Most major router brands offer some form of firewall baked into their products, providing basic to sometimes intermediate features to help manage your network’s security. However, most of them, if not all, can’t really compare to running a dedicated firewall solution. This is where options like the Zyxel USG Flex 100H Firewall come in handy.
You can’t let its size fool you as this isn’t your everyday entry-level solution. It is the entry-level model within its series, but its features are far from entry-level. Best for small businesses with up to 50 people accessing the network at any given time, this firewall offers an affordable solution for mom and pop companies and other small businesses looking to add a layer of protection that routers simply just can’t offer.
By itself, it looks no bigger than some of your basic routers or switches. Small in size, it can easily integrate into your network without taking up a lot of space. No rack-mounting needed. Just plug it in-line between your incoming WAN (internet) connection and the rest of your network and hide it somewhere.
It offers added durability thanks to the sturdy aluminum body, which not only protects it physically but also helps to spread heat around, so no active cooling (fans) is necessary.
The front of the unit has an array of LED status lights and a single USB 3.0 port. It is simple and clean, and gives the overall design a bit of an enterprise feel.
The backside offers a familiar collection of ports, including 8x Gb (1Gbps) ports, a console port, and a power connection.
Each port can be configured to be 10Mbps, 100Mbps, or 1000Mbps within the user interface. Upgrading to the larger models will gain you support for 2.5Gbps (or even 10Gbps via SFP+). However, this specific model (USGFLEX100H) is only capable of up to 1Gbps per port. Again, this is the entry-level option within its series.
One of these ports will act as your WAN (internet connection), and you assign this port when first setting things up. All other ports are for your devices (computers, switches, etc.) or even separate VLANs.
The console port is for an RJ45 (Ethernet) to serial connection adapter that allows network admins to physically tap right in to execute configurations and set up the firewall (including resetting things completely).
The initial setup is incredibly easy for what it is. First, you want to insert your incoming internet (WAN) connection into the first port and then a computer/laptop into the second. Then you would access its admin screen like you would any router/switch/firewall by browsing to its IP address.
The instructions say the default IP is 192.168.1.1, although this could change if you have it plugged in somewhere deeper within your network. The best way to know for sure is to do something like opening a command prompt (if using Windows), typing “ipconfig”, and looking for your Ethernet adapter stats and where it says “gateway”. For macOS or Linux you’d simply take an equivalent approach. You can also look at your network properties/settings for gateway information. If any of this sounds confusing, you may not be the right person to be configuring this, as hardware firewalls are (typically) not for beginners.
Once you are in, a wizard walks you through setting the basics up, including setting a password for the GUI, assigning which port will act as your WAN (in this case, port 1), acquiring the date and time, registering it with Zyxel’s Nebula platform, and finishing up.
From there, you land right into the GUI where you can monitor everything within the firewall and manage all of your settings.
As mentioned, this one comes with a long list of features, including up to 3Gbps total throughput between all devices connected to it. It offers support for VPN (its SecuExtender VPN utility supports both IKEv2 and SSLVPN). Like a managed switch, you can identify the speeds of each port in case you want to slow one down.
You can monitor various resource usage, such as CPU, memory, sessions, and more, just not bandwidth usage by port or device (MB/GBs downloaded/uploaded within a given time period). This is something that seems to be rare in many affordable firewall solutions for some reason. You can monitor speed peaks, just not overall bandwidth used.
You can create a separate VLAN for every one of your ports if you want to, isolating things into multiple networks that aren’t able to talk to each other. For example, if you are doing business from home, you can split your internet between your home network and your business network, with each one isolated from the other as good security practice.
Not everything is free though. This is where registration with Nebula comes into play. Remote configuration, web filtering, anti-malware, application patrol, reputation filter, SecuReporter, sandboxing, device insights, and more all fall under having a paid subscription through Nebula. This isn’t required, and when we registered the firewall, we did get a 30-day trial of all of these (as you can see in one of the above images under “setup”).
If you decide not to take advantage of the Nebula subscription, you default to the basic features of the firewall. These still provide you with plenty of protection and reporting features, which is better than not having a hardware-based firewall solution.
So not everything is free, but who didn’t see that coming? Again, this series targets small business owners looking to take network security seriously. Just attending a show like Black Hat quickly educates someone on how expensive these efforts can really get. This is just an affordable stepping stone into that world for those who can’t afford all of that.
Some of the models in the series offer support for PoE+ and faster port speeds, but we weren’t able to test any of this since this model doesn’t include these features. But again, this is the entry-level option in the series. As you climb up, you gain additional connectivity, faster speeds, and other benefits.
Here is a list of USG FLEX H Series models, what they include, and their MSRP:
- USG FLEX 100H Firewall – 8x GbE Ethernet ports – $399.99
- USG FLEX 100H Firewall (Bundled) – 8x GbE Ethernet ports + one year Gold Security License – $499.99
- USG FLEX 100HP Firewall – 8x GbE Ethernet ports with one as GbE/PoE (802.3at, 30W total) – $499.99
- USG FLEX 100HP Firewall (Bundled) – 8x GbE Ethernet ports with one as GbE/PoE (802.3at, 30W total) + one year Gold Security License – $599.99
- USG FLEX 200H Firewall – 2x 2.5 GbE and 6x GbE ports – $549.99
- USG FLEX 200H Firewall (Bundled) – 2x 2.5 GbE and 6x GbE ports + one year Gold Security License – $699.99
- USG FLEX 200HP Firewall – 2x 2.5 GbE and 6x GbE ports with one as GbE/PoE (802.3at, 30W total) – $649.99
- USG FLEX 200HP Firewall (Bundled) – 2x 2.5 GbE and 6x GbE ports with one as GbE/PoE (802.3at, 30W total) + one year Gold Security License – $799.99
- USG FLEX 500H Firewall – 2x 2.5 GbE, 2x 2.5 GbE/PoE (802.3at, 30W total), and 8x GbE Ethernet ports – $899.99
- USG FLEX 500H Firewall (Bundled) – 2x 2.5 GbE, 2x 2.5 GbE/PoE (802.3at, 30W total), and 8x GbE Ethernet ports + one year Gold Security License – $1099.99
- USG FLEX 700H Firewall – 2x 2.5 GbE, 2x 10 GbE/PoE (802.3at, 30W total), and 8x GbE Ethernet ports, and two 10GbE SFP+ ports – $1399.99
- USG FLEX 700H Firewall (Bundled) – 2x 2.5 GbE, 2x 10 GbE/PoE (802.3at, 30W total), and 8x GbE Ethernet ports, and two 10GbE SFP+ ports + one year Gold Security License – $1699.99
The overall design of its GUI feels user-friendly as long as you have an understanding of how everything works. It is littered with features while also keeping things where you’d expect to find them. It isn’t the fastest interface experience, but seems reasonable for the cost.
It is capable of keeping up with average small business traffic pretty easily with its ability to crunch through up to 3Gbps of traffic between all ports. Of course, between the internet and your network, you are limited to whatever connection speeds you have. But since most small businesses don’t have connections faster than gigabit, this is reasonable. The rest of that throughput is for everything else happening on the network between all of those devices.
Its VLAN capabilities are pretty strong, as are its VPN capabilities. Its threat indicator under the security section does a great job of summarizing everything into one place that is easy to consume. It also breaks down the top-accessed web applications (like YouTube, Google Docs, etc.). It even (of course) supports SNMP (V1/V2/V3) access so that it can be integrated with solutions like PRTG.
It also supports a daily email report that can be sent out to a number of admin email addresses. This report is user-configurable and covers various analytics such as resource usage, security analysis, and DHCP table information. The only thing it lacks is bandwidth usage of each port (which would have been nice).
Its Nebula integration takes things much further and benefits users the most when they invest in multiple Zyxel products, giving them an outside of the box view of the entire network and allowing for easy management of every point of the network (router, firewall, switches, etc.), including firmware updates,
We have found the firewall to be pretty rock solid when it comes to small business environments. It provides a long list of useful features in an easy-to-use interface that is built-in (no software required, as expected). This is especially true for those businesses looking to layer themselves with protection, including secure VPN support.
As mentioned, this is sufficient for companies with up to 50 users accessing the network throughout a building location. Depending on the features enabled, this number may drop, so maybe it would be best to say up to 25-50 people.
For those with larger networks and a higher number of those accessing it, or those with multi-gigabit networks, you’d want to look into some of the higher models in the series. For example, we have a multi-gigabit network running throughout the building spanning up to 10Gbps. So if we were shopping for a new firewall, we’d likely invest in one of the models with SFP+ support.
The price point seems reasonable for what the user is getting, both in this model and beyond. There are a lot of gears moving and a lot of layers of protection to take advantage of. The more you understand how network security works (encryption, VPNs, filters, etc.), the more you can take advantage of how everything works.
Also, the lack of bandwidth monitoring per port or device (total usage down/up within a given period of time) is unfortunate. It would be nice to see this information as an option both in the interface and in the email reports, since excessive bandwidth usage could be a warning sign of either a breach or users abusing their privileges. For example, say there is a sudden large usage of data (like 300GB) on a single day. It would be nice to track it down to the port or even the specific device it came from, as well as the date and time it occurred, based on a chart (filterable by 24 hours, 7 days, etc.).
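The per-port daily totals described above can be derived outside the firewall from periodically polled interface octet counters. The following is an added example, not Zyxel code or anything from the original review: it assumes the firewall's SNMP agent exposes the standard 64-bit IF-MIB counters (ifHCInOctets/ifHCOutOctets) per port, which the review does not confirm, and the port names, thresholds and sample data are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

GB = 10**9

def counter_delta(prev, cur):
    """Bytes between two readings of a 64-bit octet counter.
    A decrease means the counter was reset (e.g. a reboot): count bytes since reset."""
    return cur - prev if cur >= prev else cur

def daily_usage(samples):
    """(unix_ts, port, in_octets, out_octets) polls -> {(utc_day, port): bytes}."""
    last, usage = {}, defaultdict(int)
    for ts, port, rx, tx in sorted(samples):
        if port in last:
            pts, prx, ptx = last[port]
            # Attribute each polling interval to the UTC day in which it started.
            day = datetime.fromtimestamp(pts, tz=timezone.utc).strftime("%Y-%m-%d")
            usage[(day, port)] += counter_delta(prx, rx) + counter_delta(ptx, tx)
        last[port] = (ts, rx, tx)
    return dict(usage)

def flag_spikes(usage, factor=5, floor_bytes=50 * GB):
    """Days where a port moved >= floor_bytes and > factor x its median on other days."""
    flagged = []
    for (day, port), total in usage.items():
        others = [b for (d, p), b in usage.items() if p == port and d != day]
        if others and total >= floor_bytes and total > factor * median(others):
            flagged.append((day, port, total))
    return sorted(flagged)

def constructed_samples():
    """Constructed data: 6-hourly polls of two hypothetical ports over five days."""
    t0 = int(datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp())
    rows, totals = [], {"port2": [0, 0], "port3": [0, 0]}
    for i in range(21):  # 21 polls = 20 intervals = 5 full days
        for port, (rx, tx) in totals.items():
            rows.append((t0 + i * 6 * 3600, port, rx, tx))
        totals["port2"][0] += GB
        totals["port2"][1] += GB // 4
        totals["port3"][0] += 2 * GB
        # Day index 2 (2024-01-03): port3 uploads 75 GB per interval instead of 1 GB.
        totals["port3"][1] += 75 * GB if i // 4 == 2 else GB
    return rows

if __name__ == "__main__":
    for day, port, total in flag_spikes(daily_usage(constructed_samples())):
        print(f"{day} {port}: {total / GB:.0f} GB")
```

Shorter polling intervals narrow down the time of day a spike occurred, and mapping a flagged port to a device still requires the DHCP table or switch records.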
*Average price is based on the time this article was published