[License Type]
NX3-HD2200、NX3-HD2100、NX3-HD3000、NX5-HD3500、NTA VM
[Source Version]
V4.5R90F06,V4.5R90F06SP01
[Target Version]
V4.5R90F06SP02
[Matching Versions of Collaborative Devices]
ADS: V4.5R90F06SP02
ADSM: V4.5R90F06SP02
TAT: V2.0.0
MF: V4.5R90F01SP08,V4.5R90F01SP09,V4.5R90F01SP10
[Function Description]
1. FlowSpec diversion supports a new action redirect_ip, in compliance with draft-ietf-idr-flowspec-redirect-ip-02.
2. Added top 5 protocols, top 5 applications, top 5 countries/regions, top 5 packet lengths, and top 5 DSCPs in statistics sent to the cloud scrubbing platform.
3. Hardware status information can be sent to the cloud scrubbing platform via the heartbeat interface.
4. Fixed known bugs.

[Important Notes]
1. The web-based manager is inaccessible during system updating.
2. All engines are stopped during system updating.
3. After updating is complete, users need to refresh the web page as prompted.
4. During the upgrade, it is normal that the web-based manager displays an error message "502 Bad Gateway" or directly denies your access request.
Please refresh the web-based manager 5 minutes later, and then check Product Version in About. If the version is V4.5R90F06SP02, the upgrade succeeds.

[Bug List]
NTA-14173 [Web API validation] BGP diversion parameters in network segment-specific diversion policies need integrity checks.
NTA-14082 [Diagnosis – fault diagnosis] One-click information collection for troubleshooting may fail when there are a large number of logs.
NTA-12703 [FlowSpec] Continuous alerts trigger FlowSpec diversion. After this diversion route is manually withdrawn under Configuration > Global Divert Settings > BGP FlowSpec, FlowSpec diversion cannot be triggered again by the same alerts.
NTA-4515 [Diversion controller] After dual FlowSpec routes are withdrawn in bulk, only one such route can work when traffic is large enough to trigger FlowSpec diversion again.
NTA-14545 [SNMP] After FlowSpec diversion (redirect) is triggered, related logs cannot be sent via SNMP traps.
NTA-11434 [FlowSpec] A single IP address triggers multiple DDoS alerts, which, in turn, trigger FlowSpec diversion. After one of the routes ages out, diversion by the router will stop.
NTA-14565 [FlowSpec] Max Routing Entries does not work in BGP FlowSpec settings.
NTA-14576 [FlowSpec] The diversion allowlist does not work for automatic FlowSpec diversion.
NTA-14577 [FlowSpec] After the FlowSpec process is restarted, the ongoing alerts cannot trigger FlowSpec diversion again.

[License Type]
NX3-HD2200、NX3-HD2100、NX3-HD3000、NX5-HD3500、NTA VM
[Source Version]
V4.5R90F06
[Target Version]
V4.5R90F06SP01
[Matching Versions of Collaborative Devices]
ADS: V4.5R90F06SP01
ADSM: V4.5R90F06SP01
TAT: V2.0.0
MF: V4.5R90F01SP08,V4.5R90F01SP09,V4.5R90F01SP10
[Function Description]
1. Email notifications of diversion logs indicate the region/IP group/Default a destination IP address belongs to.
2. Diversion logs, audit logs, and FlowSpec diversion logs can be filtered by IP range.
3. A unit of time is added for Diversion Hold Time in the diversion policy creation and edit dialog boxes.
4. Known bugs are fixed.

[Important Notes]
1. The web-based manager is inaccessible during system updating.
2. All engines are stopped during system updating.
3. After updating is complete, users need to refresh the web page as prompted.
4. During the upgrade, it is normal that the web-based manager displays an error message "502 Bad Gateway" or directly denies your access request.
Please refresh the web-based manager 5 minutes later, and then check Product Version in About. If the version is V4.5R90F06SP01, the upgrade succeeds.

[Bug List]
NTA-13855 [Diversion detector] The diversion level, after being changed in the Region DDoS Attack Alert for a Network Segment area of the Region DDoS Attack Alert page, does not take effect.
NTA-13128 [Web] Under Configuration > Global Alert Settings > Network Segment-based DDoS Detection, the indicative information of IP group-based attack detection in the Basic Settings area is not accurate.

[Upgrade Notes]
If hot standby has been configured, after the system is upgraded, hot standby settings must be reset and then reconfigured.

[License Type]
NX5-HD3500
[Source Version]
V4.5R01M01SP11C621
[Target Version]
V4.5R90F06
[Matching Versions of Collaborative Devices]
ADS: V4.5R90F06
ADSM: V4.5R90F06
TAT: V2.0.0
MF: V4.5R90F01SP08,V4.5R90F01SP09,V4.5R90F01SP10
[Function Description]
1. Functions of NTA-DFI and NTA-DPI are incorporated into one device.
2. NTA can be switched between NTA-DFI and NTA-DPI modes.
3. NTA-DPI does not display any router-related information.
4. Remote assistance is optimized.
5. License expiration warnings are added.
6. Threat intelligence can be uploaded.
7. Description is added to the interface list.
8. Interfaces can be marked as favorites.
9. The web-based manager shows the power supply status.
10. A URL for upgrading NTI outside of China is provided.
11. Expired licenses cannot be imported.
12. IP-specific statistics configuration is ported to the console and CLI.
13. Exception IP addresses can be configured for IP groups.
14. LDAP authentication can work for Windows.
15. User-defined SNMP locations are supported.
16. Contact information is updated on English web pages..
17. Normalization of traffic statistics.
18. The HTTP slow attack detection is added for regions and IP groups in the DPI mode.
19. The IP segment attack detection is added for regions and IP groups.
20. The sampling ratio of packet capture is configurable in the DPI mode.
21. A mail reminder is provided when the license is about to expire.
22. A system user now can be authenticated by password + email.
23. The device security is improved.
24. The online help is now available.
25. The user name of admin can be changed.
26. Touchpoint specifications are updated to include after-sales implementation specifications, new indicative information on the System Upgrade page, and introduction to functional modules not covered by the license.
27. TI time can be independently controlled.
28. The system will not automatically restart upon a license update.
29. The alert allowlist supports custom periods of time.
30. A secondary NTP server is allowed.
31. The DDoS attack report provides information about allowed IP addresses.
32. A secondary RADIUS server is allowed.
33. The lockout time can be set in minutes for accounts locked due to too many failed login attempts.
34. Alert logs sent via syslog provide information about peak values of traffic.
35. Support for network segment-based DDoS attack detection for regions, IP groups, and the global scope.
36. Support for netmask/prefix length customization for network segment-specific diversion.
37. Support for sending of power status information via SNMP traps.
38. The NSFOCUS logo is added on the login page.
39. Third-party interfaces are optimized.
40. The A interface is upgraded.
41. Known bugs are fixed.
（1）NTA-12536 [DPI] When HTTP flood traffic initiated by xddos exceeds the SYN flood threshold and triggers a related alert, no HTTP flood alert is reported.
（2）NTA-12488 [A device produced in the production center cannot have port 50022 opened for SSH access] Port 50022 cannot be used for SSH access on the web-based manager.
（3）NTA-11666 [HTTP slow attack] A link to NTI is provided (not removed as expected) in the source IP information of HTTP slow attack alerts.
（4）NTA-12539: After password strength checking is enabled, the password error message displayed for an invalid password does not provide complete information of special characters.
（5）NTA-12537: Resetting access control settings does not work after the settings are configured and saved.
（6）NTA-11906 [Cloud-side authentication] After manual selection of cloud-side authentication and the authorization status changes from unauthorized to authorized, a message is displayed, providing information different from what has actually happened.
（7）NTA-11655 [Logo] The product logo is missing in the upper-left corner of pages of the web-based manager.
（8）NTA-13117: When configuring BGP FlowSpec settings, users can set passwords although the Encryption check box is cleared.


[Important Notes]
1. The web-based manager is inaccessible during system updating.
2. All engines are stopped during system updating.
3. After updating is complete, users need to refresh the web page as prompted.
4. During the upgrade, it is normal that the web-based manager displays an error message "502 Bad Gateway" or directly denies your access request.
Please refresh the web-based manager 5 minutes later, and then check Product Version in About. If the version is V4.5R90F06, the upgrade succeeds.

[License Type]
NX3-HD2200、NX3-HD2100、NX3-HD3000、NTA VM
[Source Version]
V4.5R90F05,V4.5R90F05SP01,V4.5R90F05SP02
[Target Version]
V4.5R90F06
[Matching Versions of Collaborative Devices]
ADS: V4.5R90F06
ADSM: V4.5R90F06
TAT: V2.0.0
MF: V4.5R90F01SP08,V4.5R90F01SP09,V4.5R90F01SP10
[Function Description]
1. Support for network segment-based DDoS attack detection for regions, IP groups, and the global scope.
2. Support for netmask/prefix length customization for network segment-specific diversion.
3. Support for sending of power status information via SNMP traps.
4. The NSFOCUS logo is added on the login page.
5. Third-party interfaces are optimized.
6. The A interface is upgraded.
7. Known bugs are fixed.
（1）NTA-12536 [DPI] When HTTP flood traffic initiated by xddos exceeds the SYN flood threshold and triggers a related alert, no HTTP flood alert is reported.
（2）NTA-12488 [A device produced in the production center cannot have port 50022 opened for SSH access] Port 50022 cannot be used for SSH access on the web-based manager.
（3）NTA-11666 [HTTP slow attack] A link to NTI is provided (not removed as expected) in the source IP information of HTTP slow attack alerts.
（4）NTA-12539: After password strength checking is enabled, the password error message displayed for an invalid password does not provide complete information of special characters.
（5）NTA-12537: Resetting access control settings does not work after the settings are configured and saved.
（6）NTA-11906 [Cloud-side authentication] After manual selection of cloud-side authentication and the authorization status changes from unauthorized to authorized, a message is displayed, providing information different from what has actually happened.
（7）NTA-11655 [Logo] The product logo is missing in the upper-left corner of pages of the web-based manager.
（8）NTA-13117: When configuring BGP FlowSpec settings, users can set passwords although the Encryption check box is cleared.

[Important Notes]
1. The web-based manager is inaccessible during system updating.
2. All engines are stopped during system updating.
3. After updating is complete, users need to refresh the web page as prompted.
4. During the upgrade, it is normal that the web-based manager displays an error message "502 Bad Gateway" or directly denies your access request.
Please refresh the web-based manager 5 minutes later, and then check Product Version in About. If the version is V4.5R90F06, the upgrade succeeds.