[Version No.]
V4.5R90F06.sp03

[Source Version]
V4.5R90F06, V4.5R90F06.sp01, or V4.5R90F06.sp02

[Target Version]
V4.5R90F06.sp03

[Matching Versions of Collaborative Devices]
NTA: V4.5R90F02 to V4.5R90F06.sp02
ADS M: V4.5R90F06.sp03
ADBOS: V4.5R90F06.sp03

[Function Changes]
1. JA4 and JA4S fingerprint templates are added for SSL/TLS keyword checking.
2. Smart identification is added for carpet bombing protection.

Function changes in V4.5R90F06.sp02:
1. The heartbeat API now also sends hardware status information.
2. The manual traffic diversion rules support one-click operations.
3. The MTU can be configured for a GRE tunnel.
4. The Policy page is easier to use.
5. UDP sessions can be checked.
6. The number of group-specific ACL rules is increased.
7. IP addresses on a manual allowlist will not be subject to pattern matching rules, IP and group rate limiting, or other policies.
8. The botnet & IP behavior control policy provides more granular traffic statistics.
9. Protocols of a port channel can be synchronized.
10. Time sequence check rules can be configured for the 3-SeqCheck SYN protection algorithm.
11. Trust association is added to a UDP protection policy.
12. The Trust Scope can be set to Group.

Function changes in V4.5R90F06.sp01:
1. Attack logs now show proxy IP address and payload data.
2. Restoration of default configurations and deletion of all logs can be done on the console of ADS.
3. The SNMPGET command obtains the device name.
4. The TI database can be updated via a proxy.

[Fixed Bugs]
ADS-57935 [Blocklist] In most cases, concurrent addition of entries to the blocklist through the web API will fail.
ADS-58492 [Collaboration with ADBOS] Sometimes, data reported in short intervals contains errors. Occasionally, an empty archive is sent.
ADS-58499 [ADS_SNMP] Abnormal values are provided in the case of the SNMP agent failing to send memory data in an unsolicited manner.
ADS-58558 [BGP Routing Parameters] When the neighbor parameter passive is set to yes and eBGP Multihop is empty, applying the configuration results in an error.
ADS-58583 [Traffic Statistics] Incorrect TCP traffic statistics reported to ADSM after ACK attack packets are dropped.

Fixed bugs in V4.5R90F06.sp02:
ADS-57881 [ADS_manual diversion] The web-based manager is stuck for a long time when the traffic of /8 IPv4 addresses is manually diverted.
ADS-57893 [SNMP] On a device with hard disks, the disk usage obtained through SNMP is 0, which is inconsistent with the value shown on the Real-Time Monitoring page.
ADS-57944 Disk status is in red by mistake.
ADS-58252 The system memory usage is exhausted by accumulated XML files.
ADS-58300 After successive system upgrades, one rollback, and system restart, a system exception occurs.
ADS-58310 [ADS_blocklist] A global blocklist file imported and saved occasionally fails to load after immediate system restart.
ADS-58315 After a formal license expires, vADS no longer provides protection due to failure to send authentication requests to the cloud.

Fixed bugs in V4.5R90F06.sp01:
ADS-57716 [ADS_injection route] In the case of primary-secondary injection routes, the IP address can be pinged, but the injection route occasionally shows block.
ADS-57827 [ADS] Enabling HTTPS algorithms occasionally crashes SSL and cfeapp.
ADS-57843 [Route] The long-uptime device fails to learn MPLS labels.

[Web API Interface Change Description]
1. For carpet bombing protection, smart_switch is added for load, setup, and add actions.
2. For SSL/TLS keyword checking, more template options are added for load, setup, and add actions, and new parameters check_type, fingerprint_result, and fingerprint_original are added.

Web API interface changes in version V4.5R90F06.sp02:
1. Parameters related to UDP trust association, UDP session check, and time sequence check rules for the 3-SeqCheck SYN protection algorithm are added to the defenderGroup and defenderGroupTemplate interfaces.
2. Parameters are added to the load and sync actions under the flagset interface.
3. Parameters are added to the search action under the trustStatus interface.

Web API interface changes in version V4.5R90F06.sp01:
1. The parameters for the load action under the NTI interface are modified.

[Important Notes]
None.

- END -

[Version No.]
V4.5R90F06

[Source Version]
V4.5R90F05, V4.5R90F05.sp01, V4.5R90F05.sp02, or V4.5R90F05.sp03

[Target Version]
V4.5R90F06

[Matching Versions of Collaborative Devices]
NTA: V4.5R90F02 to V4.5R90F06
ADS M: V4.5R90F06
ADBOS: V4.5R90F06

[Function Changes]
1. The SSD firmware version can be displayed via CLI.
2. The IP of protection groups supported by the ADS NX5-HD8500 model is increased to 524,287.
3. A BGP neighbor can be configured to work in active (Passive Mode set to No) or passive (Passive Mode set to Yes) mode.
4. Allowed access IP addresses can be configured for SNMP agents.
5. The Server Name Indication parameter is added for a SSL/TLS keyword checking rule.
6. For a DNS protection policy, two CNAME protection algorithms (5-DNS_CNAME and 6-DNS_NS&CNAME) are added, and the original 3-DNS_CNAME is renamed to 3-DNS_NS.
7. The HTTPS fingerprint protection policy is added for protection groups.
8. Carpet bombing protection is moved from Anti-DDoS > Protection Groups and Access Control to become an independent element under Anti-DDoS.
9. Both the global and group-specific DNS subdomain allowlists support auto-learning.
10. Custom information can be added to syslog logs.
11. The built-in bypass function can be controlled via web APIs in the in-path mode.
12. The PCAP files obtained from an attack-triggered packet capture task can be directly uploaded to ADS M.
13. The policy configured for a protection group can be saved as a group policy template.
14. When an IP address included in a new protection group is in use by another protection group, it can be automatically added to the exception IP list of that group.
15. The SSD/CF card status is now displayed on the web-based manager.
16. The web-based manager is easier to use.

[Fixed Bugs]
ADS-52605 [ADS_manual diversion] A manual diversion rule dispatched by ADS for specific IP addresses in a subnet contains neither the network address nor broadcast address when viewed on the router.
ADS-54768 [SNMP] HA logs are sent via SNMP traps at the specified frequency, regardless of no new log.
ADS-55245 [SNMP trap] Power value shown in SNMP traps is incorrect.
ADS-54847 [ak4] On the interface card of 4 x 1000M electrical port + 4 x 1000M optical port, the optical ports are incorrectly displayed as electrical ports.
ADS-55439 [Blocklist] Failed to add, query, or delete an IP address starting with 0, with an error indicating incorrect format.
ADS-56474 [Protection group] Failed to delete a protection group that has been created before the engine starts.
ADS-56503 [Protection group-specific ACL] Failed to create ACL rules in the case that only the default protection group exists, with an error indicating the IP address is in use by another protection group.
ADS-57401 [Cluster synchronization] The injection routes repeatedly synchronize in a cluster.
ADS-57661 [Protection group] If the total number of IP addresses in protection groups is large, adding or deleting IP addresses takes a longer time than expected.

[Web API Interface Change Description]
1. The parameters for load, add, setup, and sync actions under the defenderGroup interface are modified.
2. The parameters for load, add, setup, and sync actions under the defenderGroupTemplate interface are modified.
3. The parameters for load_on_attack_events and edit_on_attack_events actions under the autocapture interface are modified.

[Important Notes]
If carpet bombing protection is enabled and effective for groups, but disabled for a specific group before the upgrade, the default carpet bombing protection rule is disabled after the upgrade. In this case, new carpet bombing protection rules should be configured as required.

- END -