Our USG FLEX firewall can be managed and provisioned by Nebula Control Center (NCC) from ZLD5.00 firmware onwards. The ATP series can be managed in NCC from ZLD5.10 firmware. This guide shows how to add the device to Nebula using the ZTP process and pre-configure the firewall settings on Nebula before delivering the device for on-site installation.
This article shows how to register your firewall in Nebula. It is divided into sections, so please use the table of contents to navigate to the section relevant to you.
Table of Contents
1. How to register your firewall into Nebula (Videos)
2. Choosing Nebula Mode through Web GUI
2.1 Nebula Mode
2.2 Migrating from on-premise to Nebula mode
3. Create an organization and site
4. Configure the Firewall in the Nebula portal
4.1 Port Group settings
4.2 Configure WAN settings if you have a static IP
5. Register the Firewall and choose the deployment method
5.1 Zero Touch Provision mode
5.2 The Nebula native mode
6. Execute ZTP Process
6.1 Activate the Firewall cloud capability via URL
6.2 Activate the Firewall cloud capability via USB
7. Troubleshooting
8. Licensing for USG FLEX series
1. How to register your firewall into Nebula (Videos)
1.1 Register in Nebula using ZTP URL mode (09:02)
1.2 Register your device in Nebula using ZTP USB mode (01:58)
Note: Your device must be reset to default in order to connect it to Nebula, which means all previously configured settings will be lost. Once connected to Nebula, the device will be configured automatically with Nebula default settings. Please also note that there are some limitations and the following features are not yet available in cloud mode for the USG FLEX:
- Device HA
- Email Security (Anti-Spam)
- SSL Inspection
- Dynamic Routing (RIP, OSPF, BGP)
- Related IPv6 features
- AP controller (Nebula Control Center should be used as AP controller instead)
- Hotspot service (Nebula Control Center already supports hotspot services such as Voucher, Walled garden)
Licensing of your USG FLEX into Nebula Control Center.
If your USG FLEX came with a bundled license, you will automatically enjoy a 1-year Nebula Professional Pack for your device. The UTM service license will be carried over to Nebula seamlessly, regardless of its remaining time.
If your USG did not come with a bundled license, you will still enjoy the 30-day trial for your UTM services. The Nebula Pro Pack services also include a 30-day trial, which starts automatically when your organization is created.
The trial license period also applies to a device with a bundled license.
Migrating my existing NSG license (NSS) to the USG FLEX (UTM).
To migrate the license from your previous NSG to the USG FLEX on the cloud, the following mapping table applies. For instance, the NSG100 can only migrate its license to the USG FLEX 200 and cannot migrate it to other USG FLEX models.
NSG Series | USG FLEX series |
NSG50 | USG FLEX 100/100W |
NSG100 | USG FLEX 200 |
NSG200 | USG FLEX 500 |
NSG300 | USG FLEX 700 |
If your USG FLEX 100 already has a 1-year license, then after migrating the remaining license from the NSG50 (e.g. 6 months) to the USG FLEX 100, the latter ends up with a 1 and a half year license.
Please raise a Support Request, and our team will gladly help you solve your migration license issue with due priority.
2. Choosing Nebula Mode through Web GUI
Once your device is running firmware 5.10 with factory default settings, you will be required to change the default admin password ("1234") the first time you log into the Web Configurator.
2.1 Nebula Mode
Select Nebula Mode to manage your Zyxel Device using Nebula Control Center (NCC). NCC is a cloud-based network management system that allows you to manage and monitor your Zyxel Device remotely.
Follow the Nebula mode wizard to configure the WAN settings to pass the management of your Zyxel Device to NCC.
Once the Management mode and the WAN of the device are configured and the device has internet access, you can proceed to Nebula for further setup.
See section 5.2 for more information.
2.2 Migrate remotely from on-premise to Nebula mode
Whether the device has static IP settings or factory default settings, you can switch from your on-premise management solution to Nebula Cloud mode remotely using the Web GUI. Note that the device will be factory reset and its configuration will be lost. On Nebula Phase 13, you no longer have to go on-site to factory reset the device before migrating to Nebula; you can do it remotely.
The requirements for migrating remotely to Nebula are:
- The firewall needs to be in Nebula Native Mode, which means it needs to contain the ZTP certificate
- The device needs to be online (WAN (internet) access needed)
Note! If you have the device in the on-premise mode you may skip step 5.2.
3. Create an organization and site
Log into Nebula Control Center with your myZyxel account and create a new organization.
Name the organization and site, then click on "Next".
You can add your device here, but this article shows how to add the device when your organization and site already exist. Click on "Next" to skip adding a device to Nebula.
On the next page, click on "Skip WiFi settings" to continue. On the final step, click on "Go to Nebula Dashboard".
On the Nebula Dashboard, click on "Firewall" to select the firewall model you want to configure.
In this example, we have selected the USG FLEX 200.
Alternatively, you can also create the organization and site via the Nebula App.
To do so, open the Nebula app, log in with your account and tap on "Create Organization" to start the initial setup process. Name the organization and site, then tap on "Create". Scan your device's QR code, configure the ZTP and, once done, go to the Dashboard.
4. Configure the Firewall in the Nebula portal
Before doing these steps, please have the network topology, firewall settings and WAN configuration ready in advance. This information lets you pre-configure the Firewall settings in Nebula before the device is turned on. The Firewall will automatically synchronize this configuration when it connects to Nebula.
4.1 Port Group settings
Go to Firewall -> Configure -> Port to configure the WAN/LAN port groups or add WAN/LAN groups to match your scenario.
4.2 Configure WAN settings if you have a static IP
Go to Firewall -> Configure -> Interface to change the WAN/LAN interface’s IP addresses to match your scenario.
5. Register the Firewall and choose the deployment method
Another way to register your device is to go to Organization-wide -> Configure -> License & inventory. Enter the device page and click on "Add" to register the Firewall. You can register multiple devices by entering the MAC address and serial number.
Afterward, you can assign the device to the correct site. You may have several devices in an organization; from here you can select a specific device and assign it to the corresponding site:
A pop-up window will appear where you can select the device deployment method.
5.1 Zero Touch Provision mode
The first time the device is enrolled on Nebula, the Zero Touch Provision mode must be used, as the device needs the ZTP process to become Cloud capable. Go to Step 6 - Execute ZTP Process.
5.2 The Nebula native mode
When you first register your device into Nebula, you need to make sure that you have the ZTP certificate on your device. Every firewall needs to go through the ZTP process once. In newer devices, the ZTP certificate could already be on the firewall. Please check whether you have the ZTP certificate (see section 5.2.4); if you don't have it, you need to do the ZTP process and cannot use the native mode to get the firewall online.
5.2.1 Reset the device to the default configuration
When you want to migrate from Stand-alone mode to Nebula, you need to reset the device first using the RESET button located on the front of the device (holding it down for 15 seconds). If you change even the slightest setting during the process (e.g. the admin password), the migration won't succeed.
5.2.2 Check if you have DHCP or Static IP on WAN
If you have a static IP on your WAN, you need to log in to the device via the Web GUI, choose Nebula mode and enter the IP information needed for a connection to be established:
If you have static IP on WAN, go through the wizard below and after you are finished, go to step 2 - register the device:
5.2.3 Choose the Native Mode
Connect your WAN to the port shown in the picture (in this example P2) and the LAN to the port shown (in this example P4). Note! Nothing else should be connected.
You should be able to see that it's waiting for the device to connect itself to Nebula (under Firewall -> Monitor -> Firewall):
The firewall should now do a quick restart and after the restart, the device should come online within 20 minutes.
5.2.4 Troubleshooting - "Waiting device connected" [Checking ZTP Certificate]
If your device is stuck in Native mode at "Waiting for a device connected", you need to double-check that you have the ZTP certificate:
Log in to the device via SSH (using a program such as PuTTY or Tera Term) and type "show native mode cert file status":
If you get an error or the certificate is not there, you haven't done the ZTP process yet on that firewall and need to use the ZTP process this time. It could also be that you do not have the 5.10 firmware version and need to upgrade the firewall before using the Native mode.
5.3 Migrate from on-premise mode to Nebula Mode in Web GUI
Go to Configuration -> Mgmt. & Analytics -> Nebula, then click on Apply and Go To Nebula
You will then get a pop-up and you need to click yes:
Then you wait for the device to come online in Nebula.
6. Execute ZTP Process
The videos at the beginning of the article show the whole process; only the last part differs between them. This last part is the ZTP process, for which two methods are available, as shown in the videos. Both methods are covered in the following 2 sub-sections.
For the ZTP process, you need to specify how the WAN connection will be set up (DHCP/PPPoE/Static IP) and the email address to which the email containing the link and JSON file will be sent. "I will install firewall by myself" sends the email to the account that is currently adding the device to the site. It is also possible to specify any other email account so that an installer can run the ZTP process.
6.1 Activate the Firewall cloud capability via URL
With the device running the latest firmware, connect the power port to an appropriate power source and turn on the firewall. Wait for the SYS LED to turn solid green. Then, connect the WAN (P2) interface to the Internet.
Connect LAN (P4) interface to the computer.
Open the email received from Nebula and click on "Allow Nebula to Manage My Device".
Wait until Nebula Zero Touch Provisioning has completed successfully. Click on "Go to Nebula Control Center" to access Nebula.
The device will take a few minutes to connect to Nebula and come online.
Note: If you have a device such as an AP already connected on port 4 of the USG FLEX, and the AP is already providing a Wi-Fi network in the subnet 192.168.1.1/24, you can execute the ZTP via URL from any device connected to that Wi-Fi network, which allows you to do it from a mobile device.
6.2 Activate the Firewall cloud capability via USB
Alternatively, you can also activate the Firewall using a USB stick.
Copy the file attached to the email sent from Nebula to a new/clean USB stick (FAT32), and connect it to the Firewall's USB port.
Power on the Firewall. The SYS LED blinks red while it's connecting to Nebula and turns steady green when it's connected.
Go to Site-wide -> Monitor -> Dashboard to check the gateway status.
The device will take a few minutes to connect to Nebula and come online.
7. Troubleshooting
7.1 Internet connection is down - Check the internet connection
The web browser shows that the internet connection is down when the URL in the email is accessed.
Check your internet connection and make sure it is connected to the WAN (P2) interface. Then, click on "Retry" to redo the ZTP.
You can also click on "Network Test Tools" to log in to the device's web GUI for further troubleshooting. The user is "support" and the password is the firewall’s serial number.
If you have a Static IP / PPPoE connection, double-check that you have entered the static IP information on the device locally.
Navigate to Configuration -> WAN Settings and double-check that everything is filled in correctly:
7.2 Zero Touch Provisioning (ZTP) fails because this device is not in the factory default state.
Please hold the reset button for 5 seconds to reset the device to factory default. Then click on the URL to redo the ZTP.

7.3 ZTP by USB: The SYS LED does not stop blinking red
The Nebula Dashboard shows that the firewall is offline.
If the ZTP by USB fails, please check the internet connection. Open the ztpresult.log file on the USB stick to check the status.
Here is an example:
ZTP fails because there is no matching ZTP file in the USB for this device. Please make sure you copy the correct ZTP file.
7.4 Nebula mode does not show when accessing Web GUI
You can upgrade your device via the Device Web configurator interface (check here) or using the ZON utility. This article shows how to do it via the ZON utility.
Make sure you have installed ZON on your computer. If not, you can download it here:
Zyxel One Network Utility (ZON)
Connect the power port to the power source and turn on the firewall. Wait for the SYS LED to turn solid green. Connect your computer to the firewall's port 4 (P4).
Open ZON on your computer to scan the firewall. Select the firewall, then click on "Firmware Upgrade":
Select the latest firmware version from the cloud and input the default password “1234” to upgrade. The firmware upgrade process takes about 5 minutes to complete.
8. Licensing for USG FLEX series
8.1 Bundled Nebula licensing for your USG FLEX into Nebula Control Center.
If your USG FLEX came with a bundled license, you will automatically enjoy a 1-year Nebula Professional Pack for your device. The UTM service license will be carried over to Nebula seamlessly, regardless of its remaining time.
If your USG did not come with a bundled license, you will still enjoy the 30-day trial for your UTM services. The Nebula Pro Pack services also include a 30-day trial, which starts automatically when your organization is created.
The trial license period also applies to a device with a bundled license.
8.2 Migrating my existing NSG license (NSS) to the USG FLEX (UTM).
To migrate the license from your previous NSG to the USG FLEX on the cloud, the following mapping table applies. For instance, the NSG100 can only migrate its license to the USG FLEX 200 and cannot migrate it to other USG FLEX models.
NSG Series | USG FLEX series |
NSG50 | USG FLEX 100/100W |
NSG100 | USG FLEX 200 |
NSG200 | USG FLEX 500 |
NSG300 | USG FLEX 700 |
If your USG FLEX 100 already has a 1-year license, then after migrating the remaining license from the NSG50 (e.g. 6 months) to the USG FLEX 100, the latter ends up with a 1 and a half year license.
8.3 Limitations with changing to Nebula mode
There are some limitations, and the following features are not yet available in cloud mode for the USG FLEX:
- Device HA
- Email Security (Anti-Spam)
- SSL Inspection
- Dynamic Routing (RIP, OSPF, BGP)
- Related IPv6 features
- AP controller (Nebula Control Center should be used as AP controller instead)
- Hotspot service (Nebula Control Center already supports hotspot services such as Voucher, Walled garden)
If you encounter other issues, please feel free to get in contact with our Support team.