This article explains what Cloud Monitoring Mode is, why it is used, and how to install and deploy it for your USG FLEX / ATP Series firewall. It also covers how to troubleshoot a firewall that cannot be registered as a monitoring mode firewall, the Monitor Mode ID, and device ownership information for Cloud Monitoring Mode.
Zyxel is excited to introduce Cloud Monitoring Mode, a new sub-management option for Firewall SA types. This innovative feature combines the strengths of both on-premise and cloud modes, offering users enhanced flexibility and centralized management capabilities. In this article, we will explore the key benefits of Cloud Monitoring Mode and provide guidelines for its installation and usage.
1) What is Cloud Monitoring Mode?
Cloud Monitoring Mode is a powerful addition to Zyxel's firewall management options. It provides a centralized gateway for device access, allowing the Nebula Control Center (NCC) to act as the central hub for managing all your firewall devices. With Cloud Monitoring Mode, administrators can leverage a range of additional management tools provided by NCC while retaining the majority of on-premise capabilities and settings.
2) Why use Cloud Monitoring Mode?
Centralized Gateway for Device Access: By utilizing Cloud Monitoring Mode, NCC becomes the single point of entry for managing your firewall devices. This simplifies the management process by providing a centralized location for configuration, monitoring, and maintenance tasks.
Reverse SSH Device Management: Administrators can access devices using their private WAN IP address without the need for additional port forwarding or VPN setup. This streamlined approach ensures secure and convenient remote device management.
Centralized Software Update Policies: Delegate software updates and maintenance schedules to NCC, ensuring consistent and timely updates across all your firewall devices. This feature simplifies the management of multiple devices and ensures they are always up to date with the latest security enhancements.
Full On-premise Firewall Settings: Cloud Monitoring Mode retains the majority of options and tools available in the firewall's on-premise Web GUI. This allows administrators to access and modify firewall settings as needed, ensuring complete control over their network security.
3) Cloud Monitoring Mode Guidelines
Monitor Mode Installation Process: Switching to Cloud Monitoring Mode should have no impact on firewall settings and network services. However, if a device is added to a site prematurely, an error message will be displayed when the firewall initiates a call home. To proceed with the installation process, the device can be removed from the organization.
Cloud Monitoring - FQDN and Service Ports: Cloud Monitoring Mode requires the same set of FQDN, IP address, and service ports as full cloud management. It is important to ensure that the necessary network configurations are in place to enable seamless device connectivity.
- Each Nebula site may only have one Security Gateway (Firewall)
- Cloud Monitoring Mode is a Base Pack feature, while advanced options require the organization to have PRO/PLUS Pack status
4) Installation & Deployment
1. Create Nebula Organization & Site
Login to Nebula and create a new organization and site for the new appliance.
2. Entering Monitor Mode ID:
The Monitoring ID can be found under Configuration -> Mgmt. & Analytics -> Nebula. Administrators should copy this ID into the Nebula site by navigating to Organization-Wide -> Org-wide Manage -> Organization Settings.
Navigate on your firewall's local Web GUI to:
Configuration -> Mgmt. & Analytics -> Nebula
And in Nebula to:
Organization-wide -> Organization-wide manage -> Organization settings
3. Firewall in Monitor Mode in Inventory
When a firewall is added to monitor mode, it is automatically included in the organization matching the Monitor Mode ID. The firewall must then be assigned to a Nebula Site, and the "Monitor Only" tag will be visible under the Device Type column. The monitor mode firewall interacts with the organization's PRO/PLUS status as soon as it is added.
Organization-wide -> License & Inventory
4. Assigning Monitor Mode Firewall to your Site
Click on "Actions", then "Change site assignment" and "add to selected site".
For monitor-only firewalls, deployment methods are greyed out, as they are managed centrally through NCC.
5) Troubleshooting - Status and Descriptions
Below are the status messages and their corresponding descriptions. Additional details can be found in the firewall's user guide:
- N/A: Default status. No Monitor Mode ID has been entered on the Zyxel device.
- Connected: The Zyxel device is successfully connected to Nebula.
- Disconnected – Server is not reachable: The Zyxel device is unable to connect to Nebula. Possible causes include internet or DNS connection issues, or the blocking of IP or TCP ports by the uplink or ISP firewall.
- Disconnected – Connection failure: The Zyxel device fails to connect to Nebula. Ensure that the Monitor Mode ID is correct and up to date.
- Disconnected – Registration failure: The account owner of the device in myZyxel does not match the account owner of the Monitor Mode ID's organization.
- Disconnected – Operation modes mismatch: The device is currently in a Nebula organization's inventory. Remove the device from the inventory and try again.
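For the "Server is not reachable" status, the check below separates the DNS cause from the blocked-TCP-port cause when run from a host behind the same uplink as the firewall. It is an added example, not Zyxel code; the hostname and port in ENDPOINTS are placeholders because this article does not list the Nebula FQDNs or ports, and the function names are illustrative.

```python
import socket

# Placeholder endpoint: this article does not list the Nebula FQDNs or ports.
# Replace with the values Zyxel documents for cloud management.
ENDPOINTS = [("nebula-endpoint.example", 443)]


def check_endpoint(host, port, timeout=5.0,
                   resolve=socket.getaddrinfo,
                   connect=socket.create_connection):
    """Return 'dns_failure', 'tcp_blocked' or 'reachable' for one endpoint."""
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failure"
    for *_, sockaddr in infos:
        try:
            conn = connect(sockaddr[:2], timeout=timeout)
        except OSError:  # refused, filtered (timeout) or unroutable
            continue
        conn.close()
        return "reachable"
    return "tcp_blocked"


def diagnose(endpoints, **kwargs):
    """Check every endpoint and name the most likely cause from the status list."""
    results = {f"{h}:{p}": check_endpoint(h, p, **kwargs) for h, p in endpoints}
    states = set(results.values())
    if states == {"reachable"}:
        cause = "path_ok"             # look at Monitor Mode ID / ownership instead
    elif states == {"dns_failure"}:
        cause = "dns_or_internet"     # nothing resolves: DNS or uplink is down
    elif "tcp_blocked" in states:
        cause = "port_or_ip_blocked"  # name resolves but TCP never completes
    else:
        cause = "partial_dns"         # some names resolve, others do not
    return cause, results


if __name__ == "__main__":
    cause, results = diagnose(ENDPOINTS)
    for endpoint, state in results.items():
        print(f"{endpoint:40} {state}")
    print("likely cause:", cause)
```

A "path_ok" result while the firewall still shows Disconnected points to the other statuses in the list (Monitor Mode ID, account ownership, or inventory state) rather than the network.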
6) Device Ownership and Organization Inventory
Zyxel firewalls are bound to your myZyxel Cloud (MZC)/Nebula account once they are registered in on-premise or cloud managed mode. To prevent accidental addition of cloud monitoring devices to a different user's organization, NCC includes security mechanisms that verify the device owner and Nebula organization owner. If a non-owner account needs to monitor the firewall, the device owner can create a Nebula Organization for Monitoring Mode and add the necessary accounts to the Administrators List.