Zyxel USG FLEX 50H Firewall
Delivering higher levels of performance and flexibility
List Price:
Our Price: $274.99
List Price:
Our Price: $349.99
List Price:
Our Price: $329.99
List Price:
Our Price: $399.99
More pricing below, click here!
Overview:
USG FLEX H series, named for its groundbreaking high performance, gives ultra firewall/UTM/VPN throughput with powerful multi-gig and PoE+ interfaces to get you ready for the multi-gig era. Empowered by Zyxel AI cloud, USG FLEX H series unleashes best-in-breed multi-layered protection to blank your corporate premises with seamless safety against mounting cyber threats. To make the great even greater, USG FLEX H, with enhanced SecuExtender, makes it easier to extend the same security to all your remote networks, proving that small or mid-sized business users can also enjoy enterprise-grade security at lightning speed.
Cloud & on-prem security integrated with smart sync
Firewall/VPN/UTM ultra high performance
Multi-gig user-definable WAN/ LAN Ethernet ports with up to 10Gbps speed
Optional 802.3at PoE+ enables eco-friendly deployments without AC adapters
High assurance multi-layered protection against cyber threats
Comprehensive Reputation Filter includes IP/URL/DNS inspection
SecuExtender VPN utility supports both IKEv2 & SSL VPN
Benefits:
Our new Fast and Powerful uOS
The USG FLEX H series introduces our latest powerful uOS. It is designed to increase security, minimize system response time, apply configuration changes instantly and optimize configuration and security policy management with its new intuitive UX design.
AI-powered cloud cybersecurity
Block malicious threats and restrict inappropriate user behaviors. The USG FLEX H series leverages AI-powered cloud intelligence to operate multi-layered protection such as sandboxing, anti-malware, DNS/IP/URL filtering, IPS, and application patrol over your premises.
Our new Fast and Powerful uOS
The USG FLEX H series introduces our latest powerful uOS. It is designed to increase security, minimize system response time, apply configuration changes instantly and optimize configuration and security policy management with its new intuitive UX design.
Cloud & on-prem in sync
Nebula revolutionizes network management with Smart Sync, enabling seamless cloud-based configuration of on-premise firewalls. Effortlessly enforce unified security policies, monitor threats in real time, and optimize performance from anywhere. This cutting-edge solution delivers unmatched convenience, scalability, and robust protection across hybrid cloud environments.
Preemptive defense by Reputation Filter
Stop 70% of common cyberattacks with Reputation Filter service without sacrificing your network performance thanks to its low computing requirement. Reputation Filter consist of IP Reputation, DNS Filter, and URL threat filter. Analyzes IP, domain, URL addresses with up-to-date cloud reputation databases and determines if addresses are safe or not. Automatically blocks access to compromised sources, providing granular protection.
Deep insights of devices
Device insight gives a centralized dashboard of your network activities and information from all connected devices. Tune your access policies based on attributes such as OS version or device categories to achieve network segmentation for limited attack surface and prevent threat from spreading. Easily trace issues and prevent future threat incidents with SecuReporter, provides comprehensive threat analysis and correlations between events.
Friendly for OS-native VPN clients
IKEv2 is a de-facto VPN protocol known for its security, reliability, and efficiency, a safer and more enhanced protocol than L2TP. It’s widely adopted so it comes with outstanding interoperability with various types of VPN clients, OS, and VPN gateways. Easy wizard ensures in-a-few-clicks compatibility with free-of-charge OS-native IKEv2 VPN clients such as Windows, macOS, iOS, and Android (via StrongSwan app).
High assurance multi-layered protection
Designed with multi-layer protection that blocks both outside malicious threats as well as internal inappropriate user behaviors. Restrict high-risk applications or web access from inside your network. Industry-leading DNS filter with TLS 1.3 eliminates all blind spots in all encrypted traffic without the need to deploy SSL inspection.
Specifications:
| Model | USG FLEX 50H/HP | USG FLEX 100H/HP | USG FLEX 200H/HP | USG FLEX 500H | USG FLEX 700H |
|---|---|---|---|---|---|
| Interface ports | 5 x 1GbE Ethernet 50HP: 1 x PoE+ Ethernet (802.3at, 30W max.) |
8 x 1GbE Ethernet 100HP: 1 x PoE+ Ethernet (802.3at, 30W max.) |
2 x 2.5GbE Ethernet 6 x 1GbE Ethernet 200HP: 1 x PoE+ Ethernet (802.3at, 30W max.) |
2 x 2.5GbE Ethernet 2 x 2.5GbE/PoE+ Ethernet (802.3at, total 30W) 8 x 1GbE Ethernet |
2 x 2.5GbE Ethernet 2 x 10GbE/PoE+ Ethernet (802.3at, total 30W) 8 x 1GbE Ethernet 2 x 10GbE SFP+ |
| USB 3.0 ports | 1 | 1 | 1 | 1 | 1 |
| Console port | Yes (RJ-45) | Yes (RJ-45) | Yes (RJ-45) | Yes (RJ-45) | Yes (RJ-45) |
| Rack-mountable | - | - | Yes | Yes | Yes |
| Fanless | Yes | Yes | Yes | - | - |
| System Capacity & Performance 1 | |||||
| SPI firewall throughput (Mbps) 2 | 2,000 | 4,000 | 6,500 | 10,000 | 15,000 |
| VPN throughput (Mbps) 3 | 500 | 900 | 1,200 | 2,000 | 3,000 |
| IPS throughput (Mbps) 4 | 1,000 | 1,500 | 2,500 | 4,500 | 7,000 |
| Anti-Malware throughput (Mbps) 4 | 600 | 1,000 | 1,800 | 3,000 | 4,000 |
| UTM throughput (Anti-Malware and IPS) 4 | 600 | 1,000 | 1,800 | 3,000 | 4,000 |
| Max. TCP concurrent sessions 5 | 100,000 | 300,000 | 600,000 | 1,000,000 | 2,000,000 |
| Max. concurrent IPSec VPN tunnels 6 | 20 | 50 | 100 | 300 | 1,000 |
| Recommended gateway-to-gateway IPSec VPN tunnels | 5 | 20 | 50 | 150 | 300 |
| Concurrent SSL VPN users | 15 | 25 | 50 | 150 | 500 |
| VLAN interface | 8 | 16 | 32 | 64 | 128 |
| Speedtest Performance | |||||
| SPI firewall throughput (Mbps) 7 | 926.76 | 931.61 | 929.97 | 938.1 | 921.64 |
| Security Service 8 | |||||
| Anti-Malware | Yes | Yes | Yes | Yes | Yes |
| IPS | Yes | Yes | Yes | Yes | Yes |
| Application Patrol | Yes | Yes | Yes | Yes | Yes |
| Web Filtering | Yes | Yes | Yes | Yes | Yes |
| Reputation Filter | Yes | Yes | Yes | Yes | Yes |
| SecuReporter | Yes | Yes | Yes | Yes | Yes |
| Sandboxing | Yes | Yes | Yes | Yes | Yes |
| Device Insight | Yes | Yes | Yes | Yes | Yes |
| Secure WiFi | Yes | Yes | Yes | Yes | Yes |
| VPN | |||||
| VPN Protocol | IKEv2, IPSec, SSL 9 | IKEv2, IPSec, SSL 9 | IKEv2, IPSec, SSL 9 | IKEv2, IPSec, SSL 9 | IKEv2, IPSec, SSL 9 |
| Nebula SD-VPN | Yes | Yes | Yes | Yes | Yes |
| Auto-link VPN | Yes | Yes | Yes | Yes | Yes |
| Manual-link VPN | Yes | Yes | Yes | Yes | Yes |
| VPN Topology | Yes | Yes | Yes | Yes | Yes |
| WLAN Management | |||||
| Default Number of Managed AP | 8 | 8 | 8 | 8 | 8 |
| Secure WiFi 8 | Yes | Yes | Yes | Yes | Yes |
| Maximum Number of Tunnel-Mode AP 10 | 3 | 6 | 10 | 18 | 130 |
| Maximum Number of Managed AP | 12 | 24 | 40 | 72 | 520 |
| Recommend max. AP in 1 AP Group | 10 | 10 | 20 | 60 | 200 |
| Management & Connectivity | |||||
| Nebula Centralized Management | Yes | Yes | Yes | Yes | Yes |
| Device HA | - | - | Yes | Yes | Yes |
| Link Aggregation (LAG) | Yes | Yes | Yes | Yes | Yes |
| Concurrent devices logins (max.) 11 | 64 | 64 | 200 | 500 | 2,000 |
| Burst login rate (users/30sec) | 64 | 64 | 200 | 220 | 220 |
| Power Requirements | |||||
| Power input | 50H: 12V DC, 2A 50HP: 19V DC, 3.42A |
100H: 12V DC, 2A max. 100HP: 19V DC, 3.42A |
200H: 12V DC, 2A max. 200HP: 19V DC, 3.42A |
19V DC, 4.736A | 100 - 240V AC, 50/60Hz, 2A |
| Max. power consumption (Watt max.) | 50H: 8.86 50HP: 48.65 |
100H: 17 100HP: 51.2 |
200H: 22 200HP: 62 |
68 | 86.7 |
| Heat dissipation (BTU/hr) | 50H: 32.42 50HP: 175.73 |
100H: 40.365 100HP: 194.5 |
200H: 58.75 200HP: 191.9 |
211.3 | 235 |
| Physical Specifications | |||||
| Dimensions (WxDxH) (mm/in.) | 216 x 143 x 33/ 8.50 x 5.63 x 1.30 | 216 x 143 x 33/ 8.50 x 5.80 x 1.30 | 272 x 187 x 36/ 10.7 x 7.36 x 1.42 | 300 x 182 x 43.5/11.81 x 7.17 x 1.71 | 430 x 250 x 43.5/16.93 x 9.84 x 1.71 |
| Weight (kg/lb.) | 50H: 1.02/2.26 50HP: 1.04/2.31 |
100H: 1.04/2.29 100HP: 1.05/2.31 |
200H: 1.52/3.34 200HP: 1.52/3.35 |
1.64/3.62 | 3.14/6.93 |
| Included accessories | • Power adapter • Power cord (50HP only) • RJ-45 to RS-232 cable for console connection |
• Power adapter • Power cord (100HP only) • RJ-45 to RS-232 cable for console connection |
• Power adapter • Power cord (200HP only) • RJ-45 to RS-232 cable for console connection • Rack mounting kit (optional, by regions) |
• Power adapter & Power cord • RJ-45 to RS-232 cable for console connection • Rack mounting kit |
• Power cord • RJ-45 to RS-232 cable for console connection • Rack mounting kit |
| Environmental Specifications | |||||
| Operating Temperature | 0°C to 40°C/32°F to 104°F | 0°C to 40°C/32°F to 104°F | 0°C to 40°C/32°F to 104°F | 0°C to 40°C/32°F to 104°F | 0°C to 40°C/32°F to 104°F |
| Operating Humidity | 10% to 90% (non-condensing) | 10% to 90% (non-condensing) | 10% to 90% (non-condensing) | 10% to 90% (non-condensing) | 10% to 90% (non-condensing) |
| Storage Temperature | -30°C to 70°C/ -22°F to 158°F | -30°C to 70°C/ -22°F to 158°F | -30°C to 70°C/ -22°F to 158°F | -30°C to 70°C/-22°F to 158°F | -30°C to 70°C/-22°F to 158°F |
| Storage Humidity | 10% to 90% (non-condensing) | 10% to 90% (non-condensing) | 10% to 90% (non-condensing) | 10% to 90% (non-condensing) | 10% to 90% (non-condensing) |
| MTBF (hr) | 50H: 40°C/596100.85308 hr 25°C/945046.81927 hr 50HP: 40°C/402515.716 hr 25°C/665839.12962 hr |
100H: 40°C/353878.1057 hr 25°C/602150.9604 hr 100HP: 40°C/289845.2327 hr 25°C/518347.4294 hr |
200H: 40°C/306768.409 hr 25°C/528037.0106 hr 200HP: 40°C/227747.9662 hr 25°C/392638.3847 hr |
40°C/346653.298 hr 25°C/491775.8384 hr |
40°C/431877.9743 hr 25°C/669031.2966 hr |
| Acoustic noise | - | - | - | 16.86dBA on < 25°C operating temperature, 43.76dBA on full FAN speed |
16.85dBA on < 25°C operating temperature, 47.84dBA on full FAN speed |
| Certifications | |||||
| EMC | FCC Part 15 (Class B), CE EMC (Class B), RCM (Class B), BSMI | FCC Part 15 (Class B), CE EMC (Class B), RCM (Class B), BSMI | FCC Part 15 (Class B), CE EMC (Class B), RCM (Class B), BSMI | FCC Part 15 (Class A), CE EMC (Class A), RCM (Class A), BSMI | FCC Part 15 (Class A), CE EMC (Class A), RCM (Class A), BSMI |
| Safety | LVD (EN62368-1), BSMI | LVD (EN62368-1), BSMI | LVD (EN62368-1), BSMI | LVD (EN62368-1), BSMI | LVD (EN62368-1), BSMI |
1 Actual performance may vary depending on system configuration, network conditions, and activated applications.
2 Maximum throughput based on RFC 2544 (1,518-byte UDP packets).
3 VPN Throughput measurement are based on RFC2544 (1,424-byte UDP packet).
4 Anti-Malware (with Express Mode) and IPS throughput is measured using the industry standard HTTP performance test (1,460-byte HTTP packets). Testing done with multiple flows.
5 Maximum sessions are measured using the industry standard IXIA IxLoad testing tool.
6 Including Gateway-to-Gateway and Client-to-Gateway.
7 The Speedtest result is conducted with 1Gbps WAN link in real world and it is subject to fluctuate due to quality of the ISP link.
8 Requires a Zyxel service license to enable or extend feature capacity. SSL (HTTPS) inspection and Two-Factor Authentication are default
supported features for any registered USG FLEX H device.
9 Local GUI only.
10 Available in Q4, 2025
11 This is the recommend maximum number of concurrent logged-in devices.
Software Features:
Security Service
Firewall
- Routing and transparent (bridge) modes
- Stateful packet inspection
- Source IP Spoofing Prevention
- FTP/SIP ALG
- Dos Prevention (Preventing Flood and Sweep Attacks)
- Per host session limit
- Support External IP Block List
- Flooding detection and protection
Security Policy
- Unified policy management interface
- Support Content Filtering, Application Patrol, firewall (ACL)
- Firewall: SSL inspection
- Policy criteria: source and destination IP address, user group, time
- Policy criteria: zone, user
Intrusion Prevention System (IPS)
- Streamed-based engine
- Signature-based scanning
- Support both intrusion detection and prevention
- Support allow list (whitelist) to deal with false positives involving known benign activity
- Support exploit-based and vulnerability-based protection
- Support Web attacks like XSS and SQL injection
- Automatic new signature update mechanism support
Application Patrol
- Smart single-pass scanning engine
- Identifies and control thousands of applications and their behaviors
- Support up to 25 application categories
- Granular control over the most popular applications
- Real-time application statistics and reports
- Identify and control the use of DoH (DNS over HTTPS)
Anti-Malware
- High performance query-based scan engine (Express Mode)
- Works with over 30 billion of known malicious file identifiers and still growing
- Wild range file type examination
- Support HTTP/SMTP/POP3/FTP scan
Sandboxing
- Cloud-based multi-engine inspection
- Support HTTP/SMTP/POP3/FTP scan
- Wild range file type examination
- Real-time threat synchronization
IP Reputation Filter
- IP-based reputation filter
- Supports 9 Cyber Threat Categories
- Inbound & Outbound traffic filtering
- Support Block and Allow List
DNS Threat Filter
- Block clients to access malicious domain
- Block and Allow List support
- Monitoring or blocking the use of DoH/DoT
URL Threat Filter
- Botnet C&C websites blocking
- Malicious URL blocking
- upport Block and Allow List
External Block List
- Importing malicious IP/URL from external sources
- Works with IP Reputation and URL Threat Filter
Web Filtering
- HTTPs domain filtering
- DNS domain filtering
- Allow List websites enforcement
- Customizable warning messages and redirect URL
- URL categories increased to 111
- CTIRU (Counter-Terrorism Internet Referral Unit) support
- Support Block and Allow List
SSL Inspection
- Deep packet inspection for TLS
- Support inspect TLS1.3
- Support untrusted certificate blocking
- Works with IPS/Anti-Malware/ Sandboxing/Application Patrol/ Web Filtering
Device Insight
- Agentless Scanning for discovery and classification of devices
- View all devices on the network, including wired, wireless, BYOD, IoT, and SecuExtender (remote endpoint) on SecuReporter
- Visibility of network devices (switches, wireless access points, firewalls) from Zyxel or 3rd party vendors
- Visibility of networks devices from Astra Client
Geo Enforcer
- Geo IP blocking
- Geographical visibility on logs
IP Exception
- Provides granular control for target source and destination IP
- Supports security service scan bypass for IPS, Anti-Malware and URL Threat Filter
VPN
IPSec VPN
- Route-based and Policy-based Site to Site
- Client remote access (IKEv2 MS-CHAPv2)
- IKEv2 (EAP, configuration payload)
- Encryption: DES, 3DES, AES (256-bit)
- Authentication: MD5, SHA1, SHA2 (512-bit)
- Perfect forward secrecy (DH groups) support 2, 5, 14-16, 19-21, 28-30
- PSK and PKI (X.509) certificate authentication
- IPSec NAT traversal (NAT-T)
- Dead Peer Detection (DPD) and relay detection
- NAT over IPSec
- SecuExternder VPN Client provision
Support native Windows, iOS/macOS and Android (StrongSwan) client provision - Support 2FA Google Authenticator/ Microsoft Authenticator
SSL VPN
- Client remote access*
- Full/Split tunnel mode
- SecuExtender VPN client provision
- Support 2FA Google Authenticator/ Microsoft Authenticator
Tailscale VPN 2
- Mesh-capable VPN
- Supports native identity providers, including Google, Microsoft Entra ID, Apple ID, etc.
- Supports Windows, Linux, Android, and iOS agents
Networking
Connection
- Routing/Transparent mode
- Ethernet and PPPoE
- NAT and PAT
- VLAN tagging (802.1Q)
- Static route
- Policy-based routing (user-aware)
- Policy-based NAT (SNAT)
- DHCP client/server/relay
- Dynamic DNS support
- Multi-WAN load balancing/failover (Round Robin, LLF, Split over)
- Bandwidth Management
- Link Aggregation support (LAG)
WLAN Management
- Supports AP Controller (APC)
- WPA3 support on 802.11ax AP
- WPA2 Enterprise (802.1x)
- 802.11r/k/v support
- Support auto AP firmware update
- Dynamic Channel Selection (DCS)
- Band steering (Band select)
- Auto healing
- Wireless L2 Isolation
- CAPWAP discovery method
- Multiple SSID with VLAN
- Supports Smart Mesh
Management 2
Nebula Centralized Management
- Centralized device, client, and application usage monitoring (logs and statistics)
- Cloud & on-prem security integrated with smart sync
- Security Profile Sync
- Nebula SD-VPN
- Auto-link VPN
- Manual-link VPN
- VPN Topology
- Monitor device on/off status
- Keep event log up to 1 year
- Firmware upgrade operation
- Remote SSH for accessing device GUI
- Backup and restore firewall configurations (requires Nebula Pro Pack)
Authentication
- Local user database
- External user database
- IKEv2 with EAP-MSCHAPv2 VPN authentication
- Supports 2FA authentication (Google Authenticator, Microsoft Authenticator)
- 802.1x Authentication
- Captive Portal Web Authentication
System Management
- Multi-lingual Web GUI (HTTPS and HTTP)
- Command line interface (console, SSH)
- SNMP v1, v2c, v3
- System configuration rollback
- Configuration auto backup
- Recovery Manager (one-click full backup of configuration, certificates)
- Firmware upgrade via FTP, FTP-TLS
- Firmware upgrade via Web GUI
- New firmware notifications and auto upgrade
- Dual firmware images
Logging and Monitoring
- Comprehensive local logging
- Syslog (to up to 4 servers 1)
- Event Notification and Email alerts
- Real-time traffic monitoring
- Built-in daily report
- SecuReporter supported
* Compatible with OpenVPN Connect
1 Up to 4 servers via CLI, default 2 servers
2 Local GUI only
Why USG FLEX H Series?
The Zyxel USG FLEX H Series is designed to provide robust network security solutions, here are some key differences that set the USG FLEX H Series apart:
- Port Flexibility and Speed: The USG FLEX H Series features multi-gigabit speed support, ranging from 1G to 2.5G and up to 10G, providing greater capacity to accommodate growing network demands. This is particularly beneficial for businesses experiencing rapid growth or increased network traffic.
- Enhanced Performance: The USG FLEX H Series delivers a significant increase in performance, with higher throughputs for firewall, VPN, and Unified Threat Management (UTM). This includes triple performance in these areas compared to the standard competitor firewalls.
- AI-Powered Security: The H Series uses AI-driven cloud intelligence for advanced protection, including features like sandboxing, anti-malware, and DNS/IP/URL filtering. This level of security is particularly important in an era of increasing cyber threats.
- PoE+ Interfaces: The USG FLEX H Series is equipped with Power over Ethernet Plus (PoE+) interfaces, which are not typically found in the standard USG FLEX Series. This feature allows the firewall to power other devices, adding to the flexibility and utility of the network setup.
- Effortless Management with Nebula: The H Series simplifies network management via Zyxel's Nebula Cloud, allowing for easy switching between device GUI and Nebula Control Center. This feature is ideal for businesses looking for streamlined and centralized control of their network security.
- Enhanced User Experience with uOS: The new uOS operating system in the USG FLEX H Series offers a more intuitive and user-friendly interface, which is particularly helpful for network admins who need to manage complex configurations and respond quickly to threats.
- Software-Defined Ports: The USG FLEX H Series allows more flexibility in port configuration (WAN or LAN), supported by next-generation multi-core hardware and Fastpath technology, enhancing both flexibility and performance.
Documentation:
Download the Zyxel USG FLEX H Firewall Data Sheet (PDF).
Pricing Notes:
- Pricing and product availability subject to change without notice.
List Price:
Our Price: $274.99
List Price:
Our Price: $349.99
List Price:
Our Price: $329.99
List Price:
Our Price: $399.99
List Price:
Our Price: $174.99
List Price:
Our Price: $279.99