[Version No.] V4.5R90F02.sp07
[Source Version] V4.5R90F02,V4.5R90F02.sp01,V4.5R90F02.sp01.C236,V4.5R90F02.sp01.C236.HD,V4.5R90F02.sp02,V4.5R90F02.sp03,V4.5R90F02.sp04,V4.5R90F02.sp05,V4.5R90F02.sp06
[Target Version] V4.5R90F02.sp07
[Matching Versions of Collaborative Devices] NTA: V4.5R90F02,V4.5R90F02.sp01,V4.5R90F02.sp02,V4.5R90F02.sp03,V4.5R90F02.sp04,V4.5R90F02.sp05,V4.5R90F02.sp06 ADSM: V4.5R90F02.sp09
1. Policy templates can be added for protection groups.
2. The master and slave DNS servers can be configured. Multiple receivers can be added for a specific mail. At most two server IP addresses can be specified to receive logs via SNMP trap.
3. The cloud authentication function is optimized.
4. The remote assistance function is optimized.
5. Protection rules are added to reflection rules.
6. Local authentication is available for vADS.
7. ADS devices of different models can implement the HA function in in-path mode.
Function changes in V4.5R90F02.sp05:
1. The auto-learning function is optimized.
2. Top 50 attack source IP addresses can be sent via syslog.
3. ADS M descriptions are added to attack logs on ADS.
4. Injection routes can be retrieved.
5. The A interface is upgraded to V3.0.7.
6. The LDP neighbor status will be checked during MPLS injection and the diversion will be withdrawn if the neighbor is found abnormal.
7. The link connectivity check function is added for active-active equal-cost routes and the corresponding diversion will be withdrawn if both routes are abnormal.
8. Access to GRT 240X series bypass switches is supported.
9. ADS 2020E/4020E/6025E and ADS HD6500 can be configured to implement the high availability function in in-path mode.
10. Packets that are captured automatically can be uploaded to ADS M.
11. Packets can be captured manually for protection groups.
12. An API is added to collect basic device information.
13. Some vulnerabilities are fixed.
Function changes in V4.5R90F02.sp04:
1. In ADS clusters, MPLS labels learned by the master device can be synchronized to the slave device. This function can be achieved by selecting MPLS Label Synchronization in the General Settings menu of ADSM clusters.
2. Label injection is available in 6PE environments.
3. On the URL-ACL Protection Rules page under Policies, the URL monitoring function is available through the addition of the Monitor + blacklist action with related configurations to URL Protection Mode.
4. ADS-10000 can collaborate with NSFOCUS Threat Intelligence (NTI) via the switch on the NTI page under Advanced > Advanced Protection.
5. ADS-10000 supports the high availability (HA) function via the switch on the HA Configuration page under System.
6. The number of blacklisted entries synchronized from NTI is increased to 100,000.
7. Amid default and group-specific protection policies, IP behavior control switches are classified in a fine-grained manner and Statistical Period is added for each switch.
8. On the Trusted IP page under O&M > Device Protection Status, the Clear Trust button is added to remove an IP address from the trust list.
9. On the Protection Event Statistics page under Logs > Protection Logs, the Clear Logs button is added to clear logs of finished events.
Function changes in V4.5R90F02.sp03:
1. Reduce the write frequency of CF card
Function changes in V4.5R90F02.sp02:
1. The GeoIP rule adds support of speed-limit
2. The group policy adds three new running-modes:protection,inactive,forwarding
3. The log's management adds the protection event statistics
4. Add synchronization of protocol packet in cluster
5. Optimize the WebAPI of usegroup
6. Modify the memory utilization calculation
7. Reduce the write frequency of CF card
8. Add status collection log service
Function changes in V4.5R90F02.sp01:
1. Update the port check, support more flexible configuration
2. The UDP protection adds bps support
3. The abnormal packet filter moves into group
4. Update logo
5. Do not support the upgrade of devices have 8G RAM
Function changes in V4.5R90F02:
1. HTTP protection is expanded to cover URLs.
2. Users are allowed to configure different HTTP protection policies for mobile devices and PCs.
3. Real source IP addresses that attempt to access target servers via proxies can be blacklisted.
4. Real source IP addresses that attempt to access target servers via proxies can be whitelisted.
5. For real source IP addresses that attempt to access target servers via proxies, users are allowed to implement IP behavior control by limiting the traffic rate of GET packets.
6. On the web-based manager, users can choose to display group- and URL-related traffic information on the real-time monitoring page.
7. Statistics about packets dropped according to protection policies are added and attack log information is expanded to cover protection policies.
8. On the web-based manager, a new user role with custom access is added.
9. Task details and packet information are also displayed for manual packet capture tasks.
10. A button is added for users to configure various static protection policies based on packet information.
11. Key NTP synchronization information is added in the operation log.
12. In the CLI window, users are also allowed to configure load balancing by means of port channels.
13. The GeoIP library is updated, allowing users to query the country/region of an IP address on the web-based manager.
14. Service modules covered by the license are also displayed.
15. OIDs of service interfaces are added for the SNMP agent.
16. A switch is added, allowing users to control whether to enable abnormal packet filtering globally.
17. In the blacklist of source IP addresses added by using algorithms, destination IP addresses are added.
18. In the console user interface, commands are added for enabling and disabling the web service.
19. MS SQL and CLDAP reflection protection and related attack types are added.
20. Users are allowed to specify a port for ADS M that is configured as the management platform.
21. The cloud signaling function is added for handling high-volume traffic.
22. ADS 8000 can now be deployed in in-path mode.
23. ADS 10000 supports more management devices.
24. A new model of external bypass switch, BP2301, is added.
[Fixed Bugs] 195588 ADS memory surges to 85% in log and SNMP monitoring. 194215 On the Real-Time Monitoring page, LEDs are red for both power supply 1 and 2 and temperatures are 0 for both the CPU and motherboard. 171116 A stored cross-site scripting (XSS) vulnerability exists in the description of manual diversion. 196997 [If the traffic diversion is ongoing, an injection interface, whether related to the diversion or not, cannot be deleted from the Injection Interfaces page. 193992 If an IP segment is specified for protection in an injection route, this route can be disabled or deleted even during the ongoing traffic diversion of such segment. 196959 The function of editing static MAC addresses in the MAC address table does not work. 197696 ADS is already properly connected to NSFOCUS cloud, while the connection status is displayed as offline. 196318 In CLI, when the info_collect start command is run, an error message is displayed. 199262 When "forbid all" is enabled as the access control rule and the configured DNS server network is inaccessible, it takes a long time to apply or save settings. 201276 – If injection route inspection is canceled, manual diversion fails after being enabled. 201196 – For diversion of an IPv6 segment with a 120-bit prefix, if you choose to list all IPv6 addresses in this segment, IPv6 addresses with all zeros in the last 16 bits are left out when it comes to diversion route dispatch. 201601 [External bypass switch] The password option is absent during the configuration modification of the BP2100 switch. 201327 [External bypass switch] The web page becomes unresponsive when users view the status of the BP2100 switch. 201477 [SSL license import] An SSL certificate with a private key cannot be imported on the web-based manager and a private key mismatch error is displayed during the import.
Fixed bugs in V4.5R90F02.sp06: Bug 196954: If the protected IP segment for an injection route has a prefix within the range of 48–64, traffic diversion may fail for certain IP addresses within the segment. Bug 196995: A static MAC address cannot be added for an IPv6 address with a prefix smaller than 64 configured for an injection interface. Bug 196749: Some country names involved in GeoIP rules are not translated into English.
Fixed bugs in V4.5R90F02.sp05: Bug 193338: An error will be reported when the watermark protection policy involving a port range is dispatched via an API. Bug 195056: When the delete_ip API is used to delete IPv6 addresses from a protection group, it delete others than the specified ones. Bug 194612: If an IP address is specified for an injection interface before the interface is added to a port channel, this port channel does not take effect. Bug 195361: Neither the conflict check nor prefix length check is performed for IP subnets (in the format of IP address/prefix length) added via CLI. Bug 192820: No limit is placed on the number of protection groups that can be created via CLI. Bug 190767: When an IP address is added through CLI to a protection group created via CLI, multiple group_IP parameters will appear. Bug 195000: Protection groups cannot be incorrectly filtered by IP address or protection group name. Bug 190562: IPv6 addresses of RST attack sources are added to the trust list. Bug 192821: Statistical graphs of attack logs may show incorrect statistical results. Bug 190114: Equal-cost routes are not supported for label injection. Bug 189963: Contents related to the new status collection log service are not translated into English. Bug 192503: Blacklisted IP addresses, though deleted on the web-based manager, appear in the blacklist again upon the system restart. Bug 195173: For a blacklist that fails to be imported to the system, IP addresses in it are already written into the configuration file. Bug 194248: Once cloud-based authentication succeeds, the system will automatically disable packet forwarding.
Fixed bugs in V4.5R90F02.sp04: Bug179645 [Diversion] When manual traffic diversion is added, selecting 15 BGP daemons will cause a diversion dispatch failure. Bug180559 [Cluster] In an ADS cluster environment, default distributed DDoS protection parameters are synchronized repeatedly. Bug181456 [URL_ACL] No limit is placed on how many URL-ACL rules can be configured via the web API or CLI. Bug187427 [Group] The web-based manager and web APIs fail to perform strict duplication checks on IP addresses involved in protection groups. Bug181461 [Group] Group description cannot be set via CLI. Bug181493 [Group] When the number of protection groups reaches the upper limit, policies of the last added group fail to be dispatched to the engine.
Fixed bugs in V4.5R90F02.sp03: Bug187477 When SIP protection algorithm sending reverse detection packet, the checksum value is not correct, caused the client cannot joining the trust list
Fixed bugs in V4.5R90F02.sp02: Bug174887 The sroute command in CLI prints redundant information when netmask is wrong Bug177278 Querying diversion routing table using ipv6 will leads web to be stuck when more than 1000 diversion routing tables Bug177280 Calling WebAPI concurrently will throws an error Bug177362 Importing blacklist does not delete duplicated records Bug180670 The ipv6 cannot add into blacklist when ipv6 addresses occur hash conflict Bug181362 Reboot device, clear the IP configurtion, then click the save button, the IP still can be seen in the ifconfig's output Bug171573 Can not search the protection group through IP in the network segment
Fixed bugs in V4.5R90F02.sp01: Bug170962 The cancel action of enable by default in filtering rules of traffice diversion will write into log Bug171838 Fix the RCE bug exists in the web page of telnet Bug168675 Preview the license file by FireFox, the license file will disappear after click the back button Bug171912 The page has hint only ten seconds later when import the license file Bug173167 Deleting IP from group configuration which has URL rules, no url rules check Bug173458 The http fingerprint acquisition of some ipv6 packet fails Bug173160 The useragent rule of webapi's document needs to add examaple and state of sync interface Bug173516 Change the caputre from TCP to others, the effective capture is still tcp Bug173800 Editing the group configuration will display ip conflict, while there is no ip conflict actually Bug174172 Enable the MPLS label learning, the functions of injectction and diversion will be abnormal, when there are too many injectction configurations; Bug174533 The DNS algorithm NO.1 will report two attack logs, this will lead traffic statistics to double Bug174538 The http's CC algorithm appears COLLLCC repeatedly Bug175343 The web page of manual diversion is blank when there are more than 80000 manual diversion configurations Bug175258 The webapi's processing capacity is 0
- END -