Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Wi-Fi Router Charts

Click for Wi-Fi Router Charts

Mesh System Charts

Click for Wi-Fi Mesh System Charts

Next-Gen Unified Security Gateway-Performance Series
At a glance
ProductZyxel Next-Gen Unified Security Gateway-Performance Series (USG40)   [Website]
SummaryDual WAN UTM router with Gigabit ports, IPsec and SSL gateways, one-to-one NAT, bandwidth management and more
Pros• Big performance gain over USG20
• VPN solutions for IPSec, SSL, and L2TP
• Powerful application management features
Cons• L2TP configuration is challenging
• More than 10 IPsec & 2 SSL tunnels cost extra
• IPsec client not bundled
• UTM bundle license renewal is very expensive

Typical Price: $463  Buy From Amazon


Updated 12/11/14: Various updates & corrections

In June, ZyXEL introduced its new Performance and Advanced series Unified Threat Management (UTM) devices. The Performance series includes the USG40, USG40W, USG60, and USG60W. The Advanced series includes the USG110, USG210, and USG310.

The Performance series models with "W" indicate Wi-Fi. The USG40W has an integrated N300 class 2.4 GHz only access point and the USG60W has an integrated dual-band N600 class AP. ZyXEL recommends the USG40/USG40W for networks with 1-10 users, and the USG60/USG60W for networks with 10-25 users.

ZyXEL refers to the Performance series devices as "all-in-one Next Generation Firewalls." In this review, I'm going to take a look at the ZyXEL USG40, which is a significant update to the ZyXEL USG20 I reviewed awhile back.


The USG40 is housed in a gray metal case with red trim, similar to ZyXEL's styling for the USG20 and ZyWALL 110. The USG40 measures 9.53"W x 6.89"H x 1.42" H. The power supply is external. Unlike the USG20 and ZyWALL 110, the USG40 has passive cooling, thus it runs silent which is nice if the router is located near humans. The USG40 has adhesive rubber feet for desktop use.

The front of the USG40, as shown in the diagram below, presents the status and port LEDs.



The rear of the USG40, as shown in the diagram below, is where you'll find the RJ45 ports and USB port.



Internally, the USG40 has a single-core Cavium CN6010 CPU, 1 GB DDR3 RAM, 4 GB Flash and a Qualcomm Atheros AR8327-BL1A 7 port Gigabit Ethernet switch. A shot of the USG40 mainboard is below. The USG60 has the same RAM and flash but swaps in a dual-core Cavium CN6020 and adds a Qualcomm Atheros AR8033-AL1A Gigabit Ethernet PHY.

USG 40 Main Board

USG 40 Main Board


The USG40 is a feature-rich device as you can see in the below list compiled from ZyXEL's data sheet and website.

  • (5) 10/100/1000 RJ45 ports
  • (1) USB port
  • OPT port can be used for DUAL WAN or LAN
  • Fanless
Performance Ratings
  • 400 Mbps Firewall throughput
  • 100 Mbps VPN throughput
  • 50 Mbps UTM throughput
  • 20,000 max sessions
  • 802.1Q VLAN (8 VLAN Interfaces)
  • WAN connection failover via 3G and 4G USB modems
  • PPPoE
  • Static routing
  • Dynamic routing (RIPv1/v2 and OSPF)
  • Policy-based routing
  • Policy-based NAT (SNAT)
  • Dynamic DNS support
  • Per host session limit
  • Guaranteed and max bandwidth controls
  • Priority-bandwidth utilization
  • Bandwidth limits per user and IP
  • Dual stack
  • IPv4 tunneling (6rd and 6to4 transition tunnel)
  • DHCPv6
  • 802.11b/g/n 2.4 GHz (USG40W)
  • 802.11a/b/g/n 2.4 GHz & 5 GHz (USG60W)
  • ZyXEL AP Controller (APC) 1.0 compliant
  • IEEE 802.1x authentication
  • Captive portal Web authentication
  • RADIUS authentication
  • Wi-Fi Multimedia (WMM) wireless QoS
  • CAPWAP discovery protocol
IPsec and L2TP VPN
  • Encryption: AES (256-bit), 3DES and DES
  • Authentication: SHA-2 (512-bit), SHA-1 and MD5
  • PKI (X.509) certificate support
  • VPN High Availability (HA): load-balancing and failover
  • L2TP over IPsec
  • GRE and GRE over IPsec
  • NAT over IPsec
  • ZyXEL VPN client provisioning
  • Supports Windows and Mac OS X
  • Full tunnel mode
  • 2-step authentication
  • Customizable user portal
  • UTM features: anti-virus, anti-spam, IDP, content filtering, application intelligence, firewall (ACL)
  • Unified policy management interface
  • Policy criteria: zone, source and destination IP address, user, time
  • Stateful packet inspection
  • User-aware policy enforcement
  • SIP/H.323 NAT traversal
  • ALG support
  • Protocol anomaly detection and protection (ADP)
  • Traffic anomaly detection and protection (ADP)
  • Flooding detection and protection
  • DoS/DDoS protection
  • Anti-malware protection
Intrusion Detection and Prevention (IDP)
  • Routing and transparent (bridge) mode
  • Signature-based and behavior-based scanning
  • Automatic signature updates
  • Customizable protection profile
  • Customized signatures supported
Application Intelligence and Optimization
  • Identifies and controls over 3,000 applications and behaviors
  • Supports over 15 application categories
  • Application bandwidth management
  • Supports user authentication
  • Real-time statistics and reports
  • Kaspersky SafeStream II gateway anti-virus
  • Identifies and blocks over 650,000 viruses
  • Stream-based anti-virus engine
  • HTTP, FTP, SMTP, POP3 and IMAP4 protocol support
  • Automatic signature updates
  • Transparent mail interception via SMTP and POP3 protocols
  • Configurable POP3 and SMTP ports
  • Sender-based IP reputation filter
  • Recurrent Pattern Detection (RPD) technology
  • Zero-hour virus outbreak protection
  • X-Header support
  • Blacklist and whitelist support
  • Supports DNSBL checking
  • Spam tag support
  • Statistics report
Content Filtering
  • Social media filtering
  • Malicious Website filtering
  • URL blocking and keyword blocking
  • Blacklist and whitelist support
  • Blocks java applets, cookies and ActiveX
  • Dynamic, cloud-based URL filtering database
  • Unlimited user license support
  • Customizable warning messages and redirection URL
  • Local user database
  • Microsoft Windows Active Directory integration
  • External LDAP/RADIUS user database
  • XAUTH, IKEv2 with EAP VPN authentication
  • Web-based authentication
  • Forced user authentication (transparent authentication)
  • IP-MAC address binding
  • SSO (Single Sign-On) support
System Management
  • 3-tier configuration: object-based, profile-based, policy-based
  • Role-based administration
  • Multiple administrator logins
  • Multi-lingual Web GUI (HTTPS and HTTP)
  • Command line interface (console, Web console, SSH and TELNET)
  • SNMP v2c (MIB-II)
  • System configuration rollback
  • Firmware upgrade via FTP, FTP-TLS and Web GUI
  • Dual firmware images
Logging and Monitoring
  • Local logging
  • Syslog (to up to 4 servers)
  • Email alerts (to up to 2 servers)
  • Real-time traffic monitoring
  • Built-in daily report

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Don't Miss These

  • 1
  • 2