Organization-wide Manage
Use the Organization-wide manage menus to create new sites, register or unregister a Nebula Device, change organization general settings, and manage licenses, user accounts, administrator accounts or VPN members in the organization.
Organization Portal
This screen shows you the site locations on a Google map and the summary of sites, site tags and connected Nebula Devices for the selected organization.
Click Organization-wide > Organization-wide manage > Organization portal to access this screen.
Organization-wide > Organization-wide manage > Organization portal
Sites
Click the Sites tab in the Overview screen to view detailed information of the sites which are associated with the selected organization.
Organization-wide > Organization-wide manage > Organization portal: Sites
The following table describes the labels in this screen.
Label | Description |
|---|---|
Tag | Select one or multiple sites and click this button to create a new tag for the sites or delete an existing tag. |
Delete | Select the sites and click this button to remove it. |
Search | Enter a key word as the filter criteria to filter the list of sites. |
Sites | This shows the number of sites in this organization. |
Over the last day | This shows how many clients are associated with the sites in this organization and the total amount of data transmitted or received by the clients in the past day. |
Export | Click this button to save the site list as a CSV or XML file to your computer. |
Status | This shows the status of Nebula Devices in the site. • Green: All Nebula Devices are online and have no alerts. • Amber: Some Nebula Devices have alerts. • Red: Some Nebula Devices are offline. • Gray: All Nebula Devices have been offline for 7 days or more. • White: No Nebula Devices. |
Name | This shows the descriptive name of the site. |
Usage | This shows the amount of data consumed by the site. |
Client | This shows the number of clients connected to Nebula Devices in the site. |
Tag | This shows the user-specified tag that is added to the site. |
Site Health | This shows the percentage of uptime in a given time interval to indicate the site’s network availability. • Green: 95 – 100% network uptime • Dark green: 75 – 95% network uptime • Brown: 50 – 75% network uptime • Red: < 50% network uptime • Grey: No uptime data |
Device | This shows the total number of Nebula Devices deployed in the site. |
Offline device | This shows the number of Nebula Devices which are added to the site but not accessible by the NCC now. |
% Offline | This shows what percentage of the connected clients are currently offline. |
 | Click this icon to display a greater or lesser number of configuration fields. |
Site tags
Click the Site tags tab in the Overview screen to view the tags created and added to the sites for monitoring or management purposes.
Organization-wide > Organization-wide manage > Organization portal: Site tags
The following table describes the labels in this screen.
Label | Description |
|---|---|
Search | Enter a key word as the filter criteria to filter the list of tags. |
Site tags | This shows the number of site tags created and added to the sites in this organization. |
Over the last day | This shows the number of clients associated with the sites in this organization and the total amount of data transmitted or received by the clients in the past day. |
Export | Click this button to save the tag list as a CSV or XML file to your computer. |
Status | This shows the status of Nebula Devices in sites with the specified tag. • Green: All Nebula Devices are online and have no alerts. • Amber: Some Nebula Devices have alerts. • Red: Some Nebula Devices are offline. • Gray: All Nebula Devices have been offline for 7 days or more. • White: No Nebula Devices. |
Tag | This shows the name of the specified tag. |
Site | This shows the total number of sites with the specified tag. |
Offline device | This shows the number of offline Nebula Devices in all sites with the specified tag. |
Client | This shows the number of clients in sites with the specified tag. |
Usage | This shows the total amount of data consumed in all sites with the specified tag. |
Device | This shows the total number of Nebula Devices deployed to all sites with the specified tag. |
Offline site | This shows the number of offline sites with the specified tag. |
% Offline | This shows what percentage of all sites with the specified tag are currently offline. |
 | Click this icon to display a greater or lesser number of configuration fields. |
Devices
Click the Devices tab in the Organization portal screen to view the detailed information about Nebula Devices which are connected to the sites in the selected organization.
Organization-wide > Organization-wide manage > Organization portal: Devices
The following table describes the labels in this screen.
Label | Description |
|---|---|
Search | Enter a key word as the filter criteria to filter the list of connected Nebula Devices. |
Devices | This shows the number of Nebula Devices assigned to the sites in this organization. |
Over the last day | This shows the number of clients associated with the sites in this organization and the total amount of data transmitted or received by the clients in the past day. |
Export | Click this button to save the Nebula Device list as a CSV or XML file to your computer. |
Status | This shows the status of the Nebula Device. • Green: The Nebula Device is online. • Amber: The Nebula Device recently had alerts. • Red: The Nebula Device was recently offline. • Gray: The Nebula Device has been offline for more than 6 days. |
Model | This shows the model number of the Nebula Device. |
Name | This shows the descriptive name of the Nebula Device. |
Site | This shows the name of the site to which the Nebula Device is connected. |
MAC address | This shows the MAC address of the Nebula Device. |
Tag | This shows the user-specified tag for the Nebula Device. |
Client | This shows the number of the clients which are currently connected to the Nebula Device. |
Usage | This shows the amount of data consumed by the Nebula Device. |
Serial number | This shows the serial number of the Nebula Device. |
Configuration status | This shows whether the configuration on the Nebula Device is up-to-date. |
Connectivity | This shows the Nebula Device connection status. The red time slot indicates the connection to the NCC is down, and the green time slot indicates the connection is up. Move the cursor over a time slot to see the actual date and time when a Nebula Device is connected or disconnected. |
Public IP | This shows the global (WAN) IP address of the Nebula Device. |
 | Click this icon to display a greater or lesser number of configuration fields. |
Configuration Management
Configuration synchronization allows you to easily copy configurations from one site or Nebula Device to another. Use this screen to synchronize the configuration between sites or switch ports. You can also back up the current configurations for sites or switches to the NCC and restore the configuration at a later date.
Click Organization-wide > Organization-wide manage > Configuration management to access this screen.
Organization-wide > Organization-wide manage > Configuration management
The following table describes the labels in this screen.
Label | Description |
|---|---|
Synchronization | |
Settings | Specify whether general site configuration or just SSID settings of a site will be propagated to other sites. Click What will be synchronized? to view detailed information. |
From source site | Select the site from which you want to copy its site configuration to other sites. |
To Site(s) | Select one or more sites to which you want to import the copied site configuration. You can also select the site tags created using the Organization-wide > Organization-wide manage > Organization portal: Sites screen. |
Sync | Click this button to start synchronizing configuration settings between the selected sites. |
Switch settings clone | |
From source device | Select the Nebula Switch from which you want to copy its Switch port settings to other Nebula Devices. |
To device(s) | Select one or more Nebula Switches to which you want to import the copied Switch port settings.  Only Nebula Switches of the same model can synchronize. Both Switches should be registered to a site in the organization. |
Clone | Click this button to start synchronizing Switch port settings between the selected Nebula Devices. |
Backup & Restore To back up or restore a previously saved configuration, your administrator account should have full access to the organization. | |
Site(s) settings | You can create up to three site configuration backups for the organization. The NCC automatically creates and saves one backup when you perform configuration restoration. The automatic backup cannot be deleted. |
Backup | This shows the index number of the site configuration backup. |
Description | This shows the descriptive name of the backup. When you click Add to create a new backup, you need to enter a name for the backup in order to save it to the NCC. |
Date (UTC) | This shows the date and time the backup was saved on the NCC server. |
Admin | This shows the name of the administrator account who performed the backup. |
Remove | Click the remove icon to delete the backup. |
Add | Click this button to create a new configuration backup of all the sites in the organization. |
Restore from backup | Select the backup you want to restore. |
Restore to site(s) | Select one or more sites to which you want to restore the specified configuration backup. |
Restore | Click this button to overwrite the settings of the sites with the selected configuration backup. |
Switch settings | At the time of writing, only one backup is allowed per Nebula Device. |
Backup | This shows the index number of the Switch configuration backup. |
Switch | This shows the name of the Switch. |
Description | This shows the descriptive name of the backup. When you click Add to create a new backup, you need to enter a name for the backup in order to save it to the NCC. |
Model | This shows the model number of the Switch. |
Date (UTC) | This shows the date and time the backup was saved on the NCC server. |
Admin | This shows the name of the administrator account who performed the backup. |
Remove | Click the remove icon to delete the backup. |
Add | Click this button to create a new configuration backup of a specific Switch. This button is selectable only when you have at least one Switch in the organization. |
Restore from backup | Select the backup you want to restore. |
Restore to device(s) | Select one or more Nebula Switches to which you want to restore the specified configuration backup. You can restore the backup to the same Switch or Switches of the same model and registered to a site in the organization. |
Restore | Click this button to overwrite the settings of the Switches with the selected configuration backup. |
Configuration Templates
A configuration template is a virtual site. The settings you configured in a template will apply to the real sites which are bound to the template. If you do not want to apply any new settings from the template to a site, just unbind that site. If you want to configure some specific settings directly in a site after the site is bound to a template, turn on the local override function (see Local Override).
Use this screen to create and manage configuration templates. You can then bind or unbind a site from the template (see Site Binding).
A site can only be bound to one template. The same template can be used by multiple sites. The sites and the template should belong to the same organization for binding.If the NCC service is downgraded from Nebula Professional Pack to Nebula Base, all the sites will be unbound from the templates but retain the settings already applied from the template.Click Organization-wide > Organization-wide manage > Configuration templates to access this screen.
Organization-wide > Organization-wide manage > Configuration templates
The following table describes the labels in this screen.
Label | Description |
|---|---|
Create | Click this button to create a new configuration template. You can copy settings from an existing site or configuration template, or have a new template with default settings. It is optional to bind one or more sites to the template when you are creating a template.  |
Delete | Click this button to remove the selected templates. A window pops up asking you to confirm that you want to delete the templates. If you remove a template that is being used by a site, the site will be unbound from the template automatically and retain the settings previously applied from the template.  |
Search | Enter a key word as the filter criteria to filter the list of templates. |
Templates | This shows how many templates match the filter criteria and how many templates are created in total. |
Name | This shows the name of the template. |
# Bound sites | This shows the number of the sites bound to the template. |
Bound sites | This shows the name of the sites bound to the template. |
Site Binding
Use this screen to bind or unbind a site from a template. Click an existing template from the list in the Organization-wide > Organization-wide manage > Configuration templates screen to access this screen. To go back to the previous screen, click the Configuration templates list link.
Organization-wide > Organization-wide manage > Configuration templates: Template
The following table describes the labels in this screen.
Label | Description |
|---|---|
Bind additional site | Click this button to bind more sites to the template. A window displays. Select the name of the sites in the Target sites field and click Bind.  |
Unbind | Click this button to remove the selected sites from the template. The site which is unbound from the template still retains the settings applied from the template. |
Search | Enter a key word as the filter criteria to filter the list of sites. |
Sites | This shows how many sites match the filter criteria and how many sites are bound to the template in total. |
Name | This shows the name of the site bound to the template. |
Tag | This shows the tags added to the site. |
Device | This shows the number of Nebula Devices which are assigned to the site. |
Local override | This shows which settings in the template do not apply to the site. |
Template settings
An administrator that has full access to the organization can modify the template configurations. To access a template’s configuration screen, select the template name from the Site field in the NCC title bar. It also shows the number of sites that are bound to the template on each configuration screen.
At the time of writing, you can use a template to configure site-wide, Switches, and access points settings.Local Override
When a site is bound to a template, you can see the name of the template on the site’s configuration screens (which are also available in a template and can be configured).
There is also an option to make the changes you made locally to a site persist. If you select the override check box of the site’s configuration screen, all the configuration screens under the same menu tab (Site-Wide or Switches) are configurable. Settings in these screens will not be affected and modified by the template. If the override check box is not selected, any changes of the same configuration screen in the template apply to the site.
Switch Port Profile and Configuration
Just as a configuration template is a virtual site, so is a profile to a Switch. The settings you configured in a profile will apply to the Switches which are bound to the profile. If you do not want to apply any new settings from the profile to a Switch, just unbind that Switch. If you want to configure some specific settings directly in a Switch (For example, a port’s Broadcast (pps) value. See Update ports for details.) after the Switch is bound to a profile, turn on the local override function (see Local Override).
VPN Orchestrator
VPN Orchestrator enables you to automatically create Virtual Private Network (VPN) connections between sites within an organization. This allows the Security Gateway of each site and the Nebula Devices behind it to communicate securely.
You can manually create VPN connections between sites at Site-wide > Configure > Security Gateway > Site-to-Site VPN or Site-wide > Configure > Firewall > Site-to-Site VPN.Topology Overview
There are two topologies you can use when creating a site-to-site VPN.
• Fully Meshed: In a fully-meshed VPN topology (1 in the figure below), there is a VPN connection between every two sites in the organization. Sites can communicate directly with each other, but having permanent tunnels between every site takes up more resources.
• Hub-and-spoke: In a hub-and-spoke topology (2 in the figure below), every site is either a hub or a spoke. There is a VPN connection between each spoke site (B, C, D, and E) and the hub site (A). Traffic from each spoke site must first go through the hub site. If the hub site fails, the site-to-site VPN network fails. To avoid this, you can assign more than one hub site.
VPN Topologies (Fully Meshed and Hub-and-Spoke)
VPN Areas
An organization can contain multiple VPN areas. Each VPN area is an independent VPN with its own sites, settings, and topology. Every organization has a default VPN area called Default, which cannot be deleted. Sites in different VPN areas within the same organization can communicate if you enable the Area communication setting.
VPN Orchestrator Screen
Use this screen to manage and create site-to-site VPNs within the current organization. Click Organization-wide > Organization-wide manage > VPN orchestrator to access this screen.
Organization-wide > Organization-wide manage > VPN orchestrator
The following table describes the labels in this screen.
Label | Description |
|---|---|
VPN Topology | |
VPN Area | Select the name of a VPN area to view on the map. Select Overview to view all VPN areas in this organization on the map. |
Smart VPN | |
VPN Area | Select the name of a VPN to configure. Select + Create VPN area to create a new VPN within the organization. |
 | Click the remove icon to delete the VPN area. |
Topology | Click this to select a topology for the VPN area. For details on topologies, see Topology Overview. Select Disable to disable VPN connections for all sites in the VPN area. |
The following settings are shown when Topology is set to Hub-and-Spoke. | |
Branch to Branch VPN | Enable this to allow spoke sites to communicate with each other in the VPN area. When disabled, spoke sites can only communicate with hub sites. |
Spoke | Select one or more sites and then click this to assign the sites as spokes. The sites are added to the spoke list. |
Hub | Select one or more sites and then click this to assign the sites as hubs. The sites are added to the hubs list. |
Security Gateway | Enter the name of a site or Nebula Device to filter the list of sites. |
Hub site | This shows the number of hub site. Only one hub site is supported. |
Spoke site: N | This shows the number of spoke sites (N) in the spoke list. |
# | This shows the priority of the hub site. If the VPN area contains multiple hub sites, then the spoke sites always send traffic through the available hub with the highest priority. You can change the priority of a site by clicking the move icon (  ), and then dragging the site up or down in the list. |
Site | This shows the name of the site in the VPN area. |
Model | This shows the model of the site’s Security Gateway device. |
VPN enable | Click this to enable or disable site-to-site VPN on the site’s Security Gateway. If you disable this setting, the site will leave the VPN area. |
Subnets | This shows the IP subnets of all LAN interfaces behind the site’s Security Gateway. |
NAT traversal | If the Security Gateway is behind a NAT router, enter the public IP address or the domain name that is configured and mapped to the Security Gateway on the NAT router. |
Area communication | Enable this to allow the site to communicate with sites in different VPN areas within the organization. If Topology is set to Site-to-Site, then you must assign at least one site in each VPN area as the Area Leader. The area leaders create VPN tunnels between VPN areas. |
Gateway status | This shows whether the site’s Security Gateway is currently online. |
VPN status | This shows whether the VPN is currently connected. |
WAN status | This shows the IP address of the WAN interface and the public IP address of the site’s Security Gateway. |
Non-Nebula VPN peers | Configure this section to add a non-Nebula gateway, such as an on-premise ZyWALL series device or non-Zyxel gateway, to the VPN area. |
+ Add | Click this button to add a non-Nebula gateway to the VPN area. |
Enabled | Select the check box to enable VPN connections to the non-Nebula gateway. |
Name | Enter the name of the non-Nebula gateway. |
Public IP | Enter the public IP address of the non-Nebula gateway. The public IP address supports both FQDN (Fully Qualified Domain Name) and IP formats. |
Private Subnet | Enter the IP subnet that will be used for VPN connections. The IP range must be reachable from other Nebula Devices in the VPN area. |
IPSec policy | Click to select a pre-defined policy or have a custom one. See Custom IPSec Policy for detailed information. |
Preshared secret | Enter a pre-shared key (password). The Nebula Security Gateway and peer gateway use the key to identify each other when they negotiate the IKE SA. |
Address | Enter the address (physical location) of the Nebula Device. |
| Click the remove icon to delete the entry. |
Security Profile Sync
Security profile sync allows you to share the same Security Firewall gateway device security service settings with multiple sites in an organization. This replaces the Unified Threat Management (UTM) settings configured for each site at Site-wide > Configure > Firewall > Security service.
Configuring Security Profile Sync
Follow the steps below to enable security profile sync in an organization.
1 Go to Organization-wide > Organization-wide manage > Security profile sync. Select Enabled, and then under Sync sites add the sites that you want to share security settings.
You can only add sites that have a Security Firewall gateway device.2 Configure security service settings for Content filtering, Application Patrol, URL Threat Filter, Anti-Malware, and Intrusion Detection / Prevention. Then click Save.
All security settings are synced to the selected sites.
All security settings are synced to the selected sites.
3 If you change the settings in the Security profile sync screen, the changes will be copied to all selected sites.
4 If you want to modify security settings for an individual site, go to Site-wide > Configure > Firewall > Security service and select Override security profile sync.
Security Profile Sync Screen
Use this screen to enable and configure security profile sync. Click Organization-wide > Organization-wide manage > Security profile sync to access this screen.
Organization-wide > Organization-wide manage > Security Profile Sync
The following table describes the labels in this screen.
Label | Description |
|---|---|
Security profile sync | |
Enabled | Click this to enable or disable security profile sync for the organization. |
Sync sites | Select one or more sites that you want to sync the security settings on this screen to. Select All sites to sync security settings with all sites in the organization. You can only add sites that have a Security Firewall gateway device. |
Content Filtering | |
Drop connection when there is an HTTPS connection with SSL v3 (or previous version) | Select On to have the Security Gateway block HTTPS web pages using SSL V3 or a previous version. |
Denied Access Message | Enter a message to be displayed when content filter blocks access to a web page. Use up to 127 characters (0–9a–zA–Z;/?:@&=+$\.–_!~*'()%,”). For example, “Access to this web page is not allowed. Please contact the network administrator”. It is also possible to leave this field blank if you have a URL specified in the Redirect URL field. In this case if the content filter blocks access to a web page, the security gateway just opens the web page you specified without showing a denied access message. |
Redirect URL | Enter the URL of the web page to which you want to send users when their web access is blocked by content filter. The web page you specify here opens in a new frame below the denied access message. Use “http://” or “https://” followed by up to 262 characters (0–9a–zA–Z;/?:@&=+$\.-_!~*'()%). For example, http://192.168.1.17/blocked access. |
Enabled | Select the check box to enable the content filtering profile. |
Description | Enter a description for this profile. |
 | Click this icon to change the profile settings. |
| Click this icon to remove the profile. |
Add | Click this to create a content filtering profile. See Create a Content Filtering Profile for more information. |
Application Patrol Application profiles | |
Name | Enter a name for this profile for identification purposes. |
Description | Enter a description for this profile. |
| Click this icon to change the profile settings. |
| Click this icon to remove the profile. |
Add | Click this icon to create an application patrol profile. See Add Application Patrol Profile for more information. |
DNS/URL Threat Filter | |
Log | Select whether to have the Nebula Device generate a log (log), log and alert (log alert) or not (no) when the policy is matched to the criteria listed above. |
DNS Threat Filter | Select On to turn on the rule. Otherwise, select Off to turn off the rule. |
DNS Threat Filter policy | Select Pass to have the Nebula Device allow the DNS query packet and not reply with a DNS reply packet containing a default or custom-defined IP address. Select Redirect to have the Nebula Device reply with a DNS reply packet containing a default or custom-defined IP address. |
DNS Threat Filter Redirect IP | Enter the IP address to have the Nebula Device reply with a DNS reply packet containing a default or custom-defined IP address when a DNS query packet contains an FQDN with a bad reputation. The default IP is the dnsft.cloud.zyxel.com IP address. If you select a custom-defined IP, then enter a valid IPv4 address in the text box. |
URL Threat Filter | Select On to turn on the rule. Otherwise, select Off to turn off the rule. |
URL Threat Filter Policy | Select Pass to allow users to access web pages that the external web filtering service has not categorized. Select Block to prevent users from accessing web pages that the external web filtering service has not categorized. When the external database content filtering blocks access to a web page, it displays the denied access message that you configured in the Content Filter General screen along with the category of the blocked web page. Select Warn to display a warning message before allowing users to access web pages that the external web filtering service has not categorized. |
URL Threat Filter Denied Access Message | Enter a message to be displayed when content filter blocks access to a web page. Use up to 127 characters (0–9a–zA–Z;/?:@&=+$\.-_!~*'()%,”). For example, “Access to this web page is not allowed. Please contact the network administrator”. It is also possible to leave this field blank if you have a URL specified in the Redirect URL field. In this case if the content filter blocks access to a web page, the Nebula Device just opens the web page you specified without showing a denied access message. |
URL Threat Filter Redirect URL | Enter the URL of the web page to which you want to send users when their web access is blocked by content filter. The web page you specify here opens in a new frame below the denied access message. Use “http://” or “https://” followed by up to 262 characters (0–9a–zA–Z;/?:@&=+$\.-_!~*'()%). For example, http://192.168.1.17/blocked access. |
Test Threat Category | Enter a URL using http://domain or https://domain and click the Test button to check if the domain belongs to a URL threat category. |
Category List | These are categories of web pages based on their content. Select categories in this section to control access to specific types of Internet content. |
Block list | Sites that you want to block access to, regardless of their content rating, can be blocked by adding them to this list. Enter host names such as www.bad-site.com into this text field. Do not enter the complete URL of the site – that is, do not include “http://”. All sub-domains are also blocked. For example, entering “bad-site.com” also blocks “www.badsite.com”, “partner.bad-site.com”, “press.bad-site.com”, and so on. You can also enter just a top level domain. For example, enter .com to block all .com domains. Use up to 127 characters (0–9 a–z). The casing does not matter. |
Allow list | Sites that you want to allow access to, regardless of their content rating, can be allowed by adding them to this list. Enter host names such as www.good-site.com into this text field. Do not enter the complete URL of the site – that is, do not include “http://”. All sub-domains are allowed. For example, entering “zyxel.com” also allows “www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, and so on. You can also enter just a top level domain. For example, enter .com to allow all .com domains. Use up to 127 characters (0–9 a–z). The casing does not matter. |
URL Threat Filter external block list | The Nebula Device uses black list entries stored in a file on a web server that supports HTTP or HTTPS. The Nebula Device blocks incoming and outgoing packets from the black list entries in this file. |
Enabled | Select this to have the Nebula Device block the incoming packets that come from the listed addresses in the block list file on the server. |
Name | Enter an identifying name for the block list file. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. |
External DB | Enter the exact file name, path and IP address of the server containing the block list file. The file type must be ‘txt’. For example, http://172.16.107.20/blacklist-files/myip-ebl.txt The server must be reachable from the Nebula Device. |
Description | Enter a description of the block list file. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. |
| Click this icon to remove the entry. |
Add | Click this button to create a new entry. |
Schedule update | The signatures for DNS Filter and URL Threat Filter are the same. These signatures are continually updated as new malware evolves. New signatures can be downloaded to the Nebula Device periodically if you have subscribed for the URL Threat filter signatures service. You need to create an account at myZyxel, register your Nebula Device and then subscribe for URL Threat filter service in order to be able to download new signatures from myZyxel. Select Daily to set the time of the day, or Weekly to set the day of the week and the time of the day. Schedule signature updates for a day and time when your network is least busy to minimize disruption to your network. |
IP Reputation | |
Enabled | Select this option to turn on IP blocking on the Nebula Device. |
Log | Select this option to create a log on the Nebula Device when the packet comes from an IPv4 address with bad reputation. |
Policy | Select Pass to have the Nebula Device allow the packet to go through. Select Block to have the Nebula Device deny the packets and send a TCP RST to both the sender and receiver when a packet comes from an IPv4 address with bad reputation. |
Threat level threshold | Select the threshold threat level to which the Nebula Device will take action (High, Medium and above, Low and above). The threat level is determined by the IP reputation engine. It grades IPv4 addresses. • High: an IPv4 address that scores 0 to 20 points. • Medium and above: an IPv4 address that scores 0 to 60 points. • Low and above: an IPv4 address that scores 0 to 80 points. For example, a score of “10” will cause the Nebula Device to take action whether you set the Threat level threshold at High, Medium and above, or Low and above. But a score of “61” will not cause the Nebula Device to take any action if you set the Threat level threshold at Medium and above. |
Test Category | Enter an IPv4 address of a website, and click the Test button to check if the website associates with suspicious activities that could pose a security threat to users or their computers. |
Category list | Select the categories of packets that come from the Internet and are known to pose a security threat to users or their computers. |
Block list | Sites that you want to block access to, regardless of their content rating, can be blocked by adding them to this list. Add the IPv4 addresses that the Nebula Device will block the incoming packets. |
Allow list | Sites that you want to allow access to, regardless of their content rating, can be allowed by adding them to this list. Add the IPv4 addresses that the Nebula Device will allow the incoming packets. |
External block list | |
Enabled | Select this check box to have the Nebula Device block the incoming packets that come from the listed addresses in the block list file on the server. |
Name | Enter the identifying name for the block list file. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. |
External DB | Enter the file name, path and IP address of the server containing the block list file. For example, http://172.16.107.20/blacklist-files/myip-ebl.txt |
Description | Enter a description of the block list file. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. |
| Click this icon to remove the entry. |
Add | Click this button to create a new entry. |
Schedule update | New IP reputation signatures can be downloaded to the Nebula Device periodically if you have subscribed for the IP reputation signatures service.You need to create an account at myZyxel, register your Nebula Device and then subscribe for IP reputation service in order to be able to download new signatures from myZyxel. Select Daily to set the time of the day, or Weekly to set the day of the week and the time of the day. Schedule signature updates for a day and time when your network is least busy to minimize disruption to your network. |
Anti-Malware | |
Enabled | Select On to turn on the rule. Otherwise, select Off to turn off the rule. |
Log | Select whether to have the Nebula Device generate a log when the policy is matched to the criteria listed above. |
Scan mode | |
Express mode | In this mode you can define which types of files are scanned using the File Type For Scan fields. The Nebula Device then scans files by sending each file’s hash value to a cloud database using cloud query. This is the fastest scan mode. |
Stream mode | In this mode the Nebula Device scans all files for viruses using its anti-malware signatures to detect known virus pattens. This is the deepest scan mode. |
Hybrid mode | In this mode you can define which types of files are scanned using the File Type For Scan fields. The Nebula Device then scans files by sending each file’s hash value to a cloud database using cloud query. It also scans files using anti-malware signatures, and Threat Intelligence Machine Learning. This mode combines Express Mode and Stream Mode to offer a balance of speed and security. |
Cloud Query | Select the Cloud Query supported file types for the Nebula Device to scan for viruses. |
Block list | This field displays the file or encryption pattern of the entry. Enter a file pattern that would cause the Nebula Device to log and modify this file. •Use up to 80 characters. Alphanumeric characters, underscores (_), dashes (-), question marks (?) and asterisks (*) are allowed. •A question mark (?) lets a single character in the file name vary. For example, use “a?.zip” (without the quotation marks) to specify aa.zip, ab.zip and so on. •Wildcards (*) let multiple files match the pattern. For example, use “*a.zip” (without the quotation marks) to specify any file that ends with “a.zip”. A file named “testa.zip would match. There could be any number (of any type) of characters in front of the “a.zip” at the end and the file name would still match. A file named “test.zipa” for example would not match. •A * in the middle of a pattern has the Nebula Device check the beginning and end of the file name and ignore the middle. For example, with “abc*.zip”, any file starting with “abc” and ending in “.zip” matches, no matter how many characters are in between. •The whole file name has to match if you do not use a question mark or asterisk. •If you do not use a wildcard, the Nebula Device checks up to the first 80 characters of a file name. |
Allow list | Enter the file or encryption pattern for this entry. Specify a pattern to identify the names of files that the Nebula Device should not scan for viruses. •Use up to 80 characters. Alphanumeric characters, underscores (_), dashes (-), question marks (?) and asterisks (*) are allowed. •A question mark (?) lets a single character in the file name vary. For example, use “a?.zip” (without the quotation marks) to specify aa.zip, ab.zip and so on. •Wildcards (*) let multiple files match the pattern. For example, use “*a.zip” (without the quotation marks) to specify any file that ends with “a.zip”. A file named “testa.zip would match. There could be any number (of any type) of characters in front of the “a.zip” at the end and the file name would still match. A file named “test.zipa” for example would not match. •A * in the middle of a pattern has the Nebula Device check the beginning and end of the file name and ignore the middle. For example, with “abc*.zip”, any file starting with “abc” and ending in “.zip” matches, no matter how many characters are in between. •The whole file name has to match if you do not use a question mark or asterisk. •If you do not use a wildcard, the Nebula Device checks up to the first 80 characters of a file name. |
Sandboxing | Sandboxing provides a safe environment to separate running programs from your network and host devices. Unknown or untrusted programs/codes are uploaded to the Defend Center and executed within an isolated virtual machine (VM) to monitor and analyze the zero-day malware and advanced persistent threats (APTs) that may evade the Nebula Device’s detection, such as anti-malware. Results of cloud sandboxing are sent from the server to the Nebula Device. |
Enabled | Select this option to turn on sandboxing on the Nebula Device |
Log | Enable this option to allow the Security Firewall to create a log when a suspicious file is detected. |
Policy | Specify whether the Nebula Device deletes (Destroy) or forwards (Allow) malicious files. Malicious files are files given a high score for malware characteristics by the Defend Center. |
Inspect selected downloaded files | Select this option to have the Nebula Device hold the downloaded file for up to 2 seconds if the downloaded file has never been inspected before. The Nebula Device will wait for the Defend Center’s result and forward the file in 2 seconds. Sandbox detection may take longer than 2 seconds, so infected files could still possibly be forwarded to the user. The Nebula Device only checks the file types you selected for sandbox inspection.The scan result will be removed from the Nebula Device cache after the Nebula Device restarts. |
File submission options | Specify the type of files to be sent for sandbox inspection. |
Intrusion Detection/Prevention | |
Detection | Select On to enable Detection. |
Prevention | Select On to enable Prevention. |
Firmware Management
Use this screen to upgrade Nebula Device firmware, or schedule a firmware upgrade for Nebula Devices within the sites in the organization. Click Organization-wide > Organization-wide manage > Firmware management to access this screen.
Firmware Management Overview Screen
Use this screen to view and/or schedule a firmware upgrade for Nebula Devices within each site in the organization. You can make different schedules for different sites in the organization. Click Organization-wide > Organization-wide manage > Firmware management > Overview to access this screen.
Organization-wide > Organization-wide manage > Firmware management > Overview
You can select Nebula Devices by device type and by site, but you cannot select individual Nebula Devices. For example, you can upgrade all Switches in Site A and all APs in Site B. To upgrade individual Nebula Devices, go to Organization-wide > Organization-wide manage > Firmware management > Devices.
This is a Nebula Professional Pack feature. If your Nebula Professional Pack license expires, existing firmware upgrades will still run as scheduled.Firmware Upgrade Priority
NCC prioritizes the different Nebula Device firmware upgrade schedules as follows, from highest to lowest:
1. Individual Nebula Device upgrade schedule (set at Organization-wide > Organization-wide manage > Firmware management > Devices).
2. Organization-wide or site-wide upgrade schedule. If both are set, the schedule that was most recently set takes priority.
3. NCC default per-device upgrade schedule and default site-wide upgrade schedule (14 days after new firmware is released).
2. Organization-wide or site-wide upgrade schedule. If both are set, the schedule that was most recently set takes priority.
3. NCC default per-device upgrade schedule and default site-wide upgrade schedule (14 days after new firmware is released).
Firmware Management Overview Screen
The following table describes the labels in this screen.
Label | Description |
|---|---|
Site | Select a site in your organization. By default, all the sites are displayed (Any). |
Device type | Select the type of Nebula Device. By default, all the Nebula Devices are displayed (Any). |
Status | Select the status of the Nebula Device’s firmware. By default, all the status are displayed (Any). Select Good to display the Nebula Devices running a stable firmware with no immediate action is required. Select Warning to display the Nebula Devices with a newer firmware available and immediate action is recommended. The newer firmware may contain security enhancements, new features, and performance improvements. Select Critical to display the Nebula Devices with a newer firmware available and immediate action is required. The existing firmware may have security vulnerabilities and/or lack key performance improvements. Select N/A to display the Nebula Devices that are offline and its firmware status is not available. |
Availability | Select to show the Nebula Devices with Up to date firmware, there is firmware update available for the Nebula Device (Upgrade available), or a specific version of firmware has been installed by Zyxel customer support (Locked). By default, all the available firmware are displayed (Any). |
Upgrade Now | Click this to immediately upgrade the firmware on all selected sites. This button is selectable only when there is firmware update available for the Nebula Devices for the selected sites. |
Schedule Upgrade | Click this to pop-up a window where you can set a specific date and time to upgrade the Nebula Devices firmware on the selected sites.  Nebula Devices are upgraded according to the time zone of the site they are in. |
Reset | Select one or more Site-wide firmware upgrade Schedules, and then click Reset to restore the default site-wide settings (Every Monday at 02:00). Select one or more Per device firmware upgrade Schedules, and then click Reset to allow the Nebula Devices to follow the site-wide firmware management settings. |
Site-wide/Per device | Select your desired filter criteria to filter the list of firmware upgrade schedules. |
| Drag the following column headings to change the order. Click the column heading to change the sorting, ascending or descending order. | |
Status | This shows the status of the Nebula Device’s firmware. • Green: All Nebula Devices are running Stable or above firmware. • Amber: One or more Nebula Devices is not running the Latest firmware. • Red: One or more Nebula Devices is running firmware that may have security vulnerabilities and/or lack key performance improvements. • Gray: No schedule is set for upgrading the Nebula Device’s firmware. |
Site | This shows which site the Nebula Device is in. Click the site name to go to the site’s Dashboard. |
Device type | This shows the type of Nebula Device. |
Schedule | This shows the day and time when a new firmware upgrade is scheduled to occur. Site-wide settings means the Nebula Device is following the site-wide firmware schedule. Per device settings means a firmware schedule is set for the Nebula Device and it will not follow the site-wide firmware schedule. |
# of devices | This shows the number of Nebula Devices in the site for a particular Schedule status. Click this to change the schedule (see the Schedule upgrade field in Organization-wide > Organization-wide manage > Firmware management > Devices for more information). |
Availability | This shows whether the firmware on the Nebula Device is Up to date, there is firmware update available for the Nebula Device (Upgrade available), or a specific version of firmware has been installed by Zyxel customer support (Locked). |
 | Click this icon to show and hide columns in the table. |
Firmware Management Devices Screen
Use this screen to make different firmware upgrade schedules for the Nebula Devices in the organization. Click Organization-wide > Organization-wide manage > Firmware management > Devices to access this screen.
While installing a firmware update, the Nebula Device will continue to operate normally until it reboots. The reboot will take 3 to 5 minutes, so it is best to pick an upgrade time that has minimal impact on your network.Organization-wide > Organization-wide manage > Firmware management > Devices
The following table describes the labels in this screen.
Label | Description |
|---|---|
Site/Status/Device type/Tag/Model/Current version/Firmware status/Firmware type/Availability/Locked | Specify your desired filter criteria to filter the list of Nebula Devices. |
Upgrade Now | Click this to immediately install the firmware on the selected Nebula Devices. This button is selectable only when there is firmware update available for the selected Nebula Devices. |
Schedule upgrade | Click this to pop up a window where you can create a new schedule for the selected Nebula Devices. You can select to upgrade firmware according to the organization-wide schedule configured for the Nebula Device type in the site, create a recurring schedule, edit the schedule with a specific date and time when firmware update is available for all the selected Nebula Devices, or immediately install the firmware. With a recurring schedule, the NCC will check and perform a firmware update when a new firmware release is available for any of the selected Nebula Devices. If the NCC service is downgraded from Nebula Professional Pack to Nebula Base, the Nebula Devices automatically changes to adhere to the organization-wide schedule.  |
Reset | Select one or more Nebula Devices, and then click Reset to allow the Nebula Devices to follow the site-wide firmware management settings. |
Status | This shows the status of the Nebula Device. • Green: The Nebula Device is online and has no alerts. • Amber: The Nebula Device has alerts. • Red: The Nebula Device is offline. • Gray: The Nebula Device has been offline for 7 days or more. |
Device type | This shows the type of the Nebula Device. |
Model | This shows the model number of the Nebula Device. |
Tag | This shows the tag created and added to the Nebula Device. |
Name | This shows the descriptive name of the Nebula Device. |
MAC address | This shows the MAC address of the Nebula Device. |
S/N | This shows the serial number of the Nebula Device. |
Site | This shows the descriptive name of the site. |
Current version | This shows the version number of the firmware the Nebula Device is currently running. It shows N/A when the Nebula Device goes offline and its firmware version is not available. |
Firmware status | The status shows Good if the Nebula Device is running a stable firmware and no immediate action is required. See the description of a stable firmware on the next field Firmware type. The status shows Warning if a newer firmware is available and immediate action is recommended. The newer firmware may contain security enhancements, new features, and performance improvements. The status shows Critical if a newer firmware is available and immediate action is required. The firmware may have security vulnerabilities and/or lack key performance improvements. The status shows Custom if the Nebula Device is running a firmware with specialized features that is not available to the general public. The status changes to Upgrading... after you click Upgrade Now to install the firmware immediately. |
Firmware type | This shows Stable when the installed firmware may not have the latest features but has passed Zyxel internal and external testing. This shows Latest when the installed firmware is the most recent release with the latest features, improvements, and bug fixes. This shows General Availability when the installed firmware is a release before Latest, but is still undergoing Zyxel external testing. This shows Dedicated when the installed firmware is locked and Zyxel support is monitoring. Contact Zyxel customer support if you want to unlock the firmware in order to upgrade to a later one. This shows Beta when the installed firmware is a release version for testing the latest features and is still undergoing Zyxel internal and external testing. This shows N/A when the Nebula Device is offline and its firmware status is not available. See Firmware Type Version Progression Example for an example Firmware type version progression example scenario. |
Availability | This shows whether the firmware on the Nebula Device is Up to date, there is firmware update available for the Nebula Device (Upgrade available), or a specific version of firmware has been installed by Zyxel customer support (Locked). |
Upgrade scheduled | This shows the date and time when a new firmware upgrade is scheduled to occur. Otherwise, it shows Follow upgrade time and the Nebula Device sticks to the site-wide schedule or No when the firmware on the Nebula Device is up-to-date or the Nebula Device goes offline and its firmware status is not available. A lock icon displays if a specific schedule is created for the Nebula Device, which means the Nebula Device firmware will not be upgraded according to the schedule configured for all Nebula Devices in the site. |
Last upgrade time | This shows the last date and time the firmware was upgraded on the Nebula Device. |
Schedule upgrade version | This shows the version number of the firmware which is scheduled to be installed. |
| Click this icon to display a greater or lesser number of configuration fields. |
Firmware Type / Version Progression
The following table shows an example firmware version progression scenario.
version number timeline | firmware type | version number timeline | firmware type |
|---|---|---|---|
V6 | Latest | V5 | General Availability |
V7 | Latest | V6 | General Availability |
Zyxel will select a previous version, (for example, V3) as a Stable release if no major issues have been reported by users.There can only be one Latest and one Stable firmware.
Cloud Authentication
Use this screen to view and manage the user accounts which are authenticated using the NCC user database, rather than an external RADIUS server. Click Organization-wide > Organization-wide manage > Cloud authentication to access this screen.
The changes you made in this screen apply to all sites in the organization. To change the cloud authentication settings for a specific site, go to Site-wide > Configure > Cloud authentication (see Configure).User Account Types
NCC has the following types of user accounts. For details on using these accounts for WiFi and network authentication, see SSID Advanced Settings.
Account Type | Description | Authentication Methods |
|---|---|---|
User | The user account can gain access to the networks by authenticating using a pre-created user name and password, or their email address. This type of user account also supports DPPSK and two-factor authentication. | • WiFi authentication (WPA-Enterprise) • Network access through captive portal • VPN Access • WiFi authentication + network authentication through DPPSK |
MAC | The Nebula Device account that can gain access to the networks by authenticating using its MAC address. | • MAC-based Nebula Device authentication (combined with DPPSK) |
DPPSK | A user that can gain access to the network using a unique dynamic Personal Pre-Shared key that is linked to their user account. | • WiFi authentication + network authentication through DPPSK |
Cloud Authentication User Screen
Use this screen to view and manage regular NCC network user accounts. Click Organization-wide > Organization-wide manage > Cloud authentication > User to access this screen.
Organization-wide > Organization-wide manage > Cloud authentication > User
The following table describes the labels in this screen.
Some of the actions on this screen are only available if your administrator account has full access to the organization.Label | Description |
|---|---|
Authorization | Select one or more than one user account and click this button to configure the authorization settings for the selected user accounts.  |
Remove users | Select one or more than one user account and click this button to remove the selected user accounts. |
VPN access | Select one or more than one user account and click this button to configure whether the accounts can be used to connect to the organization’s networks through VPN. |
VLAN attribute | Select one or more than one user account and click this button to assign the users to a specific VLAN ID, or clear the VLAN ID. Then click Update.  |
Print | Click this button to print information about each selected user account, such as their user name and password. |
Search users | Enter a key word as the filter criteria to filter the list of user accounts. |
N User | This shows how many user accounts (N) match the filter criteria and how many user accounts of the selected type are created in total. |
Import | Click this button to create user accounts in bulk by importing a complete list of all new users in an Excel file.  |
Add | Click this button to create a new user account. See Create/Update User Account. |
Export | Click this button to save the account list as a CSV or XML file to your computer. |
Email | This shows the email address of the user account. |
Username | This shows the user name of the user account. |
Description | This shows the descriptive name of the user account. |
802.1X | This shows whether 802.1X (WPA-Enterprise) authentication is enabled on the account. |
VPN access | This shows whether the accounts can be used to connect to the organization’s networks through VPN. |
Authorized | This shows whether the user has been authorized or not (No). If the user is authorized, it shows All sites or the name of the site to which the user is allowed access. |
Expire in (UTC) | This shows the date and time that the account expires. This shows -- if authentication is disabled for this account. This shows Never if the account never expires. This shows Multiple value if the account has different Expire in values across different sites. |
Login by | This shows whether the user needs to log in with the email address and/or user name. |
DPPSK | This shows the account’s dynamic personal pre-shared key (DPPSK), if one is set. |
VLAN assignment | This field is available only when the account type is set to User. This shows the VLAN assigned to the user. |
2FA Status | This shows whether the account has set up two-factor authentication yet. |
Bypass 2FA | This shows whether the account is allowed to bypass two-factor authentication, if two-factor authentication is enabled on a captive portal or VPN gateway. |
Authorized by | This shows the email address of the administrator account that authorized the user. If the account has been authorized by different admins across different sites, it shows Multiple value. |
Created by | This shows the email address of the administrator account that created the user. |
Created at | This shows the date and time that the account was created. |
| Click this icon to display a greater or lesser number of configuration fields. |
Create/Update User Account
In the Site-wide or Organization-wide > Organization-wide manage > Cloud authentication > User screen, click the Add button to create a new user account or double-click an existing account entry to modify the account settings.
Organization-wide > Organization-wide manage > Cloud authentication > User: Create/Update user
The following table describes the labels in this screen.
Label | Description |
|---|---|
Account type | This shows the type of the user account. |
Email | Enter the email address of the user account, which is used to log into the networks. |
Username | Enter a user name for this account. This field is optional if Login by is set to Email. |
Description | Enter a descriptive name for the account. |
Password | Enter the password of this user account. It can consist of 4 – 31 alphanumeric characters. You can click Generate to have NCC create a password for the account automatically. |
DPPSK | Enter a dynamic personal pre-shared key (DPPSK) for this DPPSK user account, if you want to be able to authenticate using DPPSK in addition to a user name and password. It can consist of 8 – 31 alphanumeric characters. You can click Generate to have the NCC create a DPPSK for the account automatically. |
802.1X | Select this to allow the account to be used for single sign-on (SSO) network and WiFi authentication using 802.1X (WPA-Enterprise). |
VPN Access | Select this to allow the account to be used to connect to the organization’s networks through VPN. |
Authorized | Set whether you want to authorize the user of this account. You can select to authorize the user’s access to All Sites or Specified Sites in the organization. If you select Specified Sites, a field displays allowing you to specify the sites to which the user access is authorized. |
Expire in | This field is available only when the user is authorized. Click Change to specify the number of minutes/hours/days/weeks the user can be logged into the network in one session before the user of this account has to log in again. If the account has been set with different Expire in values across different sites, it will show Multiple value and the Change link.Otherwise, select Never and the user of this account will never be logged out. |
Login by | Select whether the user needs to log in with the email address and/or user name. |
VLAN assignment | This allows you to assign a user to a specific VLAN based on the user credentials instead of using a RADIUS server. |
Bypass two-factor authentication | This shows whether the account is allowed to bypass two-factor authentication, if two-factor authentication is enabled on a captive portal or VPN gateway. |
Email account information to user | Select this to send a copy of the information on this screen to the account email address, after the account has been created. |
Close | Click this button to exit this screen without saving. |
Print | Click this button to print the account information. |
Create user | Click this button to save your changes and close the screen. |
Cloud Authentication MAC Screen
Use this screen to view and manage NCC Nebula Device user accounts, used for MAC-based authorization. Click Organization-wide > Organization-wide manage > Cloud authentication > MAC to access this screen.
Organization-wide > Organization-wide manage > Cloud authentication > MAC
The following table describes the labels in this screen.
Some of the actions on this screen are only available if your administrator account has full access to the organization.Label | Description |
|---|---|
Authorization | Select one or more than one account and click this button to configure the authorization settings for the selected user accounts. |
Remove users | Select one or more than one user account and click this button to remove the selected user accounts. |
Search users | Enter a key word as the filter criteria to filter the list of user accounts. |
N User | This shows how many user accounts (N) match the filter criteria and how many user accounts of the selected type are created in total. |
Import | Click this button to create user accounts in bulk by importing a complete list of all new users in an Excel file. |
Add | Click this button to create a new user account. See Create/Update MAC Account. |
Export | Click this button to save the account list as a CSV or XML file to your computer. |
Email | This shows the email address of the user account. |
MAC address | This shows the MAC address of the user account. |
Description | This shows the descriptive name of the user account. |
Account type | This shows the type of user account: USER, MAC, or DPPSK. |
Authorized | This shows whether the user has been authorized or not (No). If the user is authorized, it shows All sites or the name of the site to which the user is allowed access. |
Authorized by | This shows the email address of the administrator account that authorized the user. If the account has been authorized by different admins across different sites, it shows Multiple value. |
Expire in (UTC) | This shows the date and time that the account expires. This shows -- if authentication is disabled for this account. This shows Never if the account never expires. This shows Multiple value if the account has different Expire in values across different sites. |
Created at | This shows the date and time that the account was created. |
| Click this icon to display a greater or lesser number of configuration fields. |
Create/Update MAC Account
In the Site-wide or Organization-wide > Organization-wide manage > Cloud authentication > MAC screen, click the Add button to create a new user account or double-click an existing account entry to modify the account settings.
Organization-wide > Organization-wide manage > Cloud authentication > MAC: Create/Update user
The following table describes the labels in this screen.
Label | Description |
|---|---|
Account type | This shows the type of the user account. |
Description | Enter a descriptive name for the account. |
MAC address | Enter a MAC address for this account. |
Authorized | Set whether you want to allow the user of this account access to sites. Select All Sites or Specified sites to allow the user access to all or some sites in the organization. If you select Specified sites, a field displays allowing you to specify the sites to which the user access is authorized. Select Not authorized to prevent the user access to all the sites in the organization. |
Expires | Specify the number of minutes/hours/days/weeks the user has access to site(s) in the organization. |
Close | Click this button to exit this screen without saving. |
Print | Click this button to print the account information. |
Create user | Click this button to save your changes and close the screen. |
Cloud Authentication DPPSK Screen
Use this screen to view and manage DPPSK network user accounts. Click Organization-wide > Organization-wide manage > Cloud authentication > DPPSK to access this screen.
Organization-wide > Organization-wide manage > Cloud authentication > DPPSK
The following table describes the labels in this screen.
Label | Description |
|---|---|
Authorization | Select one or more than one user account and click this button to configure the authorization settings for the selected user accounts. |
Remove users | Select one or more than one user account and click this button to remove the selected user accounts. |
Print | Click this button to print the unique dynamic personal pre-shared key (DPPSK) and expiry time of each selected user account. The account details can be cut into cards, and then given to users in order to grant them WiFi network access.  |
Search users | Enter a key word as the filter criteria to filter the list of user accounts. |
N Users | This shows how many user accounts (N) match the filter criteria and how many user accounts of the selected type are created in total. |
Import | Click this button to create user accounts in bulk by importing a complete list of all new users in an Excel file. |
Add | Click this button to create a single new account, or a batch of accounts. • Single DPPSK: See Add/Edit DPPSK Account. • Batch create DPPSK: See Batch Create DPPSK Accounts. |
Export | Click this button to save the account list as a CSV or XML file to your computer. |
Email | This shows the email address of the user account. |
Username | This shows the user name of the user account. |
Account type | This shows the type of user account: USER, MAC, or DPPSK. |
DPPSK | This shows the account’s dynamic personal pre-shared key (DPPSK). |
VLAN ID | This shows the VLAN assigned to the account. |
Description | This shows the descriptive name of the user account. |
Authorized | This shows whether the user has been authorized or not (No). If the user is authorized, it shows All sites or the name of the site to which the user is allowed access. |
Expire in (UTC) | This shows the date and time that the account expires. This shows -- if authentication is disabled for this account. This shows Never if the account never expires. This shows Multiple value if the account has different Expire in values across different sites. |
Created by | This shows the email address of the administrator account that created the user. |
Created at | This shows the date and time that the account was created. |
| Click this icon to display a greater or lesser number of configuration fields. |
Add/Edit DPPSK Account
In the Site-wide or Organization-wide > Organization-wide manage > Cloud authentication > DPPSK screen, click Add > Single DPPSK to create a new user account or double-click an existing account entry to modify the account settings.
Organization-wide > Organization-wide manage > Cloud authentication > DPPSK: Create/Update DPPSK user
The following table describes the labels in this screen.
Label | Description |
|---|---|
Account type | This shows the type of the user account. |
Email | Enter the email address of the user account, which is used to log into the networks. |
Username | Enter a user name for this account. |
Description | Enter a descriptive name for the account. |
DPPSK | Enter a dynamic personal pre-shared key (DPPSK) for this DPPSK user account. It can consist of 8 – 31 alphanumeric characters. You can click Generate to have the NCC create a DPPSK for the account automatically. |
VLAN id | Enter the ID of a VLAN to assign a user to a specific VLAN. |
Authorized | Set whether you want to authorize the user of this account. You can select to authorize the user’s access to All Sites or Specified Sites in the organization. If you select Specified Sites, a field displays allowing you to specify the sites to which the user access is authorized. |
Expire in | This field is available only when the user is authorized. Click Change to specify the number of minutes/hours/days/weeks the user can be logged into the network in one session before the user of this account has to log in again. If the account has been set with different Expire in values across different sites, it will show Multiple value and the Change link.Otherwise, select Never and the user of this account will never be logged out. |
Email account information to user | Select this to send a copy of the information on this screen to the account email address, after the account has been created. |
Close | Click this button to exit this screen without saving. |
Print | Click this button to print the account information. |
Create user | Click this button to save your changes and close the screen. |
Batch Create DPPSK Accounts
To have NCC create multiple DPPSK user accounts, each with a unique dynamic personal pre-shared key (DPPSK), go to the Site-wide or Organization-wide > Organization-wide manage > Cloud authentication > DPPSK screen, click Add, and then select Batch Create DPPSK.
Organization-wide > Organization-wide manage > Cloud authentication: Batch Create DPPSK
The following table describes the labels in this screen.
Label | Description |
|---|---|
Number of accounts | Enter how many DPPSK user accounts you want to create. |
VLAN id | Assign the users to a specific VLAN based on the user’s dynamic personal pre-shared key (DPPSK). |
E-mail account info to | Send a copy of each user account’s dynamic personal pre-shared key (DPPSK) and expiry date to the specified email address. This information is in a printable format. The expiry date includes a time and date in UTC format. |
Authorized | Set whether you want to authorize the user of this account. You can select to authorize the user’s access to All Sites or Specified Sites in the organization. If you select Specified Sites, a field displays allowing you to specify the sites to which the user access is authorized. |
Expire in | This field is available only when the user is authorized. Click Change to specify the number of minutes/hours/days/weeks the user can be logged into the network in one session before the user of this account has to log in again. If the account has been set with different Expire in values across different sites, it will show Multiple value and the Change link.Otherwise, select Never and the user of this account will never be logged out. |
Close | Click this button to exit this screen without saving. |
Create user | Click this button to save your changes and close the screen. |
Change Log
Use this screen to view logged messages for changes in the specified organization. Click Organization-wide > Organization-wide manage > Change log to access this screen.
When the log is full, it deletes older entries one by one to make room for new ones.
Organization-wide > Organization-wide manage > Change log
The following table describes the labels in this screen.
Label | Description |
|---|---|
Search | Click to enter one or more key words as the search criteria to filter the list of logs. |
Range/Before | Select Range to set a time range or select Before to choose a specific date/time and the number of hours/minutes to display only the log messages generated within a certain period of time (before the specified date/time). The maximum allowable time range is 30 days. |
Search | Click this to update the list of logs based on the search criteria. |
Reset filters  | Click this to return the search criteria to the previously saved time setting. |
Newer/Older | Click to view a list of log messages with the most recent or oldest message displayed first. |
This shows the total number of the log messages that match the search criteria. It also shows the date and time the very first log was created. | |
Export | Click this button to save the log list as a CSV or XML file to your computer. |
Time (UTC) | This shows the date and time in UTC+00:00 (or UTC+0) when the log was recorded. UTC is a standard time for use around the world (formerly known as Greenwich Mean Time or GMT). UTC is an international abbreviation that is neither French nor English. It means both "Temps Universel Coordonné" and "Coordinated Universal Time". |
Site Time | This shows the date and time of the site, to which the change was applied, when the log was recorded. |
Admin | This shows the name of the administrator who made the changes. |
Site | This shows the name of the site to which the change was applied. |
SSID | This shows the SSID name to which the change was applied. |
Page | This shows the name of the NCC menu in which the change was made. |
Label | This shows the reason for the log. |
Old value | This shows the old setting that was discarded and overwritten with the new attribute value. |
New value | This shows the new setting that was adopted. |
| Click this icon to display a greater or lesser number of configuration fields. |
Organization Settings
Use this screen to change your general organization settings, such as the organization name and security. Click Organization-wide > Organization-wide manage > Organization settings to access this screen.
Organization-wide > Organization-wide manage > Organization settings
The following table describes the labels in this screen.
Label | Description |
|---|---|
Name | Enter a descriptive name for the organization. |
Country | Select the country where the organization is located. This field is only for reference. It does not affect any other fields or features in NCC. |
Security | |
Idle timeout | Select ON and enter the number of minutes each user can be logged in and idle before the NCC automatically logs out the user. Select OFF if you do not want the NCC to log out idle users. |
Login IP ranges | Select ON and specify the IP address range of the computers from which an administrator is allowed to log into the NCC. Select OFF to allow any IP address of the computer from which an administrator can log into the NCC. |
Import certificate | |
Use my certificate | Select ON to import a certificate that can be used by connected Nebula Access Points in WPA2 authentication. |
Name | Enter a name for the certificate (up to 64 letters). |
File Path | Click to find the certificate file you want to upload. |
Import | Click this button to save a new certificate to the NCC. |
Password | Enter the certificate file’s password. |
Override device ownership | By default, your Nebula Device can transfer to another administrator’s organization by using the Nebula Mobile app to scan the QR code. Click this switch to the right to prohibit Nebula Device transfer between administrators. |
Delete this organization | Click the Delete organization button to remove the organization when it does not have any sites, Nebula Devices or users. You will be redirected to the Choose organization page after this organization is deleted. |