USG20-VPN 15 USG20-VPN/USG20W-VPN
VPN Firewall
The latest USG20-VPN/USG20(W)-VPN is equipped with one single cloud management platform while strengthening the robust VPN connections across the branch offices and chain stores with an easy-to-use, integrated security solution designed specifically for your needs. USG20(W)-VPN delivers the best-of-breed protection without the cost or complexity.
Benefits
Nebula Together
The USG20-VPN/USG20W-VPN is now part of the Nebula cloud management family with the same easy management interface and streamlined configuration & updates. The network functions and management services are pushed to the cloud and are optimized for managing distributed networks.
Flexible to adapt to On Premises or Nebula cloud
Manage all distributed networks from one single screen
Web Filtering protects you from undesirable content
Device Insight provides better visibility and control
Analytics report and enhanced insights
Datasheet USG20-VPN/USG20W-VPN
COMMUNITY BIZ FORUM
�Secure Retail/Branch Network
The USG20-VPN/USG20W-VPN provides comprehensive VPN connection types including IKEv2, SSL & IPsec VPN. All offer customers secured remote connections. IPsec VPN hardware engine for high-efficiency VPN tunnel. VPN load balance/failover with IKEv2 ensures strong VPN reliability and security for your business.
Centralized Provisioning from Nebula
With Zero-Touch deployment and simplified centralized management, installation and operation is no longer a hassle. After being registered to a network, the USG20-VPN/ USG20W-VPN will automatically be discovered when it's connected, then the preconfigured settings are automatically applied.
The USG20-VPN/USG20W-VPN is designed specifically for the needs of small business and branch locations, delivering enterprise-class security. Advanced networking and security features like Web Filtering, Security Profile Sync, and SecuReporter improves security by blocking access to malicious or risky websites, along with controlled access with integrated firewall policy for highly granular blocking and filtering, creating a unified security solution for both wired and wireless networks.
The USG20-VPN/USG20W-VPN helps customers to comply with regulations by offering log archiving service without the need for additional hardware and software installation.
All from One Place with Ease
From access points, switches, security gateways and firewalls, all Nebula devices are managed through the cloud using an intuitive interface that allows you to configure, manage, and troubleshoot all distributed networks from one single screen without the complexity of remote site access.
Comprehensive Content Filtering Service
USG20-VPN/USG20W-VPN delivers enhanced content filtering functionality and security through its powerful combination of both reputation and category-based filtering. The dynamic content categorization analyzes the content of a previously unknown website and domain, then determines if it belongs to an undesirable category including gambling, pornography, games, and many others. A newly added DNS content filter offers a better approach to inspect web access, particularly when the website is deploying ESNI (Encrypted Server Name Indication) where the traditional URL filtering is not applicable to the destination domain.
Datasheet USG20-VPN/USG20W-VPN
2
�Deep Insight Into All Your Devices
Device Insight gives you more visibility of your networks including wired, wireless, BYOD, and IoT devices. Enable it to identify devices with distinct security segments down to individual level. Device insights also detect vulnerabilities that are associated with those devices. It helps SMB(s) to reduce the number of human hours spent on investigation. Continuing with our goal of providing our customers with increased visibility, Zyxel SecuReporter gives your organization comprehensive endpoint inventory dashboard.
Analytics Report and Enhanced Insights
USG20-VPN/USG20W-VPN dashboard gives user-friendly traffic summary and threat visual statistics. Utilize SecuReporter for further threat analysis with correlation feature design, making it easy to proactively trackback network status to prevent the next threat event. Centralized visibility of network activities for you to easily manage multiple clients.
Simplified Management Procedure
Managing complex configuration settings can be confusing and time-consuming. Zyxel USG20-VPN/USG20W-VPN provides an "easy mode" setting in the GUI for entry-level and SOHO users. Easy mode provides an icon-based feature set and attractive dashboard to simplify management and monitoring of the device. Application and function settings also have integrated wizards for user-friendly setup. Zyxel USG20-VPN/USG20W-VPN easy mode helps entry-level users and SOHO users effortlessly take advantage of high-speed and secure networking.
Zyxel One Network Experience
Aiming for relieving our customers from repetitive operations of deploying and managing a network, Zyxel One Network is designed to simplify the configuration, management, and troubleshooting, allowing our customers to focus on the business priorities. Zyxel One Network presents an easy-to-use tool, Zyxel One Network Utility (ZON Utility), to realize speed network setup. Zyxel Smart Connect allows Zyxel networking equipment to be aware and recognize each other and further facilitating the network maintenance via one-click remote functions such as factory reset or power cycling. Zyxel One Network redefines the network integration across multiple networking products from switch to WiFi AP and to Gateway.
Datasheet USG20-VPN/USG20W-VPN
3
�Licenses
Licensed Pack
The USG20-VPN/USG20W-VPN provides an indispensable feature set to perfectly fit small business requirements as well as to gain essential security services needed to protect against cyberattacks. Nebula Control Center (NCC) offers multiple subscription options to meet customers' needs.
The Nebula Plus/Professional Pack gives you some peace of mind at more control over your network updates and visibility, or even the most advanced management of cloud networking.
On Premises Feature Included
Nebula Feature Included
Service / Component
On Premises
Content Filter Pack
Web Filtering
SecuReporter
Security Profile Sync
Network Premium
Nebula Professional Pack Nebula Professional Pack Service
Nebula Plus Pack
Nebula Plus Pack Service
*: Please contact your local customer service if you can't use your content filter license with Nebula.
On Cloud
Specifications
Model Product photo
USG20-VPN
USG20W-VPN
Hardware Specifications
10/100/1000 Mbps RJ-45 ports
USB ports
Console port
Rack-mountable
Fanless
System Capacity & Performance*1
SPI firewall throughput*2 (Mbps)
VPN throughput (Mbps)
VPN IMIX Throughput (Mbps)*3
Max. TCP concurrent sessions*5
Max. concurrent IPsec VPN tunnels*6
Recommended gateway-to-gateway IPsec VPN tunnels
Concurrent SSL VPN users
VLAN interface
Speed Test Performance
SPI firewall throughput*9 (Mbps)
Key Features
Security Service
Content Filtering*7 SecuReporter*7
2-Factor Authentication
Device Insight
Security Profile Synchronize (SPS)*7
4 x LAN/DMZ, 1 x WAN, 1 x SFP 1 Yes (RJ-45) N/A Yes
350 90 40 20,000 10 5
5 / 15 8
320
Yes Yes Yes Yes Yes
4 x LAN/DMZ, 1 x WAN, 1 x SFP 1 Yes (RJ-45) N/A Yes
350 90 40 20,000 10 5
5 / 15 8
320
Yes Yes Yes Yes Yes
Datasheet USG20-VPN/USG20W-VPN
4
�Model
USG20-VPN
Key Features
VPN Features VPN
IKEv2, IPSec, SSL, L2TP/IPSec
Microsoft Azure
Yes
Amazon VPC
Yes
Management & Nebula Cloud Mode
Yes
Connectivity Nebula Cloud Monitoring Mode Yes
Easy Mode
Yes
Concurrent devices logins*8 64
Power Requirements
Power input
12V DC, 2.0 A max.
Max. power consumption
12
(Watt Max.)
Heat dissipation (BTU/hr)
40.92
Physical Specifications
Item
dimensions (WxDxH) (mm/in.)
216 x 143 x 33 / 8.50 x 5.63 x 1.30
weight (kg/lb.)
0.88 / 1.94
Packing
dimensions (WxDxH) (mm/in.)
276 x 185 x 98 / 10.87 x 7.28 x 3.86
weight (kg/lb.)
1.41 / 3.11
Included accessories
· Power adapter · RJ-45 - RS-232 cable for
console connection
Environmental Specifications
Operating environment
Temperature Humidity
Storage environment
Temperature Humidity
MTBF (hr)
Certifications
EMC
Safety
0°C to 40°C / 32°F to 104°F 10% to 90% (non-condensing) - 30°C to 70°C / - 22°F to 158°F 10% to 90% (non-condensing) 655,130
FCC Part 15 (Class B), IC, CE EMC (Class B), RCM, BSMI BSMI, UL
USG20W-VPN
IKEv2, IPSec, SSL, L2TP/IPSec Yes Yes Yes Yes Yes 64
12V DC, 2.0 A max. 18
61.38
216 x 143 x 33 / 8.50 x 5.63 x 1.30 0.94 / 2.06 (Antenna included) 276 x 185 x 98 / 10.87 x 7.28 x 3.86 1.50 / 3.31 · Power adapter · RJ-45 - RS-232 cable for
console connection · Antenna
0°C to 40°C / 32°F to 104°F 10% to 90% (non-condensing) - 30°C to 70°C / - 22°F to 158°F 10% to 90% (non-condensing) 655,130
FCC Part 15 (Class B), IC, CE EMC (Class B), RCM, BSMI BSMI, UL
*: This matrix with firmware ZLD5.37 or later. *1: Actual performance may vary depending on system configuration,
network conditions, and activated applications. *2: Maximum throughput based on RFC 2544 (1,518-byte UDP packets). *3: VPN throughput measured based on RFC 2544 (1,424-byte UDP packets);
IMIX: UDP throughput based on a combination of 64 byte, 512 byte and 1424 byte packet sizes. *4: Anti-malware (with Express Mode) and IPS throughput measured using the industry standard HTTP performance test (1,460-byte HTTP packets) Testing done with multiple flows.
*5: Maximum sessions measured using the industry standard IXIA IxLoad testing tool
*6: Including Gateway-to-Gateway and Client-to-Gateway. *7: With Zyxel service license to enable or extend the feature capacity. *8: This is the recommend maximum number of concurrent logged-in
devices. *9: The Speedtest result is conducted with 1Gbps WAN link in real world and it
is subject to fluctuate due to quality of the ISP link.
Datasheet USG20-VPN/USG20W-VPN
5
�Wireless Specifications
Model Standard compliance Wireless frequency Radio SSID number Maximum transmit power (Max. total channel)
No. of antenna Antenna gain Data rate Frequency band
Receive sensitivity
USG20W-VPN
802.11 a/b/g/n/ac
2.4 GHz/5 GHz
1
4
US (FCC) 2.4 GHz: 25 dBm, 3 antennas
US (FCC) 5 GHz: 25 dBm, 3 antennas
EU (ETSI) 2.4 GHz: 20 dBm (EIRP), 3 antennas
EU (ETSI) 5 GHz: 20 dBm (EIRP), 3 antennas
3 detachable antennas
· 2 dBi @2.4 GHz · 3 dBi @5 GHz
· 802.11n: Up to 450 Mbps · 820.11ac: Up to 1300 Mbps
2.4 GHz (IEEE 802.11 b/g/n): · USA (FCC): 2.412 to 2.462 GHz · Europe (ETSI): 2.412 to 2.472 GHz · TWN (NCC): 2.412 to 2.462 GHz
5 GHz (IEEE 802.11 a/n/ac): · USA (FCC): 5.150 to 5.250 GHz; 5.250 to 5.350 GHz;
5.470 to 5.725 GHz; 5.725 to 5.850 GHz · Europe (ETSI): 5.15 to 5.35 GHz; 5.470 to 5.725 GHz · TWN (NCC): 5.15 to 5.25 GHz; 5.25 to 5.35 GHz;
5.470 to 5.725 GHz; 5.725 to 5.850 GHz
2.4 GHz: · 11 Mbps -87 dBm · 54 Mbps -77 dBm · HT20 -71 dBm · HT40 -68 dBm
5 GHz: · 54 Mbps -74 dBm · HT40, MCS23 -68 dBm · VHT40, MCS9 -62 dBm · HT20, MCS23 -71 dBm · VHT20, MCS8 -66 dBm · VHT80, MCS9 -59 dBm
Software Features
Security Service
Firewall · ICSA-certified corporate firewall · Routing and transparent (bridge)
modes · Stateful packet inspection · SIP NAT traversal · H.323 NAT traversal*1 · ALG support for customized ports · Protocol anomaly detection and
protection · Traffic anomaly detection and
protection · Flooding detection and protection · DoS/DDoS protection
Web Filtering · HTTPs domain filtering · SafeSearch support: Google,
YouTube, and Microsoft Bing*1 · Allow List websites enforcement · URL Block and Allow List with
keyword blocking · Customizable warning messages and
redirect URL
· Customizable Content Filtering block page
· URL categories increased to 111 · CTIRU (Counter-Terrorism Internet
Referral Unit) support · Support DNS base filtering (domain
filtering)
Geo Enforcer · Geo IP blocking · Geographical visibility on traffics
statistics and logs · IPv6 address support*2
Device Insight · Agentless Scanning for discovery and
classification of devicess · View all devices on the network,
including wired, wireless, BYOD, IoT, and SecuExtender (remote endpoint) on SecuReporter · Visibility of network devices (switches, wireless access points, firewalls) from Zyxel or 3rd party vendors
VPN
IPSec VPN · Encryption: DES, 3DES, AES (256-bit) · Authentication: MD5, SHA1, SHA2 (512-
bit) · Support Route-based VPN Tunnel
Interface (VTI) · Key management:
IKEv1 (x-auth, mode-config), IKEv2 (EAP, configuration payload) · Perfect forward secrecy (DH groups) support 1, 2, 5, 14, 15-18, 20-21 · IPSec NAT traversal (NAT-T) · Dead Peer Detection (DPD) and relay detection · PSK and PKI (X.509) certificate support · VPN concentrator · Route-based VPN Tunnel Interface (VTI) · VPN auto-reconnection · VPN high availability (Failover, LB) · L2TP over IPSec · GRE and GRE over IPSec
Datasheet USG20-VPN/USG20W-VPN
6
�· NAT over IPSec · SecuExtender Zero Trust VPN Client
provisioning · Support native Windows, iOS/macOS
and Android (StrongSwan) client provision*1 · Support 2FA Email/SMS*1 · Support 2FA Google Authenticator
SSL VPN · Supports Windows and macOS · Supports full tunnel mode · Supports 2-Factor authentication
Networking
Mobile Broadband*1 · WAN connection failover via 3G and
4G* USB modems · Auto fallback when primary WAN
recovers
IPv6 Support*1 · Dual stack · IPv4 tunneling (6rd and 6to4
transition tunnel) · IPv6 addressing · DNS, DHCPv6 server/client · Bridge · VLAN · PPPoE · Static/Policy route · Session control · Firewall and ADP · IPSec (IKEv2 6in6, 4in6, 6in4) · Content Filtering
Connection · Routing mode · Bridge mode and hybrid mode*1 · Ethernet and PPPoE · NAT and PAT · NAT Virtual Server Load Balancing · VLAN tagging (802.1Q) · Virtual interface (alias interface) · Policy-based routing (user-aware)*1 · Policy-based NAT (SNAT) · Dynamic routing (RIPv1/v2 and OSPF,
BGP)*1 · DHCP client/server/relay · Dynamic DNS support · WAN trunk for more than 2 ports · Per host session limit · Guaranteed bandwidth · Maximum bandwidth · Priority-bandwidth utilization · Bandwidth limit per user · Bandwidth limit per IP · GRE*1 · BGP
Management
Nebula Cloud Mode · Unlimited Registration & Central
Management (Configuration, Monitoring, Dashboard, Location Map & Floor Plan Visual) of Nebula Devices · Zero Touch Auto-Deployment of Hardware/Configuration from Cloud · Over-the-air Firmware Management · Central Device and Client Monitoring (Log and Statistics Information) and Reporting · Security Profile Sync
Nebula Cloud Monitoring Mode · Monitor device on/off status · Firmware upgrade operation · Manage firewall licenses · Access remote GUI (requires Nebula
Pro Pack) · Backup and restore firewall
configurations (requires Nebula Pro Pack)
Authentication · Local user database · Cloud user database*2 · Built-in user database · External user database: Microsoft
Windows Active Directory, RADIUS, LDAP · IEEE 802.1x authentication · Captive portal Web authentication · XAUTH, IKEv2 with EAP VPN authentication · Web-based authentication · Forced user authentication (transparent authentication) · IP-MAC address binding · SSO (Single Sign-On) support*1 · Supports 2-factor authentication Google Authenticator SMS/Email
System Management · Role-based administration · Multiple administrator logins · Supports Cloud Helper · Multi-lingual Web GUI (HTTPS and
HTTP) · Command line interface (console,
Web console, SSH and telnet)*1 · SNMP v1, v2c, v3 · System configuration rollback*1 · Configuration auto backup*1 · Firmware upgrade via FTP, FTP-TLS,
and web GUI*1 · Dual firmware images · Cloud CNM SecuManager*1
Logging/Monitoring · Comprehensive local logging · Syslog (send to up to 4 servers) · Email alerts (send to up to 2 servers) · Real-time traffic monitoring · System status monitoring · Built-in daily report · Cloud CNM SecuReporter
Zyxel One Network · ZON Utility
IP configuration Web GUI access Firmware upgrade Password configuration · Smart Connect Location and System Name
update Discover neighboring devices One-click remote management
access to the neighboring Zyxel devices
Subscription Services · Content Filter Pack
Web Filtering SecuReporter Security Profile Sync · Nebula Professional Pack · Nebula Plus Pack
*: For specific models supporting the 3G and 4G dongles on the list, please refer to the Zyxel product page at 3G dongle document
*1: Only supported in On Premises Mode *2: Only supported in Nebula Cloud Mode
Datasheet USG20-VPN/USG20W-VPN
7
�Accessories
Transceivers (Optional)
Model SFP10G-SR*
SFP10G-LR*
SFP-1000T
Speed 10-Gigabit SFP+ 10-Gigabit SFP+ Gigabit
SFP-LX-10-D
Gigabit
SFP-SX-D
Gigabit
SFP-BX1310-10-D*1 Gigabit
SFP-BX1490-10-D*1 Gigabit
Connector Duplex LC Duplex LC RJ-45 Single LC Single LC Single LC Single LC
Wavelength 850 nm
1310 nm
-
1310 nm
850 nm
1310 nm(TX) 1490 nm(RX) 1490 nm(TX) 1310 nm(RX)
Max. Distance 300 m/ 328 yd 10 km/ 10936 yd 100 m/ 109 yd 10 km/ 10936 yd 500 m/ 601 yd 10 km/ 10936 yd 10 km/ 10936 yd
*:only USG2200 series supports 10-Gigabit SFP+ *1: SFP-BX1310-10-D & SFP-BX1490-10-D, SFP-BX1310-E & SFP-BX1550-E must be used in pairs.
Optical Fiber Type DDMI
Multi Mode
Yes
Single Mode
Yes
Multi Mode
-
Single Mode
Yes
Multi Mode
Yes
Single Mode
Yes
Single Mode
Yes
For more product information, visit us on the web at www.zyxel.com
Copyright © 2023 Zyxel and/or its affiliates. All rights reserved. All specifications are subject to change without notice.
Datasheet USG20-VPN/USG20W-VPN
19/06/23
�
Adobe PDF Library 17.0 Adobe InDesign 18.3 (Windows)