS SafeSearch

SSL Inspection

• Deep packet inspection for TLS
• Support inspect TLS1.3
• Support untrusted certificate blocking
• Works with IPS/Anti-Malware/Sandboxing/Application Patrol/Web Filtering

Device Insight

• Agentless Scanning for discovery and classification of devices
• View all devices on the network, including wired, wireless, BYOD, IoT, and SecuExtender (remote endpoint) on SecuReporter
• Visibility of network devices (switches, wireless access points, firewalls) from Zyxel or 3rd party vendors
• Visibility of networks devices from Astra Client

Geo Enforcer

• Geo IP blocking
• Geographical visibility on logs

IP Exception

• Provides granular control for target source and destination IP
• Supports security service scan bypass for IPS, Anti-Malware and URL Threat Filter

VPN

IPSec VPN

• Route-based and Policy-based Site to Site
• Client remote access (IKEv2 MS-CHAPv2)
• IKEv2 (EAP, configuration payload)
• Encryption: DES, 3DES, AES (256-bit)
• Authentication: MD5, SHA1, SHA2 (512-bit)
• Perfect forward secrecy (DH groups) support 2, 5, 14-16, 19-21, 28-30
• PSK and PKI (X.509) certificate authentication
• IPSec NAT traversal (NAT-T)
• Dead Peer Detection (DPD) and relay detection
• NAT over IPSec
• SecuExtender VPN Client provision
• Support native Windows, iOS/macOS and Android (StrongSwan) client provision
• Support 2FA Google Authenticator/Microsoft Authenticator

SSL VPN

• Client remote access*
• Full/Split tunnel mode
• SecuExtender VPN client provision
• Support 2FA Google Authenticator/Microsoft Authenticator

Tailscale VPN^*2

• Mesh-capable VPN
• Supports native identity providers, including Google, Microsoft Entra ID, Apple ID, etc.
• Supports Windows, Linux, Android, and iOS agents

Networking

Connection

• Routing/Transparent mode
• Ethernet and PPPoE
• NAT and PAT
• VLAN tagging (802.1Q)
• Static route
• Policy-based routing (user-aware)
• Policy-based NAT (SNAT)
• IGMP Proxy
• DHCP client/server/relay
• Dynamic DNS support
• Multi-WAN load balancing/failover (Round Robin, LLF, Split over)
• Bandwidth Management
• Link Aggregation support (LAG)

WLAN Management^*2

• Supports AP Controller (APC)
• WPA3 support on 802.11ax AP
• WPA2 Enterprise (802.1x)
• 802.11r/k/v support
• Support auto AP firmware update
• Dynamic Channel Selection (DCS)
• Band steering (Band select)
• Wireless L2 Isolation
• CAPWAP discovery method
• Multiple SSID with VLAN
• Support Multi-Link Operation (MLO)
• Support AP Load Balancing
• Support MAC Filtering (Block/Allow)
• Supports Smart Mesh

Management

Nebula Centralized Management

• Centralized device, client, and application usage monitoring (logs and statistics)
• On-premises settings in Nebula
• Cloud & on-prem security integrated with smart sync
• Security Profile Sync
• Nebula SD-VPN
• Auto-link VPN
• Manual-link VPN
• VPN Topology
• Monitor device on/off status
• Keep event log up to 1 year
• Firmware upgrading operation
• Remote SSH for accessing device GUI
• Backup and restore firewall configurations (requires Nebula Pro Pack)

SD-WAN

• Orchestration of secure connections across multiple locations
• Supporting mesh or hub-and-spoke topology
• Prioritizing mission-critical applications
• High availability and failover

Authentication

• Local user database
• External user database
• IKEv2 with EAP-MSCHAPv2 VPN authentication
• Supports 2FA authentication (Google Authenticator, Microsoft Authenticator)
• 802.1x Authentication
• Captive Portal Web Authentication

System Management

• Multi-lingual Web GUI (HTTPS and HTTP)
• Command line interface (console, SSH)
• SNMP v1, v2c, v3
• System configuration rollback
• Configuration auto backup
• Recovery Manager (one-click full backup of configuration, certificates)
• Firmware upgrade via FTP, FTP-TLS
• Firmware upgrade via Web GUI
• New firmware notifications and auto upgrade
• Dual firmware images

Logging and Monitoring

• Comprehensive local logging
• Syslog (to up to 4 servers^*1)
• Event Notification and Email alerts
• Real-time traffic monitoring
• Built-in daily report
• SecuReporter supported

External Integration

Tailscale VPN^*2

• Mesh-capable VPN
• Supports native identity providers, including Google, Microsoft Entra ID, Apple ID, etc.
• Supports Windows, Linux, Android, and iOS agents

Avast SMB^*3

• Online management platform
• Endpoint Protection
• Ransomware & Data Protection
• Phishing Protection
• Web Control
• Personal VPN
• USB Protection
• Patch Management

^*: Compatible with OpenVPN Connect
^*1: Up to 4 servers via CLI, default 2 servers
^*2: Local GUI only
^*3: Requires an active Avast license. Features listed are provided and managed by Avast.