Nebula [ZTP] - How to register USGFLEX/ATP gateway in Nebula Control Center

Our USG FLEX firewalls can be managed and provisioned by Nebula Control Center (NCC) from ZLD5.00 firmware onwards. The ATP series can be managed in NCC from ZLD5.10 firmware. This guide shows how to add the device to Nebula using the ZTP process and how to pre-configure the firewall settings in Nebula before delivering the device for on-site installation. It is divided into sections, so please navigate to the section relevant to you in the table of contents.

Note: ZTP mode is not available as of version 5.37 patch 1, so you must deploy the device to Nebula using native mode. The affected models are:

  • ATP series: ATP100, ATP100W, ATP200, ATP500, ATP700, ATP800
  • USG FLEX series: USG FLEX 50, USG FLEX 50W, USG FLEX 100, USG FLEX 100W, USG FLEX 200, USG FLEX 500, USG FLEX 700, USG20-VPN, USG20W-VPN

If you encounter difficulty adding your device to Nebula, it may indicate that your device was manufactured before the end of 2023 and requires completion of the Zero Touch Provisioning (ZTP) process. To proceed, follow these steps:

  • Downgrade the firmware on your device
  • Navigate through the ZTP process as required
  • Once successfully added, update the device to the latest firmware version

How to register your firewall into Nebula (Videos)

  • Register in Nebula using ZTP URL mode
  • Register in Nebula using ZTP USB mode
 

Note: Your device must be reset to default in order to connect it to Nebula, which erases any settings that were previously configured. Once connected to Nebula, the device will be configured automatically with the Nebula default settings. Please also note that there are some limitations, and the following features are not yet available in cloud mode for the USG FLEX:

  • Device HA
  • Email Security (Anti-Spam)
  • SSL Inspection
  • Dynamic Routing (RIP, OSPF, BGP)
  • Related IPv6 features
  • AP controller (Nebula Control Center should be used as AP controller instead)
  • Hotspot service (Nebula Control Center already supports hotspot services such as Voucher, Walled garden)

Licensing

  • Licensing of your USG FLEX into Nebula Control Center

If your USG FLEX came with a bundled license, you will automatically enjoy a 1-year Nebula Professional Pack for your device. The UTM service license will be carried over to Nebula seamlessly, regardless of its remaining time.

If your USG did not come with a bundled license, you will still enjoy the 30-day trial for your UTM services. The Nebula PRO Pack services also include a 30-day trial, which starts automatically when your organization is created.

The trial license period also applies to devices with a bundled license.

  • Migrating my existing NSG license (NSS) to the USG FLEX (UTM)

To migrate the license from your NSG to the USG FLEX on the cloud, the following mapping table applies. For instance, NSG 100 can only migrate its license to USG FLEX 200 and cannot migrate its license to other USG FLEX models.

NSG Series      | NSG50             | NSG100       | NSG200       | NSG300
USG FLEX series | USG FLEX 100/100W | USG FLEX 200 | USG FLEX 500 | USG FLEX 700

If your USG FLEX 100 already has a 1-year license, then after migrating the remaining license from the NSG50 (e.g. 6 months) to the USG FLEX 100, the latter ends up with a license of one and a half years.

Please raise a Support Request, and our team will gladly help you solve your migration license issue with due priority.

Choosing Nebula Mode through Web GUI

Once your device is running 5.10 with factory default settings, you will be required to change the default admin password ("1234") the first time you log in to the Web Configurator.

  • Nebula Mode

Select Nebula Mode to manage your Zyxel Device using Nebula Control Center (NCC). NCC is a cloud-based network management system that allows you to manage and monitor your Zyxel Device remotely.

Follow the Nebula mode wizard to configure the WAN settings to pass the management of your Zyxel Device to NCC. 


Once the Management mode and the WAN of the device are configured so that the device has internet access, you can proceed to Nebula for further setup. More information is in the section "Nebula native mode".

  • Migrate remotely from on-premise to Nebula mode

Even if you have static IP settings or factory default settings, you can switch your on-premise management solution to Nebula Cloud mode remotely using the Web GUI. Note that the device will be factory reset and its configuration will be lost. With Nebula Phase 13, you don't have to go on-site to factory reset the device before migrating to Nebula; you can now do it remotely.

The requirements for migrating remotely to Nebula are that the firewall:

  • Is in Nebula Native Mode, which means it contains the ZTP Certificate
  • Is online (WAN (internet) access is needed)

Note: If you have the device in on-premise mode, you may skip the step "Nebula native mode".

  • Create an organization and site

If you haven't established a Nebula organization and site yet, please follow the article linked below. Once you've completed that step, we can proceed with the registration process.
Nebula [Site/Organization] - How to create/delete an organization and site on Nebula Control Center?

Configure the Firewall in the Nebula portal

Before doing these steps, please have the network topology, firewall settings, and WAN configuration at hand. This information allows you to pre-configure the firewall settings in Nebula before the device is turned on. The firewall will automatically synchronize this configuration when it connects to Nebula. When creating the site, you can specify the model of your firewall without adding it, which makes it possible to pre-configure some parameters before adding the device itself.

  • Port Group settings

Site-wide -> Configure -> Firewall -> Port: configure the WAN/LAN port groups or add WAN/LAN groups to match your scenario.

  • Configure WAN settings if you have a static IP

Site-wide -> Configure -> Firewall -> Interfaces: change the WAN/LAN interface's IP addresses to match your scenario.

Register the Firewall and choose the deployment method

Manual mode

Go to Site-wide -> License & Inventory

Open the device page and click on "Add" to register the firewall. You can register multiple devices by entering their MAC addresses and serial numbers.

Afterward, you can assign the device to the correct site. You may have several devices in an organization; from here you can select a specific device and assign it to the corresponding site:


A pop-up window will appear where you can select the device deployment method.

Zero Touch Provision mode

The first time a device is enrolled in Nebula, Zero Touch Provision mode must be used, as the device needs the ZTP process to become cloud capable. Go to the section "Execute ZTP Process".

The Nebula native mode

When you first register your device in Nebula, you need to make sure that you have the ZTP certificate on your device. Every firewall needs to go through the ZTP process once. On newer devices, the ZTP certificate may already be on the firewall (please check if you have the ZTP certificate here). If you don't have the ZTP certificate, you need to do the ZTP process and cannot use native mode to get the firewall online.

  • Reset the device to the default configuration

When you want to migrate from Stand-alone mode to Nebula, you need to reset the device first using the RESET button located on the front of the device (holding it down for 15 seconds). If you change even the slightest setting during the process (e.g. the admin password), the migration won't succeed.

  • Check if you have DHCP or Static IP on WAN

If you have a static IP on your WAN, you need to log in to the device via the Web GUI, choose Nebula mode and enter the IP information needed for a connection to be established.


If you have a static IP on WAN, go through the wizard and, after you are finished, go to step 2 - register the device.

  • Choose the Native Mode

Connect your WAN to the port shown in the picture (in this example P2) and the LAN to the port shown (in this example P4). Note: Nothing else should be connected.

  • You should be able to see that it's waiting for the device to connect itself to Nebula (under Devices -> Firewall):

The firewall should now do a quick restart and after the restart, the device should come online within 20 minutes.

 

Troubleshooting - "Waiting device connected" [Checking ZTP Certificate]

If your device is stuck in Native mode at "Waiting for a device connected", you need to double-check that you have the ZTP certificate.

Log in to the device via SSH (using a program such as PuTTY or Tera Term) and type:

    show native mode cert file status


If you get an error or the certificate is not there, you haven't done the ZTP process yet on that firewall and need to use the ZTP process this time. It could also be that you do not have the 5.10 firmware version and need to upgrade the firewall before using the Native mode. 

  • Migrate from on-premise mode to Nebula Mode in Web GUI

Go to Configuration -> Mgmt. & Analytics -> Nebula, then click on Apply and Go To Nebula.

You will then get a pop-up, where you need to click "Yes".


Then you wait for the device to come online in Nebula.

 

Execute ZTP Process

The videos shown at the beginning of the article show the whole process, with only the last part being different. This last part is the ZTP process, for which two methods are available, as shown in the videos. Both methods are covered in the following two sub-sections.


For the ZTP process, you need to specify how the WAN connection will be set up (DHCP/PPPoE/Static IP) and the email address to which the email containing the link and JSON file will be sent. "I will install firewall by myself" sends the email to the account that is currently adding the device to the site. It is also possible to specify any other email account so that an installer can run the ZTP process.


 

  • Activate the Firewall cloud capability via URL

With the device running the latest firmware, connect the power port to an appropriate power source and turn on the firewall. Wait for the SYS LED to turn solid green. Then, connect the WAN (P2) interface to the Internet.

Connect LAN (P4) interface to the computer.


 


 

Open the email received from Nebula and click on "Allow Nebula to Manage My Device".
 


Wait until Nebula Zero Touch Provisioning is successful. Click on "Go to Nebula Control Center" to access Nebula.


The device will take a few minutes to connect to Nebula and become online.

Note: If you have a device such as an AP already connected to port 4 of the USG FLEX, and the AP is already providing a Wi-Fi network in the subnet 192.168.1.1/24, you can execute the ZTP via URL from any device connected to that Wi-Fi network, which allows you to do it from a mobile device.

  • Activate the Firewall cloud capability via USB

Alternatively, you can activate the firewall using a USB stick. Copy the file attached to the email sent from Nebula to a new/clean USB stick (FAT32) and connect it to the firewall's USB port. Power on the firewall. The SYS LED blinks red while it is connecting to Nebula and turns steady green when it is connected.

Go to the Nebula Dashboard to check the gateway status.


The device will take a few minutes to connect to Nebula and become online.

Troubleshooting

  • Internet connection is down - Check the Internet connection

The web browser shows that the internet connection is down when the URL in the email is accessed.



Check your internet connection and make sure you connect to the WAN (P2) interface. Then, click on "Retry" to redo the ZTP.




You can also click on "Network Test Tools" to log in to the device's web GUI for further troubleshooting. The user is "support" and the password is the firewall’s serial number.


If you have a Static IP / PPPoE connection, double-check that you have entered the static IP information on the device locally.

Go to Configuration -> WAN Settings and double-check that everything is filled in correctly.
  • Zero Touch Provisioning (ZTP) fails because this device is not in the factory default state

Please hold the reset button for 5 seconds to reset the device to factory default. Then click on the URL to redo the ZTP.

  • ZTP by USB: The SYS LED does not stop blinking red

The Nebula Dashboard shows that the firewall is offline.
If the ZTP by USB fails, please check the internet connection. Open the ztpresult.log file on the USB stick to check the status.


Here is an example:



ZTP fails because there is no matching ZTP file on the USB stick for this device. Please make sure you copy the correct ZTP file.

  • Nebula mode does not show when accessing Web GUI

You can upgrade your device via the Device Web configurator interface (check here) or using the ZON utility. This article shows how to do it via the ZON utility.

Make sure you have installed ZON on your computer. If not, you can download it here:

Zyxel One Network Utility (ZON)

Connect the power port to the power source and turn on the firewall. Wait for the SYS LED to turn solid green. Connect your computer to the firewall's port 4 (P4).


Open ZON on your computer to scan the firewall. Select the firewall, then click on "Firmware Upgrade":




Select the latest firmware version from the cloud and input the default password “1234” to upgrade. The firmware upgrade process takes about 5 minutes to complete.


 

Licensing for USG FLEX series

  • Bundled Nebula licensing for your USG FLEX into Nebula Control Center

If your USG FLEX came with a bundled license, you will automatically enjoy a 1-year Nebula Professional Pack for your device. The UTM service license will be carried over to Nebula seamlessly, regardless of its remaining time.

If your USG did not come with a bundled license, you will still enjoy the 30-day trial for your UTM services. The Nebula Pro Pack services also include a 30-day trial, which starts automatically when your organization is created.

The trial license period also applies to devices with a bundled license.

 

  • Migrating my existing NSG license (NSS) to the USG FLEX (UTM)

To migrate the license from your previous NSG to the USG FLEX on the cloud, the following mapping table applies. For instance, NSG 100 can only migrate its license to USG FLEX 200 and cannot migrate its license to other USG FLEX models.

NSG Series      | NSG50             | NSG100       | NSG200       | NSG300
USG FLEX series | USG FLEX 100/100W | USG FLEX 200 | USG FLEX 500 | USG FLEX 700

If your USG FLEX 100 already has a 1-year license, then after migrating the remaining license from the NSG50 (e.g. 6 months) to the USG FLEX 100, the latter ends up with a license of one and a half years.

  • Limitations with changing to Nebula mode

There are some limitations, and the following features are not yet available in cloud mode for the USG FLEX:

  • Device HA
  • Email Security (Anti-Spam)
  • SSL Inspection
  • Dynamic Routing (RIP, OSPF, BGP)
  • Related IPv6 features
  • AP controller (Nebula Control Center should be used as AP controller instead)
  • Hotspot service (Nebula Control Center already supports hotspot services such as Voucher and Walled garden)

If you encounter other issues, please feel free to get in contact with our Support team.

 
