ZyXEL USG60W UTM review

ZyXEL’s affordable USG60W could be the perfect all-in-one security appliance for SMBs.

IT Pro Value
  • Top value; Extensive security features; 2.4GHz and 5GHz wireless; Fan-less appliance
  • UTM performance less than claimed; Some features complex to set up

ZyXEL's next generation of UTM appliances offers small businesses a one-stop shop for all their gateway security needs. Along with an SPI firewall and support for IPsec and SSL VPNs, they can be beefed up with web content filtering, anti-virus, anti-spam, IDP and ZyXEL's own application patrol.

The USG60W on review goes one step beyond as it provides dual band 5GHz and 2.4GHz wireless services and can manage up to 10 wireless APs. The USG60W supports 60 users although this is more a limitation of the hardware as ZyXEL doesn't employ a per-user licensing scheme.

It hits the spot for value as the base appliance with firewall and support for 2 SSL VPNs costs a shade under 300. A full one year bundle with all security services pushes this to only 348.

The appliance has Gigabit all round with four LAN ports and two for WAN connections where it can perform load balancing or failover. The two USB ports support storage devices for storing logs, or mobile broadband adapters which can be used for failover.

The dashboard uses status widgets which can be easily moved around as required

Easy deployment

To deploy the USG60W just point a web browser at its default address and follow the quick start wizard. This is designed to get Internet access up and running first so it can download the latest firmware.

ZyXEL's web console opens with a tidy dashboard using widgets for various status readouts. You can decide which widgets you want to see and customise the dashboard by dragging them around to suit.

The four LAN ports can be grouped into one of three zones each with their own DHCP server. The appliance defaults to having all ports as members of the LAN1 zone but it's easy enough to change them.

It's worth sorting out your network objects next as these define things such as users, groups, services, schedules, applications and wireless AP profiles. When creating security policies you'll find objects are referenced in most of them.

The UTM components include anti-spam which is configured using profiles and rules

Security policies

Each port zone is assigned a security policy with firewall rules defining inbound and outbound routes, time schedules, users and services. UTM profiles are enabled within policies and for web content filtering you can create multiple profiles and choose from over 60 URL categories to block or allow. 

For IDP profiles you have preconfigured rule sets which can be tweaked to suit. Kaspersky handles anti-virus duties but there isn't much to do here as you just decide whether to have it destroy infected files, log all activities and peer into ZIP and RAR archives.

The USG60W functions as a transparent gateway so it can scan email straight from the box. First, you enable the sender reputation, mail content analysis and virus outbreak detection global features and then create profiles that log, drop or tag suspected spam messages.

The appliance can send web filtering data to ZyXEL's web portal for use in graphical reports

Application patrol and wireless

The application patrol feature controls a wide range of apps and ZyXEL provides details of over 3,000. These include apps such as IM, P2P, VoIP, media streaming, file transfer and mail.

You define application objects first, where you search by category through the list and choose those you want to control. Now you can add the objects to a profile and decide whether to allow or deny this traffic.

There are some useful management tools for social networking with both Facebook and Twitter on the list. For the latter you can decide whether to allow users to tweet, follow or post messages while for Facebook you only have options to block users logging in or accessing media.

Separate objects are used to control the 2.4GHz and 5GHz radios and each can present up to 8 SSIDs. Profiles defining a security scheme are assigned to each SSID and you can block users on one SSID from seeing those on another. 

The lab's Ixia Xcellon-Ultra NP blades recorded an average of 65Mbits/sec with AV and IDP enabled

Ixia performance tests

We tested performance with the lab's Ixia XM2 chassis and its two Xcellon-Ultra NP blades. ZyXEL claims a raw firewall throughput of 1,000Mbits/sec but this test doesn't give an indication of real world speeds as it only uses lightweight UDP packets.

With an IxLoad test configured for 512KB HTTP web pages, we saw firewall throughput of around 180Mbits/sec. With AV enabled in our policy, this fell to 70Mbits/sec, which is 20Mbits/sec less than ZyXEL claims.

UTM performance stayed fairly steady: with IDP also enabled, performance dropped marginally to 65Mbits/sec. We can't argue with ZyXEL's claim of 40,000 concurrent connections (CCs) as with 1-byte web pages and a 50,000 CC load objective, IxLoad reported a tidy 39,998 CCs.

Reporting and conclusion

The console's monitor tab provides statistics tables on all UTM components, interfaces and traffic plus managed wireless APs and clients. It also sends web content filter data to ZyXEL's web portal where you can pull up graphical reports on blocked or allowed categories and URLs.

Small businesses may struggle with the complex relationship between the numerous security policies and profiles but it's worth persevering as they offer a versatile range of security measures. The price for a 1-year bundle is remarkably low and made all the more tempting by the integral dual-band wireless and AP management features.


The USG60W offers an impressive range of security measures and tops them off with dual-band wireless. Configuration can get complicated but small businesses will be hard pushed to find better value elsewhere.

Chassis: Desktop/rack mount chassis

Network: 6 x Gigabit (2 x WAN, 4 x LAN/DMZ)

Wireless: Concurrent 5GHz and 2.4GHz - 802.11a/b/g/n

Other ports: 2 x USB2, serial port

Power: External PSU

Management: Web browser

Warranty: 5 years
