| Description:
[Version No.]
V4.5R90F07
[Source Version]
V4.5R90F06
V4.5R90F06.sp01
V4.5R90F06.sp02
V4.5R90F06.sp03
V4.5R90F06.sp04
[Target Version]
V4.5R90F07
[Matching Versions of Collaborative Devices]
NTA: V4.5R90F02 to V4.5R90F07
ADS M: V4.5R90F07
ADBOS: V4.5R90F07
[Function Changes]
1. Added time sequence check controls under Policy > Hardware-Side Control.
2. Added SYN-ACK, ACK, UDP, ICMP, DNS query, and DNS response time sequence checks in group policies.
3. Added botnet & IP connection anomaly detection as a new group policy.
4. Added the QUIC protection policy for group protection.
5. Added threshold auto-learning for carpet bombing protection.
6. Added support for DNS flood detection under carpet bombing protection.
7. Added the Target Type parameter (values: Dst IP and Dst IP+Dst port) for carpet bombing protection.
8. Optimized GeoIP rules: Users can configure a GeoIP rule by specifying a protocol, a port, and multiple source locations, and rules in the list can be moved up or down.
9. Modified the Protection Port parameter in the group-specific HTTPS protection policy, allowing users to specify multiple ports.
10. Modified the Method parameter in HTTP keyword checking rules by providing more methods for selection.
11. Added support for the scenario where both IPv4 and IPv6 proxies are used.
12. Added the Packet Length Range parameter in reflection protection rules.
13. Added support for change of the scope of IP addresses matched against the threat intelligence database in the CLI.
14. Increased the threshold of traffic control by dst IP in group policies.
15. Added BGP FlowSpec diversion under Diversion & Injection.
16. Added support for port synchronization of IN/OUT interface pairs.
17. Added SSL as an encrypted transmission method for log sending via email.
18. Added support for import and export of only specified configurations.
19. Added support for export of access control rules.
20. Added support for retrieval of web API logs.
21. Increased the use of messages requiring a system restart to cover more scenarios.
22. From F07 onwards, some upgrade packages may not require a system restart after being installed.
23. The name of an imported SSL certificate can contain at most one dot (.).
24. Added support for viewing of the BGP/LDP settings and neighbor status in the CLI.
25. Deleted the built-in blocklist.
26. Deleted the Severity column in the attack log.
27. Removed the Save button from the web UI.
28. Modified some parameters in group DDoS protection policies: changed Threshold 1 to Mitigation Threshold, changed Threshold 2 to Rate Limit, and moved Threshold 2 for SYN flood protection to TCP Control Parameters as a SYN control parameter with the new name of Reverse Detection Rate.
29. Added Yes/No for turning on/off the reverse detection rate control for DNS queries.
30. Modified the IP Address field for management platform configuration, allowing users to configure a CIDR block (IP/mask).
[Fixed Bugs]
ADS-58591 [Policy] ADS in in-path mode scrubs traffic on the OUT interface, though it is not supposed to, when a reflection protection rule, programmable protection rule, allowlist, or LAND protection policy is triggered.
ADS-59875 [Attack log] A rack-mounted device generates a lot of attack logs when multiple boards become faulty and there is no service traffic at all.
ADS-60017 [Traffic diversion log] Sometimes logs cannot be properly loaded on the page.
ADS-57894 [Manual traffic diversion] If there are multiple enabled manual diversion rules that contain overlapping IP addresses, after one rule is disabled, the active routes on the Diversion Routing Table page do not match the manual diversion rules.
ADS-60001 [Injection route] After injection routes are synchronized to a secondary device, disabled routes are still working on the engine of the secondary device.
ADS-58953 [External bypass] Sometimes the external bypass cannot be disabled.
ADS-58523 [Management interface access control] Sometimes a blocked IP address can still access the device.
ADS-54844 [Rack] A rack-mounted device occasionally encounters these failures: license update failure, failure to obtain board resources, and IPMItool command execution failure.
ADS-58564 [Group diversion] When a user attempts to modify the IP addresses of a protection group, for which a group diversion rule has been configured, the system displays a pop-up message saying "undefined."
ADS-59915 [System resources] The CPU temperature of an HD4500 model displayed on the Real-Time Monitoring page is much lower than the actual temperature.
ADS-60065 [Attack traffic statistics] Traffic statistics shown in the traffic trend and attack traffic charts are not accurate.
ADS-60008 [HA] Configuration synchronization fails on ADS in active/active mode.
ADS-59876 [GeoIP] Group-specific GeoIP rules added after policies for that group are deployed do not take effect until group policies are deployed again.
ADS-58951 [System resources] The disk status indicator on the Real-Time Monitoring page of the web-based manager is red, but the disk is actually available.
ADS-60071 [User management] In the case of TACACS+ authentication, when the password expires, a message is displayed, prompting the user to change the password. In fact, TACACS+ authentication should not check the password age.
ADS-60093 [HA] After the IP address of the management interface is changed, Local IP on the HA edit page cannot be changed accordingly.
ADS-60094 [System] When the device is powered up with the hard drive removed, Apache fails to start, resulting in web pages being inaccessible.
ADS-60097 [Compatibility] Some browsers do not support Ukey authentication.
[Web API Changes]
1. load, sync, add, and setup methods of the GeoIP endpoint: parameter changes
2. load, sync, add, and setup methods of the defenderGroup endpoint: parameter changes
3. load, sync, add, and setup methods of the defenderGroupTemplate endpoint: parameter changes
4. load, setup, and add methods of the SegScanProtection endpoint: parameter changes
5. learn_load, learn_start, learn_setup, learn_stop, and learn_result methods of the SegScanProtection endpoint: new methods
6. load, add, setup, and delete methods of the FlowSpec endpoint: new endpoint
7. load, route_load, add, setup, delete, enable, and disable methods of the FlowSpecCluster endpoint: new endpoint
[Notes]
1.Devices with a 2 GB CF card cannot be upgraded to this version. In the upgrade process, if a message is displayed, saying that pre-upgrade processing failed, check whether the device uses a 2 GB CF card. If so, contact the after-sales personnel for the replacement of a larger card before upgrading the system.
2.This upgrade package only supports the following models for upgrade:
HD1000,HD2500,HD4500,HD5000,HD6000,HD6500,HD8500,VN01,8000,10000,12000,20000
- END -
|