Our USG FLEX series can be managed and provisioned by Nebula Control Center (NCC) from ZLD5.00 firmware. This guide shows how to add and pre-configure the USG FLEX settings on Nebula, before delivering the device for the on-site installation.
Step by step guide
1. Create the organization and site
Log into Nebula Control Center with your myZyxel account and create a new organization.
Name the organization and site, then click on "Next".
Click on "Next" to skip adding a device to Nebula.
Click on "Skip WiFi settings" to continue.
Click on "Go to Nebula Dashboard".
On the Nebula Dashboard, click on "USG FLEX" to select the firewall model you want to configure.
In this example, we have selected the USG FLEX 200.
Alternatively, you also can create the organization and site via the Nebula App.
This can be achieved by opening the Nebula app, log in with your account and tap on "Create New Organization" to start the initial setup process. Name the organization and site, then tap on "Next".
2. Pre-configure the USG FLEX on the Nebula portal
Before doing these steps, please have the network topology, firewall setting and WAN configuration in advance. This information will allow you to pre-configure the USG FLEX settings ahead of being turned on within Nebula. The USG FLEX will automatically synchronize this configuration when it connects to Nebula.
Here are some examples of how to configure the port group and interface within Nebula:
Port Group settings
Go to USG FLEX -> Configure -> Port to configure the WAN/LAN port groups or add WAN/LAN groups to match your scenario.
Go to USG FLEX -> Configure -> Interface to change the WAN/LAN interface’s IP addresses to match your scenario.
By default, the WAN interface is configured as a DHCP client.
Delegate the owner authority
Go to Organization-wide -> Configure -> Administrators to add additional accounts for access to the organization.
Please enable "Delegate owner’s authority" if you want to transfer the ownership of the organization to one of the additional accounts.
3. Register the USG FLEX and do the Zero Touch Provisioning (ZTP)
Go to Organization-wide -> Configure -> License & inventory. Enter the device page and click on "Add" to register the USG FLEX. You can register multiple devices by entering the MAC address and serial number.
Afterwards, you can assign the device to the correct site. You may have several devices in an organization, from here you can select a specific device and assign it to the corresponding site:
Click on "Waiting ZTP" to send the installation guide via email.
By default, Nebula will send the email to your MZC accounts email address.
It's possible to enter an alternative email address.
Alternatively, you also can register the USG FLEX and do the ZTP via the Nebula App.
Register the device, select the site you want to add the USG FLEX to and scan this QR code.
Select the gateway, tap on "Initial Setup" to configure the WAN interface, then send the installation guide via email.
Here is an example of the email from Nebula. The email outlines the final steps on how to activate the USG FLEX and connect to Nebula either by URL or USB:
Activate the USG FLEX by USB could reduce customer effort. You can copy the ZTP file/s to the USB’s root folder. Multiple ZTP files can be located in the same USB for multi-deployment.
4. Upgrade the firewall's firmware to ZLD5.00 via Zyxel One Network Utility (ZON)
Make sure you have installed ZON on your computer. If not, you can download it here:
Connect the power port to the power source and turn on the firewall. Wait for the SYS LED to turn solid green. Connect your computer to the firewall's port 4 (P4).
Open ZON on your computer to scan the firewall. Select the firewall, then click on "Firmware Upgrade":
Select the latest firmware version from the cloud and input the default password “1234” to upgrade. The firmware process takes about 5 minutes to complete.
5.1. Activate the USG FLEX (via URL)
Once the upgrade has been completed, connect the power port to an appropriate power source and turn on the firewall. Wait for the SYS LED to turn solid green. Then, connect the WAN (P2) interface to the Internet.
Connect LAN (P4) interface to the computer.
Open the email received from Nebula and click on "Allow Nebula to Manage My Device".
Wait until Nebula Zero Touch Provisioning was successful. Click on "Go to Nebula Control Center" to access Nebula.
5.2. Active the USG FLEX (via USB)
Alternatively, you also can activate the USG FLEX by USB
Copy the File to a new/clean USG stick (FAT32).
Connect the USB drive to the USG FLEX.
Power on the USG FLEX. The SYS LED blinks red when it's connecting to Nebula and steady green when it's connected.
Go to Site-wide -> Monitor -> Dashboard to check the gateway status.
Web Browser shows, that the internet connection is down when the URL in the email was accessed.
Check your internet connection and make sure you connect to the WAN (P2) interface. Then, click on "Retry" to redo the ZTP.
You also can click on "Network Test Tools" to log in to the devices web GUI for further troubleshooting. The user is "support" and the password is the firewall’s serial number.
Zero Touch Provisioning (ZTP) fails because this device is not in the factory default state.
Please hold the reset button for 5 seconds to reset the device to factory default. Then click on the URL to redo the ZTP.
ZTP by USB: The SYS LED does not stop blinking red. Nebula Dashboard shows, that the firewall is offline.
If the ZTP by USB fails, then please check the internet connection. Open the ztpresult.log in USB to check the status.
Here is an example:
ZTP fails because there is no matching ZTP file in the USB for this device. Please make sure you copy the correct ZTP file.