The FLEX 100 supports the latest VPN protocols including IKEv2, IPSec, SSL, and L2TP/IPSec. With remote access so important right now (and likely going forward), Zyxel has made setting up VPN connections easier (don’t mistake that as calling it “easy,” though) through some wizard-like walkthroughs to speed up and automate some of the process (pictured below).
Given the size business this firewall is targeted for, its VPN chops will be quite an upgrade for many. It’s rated for 270 Mbps VPN throughput, and can handle 40 concurrent VPN tunnels, 30 SSL VPN users, and 64 concurrent logins. Models up the chain can handle additional capacity.
Security and Performance
Like most UTM appliances, the FLEX 100 has a lot of important security features, far too many to cover here in detail. Among the most important are a stateful packet inspection firewall with highly configurable policies, as well as anomaly detection and prevention with customizable profiles. The Application Patrol service allows for certain applications to be prioritized, throttled, or blocked outright. A powerful content filter has extensive configuration options to block content, URLs, and more, and there’s an anti-malware feature to scan files. Intrusion detection and prevention (IDP) with deep packet inspection (DPI) can be enabled to detect threats, like hacking attempts, from nefarious third parties (albeit at a significant impact to performance). There’s a robust email security service as well.
All of that can feed back data (in anonymous, semi-anonymous, or full detail) to view in Zyxel’s SecuReporter tool in the cloud, which provides centralized visibility of network activities, further threat analysis, and the information needed to help prevent future threat events.
That’s just the tip of the iceberg, but it’s important to note that most of these are locked away behind yearly licensing. There is flexibility, however (hence the FLEX in the name), as licenses can be purchased individually or in a bundle (in most regions), and even transferred from older USG devices.
With a firewall, it’s hard to talk about security without also talking about speed given that turning on security features negatively impacts performance. There are some bold performance claims, and Zyxel relies heavily on its cloud query service to pull them off. The FLEX 100 not only offers impressive UTM performance, but also a higher detection rate.
Throughput is where the rubber meets the road for firewalls, and the FLEX 100 doesn’t disappoint. The SPI firewall is rated for 900 Mbps throughput, which is in line with my testing. Enabling IDP or any feature that requires DPI will chop that number to the low 500s, while enabling anti-malware will drop throughput into the mid 300s. That’s impressive for a fully unified threat management appliance, and actual performance will improve as known apps, services, signatures, and URLs are whitelisted from impacting performance.