All devices are assembled in 1U-high metal cases of different widths, so you can install them in a telecom cabinet or simply on a desk, in the spirit of edge deployments.
As for VPN, it supports up to 200 simultaneous IPsec tunnels and 50 SSL tunnels, as well as Microsoft Azure and Amazon VPC. The SSL VPN tunnel connects to the gateway on port 443 to reach the private network. The VPN client can be downloaded directly from the gateway, or rather from its web interface. The OpenVPN standard is not supported, probably because of the SoC's limited performance.
Interestingly, there is no firewall in the form of a table with Accept/Drop/Forward checkboxes, and from my point of view this is a minus: however much you wrap everything up as services, you should always leave the administrator the option of writing rules manually through the web interface.
Of course, the highlight of the ATP-series is all sorts of filters that protect you from:
- Intrusions into your network from the Internet
- Infiltration of infected files and Trojans into the network
- DoS and DDoS attacks
- Visits by your employees to questionable sites
All this filtering works transparently for the user, and even the device administrator can only enable or disable a particular filter and choose the categories of unwanted sites from those offered. For an integrator or an intermediary company that needs to deploy network protection quickly and hand all the work of the device over to the vendor, this is a gift, but if you are used to configuring everything thoroughly, you will be disappointed.
For example, the Zyxel ATP 500 uses DNSBL technology, blacklisting addresses from which malicious traffic originates. You cannot define or configure the subscription sources, and if everything is enabled with the default settings, even large websites lose their normal appearance.
In part this is due to the blocking of ads and trackers. These days everyone and their dog blocks this stuff, and I must say, very effectively.
Under a powerful DDoS attack you will have no choice but to fend off entire countries and continents, above all those with a dubious reputation. Of course, you can limit traffic in advance to only the regions you work with, blocking, for example, Vietnam, all of Africa or all of Eastern Europe if necessary. But this has to be done manually: there is no handy setting such as "1000 hits from Africa, block the entire continent", though for a corporate network this is, on the whole, not a problem.
Anti-virus protection, the so-called "Sandbox", works completely transparently for the user: infected files are neutralised by the security gateway (overwritten with zeros). This works both when browsing the web and when scanning mail, and to detect threats effectively in web traffic over HTTPS you only need to create the appropriate profile.
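The threshold rule the author wishes the gateway had, as an added example (not Zyxel's code, and the event line format and country-to-continent map are constructed assumptions): aggregate dropped connections by continent and report the continents that cross a threshold, so an administrator can decide which regions to disable by hand.

```python
"""Threshold-based geo-blocking recommendation over constructed gateway events."""
from collections import Counter
import re

# Constructed sample of gateway events; the syntax is assumed, not Zyxel's real log format.
SAMPLE_EVENTS = """\
2019-11-03 10:01:12 src=203.0.113.7 country=VN action=drop reason=ids
2019-11-03 10:01:13 src=198.51.100.21 country=NG action=drop reason=ids
2019-11-03 10:01:14 src=198.51.100.22 country=NG action=drop reason=dnsbl
2019-11-03 10:01:15 src=192.0.2.9 country=DE action=drop reason=ids
2019-11-03 10:01:16 src=198.51.100.30 country=ZA action=drop reason=ids
2019-11-03 10:01:17 src=192.0.2.10 country=DE action=allow reason=-
"""

# Constructed subset of an ISO 3166 country code -> continent map.
CONTINENT = {"VN": "Asia", "NG": "Africa", "ZA": "Africa", "DE": "Europe", "US": "North America"}

EVENT_RE = re.compile(r"src=(?P<src>\S+) country=(?P<cc>[A-Z]{2}) action=(?P<action>\w+)")


def count_hits_by_continent(log_text: str) -> Counter:
    """Count dropped events per continent; unknown country codes are tallied as 'Unknown'."""
    hits = Counter()
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m or m.group("action") != "drop":
            continue  # malformed line or allowed traffic: not a hit
        hits[CONTINENT.get(m.group("cc"), "Unknown")] += 1
    return hits


def continents_to_block(log_text: str, threshold: int, allowlist=()) -> list:
    """Continents whose drop count reaches the threshold, minus the ones you do business with."""
    hits = count_hits_by_continent(log_text)
    return sorted(c for c, n in hits.items() if n >= threshold and c not in allowlist)


if __name__ == "__main__":
    print(count_hits_by_continent(SAMPLE_EVENTS))
    print(continents_to_block(SAMPLE_EVENTS, threshold=3, allowlist=("Europe",)))
```

In production the threshold would be the "1000 hits" of the author's wish and the allowlist the regions the company actually works with; the output is a recommendation for the manual country blocks the review describes, not an automatic change.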
But how many times have you seen forum posts crying "Help me block YouTube on MikroTik?" Here the answer is as clear as day: all the sites in the world are divided into categories, and the lists are updated regularly as part of the Zyxel service. You can block whole types of sites, such as pornographic or entertainment content, and put YouTube on a separate line in the blacklist so that the enemy does not get through your barrier.
Interestingly, filtering is applied per interface, that is, you can configure some rules for the VPN and others for GE/2, and thus enforce a separation of powers within your organization.
The Zyxel ATP 500 allows you to create up to 64 VLANs, tying them to physical or logical ports. Among the standard router functions, port forwarding and NAT are available.
The access point controller logically combines hotspots into groups, allowing you to create different WLANs on the site. IEEE 802.11 g/r seamless roaming, rogue access point detection and automatic radio calibration are supported. When access points are captured by the controller, their own management interface is disabled, so you do not have to worry about the security of the hotspots.
For mesh, Zyxel uses its proprietary ZyMesh protocol, which differs from a traditional mesh network. In an ordinary mesh, the entire network is peer-to-peer and the access points are equals: a large network may not even notice the loss of one access point, and the connection between hotspots runs both over Wi-Fi and over the wire. In ZyMesh, you assign the roles of root hotspots and repeaters.
The former are connected to the Internet only by cable, and both kinds reserve one of their radio modules (2.4 GHz or 5 GHz) for the backhaul channel. Relative to the root hotspots, repeaters can be organized in a chain or a star; some analogue of STP is also used to find the fastest route, but communication between repeaters takes place only over the radio channel.
In general, ZyMesh was first described back in 2015, at the first stage of the transition from WDS to peer-to-peer networks, but today, at the end of 2019, I cannot give you any reason why ZyMesh is better than the usual mesh implemented, for example, in the Zyxel Multy X. However, if the number of hops over which you scale a wireless network is small, say 2-3, then the topology is not so important, and even at the edge of such a network clients will get a speed of about 70-80 Mbit/s.