USG FLEX H Firewall
USG FLEX 50H/100H/200H/500H/700H
Overview
The Zyxel USG FLEX H series delivers groundbreaking high performance with powerful multi-gigabit and PoE+ interfaces, preparing businesses for the multi-gig era. Empowered by Zyxel AI cloud, the USG FLEX H series provides best-in-breed multi-layered protection for corporate premises, ensuring seamless safety against mounting cyber threats. With enhanced SecuExtender, extending the same security to remote networks is simplified, allowing small to mid-sized businesses to enjoy enterprise-grade security at high speeds.
Key Benefits
- Ultra High Performance: Features next-generation multi-core hardware and Fastpath technology for minimized packet processing, reduced latency, and accelerated traffic flows. Optimized processor utilization boosts performance for high-speed networks.
- Cloud & On-Prem Security Integrated with Smart Sync: Nebula synchronizes cloud and on-premise configurations, enabling unified security policies and real-time threat monitoring from anywhere.
- Firewall/VPN/UTM Ultra High Performance: Delivers robust security throughput for demanding network environments.
- User-Definable Multi-Gig WAN/LAN Ports up to 10Gbps: Offers flexible port configuration to suit diverse network needs.
- High Assurance Multi-Layered Protection: Provides comprehensive security against a wide range of threats.
- Visualizing Network Security with AI SecuPilot: Offers detailed traffic analysis, threat detection, and activity monitoring for enhanced visibility.
- SD-WAN & Traffic Control Capabilities: Optimizes WAN and application usage for improved network efficiency and reliability.
- Centralized VPN Provision with Nebula: Simplifies the deployment and management of VPN infrastructure.
Key Features
Port Flexibility, Multi-G and PoE+: Offers 2.5GbE and 10GbE port speed options with software-defined ports configurable as WAN or LAN. Includes 2 PoE+ integrated ports with a 30W power budget for simplified device power delivery.
AI-Powered Cloud Cybersecurity: Leverages AI cloud intelligence for multi-layered protection, defending against external and internal threats with services like cloud sandboxing, anti-malware, intrusion prevention, DNS/IP/URL filtering, and application patrol. Web filtering and geo-IP filtering enhance policy enforcement.
Fast and Powerful uOS: Introduces a new operating system designed for increased security, minimized response time, instant configuration changes, and optimized management with an intuitive UX design.
Cloud & On-Prem in Sync: Nebula revolutionizes network management with Smart Sync, enabling seamless cloud-based configuration of on-premise firewalls, unified security policies, real-time threat monitoring, and optimized performance from anywhere.
Visualizing Network Security with AI SecuPilot: SecuReporter provides comprehensive network security visualization, detailed traffic analysis, threat detection, and activity monitoring. It offers customizable reports, alerts, and dashboards for risk identification and incident tracking. Enhanced with AI SecuPilot, it delivers AI-powered insights and natural language queries in over 40 languages, simplifying threat investigation and accelerating response.
SD-WAN & Traffic Control: The USG FLEX H Firewall optimizes WAN and application usage for network efficiency. It supports load balancing and active-backup WAN links, automatically switching to stable links. Critical applications can be prioritized, and bandwidth for non-essential traffic can be limited. Reserved bandwidth ensures smooth delivery of time-sensitive services.
Centralized VPN Provision with Nebula: Nebula VPN Orchestrator simplifies deployment and management of SD-VPN, Auto-link VPN, and Manual IPSec VPN, and Remote Access VPN. It enables seamless integration across multiple sites, reduces setup complexity, and supports scalable topologies like Hub-and-Spoke or Mesh. It provides full visibility and control over VPN infrastructure via an intuitive cloud-based interface.
License Options
The USG FLEX H series provides essential security services. Nebula Control Center (NCC) offers subscription options, including Nebula Plus/Professional Packs for enhanced control and management.
License Service
| Service | Gold Security Pack (Included with Gold Bundle H/W) | Entry Defense Pack (Included with Entry Bundle H/W) |
|---|---|---|
| Sandboxing | Yes | - |
| Reputation Filter | Yes | Yes |
| Web Filtering | Yes | - |
| Anti-Malware | Yes | - |
| IPS | Yes | - |
| Application Patrol | Yes | - |
| Device Insight | Yes | - |
| SecuReporter | Yes | Yes |
| Nebula Pro Pack | Yes | Priority Support Only* |
| Secure WiFi*¹ | Yes | - |
| Security Profile Sync | Yes | - |
* Priority Support is available for customers with a Pro Pack organization or those using USG FLEX H series firewalls with Gold Security Pack or Entry Defense Pack licenses.
*¹ The tunnel mode and Remote AP will be available in Q3, 2026.
A la carte Licenses
- Nebula Pro Pack: Offers advanced functionality, diagnostic tools, and AI capabilities for larger, complex deployments.
- Nebula Plus Pack: Expands Base Pack functionality for simplified day-to-day operations.
- Secure WiFi: Enables secure extension of the office experience through tunneling and 2FA, managing over 8 access points.
* The tunnel mode and Remote AP will be available in Q3, 2026.
Specifications
Hardware Specifications
| Model | USG FLEX 50H/HP | USG FLEX 100H/HP | USG FLEX 200H/HP | USG FLEX 500H | USG FLEX 700H |
|---|---|---|---|---|---|
| Network Interfaces | 100M/1G Ethernet (RJ-45) 100M/1G/2.5G Ethernet (RJ-45) | 100M/1G Ethernet (RJ-45) 100M/1G/2.5G Ethernet (RJ-45) | 100M/1G Ethernet (RJ-45) 100M/1G/2.5G Ethernet (RJ-45) 1G/2.5G/5G/10G Ethernet (RJ-45) | 100M/1G Ethernet (RJ-45) 100M/1G/2.5G Ethernet (RJ-45) 1G/2.5G/5G/10G Ethernet (RJ-45) | 100M/1G Ethernet (RJ-45) 100M/1G/2.5G Ethernet (RJ-45) 1G/2.5G/5G/10G Ethernet (RJ-45) |
| 1G SFP/10G SFP+ | - | - | 1G SFP/10G SFP+ | 1G SFP/10G SFP+ | 1G SFP/10G SFP+ |
| IEEE 802.3at (PoE+) Port | Port 5 (50HP only) | Port 8 (100HP only) | Port 2 (2.5G, 200HP only) | Port 3, 4 (2.5G) | Port 3, 4 (10G) |
| Total PoE budget (watts) | 30 | 30 | 30 | 30 | 30 |
| USB 3.0 Type-A | 1 | 1 | 1 | 1 | 1 |
| Console port | Yes (RJ-45) | Yes (RJ-45) | Yes (RJ-45) | Yes (RJ-45) | Yes (RJ-45) |
| Rack-mountable | Yes | Yes | Yes | Yes | Yes |
| Fanless | Yes | Yes | Yes | Yes | Yes |
System Capacity & Performance
| Metric | USG FLEX 50H/HP | USG FLEX 100H/HP | USG FLEX 200H/HP | USG FLEX 500H | USG FLEX 700H |
|---|---|---|---|---|---|
| SPI firewall throughput (Mbps) | 2,000 | 4,000 | 6,500 | 10,000 | 15,000 |
| VPN throughput (Mbps) | 500 | 900 | 1,200 | 2,000 | 3,000 |
| IPS throughput (Mbps) | 1,000 | 1,500 | 2,500 | 4,500 | 7,000 |
| Anti-Malware throughput (Mbps) | 600 | 1,000 | 1,800 | 3,000 | 4,000 |
| UTM throughput (Anti-Malware and IPS) | 600 | 1,000 | 1,800 | 3,000 | 4,000 |
| Max. TCP concurrent sessions | 100,000 | 300,000 | 600,000 | 1,000,000 | 2,000,000 |
| Max. concurrent IPSec VPN tunnels | 20 | 50 | 100 | 300 | 1,000 |
| Recommended gateway-to-gateway IPSec VPN tunnels | 5 | 20 | 50 | 150 | 300 |
| Concurrent SSL VPN users | 15 | 25 | 50 | 150 | 500 |
| VLAN interface | 8 | 16 | 32 | 8 | 8 |
Speedtest Performance
| Metric | USG FLEX 50H/HP | USG FLEX 100H/HP | USG FLEX 200H/HP | USG FLEX 500H | USG FLEX 700H |
|---|---|---|---|---|---|
| SPI firewall throughput (Mbps) | 926.76 | 931.61 | 929.97 | 938.1 | 921.64 |
Key Features - Security Service
| Feature | USG FLEX 50H/HP | USG FLEX 100H/HP | USG FLEX 200H/HP | USG FLEX 500H | USG FLEX 700H |
|---|---|---|---|---|---|
| Anti-Malware | Yes | Yes | Yes | Yes | Yes |
| IPS | Yes | Yes | Yes | Yes | Yes |
| Application Patrol | Yes | Yes | Yes | Yes | Yes |
| Web Filtering | Yes | Yes | Yes | Yes | Yes |
| Reputation Filter | Yes | Yes | Yes | Yes | Yes |
| SecuReporter | Yes | Yes | Yes | Yes | Yes |
| Sandboxing | Yes | Yes | Yes | Yes | Yes |
| Security Profile Sync | Yes | Yes | Yes | Yes | Yes |
| Device Insight | Yes | Yes | Yes | Yes | Yes |
| SSL (HTTPS) Inspection | Yes | Yes | Yes | Yes | Yes |
| Two-Factor Authentication | Yes | Yes | Yes | Yes | Yes |
Key Features - SD-WAN & VPN
| Feature | USG FLEX 50H/HP | USG FLEX 100H/HP | USG FLEX 200H/HP | USG FLEX 500H | USG FLEX 700H |
|---|---|---|---|---|---|
| WAN load balancing | Yes | Yes | Yes | Yes | Yes |
| Prioritize critical applications | Yes | Yes | Yes | Yes | Yes |
| VPN Protocol | IKEv2/IPSec, SSL, Tailscale*⁹ | IKEv2/IPSec, SSL, Tailscale*⁹ | IKEv2/IPSec, SSL, Tailscale*⁹ | IKEv2/IPSec, SSL, Tailscale*⁹ | IKEv2/IPSec, SSL, Tailscale*⁹ |
| Nebula SD-VPN | Yes | Yes | Yes | Yes | Yes |
| Auto-link VPN | Yes | Yes | Yes | Yes | Yes |
| Manual-link VPN | Yes | Yes | Yes | Yes | Yes |
| VPN Topology | Yes | Yes | Yes | Yes | Yes |
Key Features - WLAN Management
| Feature | USG FLEX 50H/HP | USG FLEX 100H/HP | USG FLEX 200H/HP | USG FLEX 500H | USG FLEX 700H |
|---|---|---|---|---|---|
| Default Number of Managed AP | 8 | 8 | 8 | 8 | 8 |
| Secure WiFi*⁸ | Yes | Yes | Yes | Yes | Yes |
| Maximum Number of Tunnel-Mode AP*¹⁰ | 3 | 6 | 10 | 18 | 130 |
| Maximum Number of Managed AP | 12 | 24 | 40 | 72 | 520 |
| Recommend max. AP in 1 AP Group | - | - | - | 60 | 200 |
Environmental Specifications
| Parameter | USG FLEX 50H/HP | USG FLEX 100H/HP | USG FLEX 200H/HP | USG FLEX 500H | USG FLEX 700H |
|---|---|---|---|---|---|
| Operating Temperature | 0°C to 40°C/32°F to 104°F | 0°C to 40°C/32°F to 104°F | 0°C to 40°C/32°F to 104°F | 0°C to 40°C/32°F to 104°F | 0°C to 40°C/32°F to 104°F |
| Operating Humidity | 10% to 90% (non-condensing) | 10% to 90% (non-condensing) | 10% to 90% (non-condensing) | 10% to 90% (non-condensing) | 10% to 90% (non-condensing) |
| Storage Temperature | -30°C to 70°C/-22°F to 158°F | -30°C to 70°C/-22°F to 158°F | -30°C to 70°C/-22°F to 158°F | -30°C to 70°C/-22°F to 158°F | -30°C to 70°C/-22°F to 158°F |
| Storage Humidity | 10% to 90% (non-condensing) | 10% to 90% (non-condensing) | 10% to 90% (non-condensing) | 10% to 90% (non-condensing) | 10% to 90% (non-condensing) |
| MTBF (hr) | 50H: 40°C/596100.85308 hr 25°C/945046.81927 hr 50HP: 40°C/402515.716 hr 25°C/665839.12962 hr | 100H: 40°C/353878.1057 hr 25°C/602150.9604 hr 100HP: 40°C/289845.2327 hr 25°C/518347.4294 hr | 200H: 40°C/306768.409 hr 25°C/528037.0106 hr 200HP: 40°C/227747.9662 hr 25°C/392638.3847 hr | 40°C/346653.298 hr 25°C/491775.8384 hr | 40°C/431877.9743 hr 25°C/669031.2966 hr |
Certifications
| Category | Details |
|---|---|
| EMC | FCC Part 15 (Class A), CE EMC (Class A), RCM (Class A), BSMI |
| Safety | LVD (EN62368-1), BSMI |
Software Features
Security Service
- Firewall: Routing/transparent modes, Stateful packet inspection, Source IP Spoofing Prevention, FTP/SIP ALG, DoS Prevention, Per-host session limit, External IP Block List, Flooding detection.
- Security Policy: Unified policy management, Content Filtering, Application Patrol, Firewall (ACL), SSL inspection, Policy criteria (source/destination IP, user group, time, zone, user).
- Intrusion Prevention System (IPS): Streamed-based engine, Signature-based scanning, Intrusion detection/prevention, Allow list, Exploit-based/vulnerability-based protection, Web attack support (XSS, SQL injection), Automatic signature updates.
- Application Patrol: Smart single-pass scanning, Identifies/controls thousands of applications, Up to 25 application categories, Granular control, Real-time statistics, DoH (DNS over HTTPS) control.
- Anti-Malware: High performance query-based scan engine (Express Mode), Over 30 billion known malicious file identifiers, Wild range file type examination, HTTP/SMTP/POP3/FTP scan support.
- Sandboxing: Cloud-based multi-engine inspection, HTTP/SMTP/POP3/FTP scan, Wild range file type examination, Real-time threat synchronization.
- IP Reputation Filter: IP-based reputation filter, 9 Cyber Threat Categories, Inbound/Outbound traffic filtering, Block/Allow List support.
- DNS Threat Filter: Blocks access to malicious domains, Block/Allow List support, DoH/DoT monitoring/blocking.
- URL Threat Filter: Botnet C&C websites blocking, Malicious URL blocking, Block/Allow List support.
- External Block List: Imports malicious IP/URL from external sources, Works with IP Reputation and URL Threat Filter.
- Web Filtering: HTTPs domain filtering, DNS domain filtering, Allow List websites enforcement, Customizable warnings/redirects, Increased URL categories (111), CTIRU support, Block/Allow List support.
- SSL Inspection: Deep packet inspection for TLS, TLS 1.3 support, Untrusted certificate blocking, Works with IPS/Anti-Malware/Sandboxing/Application Patrol/Web Filtering.
- Device Insight: Agentless scanning for device discovery/classification, Views all network devices (wired, wireless, BYOD, IoT, SecuExtender) on SecuReporter.
- Geo Enforcer: Geo IP blocking, Geographical visibility on logs.
- IP Exception: Granular control for target source/destination IP, Supports security service scan bypass for IPS, Anti-Malware, URL Threat Filter.
VPN
- IPSec VPN: Route-based/Policy-based Site-to-Site, Client remote access (IKEv2 MS-CHAPv2), IKEv2 (EAP, configuration payload), Encryption (DES, 3DES, AES), Authentication (MD5, SHA1, SHA2), Perfect forward secrecy, PSK/PKI authentication, IPSec NAT traversal (NAT-T), Dead Peer Detection (DPD), NAT over IPSec, SecuExtender VPN client provision, Support for Windows, iOS/macOS, Android clients, 2FA support (Google Authenticator/Microsoft Authenticator).
- SSL VPN: Client remote access, Full/Split tunnel mode, SecuExtender VPN client provision, 2FA support (Google Authenticator/Microsoft Authenticator).
- Tailscale VPN: Mesh-capable, Supports native identity providers (Google, Microsoft Entra ID, Apple ID), Supports Windows, Linux, Android, iOS agents.
Networking, Management, and Connectivity
Networking
- Connection: Routing/Transparent mode, Ethernet and PPPoE, NAT and PAT, VLAN tagging (802.1Q), Static route, Policy-based routing (user-aware), Policy-based NAT (SNAT), DHCP client/server/relay, Dynamic DNS support, Multi-WAN load balancing/failover, Bandwidth Management, Link Aggregation support (LAG).
WLAN Management
- Supports AP Controller (APC), WPA3 support on 802.11ax AP, WPA2 Enterprise (802.1x), 802.11r/k/v support, Auto AP firmware update, Dynamic Channel Selection (DCS), Band steering, Wireless L2 Isolation, CAPWAP discovery method, Multiple SSID with VLAN, Supports Smart Mesh.
Management
- Nebula Centralized Management: Centralized device, client, and application usage monitoring (logs and statistics), Pre-configure settings in Nebula, Cloud & on-prem security integrated with smart sync, Security Profile Sync, Nebula SD-VPN, Auto-link VPN, Manual-link VPN, VPN Topology, Monitor device on/off status, Keep event log up to 1 year, Firmware upgrade operation, Remote SSH access, Backup and restore firewall configurations (requires Nebula Pro Pack).
SD-WAN
- Orchestration of secure connections across multiple locations, Mesh or hub-and-spoke topology, Prioritizing mission-critical applications, High availability and failover.
Authentication
- Local user database, External user database, IKEv2 with EAP-MSCHAPv2 VPN authentication, Supports 2FA authentication (Google Authenticator, Microsoft Authenticator), 802.1x Authentication, Captive Portal Web Authentication.
System Management
- Multi-lingual Web GUI (HTTPS and HTTP), Command line interface (console, SSH), SNMP v1, v2c, v3, System configuration rollback, Configuration auto backup, Recovery Manager (one-click full backup of configuration, certificates), Firmware upgrade via FTP, FTP-TLS, Firmware upgrade via Web GUI, New firmware notifications and auto upgrade, Dual firmware images.
Logging and Monitoring
- Comprehensive local logging, Syslog (to up to 4 servers), Event Notification and Email alerts, Real-time traffic monitoring, Built-in daily report, SecuReporter supported.
External Integration
- Avast SMB: Online management platform, Endpoint Protection, Ransomware & Data Protection, Phishing Protection, Web Control, Personal VPN, USB Protection, Patch Management.
Compatibility & Accessories
Managed AP Service
| Model | Managed APs (Default/Max) | Supported Managed APs |
|---|---|---|
| USG FLEX 50H/HP | 8/12 | WAX640S-6E, WBE660S |
| USG FLEX 100H/HP | 8/24 | WAX630S, WBE630S, WAX620D-6E, WBE530, WAX610D, WBE510D |
| USG FLEX 200H/HP | 8/40 | WAX610D, WBE510D |
| USG FLEX 500H | 8/72 | WAX510D, WAX655E, WAX300H, WAX650S, WAC500H |
| USG FLEX 700H | 8/520 | WAX300H, WAX650S, WAC500H |
IPSec and SSL VPN Client
| Item | Description | Supported OS |
|---|---|---|
| SecuExtender Zero Trust IPSec and SSL VPN Client* | SecuExtender supports popular VPN protocols including IKEv2/EAP, SSL VPN. Building secure tunnels with industry-leading strong cipher, SecuExtender guarantees confidentiality and data integrity. | Windows 10 64-bit, macOS 10.15 or above |
* One subscription license to activate IPSec or SSL VPN from selected OS Windows/macOS.
Transceivers (Optional)
| Model | Speed* | Connector | Wavelength (nm) | Max. Distance (km/yd) | DDMI | Optical Fiber Type |
|---|---|---|---|---|---|---|
| SFP10G-T*¹ | 10-Gigabit SFP+ | RJ-45 | - | 0.03/32.8 | - | - |
| SFP10G-SR*² | 10-Gigabit SFP+ | Duplex LC | 850 | 0.3/328 | Yes | Multi mode |
| SFP10G-SR-E*² | 10-Gigabit SFP+ | Duplex LC | 850 | 0.3/328 | Yes | Multi mode |
| SFP10G-LR*² | 10-Gigabit SFP+ | Duplex LC | 1310 | 10/10936 | Yes | Single mode |
| SFP10G-LR-E*² | 10-Gigabit SFP+ | Duplex LC | 1310 | 10/10936 | Yes | Single mode |
| SFP-1000T | Gigabit | RJ-45 | - | 0.1/109 | - | - |
| SFP-SX-D*² | Gigabit | Duplex LC | 850 | 0.55/601 | Yes | Multi mode |
| SFP-SX-E*² | Gigabit | Duplex LC | 850 | 0.55/601 | Yes | Multi mode |
| SFP-LX-10-D*² | Gigabit | Duplex LC | 1310 | 10/10936 | Yes | Single mode |
| SFP-LX-10-E*² | Gigabit | Duplex LC | 1310 | 10/10936 | Yes | Single mode |
* Only USG FLEX 700H supports 10-Gigabit SFP+. Direct Attach Copper (DAC) cables are not supported. For optimal performance, use compatible SFP+ optical modules.
*¹ Works with Cat6a/7 Cable up to 30 m. Switch fan speed may increase to dissipate heat generated by 10G BASE-T transceiver. The maximum number of 10G copper transceivers a switch can support depends on its thermal design.
*² Only connections with patch cords with PC or UPC connectors are supported.
