The Zyxel USG FLEX 100 is a Unified Security Gateway Firewall Appliance, or for the sake of this review, a firewall.
The USG FLEX 100’s platform provides the latest, leading technologies, all while providing a complete suite of security subscriptions with seamless, scalable gateway connectivity.
It sits somewhere in the affordable segment of this market, but this can still be an expensive investment for small businesses.
Specification and Features
- Gigabit RJ-45 ports
- 4 x LAN/DMZ
- 1 x WAN
- 1 x SFP
- Firewall throughput – 900Mbps
- VPN throughput – 270Mbps
- UTM throughput – 350Mbps
- Max. TCP concurrent sessions – 300,000
- Max. concurrent IPsec VPN tunnels – 40
- Concurrent SSL VPN users – 30
- VPN – IKEv2, IPSec, SSL, L2TP/IPSec
- SSL (HTTPS) inspection
- 2-Factor Authentication
- Higher Precise detection: Support advanced Anti-Malware with cloud query express mode which expands billions of signatures
- Best threat intelligence alliance: Integrate threat intelligence from leading companies in the cybersecurity field to increase accuracy in threat detection
- High assurance multi-layered protection: Empower you to restrict user’s inappropriate application usage or web access without any unattended gaps
- Flexible subscription options: Choose UTM, Hospitality bundled service or single license for your security needs
- Performance boost: Boost up to 125% firewall performance and 500% Unified Threat Management (UTM) performance
- SecuReporter analytics report and insights: Utilise cloud security service for further threat analysis with correlation feature design, making it easy to proactively trackback network status to prevent the next threat event
- Comprehensive connectivity: Enabled hospitality features with hotspot, AP management, and concurrent device upgrades
- Work remotely and securely: Robust SSL, IPSec and L2TP over IPSec VPN connectivity and VPN high availability (HA)
No Nebula Cloud Management
Zyxel doesn’t appear to advertise this as being compatible with the Nebula cloud management system, but with many of their devices being Nebulaflex and the growing popularity of the cloud-managed system, I assumed it was.
Well, it isn’t, at least for now anyway. They may or may not enable this function at a later date.
Once I realised this did not work with Zyxel Nebula, the set up was straightforward. Just plug the internet into the WAN port, your computer into the LAN port and go to 192.168.1.1 to start the setup process.
You have to activate the device, then also activate all the licences. As I have not paid for these myself, I had to set the device up without a licence, but then within the settings, you can activate a 1-month trial.
You have the usual router features such as NAT, UPnP, IP binding and DDNS. It has a single WAN port, but within the settings, it is possible to set a second port for load balancing on the OPT port.
For the VPN, the device supports IPSec, SSL and L2TP VPN, and it has a wizard to walk you through this setup process. Following the walkthrough will then prompt you to download the Zyxel IPSec VPN Client which is part of the licence you need to pay for for many features. I would assume there is no issue using your own clients if you set things up to work this way
When you log in, you will be greeted with an overview of the network and logs. If you have all filters and other settings set up, this provides an interesting overview of what has been scanned and block with some insight on the sort of content blocked.
There is also SecuReporter which is an online service you need to give access too; this will provide even more analytics on content that has been filtered.
Content and App Filtering
- HTTPs domain filtering
- SafeSearch support
- Whitelist websites enforcement
- URL blacklist and whitelist, keyword blocking support
- Customisable warning messages and redirection URL
- URL categories increased to 100+
- CTIRU (Counter-Terrorism Internet Referral Unit) support
- Geo IP blocking
- Geographical visibility on traffics statistics and logs
- IPv6 address support
With only me and my partner in my house, content and app filtering isn’t really a requirement; however, rolling out these policies are quite simple. You can have schedule options and can apply it per port, so it is easy enough to apply filters to specific sets of users during office hours.
Similarly, you can set up policies for apps too. So for Facebook, I can block the specific applications including video, messenger and the Facebook login. This can either be logged, dropped or refused.
During my testing, a few of the content filters let stuff through which it shouldn’t have. I was able to load a page (legally) selling guns, similarly a pharmacy. But in general, it filtered out everything I tried.
- Support Stream-based scan engine and Express mode for cloud query
- No file size limitation
- Works with local cache for stream mode
- Express mode support over 30 billion cloud databases and growing
- HTTP(s), FTP(s), SMTP(s), POP3(s) protocol support
- Automatic signature updates
- Multiple file types supported
I didn’t trigger many malware alerts, but the gateway offers comprehensive coverage to protect your systems. Even though I triggered some alerts, the report showed nothing, this only seems to list viruses.
By default, the anti-malware service uses the express mode and out of the box, it will scan exe, swf, MS docs, flash files, PDF docs, RTF, and Zip files. You can then have it scan various image and movies formats as well as other compression formats.
One of the issues with many of these devices is the throughput they can handle, a lot of the time they can handle a relatively high throughput but once you start enabling all the advanced features, this drops considerably.
With my Virgin connection being 350Mbps (and normally over) once I enable the features of many cheaper devices I see a drop in my overall internet speed, with the growing number of gigabit connections in the UK, this could be an issue for some.
With this, it is rated at 900Mbps for the firewall, but once you enable the universal threat management features such as anti-malware and deep packet inspection, this drops down to 360Mbps.
The one-off purchase price of this firewall is not so bad, it is the reoccurring costs that you need to be careful of.
For the UTM bundle licence which includes anti-malware, this will set you back £159.69 and includes:
- Content Filtering
Block access to malicious or risky web sites.
Scan files at the gateway for viruses and other threats.
- Intrusion Detection and Prevention
Deep-packet inspection against known attacks from network.
- Application Patrol
Automatically categorise and manage the network application usage.
Fast detection to block spam/phishing mail with malicious contents.
- SecuReporter Premium
Cloud-based intelligent analytics and report with 30-day log retention.
The security licence by itself costs £96.16 and only has web filtering and email security.
Whereas the anti-malware by itself costs £118.03
Price and Competition
I don’t cover many firewall products, so my product knowledge isn’t as thorough as some other areas.
This sits somewhere on the affordable end of the Zyxel pricing with the NSG50 being the model that sits below this at £226.69 which is compatible with Nebula.
The NSG50 is somewhat limited in its performance with a firewall throughput of just 300Mbps with only 10 concurrent VPN tunnels.
The WatchGuard Firebox T10 which is the cheapest model they have is £298.56 inc VAT with a throughput of 400 Mbps, 5VPN tunnels and a recommended user count of just 5; then their licence price can hit £378.39 per year. It is probably not a like for like product, but that’s the sort of prices this market can charge.
Most of my business-related networking content is orientated around SOHO use and very small businesses, with the relatively high running costs of this, it is perhaps not the most suitable device in these scenarios.
However, once you have an office with quite a few staff that relative cost drops down quite a bit. Less than £15pcm for your network security sounds like a good buy, having anti-malware at the routing level makes a lot of sense, if the like of Garmin can have their entire IT system taken out by ransomware, you can guarantee someone in your office will expose you to a similar threat sooner or later.
The overall features of this are extensive, to say the least, I only scratched the surface of what this can do. In particular, more affordable solutions don’t appear to offer the same level of anti-malware or content filtering, and most of them have a lower throughput.
I also found it very easy to set up, while it is probably a bit much for a complete novice, you certainly don’t need to be an expert in networking to secure your office (though an expert set up is probably a good idea).
Overall, if you have an office with a few staff, the Zyxel USG Flex 100 looks like a good investment, securing your network from many of the vulnerabilities you hear about in the news nowadays, without breaking the bank.