Customer Reviews

ZyXEL ZyWALL USG200 Unified Security Gateway Firewall w/100 VPN Tunnels, SSL VPN, 7 Gigabit Ports, and High Availability

5 star:		(13)
4 star:		(5)
3 star:		(3)
2 star:		(3)
1 star:		(2)

 

 

While ZyXEL may not be that well known in the consumer network gear market, they make some good enterprise level gear. The USG line from ZyXEL is middle ground between simple consumer products and highly configurable enterprise products.

I have used the ZyXEL ZyWALL 2 PLUS Internet Security Firewall, 4 Port 10/100 Fast Ethernet Switch, w/ 5 IPSec VPN Tunnelsand the (discontinued) 1P for several years without issue; primarily for maintaining an IPSEC VPN tunnel. While the 2 Plus and 1P were more consumer grade, the USG20 is a step beyond. It has a plethora of configuration options available, and wringing out optimal performance from the device is not for the faint of heart. Having a background in network configuration will make the job easier, otherwise, plan to spend some time with the instruction manual.

ZyXEL's online resources, customer support and forum support are very good; they strive to make sure your problems get solved. They offer timely firmware updates to correct problems.

The ZyWALL USG20 not only has basic packet inspection firewall and traffic anomaly detection functionality, but has a significant number of features at this price point:

* Flexible Security Zones

* IPSEC and SSL VPN

* VLANs

* Bandwidth Management

* Content filtering/ Anti-SPAM

* Reporting

The UI is somewhat straightforward, however, the concept of Objects may confuse some. Objects are used to define re-used elements throughout the configuration. For example, an IP address range may be defined and named IP_RANGE_1. This name is then used throughout the configuration screens when setting up features that use that same address range.

There isn't much you can't do with this, that you could with a device costing several times as much.

Pros:

* Price vs Features ratio

* Highly configurable

* USB 3G support

* Configuration wizards for some set-up

* SSL VPN support

* 4 Gig ports

* Runs cool

Cons:

* No PPTP/L2TP VPN

* Object oriented configuration can be confusing

* SSL VPN limited to few applications and hard to get working.

* So configurable that it takes a while to fully set-up.

* Manual recommends unit SHOULD NOT be wall mounted. (Why?)

I bought this router from a competitor but wanted to leave a review here. The amount of features that you get out of this router is unbelievable for the price you pay. I'll point out my pros and cons about the unit but I will start by saying that this is not a dlink/linksys/netgear plug and play router, you need to have a good understanding of networking in order to use the unit to even half of its full potential.

Pros:

IPSec VPN

SSL VPN (ridiculously easy to configure, and there is a network extension option so that you can actually be put on the network and have full access to your resources)

Extensive firewall options (seriously there's a ton of options)

Cisco-like CLI

Ability to integrate with Active Directory (I use this with the ssl vpn, can be kind of tricky to configure though)

Bandwidth Management (very flexible options for this, you can really lock down how much bandwidth devices/programs can have and set priorities as well)

Object based (this is really useful, instead of specifying IP address in NAT/Firewall/BWM you can create objects and then specify the object so that in case you need to change it, you only need to change it in one location. You can even group objects together to consolidate firewall/BWM rules)

True DMZ (you can actually dedicate a port to the DMZ and then just have the others on lan subnets)

Free U.S. based technical support for the life of the unit (I called them before purchasing the unit to get information on it and the gentlemen was very courteous and knowledgeable. It's comforting to know that if I have issues I can get a hold of someone, who is American, within minutes). The firmware updates are free for the life of the unit as well.

Cons:

No L2TP/IPsec (Zyxel says this will be available in a firmware update, not sure exactly when though)

Occasionally the user interface will be stuck in a "loading" state when browsing. It only happens once or twice a week and clearing the cache usually fixes the issue.

The unit does feel a little bit cheap without a metal enclosure, but it does a pretty good job of getting rid of heat.

The unit has the "authentication policy" option which allows you to force users to enter a username and password when accessing some or all network resources (including the internet) to further increase security on the network however I have found that it doesn't work very well. For example, some times it wont prompt me to enter credentials and other times it will ask for them and after i enter them the network resource wont come up.

Closing thoughts:

The unit does also have content filter/ADP(anomaly detection and protection)/anti spam but I have not used any of these features though I have heard good things especially from the content filter. The content filter requires a license that you must purchase (you are given a 30 day trial) and the ADP and Anti Spam appear to come with the unit without a license (at least from understanding).

I mentioned it before (and other have as well) but its worth mentioning again that you get a lot of features for the price you pay. I've been very happy with the router since day one (I've had it about three weeks now). Hope this review helps somebody out there.

***Update 12-24-2011***

I've had the firewall for about five months now and it's still running strong. I haven't had any issues so far and after doing a firmware update I am now able to get the authentication policy to work properly. It also seems that Zyxel is releasing a major firmware update next month for all their USG series firewalls which will add IPv6 support as well as L2TP support.

This is one of the best priced and most feature rich routers I've ever used. I've used sonic walls about 5 years in the past and we had a linksys dual wan router before this. Once we needed more than one external ip the linksys just couldn't cut it. The firewall would either be fully off or fully on with secondary ip's, so we had to find another solution. Having used sonic walls in the past I looked at them first but a price/feature comparison lead me straight to the ZyWall USG100.

Setup for the device seems complicated at first, with assigning ip's to machines, ports to groups, and other things that I've not encountered with a firewall before. But these extra steps in the beginning save so much time later on. Instead of having routes and many firewall rules assigned to an ip, you would assign it to a virtual object stored in the zywall which has all of it's information. So when a change to the machines ip is required you don't have to go in and change every single rule and route, you just modify the virtual object and your done.

So far it's done everything we've needed and suprised us with its flexibility. And it would have 5 stars from me except for one slight failing. The vpn setup is a bit unruly when it comes to macs. Just for a standard vpn it requires a free 3rd party program (ipsecuritas) with a bit of setup that a normal user would balk at. Also the ssl vpn which ZyXEL boasts about is just a no go for macs, it just isn't supported.

It's a great product for a great price. It does everything well except for the vpn working with macs. If they can fix that then they would get 5 stars from me.

I work for a large Fortune 100 company and there I maintain our firewalls. We use firewalls costing tens of thousands of dollars so I am well aware of what is current in an enterprise firewall. While this box does not have the throughput of a large commercial class box, it has all the bells & whistles you could need or want. It is not a novice class device however. You need to really need to know what you are doing and for this box if you do not, you do not want this device. It has features home users would not have a clue about. However if you want an enterprise class firewall at an affordable price, this is it. I have been using it for a week now and for the price, it's the best you can get.

I needed a firewall that would keep up with 100Mbps Comcast cable modem down speeds. I own a DLink 655 extreme N and a Linksys / Cisco E3000. Both limited my down rate to about 40Mbps. The Zyxel ZyWall USG200 easily keeps up with the data rate. I've seen down rate hit 80+Mbps. It has all of the expected firewall features and allows policies to be built and assigned to groups or users. It is also very flexible in allowing the 2 WAN ports to be configured to work either together to increase capacity or provide redundancy or independently. The 4 internal GBEN ports can be assigned to different VLANs with a flexible rule set determining what traffic is allowed to what port.

The SSL VPN works with a IE9, IE8, Firefox, and Google chrome running on Windows 7, Vista, and XP (it will probably work with others, but that's all that I've tried it on).

The big downside to this firewall is that the Anti-virus, IPS (Intrusion Protection System), and Content Filter (from Blue Coat) only come with a 30day license. After 30 Days, you have to buy a license for each. The cost of the licenses is way too high (ranging from $150 per year to $400.00 per year for each of the features, AV, IPS, and Content Filter). This is not clear in any of the product descriptions. I like the firewall well enough, but the licensing scheme is a major downside. Oh, you can also buy Zyxel OTP (One Time Password) hard tokens to use for logging onto the system. Those run $132.00 for ten.

In addition to the cost, the licenses are not easy to find.

One note on the SSL VPN... the built in license only allows 2 concurrent VPN sessions. Additional VPN sessions require the purchase of yet another license to increase the concurrent limit.

In summary, it's a good Firewall but the AV, IPS, content filter, and SSL VPN licenses are overpriced and hard to find. I would have given the firewall 5 stars if it were not for the licensing issues with the feature components.

The USG 20 is a very feature rich and powerful device for the money. It has features that until very recently could be found in expensive commercial network appliances. Don't mistake this device for a simple home gateway. I have had it for a few months now and have a few observations.

1) Configuring this device is not for the faint of heart. If you don't have a reasonable level of IT skill, this may not be for you. The manual is almost 1000 pages. It is poorly translated to English and unclear in places.

2) ZyXel has been delivering firmware updates at a rapid pace (10/12/2010, 4/25/2011 and 6/3/2011). This is good because they are clearly supporting it. It is also bad because there are a lot of bug fixes. These fixes included a fix for a serious security flaw that was found earlier this year by RedTeam PenTesting GMBH. This kind of flaw should not have escaped from any security vendor. Worse, I could not find any indication that ZyXel notified it's customers to update their firmware.

3) In all firmware versions to date, the firewall does not cut off active sessions when a schedule rule is applied. If you intend to use this device to limit your kids computer time, it doesn't work. This is a flaw that affects many users.

4) The first unit I received died within 24 hours. Amazon replaced it and the second unit has been fine. It does run hot so it cannot be placed where airflow is restricted. I have mine on a wire rack style shelf to allow airflow underneath and above the device. I would not be comfortable stacking another device above it.

5) There were indications in ZyXel support responses and in online reviews that support for IPV6 would be added by the end of last year. That was one of the reasons I bought it. The capability has not shown up.

This is a fantastic device for the price. As another reviewer noted, you *really* need to know what you're doing to set it up (this is not a DLink plug-and-play hobbyists router, but it will do everything that you need in dual-WAN load-balancing firewall/router. It's well built. The web UI is very well done, it's easy to set up and get working (as far as this sort of equipment goes. The router has no problem handling a 50Mbps VPN on the WAN side and will handle 100Mbps WAN for a straight-through connection. In fact, that speed is a good reason to use this device even if you're using only one of the two WAN ports. The single-WAN version (ZyXEL ZyWALL USG20 Internet Security Firewall with 4 Gigabit LAN/DMZ Ports, 2 IPSec VPN, SSL VPN, and 3G WAN Support) is just as well thought out as the 50, but it can handle only 30Mbps on the VPN. If that speed is okay and you don't need the dual-WAN, then go with the USG20 --- it's basically the same device. Also, the DMZ is a true DMZ with it's own dedicated LAN port. There is a comprehensive 900+ page (.pdf) manual that covers pretty much every contingency, and includes step-by-step instructions for the vast majority of setup scenarios. (Download the manual from the ZyXEL web site).

-----

Update: I was just (after two months of using the router without any problems) doing something *really* out of the ordinary, and hit on a configuration that crashed the router. ZyXEL, however, handled this situation so well that I'd give them another star if I could. Tech support (in Anaheim, not India) was very easy to get to. The Tier-1 guy was quite knowledgeable, the problem was escalated to Tier 3 without hassles, and a patch was issued within 24 hours. Throughout this process, the Tier-2 support engineer emailed me too keep me appraised of their progress. I couldn't be happier with this level of support.

Overall, I was very impressed with the USG50. But I ended up returning the unit because of problems with outgoing VPN connections.

Laptops on my internal network were not able to connect to a remote Cisco VPN. After debugging for several days on a Mac (which uses racoon for the IPSec connection) it turns out the problem was with dead peer detection (DPD). The USG50 would show messages like this in its log:

error, IPSec, SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=5]

info, IKE, The cookie pair is: <16 digit hex> / <16 digit hex> [count=5] info, IKE, [COOKIE] Invalid cookie, no sa found [count=5]

The problem was that packets on port 500 (IKE) were not being routed to port 4500 (NATT) and vice versa. Because these packets were not getting through, the remote Cisco VPN killed the connection because it thought its peer was gone.

According to ZyXEL support, to do this you need UPnP and that "UPnP is not available on the USG's because from a business standpoint it as seen as a security risk." (I'm responsible for my network, so the security decisions are mine, not XyXEL's.)

The only option is to map the ports to a single IP using NAT. For laptop users (who are the most likely ones to need the VPN connection because they're working remotely) this doesn't work because only one user at a time can connect to a remote VPN and a special (non-DHCP) network configuration is required.

Since discovering this problem, I've installed a Netgear ProSafe FVS336G (which also has dual-WAN with four Gigabit Ethernet ports.) Outgoing VPN is working great with this unit.

They ZyWALL USG50 has performed very well over the past 2 months. The firewall offers excellent hardware and features for the price. However, the subscription services from ZyXEL leave much to be desired.

The Good:

* Hardware appears to be solid

* GigE ports

* Stable software

* Good set of built-in non-subscription security features

* Very stable VPN implementation

* Very usable SSL VPN (does not require a subscription)

* Excellent throughput with security features turned on for the price

The Bad:

* The process of renewing IDP, AV, Content Filtering subscriptions is convoluted

* The built-in reporting functionality is somewhat limited (e.g. Content Filter reports) and the server-based report functionality does not seem to be implemented

* The quality of Content Filtering (AppPatrol) and IDP is questionable - protocols are miss-recognized and I am getting some false positives from the IDP

* ZyXEL support is non-responsive

* Functionality is rather limited unless you pay ~$220 / year for the subscription services - none of the promotional materials mention that you only get 30 days of IDP, AV, Anit-SPAM, and Content Filtering

This router is amazing because it has enterprise features at a low price.

We had one major problem though, which resulted in switching to a competitors router. We could not get this to work with any of our SIP phones with hosted pbx. All of the firewall settings were correct, but many calls would drop and we were unable to do transfers. Ports open, IP address allowed, SIP ALG turned off. After weeks of frustration and being unable to correctly diagnose the problem, we switched to a cisco router and everything is working like magic.