USG20-VPN/USG20W-VPN VPN Firewall

Overview

The Zyxel USG20-VPN and USG20W-VPN are VPN firewalls equipped with a single cloud management platform, designed to strengthen VPN connections across branch offices and chain stores. They offer an easy-to-use, integrated security solution, delivering best-of-breed protection without complexity.

Benefits

Nebula Together: Part of the Nebula cloud management family, offering an easy interface, streamlined configuration, and optimized management for distributed networks. ☁️
Flexible Adaptation: Adaptable to On Premises or Nebula cloud environments. ?/☁️
Centralized Management: Manage all distributed networks from one single screen. ?️
Web Filtering: Protects users from undesirable content. ?️
Device Insight: Provides enhanced visibility and control over network devices. ?️
Analytics Report: Offers enhanced insights into network activity. ?

Key Features & Capabilities

Secure Retail/Branch Network

Provides comprehensive VPN connection types including IKEv2, SSL, and IPsec VPN for secured remote connections. Features an IPsec VPN hardware engine for high-efficiency tunnels and VPN load balance/failover with IKEv2 for strong reliability and security. Designed for small businesses and branch locations, offering enterprise-class security with advanced networking and security features like Web Filtering, Security Profile Sync, and SecuReporter to block malicious websites and enforce granular firewall policies for unified wired and wireless network security.

Centralized Provisioning from Nebula

Enables Zero-Touch deployment and simplified centralized management. Once registered to a network, the USG20-VPN/USG20W-VPN is automatically discovered and preconfigured. Offers a log archiving service to help customers comply with regulations, without requiring additional hardware or software installation.

All from One Place with Ease

All Nebula devices, including access points, switches, security gateways, and firewalls, are managed through the cloud via an intuitive interface. This allows for configuration, management, and troubleshooting of distributed networks from a single screen, eliminating the complexity of remote site access.

Comprehensive Content Filtering Service

Delivers enhanced content filtering and security through a powerful combination of reputation and category-based filtering. Dynamic content categorization analyzes unknown websites and domains to identify undesirable categories like gambling, pornography, and games. A DNS content filter provides an improved approach to inspect web access, especially for sites using ESNI (Encrypted Server Name Indication).

Deep Insight Into All Your Devices

Device Insight offers enhanced visibility into networks, including wired, wireless, BYOD, and IoT devices, identifying distinct security segments and vulnerabilities. This helps SMBs reduce investigation time. Zyxel SecuReporter provides a comprehensive endpoint inventory dashboard.

Diagram Description: A network diagram illustrating various device types such as PC, BYOD, IoT, Switch, Firewall, Access Point, Servers, Data and Storage, and Applications, all connected to Destinations, managed centrally.

Analytics Report and Enhanced Insights

The USG20-VPN/USG20W-VPN dashboard provides user-friendly traffic summaries and threat visual statistics. SecuReporter facilitates threat analysis with a correlation feature, enabling proactive tracking of network status and prevention of threats. It offers centralized visibility of network activities for managing multiple clients.

Diagram Description: A screenshot of the SecuReporter dashboard, showcasing a map with threat origins and targets, security indicator statistics (Anti-Spam, Anti-Virus, Content Filter), top attack origins, top attack targets, traffic usage, top application usage, top attack types, top destination countries, and top destination ports, along with IP addresses of attackers and targets.

Simplified Management Procedure

For entry-level and SOHO users, an "easy mode" setting is available in the GUI. This mode features an icon-based interface and an attractive dashboard for simplified management and monitoring. Integrated wizards assist with application and function settings, enabling users to easily leverage high-speed and secure networking.

Zyxel One Network Experience

Designed to simplify network deployment and management, Zyxel One Network allows customers to focus on business priorities. It includes the Zyxel One Network Utility (ZON Utility) for rapid network setup and Zyxel Smart Connect for device awareness and one-click remote maintenance functions like factory reset or power cycling. Zyxel One Network integrates various networking products, from switches to WiFi APs and gateways.

Image Description: The Zyxel One Network logo, emphasizing "Redefining network integration."

Licenses

The USG20-VPN/USG20W-VPN offers an indispensable feature set for small business requirements and essential security services to protect against cyberattacks. The Nebula Control Center (NCC) provides multiple subscription options. Nebula Plus/Professional Packs offer enhanced control over network updates, visibility, and advanced cloud management.

Feature Inclusion Table:

Service / Component	On Premises Feature Included	Nebula Feature Included
Content Filter Pack (Web Filtering, SecuReporter, Security Profile Sync, Network Premium)	●	●
Nebula Professional Pack Service	●	●
Nebula Plus Pack Service	●	●

Note: Please contact local customer service if you cannot use your content filter license with Nebula.

Specifications

Hardware Specifications

Product Photo Description: Two distinct firewall units are shown. The USG20-VPN is a compact, black rectangular device. The USG20W-VPN is similar but slightly larger, featuring three external antennas at the top.

	USG20-VPN	USG20W-VPN
10/100/1000 Mbps RJ-45 ports	4 x LAN/DMZ, 1 x WAN, 1 x SFP	4 x LAN/DMZ, 1 x WAN, 1 x SFP
USB ports	1	1
Console port	Yes (RJ-45)	Yes (RJ-45)
Rack-mountable	N/A	N/A
Fanless	Yes	Yes

System Capacity & Performance

	USG20-VPN	USG20W-VPN
SPI firewall throughput*2 (Mbps)	350	350
VPN throughput (Mbps)	90	90
VPN IMIX Throughput (Mbps)*3	40	40
Max. TCP concurrent sessions*5	20,000	20,000
Max. concurrent IPsec VPN tunnels*6	10	10
Recommended gateway-to-gateway IPsec VPN tunnels	5	5
Concurrent SSL VPN users	15	15
VLAN interface	8	8

Speed Test Performance

	USG20-VPN	USG20W-VPN
SPI firewall throughput*9 (Mbps)	320	320

Key Features

Category	Service	USG20-VPN	USG20W-VPN
Security Service	Content Filtering*7	Yes	Yes
	SecuReporter*7	Yes	Yes
	2-Factor Authentication	Yes	Yes
	Device Insight	Yes	Yes
	Security Profile Synchronize (SPS)*7	Yes	Yes

VPN Features

	USG20-VPN	USG20W-VPN
VPN Features	IKEv2, IPSec, SSL, L2TP/IPSec	IKEv2, IPSec, SSL, L2TP/IPSec
Microsoft Azure	Yes	Yes
Amazon VPC	Yes	Yes

Management & Connectivity

	USG20-VPN	USG20W-VPN
Nebula Cloud Mode	Yes	Yes
Nebula Cloud Monitoring Mode	Yes	Yes
Easy Mode	Yes	Yes
Concurrent devices logins*8	64	64

Power Requirements

	USG20-VPN	USG20W-VPN
Power input	12V DC, 2.0 A max.	12V DC, 2.0 A max.
Max. power consumption (Watt Max.)	12	18
Heat dissipation (BTU/hr)	40.92	61.38

Physical Specifications

	USG20-VPN	USG20W-VPN
Item dimensions (WxDxH) (mm/in.)	216 x 143 x 33 / 8.50 x 5.63 x 1.30	216 x 143 x 33 / 8.50 x 5.63 x 1.30
weight (kg/lb.)	0.88 / 1.94	0.94 / 2.06 (Antenna included)
Packing dimensions (WxDxH) (mm/in.)	276 x 185 x 98 / 10.87 x 7.28 x 3.86	276 x 185 x 98 / 10.87 x 7.28 x 3.86
weight (kg/lb.)	1.41 / 3.11	1.50 / 3.31
Included accessories	• Power adapter ? • RJ-45 - RS-232 cable for console connection	• Power adapter ? • RJ-45 - RS-232 cable for console connection • Antenna ?

Environmental Specifications

	USG20-VPN	USG20W-VPN
Operating environment	Temperature: 0°C to 40°C / 32°F to 104°F	Temperature: 0°C to 40°C / 32°F to 104°F
Operating environment	Humidity: 10% to 90% (non-condensing)	Humidity: 10% to 90% (non-condensing)
Storage environment	Temperature: -30°C to 70°C / -22°F to 158°F	Temperature: -30°C to 70°C / -22°F to 158°F
Storage environment	Humidity: 10% to 90% (non-condensing)	Humidity: 10% to 90% (non-condensing)
MTBF (hr)	655,130	655,130

Certifications

Category	USG20-VPN	USG20W-VPN
EMC	FCC Part 15 (Class B), IC, CE EMC (Class B), RCM, BSMI	FCC Part 15 (Class B), IC, CE EMC (Class B), RCM, BSMI
Safety	BSMI, UL	BSMI, UL

Notes: Performance metrics may vary based on system configuration, network conditions, and activated applications. Throughput tests are based on industry standards like RFC 2544. Specific details on testing methodologies and limitations are provided in the original document footnotes.

Wireless Specifications (USG20W-VPN)

Specification	Value
Standard compliance	802.11 a/b/g/n/ac
Wireless frequency	2.4 GHz/5 GHz
Radio	1
SSID number	4
Maximum transmit power (Max. total channel)	US (FCC) 2.4 GHz: 25 dBm, 3 antennas; US (FCC) 5 GHz: 25 dBm, 3 antennas; EU (ETSI) 2.4 GHz: 20 dBm (EIRP), 3 antennas; EU (ETSI) 5 GHz: 20 dBm (EIRP), 3 antennas
No. of antenna	3 detachable antennas
Antenna gain	• 2 dBi @2.4 GHz • 3 dBi @5 GHz
Data rate	• 802.11n: Up to 450 Mbps • 802.11ac: Up to 1300 Mbps
Frequency band	2.4 GHz (IEEE 802.11 b/g/n): • USA (FCC): 2.412 to 2.462 GHz • Europe (ETSI): 2.412 to 2.472 GHz • TWN (NCC): 2.412 to 2.462 GHz 5 GHz (IEEE 802.11 a/n/ac): • USA (FCC): 5.150 to 5.250 GHz; 5.250 to 5.350 GHz; 5.470 to 5.725 GHz; 5.725 to 5.850 GHz • Europe (ETSI): 5.15 to 5.35 GHz; 5.470 to 5.725 GHz • TWN (NCC): 5.15 to 5.25 GHz; 5.25 to 5.35 GHz; 5.470 to 5.725 GHz; 5.725 to 5.850 GHz
Receive sensitivity	2.4 GHz: • 11 Mbps ≤ -87 dBm • 54 Mbps ≤ -77 dBm • HT20 ≤ -71 dBm • HT40 ≤ -68 dBm 5 GHz: • 54 Mbps ≤ -74 dBm • HT40, MCS23 ≤ -68dBm • VHT40, MCS9 ≤ -62 dBm • HT20, MCS23 ≤ -71 dBm • VHT20, MCS8 ≤ -66 dBm • VHT80, MCS9 ≤ -59 dBm

Software Features

Security Service

Firewall

ICSA-certified corporate firewall
Routing and transparent (bridge) modes
Stateful packet inspection
SIP NAT traversal
H.323 NAT traversal*1
ALG support for customized ports
Protocol anomaly detection and protection
Traffic anomaly detection and protection
Flooding detection and protection
DoS/DDoS protection

Web Filtering

HTTPs domain filtering
SafeSearch support: Google, YouTube, and Microsoft Bing*1
Allow List websites enforcement
URL Block and Allow List with keyword blocking
Customizable warning messages and redirect URL

Content Filtering

Customizable Content Filtering block page
URL categories increased to 111
CTIRU (Counter-Terrorism Internet Referral Unit) support
Support DNS base filtering (domain filtering)

Geo Enforcer

Geo IP blocking
Geographical visibility on traffics statistics and logs
IPv6 address support*2

Device Insight

Agentless Scanning for discovery and classification of devices
View all devices on the network, including wired, wireless, BYOD, IoT, and SecuExtender (remote endpoint) on SecuReporter
Visibility of network devices (switches, wireless access points, firewalls) from Zyxel or 3rd party vendors

VPN

IPSec VPN

Encryption: DES, 3DES, AES (256-bit)
Authentication: MD5, SHA1, SHA2 (512-bit)
Support Route-based VPN Tunnel Interface (VTI)
Key management: IKEv1 (x-auth, mode-config), IKEv2 (EAP, configuration payload)
Perfect forward secrecy (DH groups) support 1, 2, 5, 14, 15-18, 20-21
IPSec NAT traversal (NAT-T)
Dead Peer Detection (DPD) and relay detection
PSK and PKI (X.509) certificate support
VPN concentrator
Route-based VPN Tunnel Interface (VTI)
VPN auto-reconnection
VPN high availability (Failover, LB)
L2TP over IPSec
GRE and GRE over IPSec

VPN (Continued)

NAT over IPSec
SecuExtender Zero Trust VPN Client provisioning
Support native Windows, iOS/macOS and Android (StrongSwan) client provision*1
Support 2FA Email/SMS*1
Support 2FA Google Authenticator

SSL VPN

Supports Windows and macOS
Supports full tunnel mode
Supports 2-Factor authentication

Networking

Mobile Broadband*1

WAN connection failover via 3G and 4G* USB modems
Auto fallback when primary WAN recovers

IPv6 Support*1

Dual stack
IPv4 tunneling (6rd and 6to4 transition tunnel)
IPv6 addressing
DNS, DHCPv6 server/client
Bridge
VLAN
PPPoE
Static/Policy route
Session control
Firewall and ADP
IPSec (IKEv2 6in6, 4in6, 6in4)
Content Filtering

Connection

Routing mode
Bridge mode and hybrid mode*1
Ethernet and PPPoE
NAT and PAT
NAT Virtual Server Load Balancing
VLAN tagging (802.1Q)
Virtual interface (alias interface)
Policy-based routing (user-aware)*1
Policy-based NAT (SNAT)
Dynamic routing (RIPv1/v2 and OSPF, BGP)*1
DHCP client/server/relay
Dynamic DNS support
WAN trunk for more than 2 ports
Per host session limit
Guaranteed bandwidth
Maximum bandwidth
Priority-bandwidth utilization
Bandwidth limit per user
Bandwidth limit per IP
GRE*1
BGP

Management

Nebula Cloud Mode

Unlimited Registration & Central Management (Configuration, Monitoring, Dashboard, Location Map & Floor Plan Visual) of Nebula Devices
Zero Touch Auto-Deployment of Hardware/Configuration from Cloud
Over-the-air Firmware Management
Central Device and Client Monitoring (Log and Statistics Information) and Reporting
Security Profile Sync

Nebula Cloud Monitoring Mode

Monitor device on/off status
Firmware upgrade operation
Manage firewall licenses
Access remote GUI (requires Nebula Pro Pack)
Backup and restore firewall configurations (requires Nebula Pro Pack)

Authentication

Local user database
Cloud user database*2
Built-in user database
External user database: Microsoft Windows Active Directory, RADIUS, LDAP
IEEE 802.1x authentication
Captive portal Web authentication
XAUTH, IKEv2 with EAP VPN authentication
Web-based authentication
Forced user authentication (transparent authentication)
IP-MAC address binding
SSO (Single Sign-On) support*1
Supports 2-factor authentication
Google Authenticator
SMS/Email

System Management

Role-based administration
Multiple administrator logins
Supports Cloud Helper
Multi-lingual Web GUI (HTTPS and HTTP)
Command line interface (console, Web console, SSH and telnet)*1
SNMP v1, v2c, v3
System configuration rollback*1
Configuration auto backup*1
Firmware upgrade via FTP, FTP-TLS, and web GUI*1
Dual firmware images
Cloud CNM SecuManager*1

Logging/Monitoring

Comprehensive local logging
Syslog (send to up to 4 servers)
Email alerts (send to up to 2 servers)
Real-time traffic monitoring
System status monitoring
Built-in daily report
Cloud CNM SecuReporter

Zyxel One Network

ZON Utility
- IP configuration
- Web GUI access
- Firmware upgrade
- Password configuration
Smart Connect
- Location and System Name update
- Discover neighboring devices
- One-click remote management access to the neighboring Zyxel devices

Subscription Services

Content Filter Pack
- Web Filtering
- SecuReporter
- Security Profile Sync
Nebula Professional Pack
Nebula Plus Pack

*: For specific models supporting the 3G and 4G dongles on the list, please refer to the Zyxel product page at 3G dongle document. *1: Only supported in On Premises Mode. *2: Only supported in Nebula Cloud Mode.

Accessories

Transceivers (Optional)

Model	Speed	Connector	Wavelength	Max. Distance	Optical Fiber Type	DDMI
SFP10G-SR*	10-Gigabit SFP+	Duplex LC	850 nm	300 m/ 328 yd	Multi Mode	Yes
SFP10G-LR*	10-Gigabit SFP+	Duplex LC	1310 nm	10 km/ 10936 yd	Single Mode	Yes
SFP-1000T	Gigabit	RJ-45	-	100 m/ 109 yd	Multi Mode	-
SFP-LX-10-D	Gigabit	Single LC	1310 nm	10 km/ 10936 yd	Single Mode	Yes
SFP-SX-D	Gigabit	Single LC	850 nm	500 m/ 601 yd	Multi Mode	Yes
SFP-BX1310-10-D*1	Gigabit	Single LC	1310 nm(TX) 1490 nm(RX)	10 km/ 10936 yd	Single Mode	Yes
SFP-BX1490-10-D*1	Gigabit	Single LC	1490 nm(TX) 1310 nm(RX)	10 km/ 10936 yd	Single Mode	Yes

*: Only USG2200 series supports 10-Gigabit SFP+. *1: SFP-BX1310-10-D & SFP-BX1490-10-D, SFP-BX1310-E & SFP-BX1550-E must be used in pairs.

	ZyWALL USG Series User's Guide Comprehensive user guide for the Zyxel ZyWALL USG Series network security gateways, covering setup, configuration, features, and troubleshooting.
	Zyxel USG FLEX 500 Firmware Release Note V5.00(ABUJ.2)C0 This document provides detailed release notes for the Zyxel USG FLEX 500 firmware version V5.00(ABUJ.2)C0, including supported platforms, new features, known issues, and troubleshooting.
	Zyxel USG FLEX H Series Handbook: VPN and Security Configuration Guide Comprehensive handbook for Zyxel USG FLEX H Series devices, covering VPN setup, security services, authentication, maintenance, and Nebula integration. Learn to configure site-to-site IPSec VPNs, content filtering, anti-malware, and more.
	Zyxel ZyWALL110 Firmware Release Note V4.65(AAAA.1)C0 Comprehensive release notes for the Zyxel ZyWALL110 network security appliance, detailing firmware updates from V4.65 down to V4.10, including new features, bug fixes, known issues, and essential upgrade/recovery procedures.
	USG FLEX H Series Handbook: Configuring Site-to-Site IPSec VPN A comprehensive guide to configuring site-to-site IPSec VPN connections on Zyxel USG FLEX H Series devices, including models USG FLEX 50H, 50HP, 100H, 100HP, 200H, 200HP, 500H, and 700H with uOS firmware version 1.35.
	Zyxel Security Solution Guide: Simplify and Strengthen Your Network Security A comprehensive guide to Zyxel's security solutions, including firewalls, routers, and licenses, designed to protect small and medium-sized businesses from cyber threats. Learn about features like Anti-Malware, IPS, Web Filtering, and secure remote working capabilities.
	Zyxel USG FLEX H Series User's Guide Comprehensive user's guide for the Zyxel USG FLEX H Series, covering initial setup, configuration, security features, and management. Learn how to optimize your network with detailed instructions and technical references.
	Zyxel USG FLEX H Series Firewall: High-Performance Network Security Datasheet Explore the Zyxel USG FLEX H series firewalls, offering advanced multi-gigabit performance, AI-powered cybersecurity, comprehensive UTM features, and flexible VPN connectivity for businesses. Datasheet detailing models 50H, 100H, 200H, 500H, and 700H.