| 描述:
【版本号】 V4.5R90F02.sp07
【升级基础版本】 V4.5R90F02,V4.5R90F02.sp01,V4.5R90F02.sp01.C236,V4.5R90F02.sp01.C236.HD,V4.5R90F02.sp02,V4.5R90F02.sp03,V4.5R90F02.sp04,V4.5R90F02.sp05,V4.5R90F02.sp06
【升级版本】 V4.5R90F02.sp07
【配套联动】 NTA: V4.5R90F02,V4.5R90F02.sp01,V4.5R90F02.sp02,V4.5R90F02.sp03,V4.5R90F02.sp04,V4.5R90F02.sp05,V4.5R90F02.sp06 ADSM: V4.5R90F02.sp09
【功能变更说明】
1.支持防护群组策略模板
2.支持配置主备DNS服务器; 邮件可设置多个收件人; SNMPTRAP支持配置2个服务器IP
3.优化云端认证功能
4.优化远程协助功能
5.反射规则新增防护规则
6.vADS支持本地认证
7.支持不同型号ADS的串联HA扩展需求
v4.5R90F02.sp05功能变更:
1.优化ADS自学习功能
2.支持通过syslog发送攻击事件top50源IP
3.ADS的攻击日志处增加对ADSM的介绍
4.注入路由支持查询功能
5.升级A接口版本至3.0.7
6.MPLS回注时支持对ldp邻居状态进行检查,发现ldp邻居异常后停止牵引
7.支持主主等价路由的链路检查功能,当等价路由都异常时停止对应的牵引
8.支持光润通240X bypass交换机
9.支持2020E/4020E/6025E和HD6500做串联HA
10.自动抓包功能支持将抓到的包上传到ADSM
11.手动抓包功能支持对群组进行抓包
12.增加设备基础信息采集接口
13.部分漏洞修复
v4.5R90F02.sp04功能变更:
1.在ADS集群中,支持将主设备上学习到的mpls标签同步给集群中的从设备,该功能需在ADSM的集群配置中勾选MPLS标签同步
2.支持6PE环境下的标签回注
3.在防护策略->URL-ACL防护规则页面,新增URL监测功能,即在规则的URL防护模式新增监测+黑名单的动作,并提供相应的配置
4.ADS-10000支持绿盟威胁情报功能,开关在高级应用->高级防护->绿盟威胁情报界面
5.ADS-10000支持HA功能,开关在系统管理->HA配置界面
6.将绿盟威胁情报功能同步的黑名单数量规格扩大至10w条
7.将防护策略下的缺省和群组防护策略的IP行为控制功能的开关细化,并增加统计周期配置项
8.在攻防运维->设备攻防状态->信任IP界面,添加清除信任按钮,支持清除某个IP的信任状态
9.在日志管理->防护日志->防护策略事件统计界面,提供清空日志按钮,清除已完成的事件
v4.5R90F02.sp03功能变更:
1.降低CF卡写入频率
v4.5R90F02.sp02功能变更:
1.GeoIP规则支持限速
2.防护群组新增运行模式:防护模式、告警模式、转发模式
3.日志管理新增防护策略事件统计
4.新增集群间协议报文同步
5.群组WebAPI兼容性优化
6.修改内存利用率计算方式
7.降低CF卡写入频率
8.新增状态采集日志服务
v4.5R90F02.sp01功能变更:
1. 端口检查升级,配置更灵活
2. UDP防护策略增加bps
3. 异常包过滤群组化
4. 更新logo
5. 不再支持8G内存设备升级
v4.5R90F02功能变更:
1. HTTP防护策略增加针对URL的防护
2. 支持对移动终端和PC端选择不同的HTTP防护策略
3. 黑名单可选择对通过代理访问的真实源IP过滤
4. 白名单可选择对通过代理访问的真实源IP放行
5. 支持对通过代理访问的真实源IP做IP行为控制的GET包速率控制
6. WEB实时监控页面可选择展示群组流量信息和URL流量信息
7. 增加防护策略丢包统计,攻击日志展示具体防护策略
8. WEB增加自定义页面访问权限用户
9. 新增展示手动抓包抓取报文的任务详情和报文信息
10. 新增一键根据报文信息配置多种静态防护策略
11. 记录NTP关键同步信息到操作日志中
12. 支持CLI下配置Portchannel注入负载均衡方式
13. 更新Geoip库,web增加查询IP所属国家/地区
14. 展示证书支持的服务模块
15. snmpagent增加业务接口信息OID
16. 增加全局可配置的异常包过滤规则开关
17. 算法添加的黑名单增加记录目的IP
18. 串口下添加可开启关闭web服务的命令
19. 新增MS SQL和CLDAP反射防护规则和对应攻击类型
20. 管理模式可配置ADS-M的端口
21. 新增大流量云呼救功能
22. ADS-8000新增支持串联部署
23. 扩展ADS-10000支持的管理设备数量
24. 新增支持BP2301型号外置bypass交换机
【BUG修复说明】 195588 【ADS——监控】ADS在日志和snmp监控中发现内存存在激增到85%的情况 194215 web页面的系统资源处,电源1,2亮红灯,cpu、主板温度为0 171116 手工流量牵引描述存在存储型XSS漏洞 196997 注入接口】注入接口配置,删除注入接口,如果存在牵引,不管那个牵引是否与删除的那个注入接口相关,都无法从引擎中将注入接口删除 193992 注入路由的被保护IP为包含牵引IP的网段,牵引IP正在牵引,仍然能停止或者删除注入路由 196959 【MAC地址表】静态MAC地址编辑不生效 197696 【绿盟云】连接设备发现设备不在线,事实上设备为在线状态 196318 【一键信息收集】CLI下执行命令info_collect start报错 199262 【管理口访问控制】启用访问控制规则为forbid all,并且配置的DNS服务器网络不可达时,应用或保存要很长时间 201276 【手工牵引】勾选取消注入路由检查后,启用手工牵引,手工牵引失败 201196 120位掩码ipv6地址段牵引,其中“是否展开”选择启用,下发时没有包含末尾全0的IPv6地址 201601 【外置bypass交换机】BP2100修改配置时,无密码输入选项 201327 【外置bypass交换机】BP2100查看交换机状态时,页面卡死 201477 【ssl证书导入】通过web导入带私钥得ssl证书,不成功,提示密钥不匹配
v4.5R90F02.sp06修复问题: Bug196954 【注入路由】ipv6注入路由的前缀长度在48-64之间时,牵引该网段内部分IP地址失败 Bug196995 【注入接口】注入接口配置ipv6地址的前缀小于64时,添加静态mac失败 Bug196749 【翻译】geoip规则中部分国家名称没有翻译
v4.5R90F02.sp05修复问题: Bug193338 【WEBAPI】API下发水印防护策略端口范围为端口段时接口报错 Bug195056 【WEBAPI】delete_ip删除防护群组中的ipv6地址时,删除的不是参数约定的IP地址 Bug194612 【Portchannel】先在物理口上配注入IP,然后将该物理口在内的多个物理课加入Portchannel,导致注入接口界面显示是Portchannel,但是实际生效的只是单个物理口 Bug195361 【CLI】cli通过ip/前缀长度 添加ip时未作冲突检验和前缀长度校验 Bug192820 【CLI】CLI添加群组无数量限制 Bug190767 【CLI】cli创建的群组,用cli添加ip,出现多个group_ip Bug195000 【防护群组】通过IP地址或者群组名过滤防护群组列表,展示不正确 Bug190562 【防护】ipv6 rst攻击源被加信任 Bug192821 【攻击日志】攻击日志统计图,统计数据不准 Bug190114 【标签注入】标签注入无法支持等价路由,建议web对此做出限制 Bug189963 【国际化】英文界面下新增的状态采集日志服务功能输出仍然只有中文 Bug192503 【黑名单】WEB界面删除黑名单中的IP之后,重启又恢复了 Bug195173 【黑名单】通过界面导入黑名单,IP导入失败,查看配置文件中已被写入 Bug194248 【云端认证】认证每成功一次,就会主动将包转发切换回非包转发模式
v4.5R90F02.sp04修复问题: Bug179645 【牵引】添加手工流量牵引牵引时,勾选超过15个BGP daemon会导致牵引下发失败 Bug180559 【集群】ADS集群环境,缺省ddos防护参数反复同步 Bug181456 【URL_ACL】webapi和CLI设置URL_ACL规则,没有规格限制 Bug187427 【群组】防护群组的IP列表为ipv6地址时,web和webapi接口交叉使用情况下的重复性检查不严格 Bug181461 【群组】CLI下设置群组描述,设置不成功 Bug181493 【群组】防护群组添加到最大规格时,最后一个群组策略无法下发到引擎
v4.5R90F02.sp03修复问题: Bug187477 SIP防护算法,在回探测报文时封包不正确,导致客户端无法加信任
v4.5R90F02.sp02修复问题: Bug174887 CLI下sroute命令封装不严谨,掩码配置错误的情况下,将linux命令route的帮助信息打印出来了 Bug177278 牵引路由表1k左右,查询ipv6地址,web界面卡死 Bug177280 web并发调用接口,出现报错 Bug177362 黑名单导入未去重 Bug180670 【黑名单】ipv6地址hash冲突,无法配置 Bug181362 设备重启后,清空IP地址配置,点击保存后,ifconfig查询IP地址仍生效 Bug171573 界面无法通过网段中单个ip搜索出防护群组
v4.5R90F02.sp01修复问题: Bug170962 牵引过滤规则 缺省允许被自动取消 Bug171838 telnet界面存在RCE漏洞 Bug168675 【许可证信息】火狐浏览器预览证书文件返回后,之前所选证书文件消失 Bug171912 【许可证信息】证书导入后,页面无任何提示,10s后才会提示导入成功 Bug173167 【防护群组】当配置有url规则时,修改删除群组ip地址,没有做删除前url规则应用的检验 Bug173458 【智能防护策略】部分ipv6报文的http指纹提取不成功 Bug173160 【WEBAPI文档】webapi文档对useragent规则需添加sync的相关示例和说明 Bug173516 【手动抓包】抓包规则由tcp/udp修改为其他协议,仍按修改前端口信息进行抓取 Bug173800 编辑无冲突的IP组显示IP冲突 Bug174172 启用MPLS标签学习,大量注入配置的情况下,牵引和回注功能异常 Bug174533 【DNS算法】DNS算法1会报两种攻击日志,流量统计有误导致统计翻倍 Bug174538 HTTP防护CC算法出现COLLCC重复字段 Bug175343 后台生成超过8万条手动流量牵引的配置文件,手工流量牵引页面空白 Bug175258 WEBAPI获取证书清洗能力为0
【注意事项】 无
- END -
[Version No.] V4.5R90F02.sp07
[Source Version] V4.5R90F02,V4.5R90F02.sp01,V4.5R90F02.sp01.C236,V4.5R90F02.sp01.C236.HD,V4.5R90F02.sp02,V4.5R90F02.sp03,V4.5R90F02.sp04,V4.5R90F02.sp05,V4.5R90F02.sp06
[Target Version] V4.5R90F02.sp07
[Matching Versions of Collaborative Devices] NTA: V4.5R90F02,V4.5R90F02.sp01,V4.5R90F02.sp02,V4.5R90F02.sp03,V4.5R90F02.sp04,V4.5R90F02.sp05,V4.5R90F02.sp06 ADSM: V4.5R90F02.sp09
[Function Changes]
1. Policy templates can be added for protection groups.
2. The master and slave DNS servers can be configured. Multiple receivers can be added for a specific mail. At most two server IP addresses can be specified to receive logs via SNMP trap.
3. The cloud authentication function is optimized.
4. The remote assistance function is optimized.
5. Protection rules are added to reflection rules.
6. Local authentication is available for vADS.
7. ADS devices of different models can implement the HA function in in-path mode.
Function changes in V4.5R90F02.sp05:
1. The auto-learning function is optimized.
2. Top 50 attack source IP addresses can be sent via syslog.
3. ADS M descriptions are added to attack logs on ADS.
4. Injection routes can be retrieved.
5. The A interface is upgraded to V3.0.7.
6. The LDP neighbor status will be checked during MPLS injection and the diversion will be withdrawn if the neighbor is found abnormal.
7. The link connectivity check function is added for active-active equal-cost routes and the corresponding diversion will be withdrawn if both routes are abnormal.
8. Access to GRT 240X series bypass switches is supported.
9. ADS 2020E/4020E/6025E and ADS HD6500 can be configured to implement the high availability function in in-path mode.
10. Packets that are captured automatically can be uploaded to ADS M.
11. Packets can be captured manually for protection groups.
12. An API is added to collect basic device information.
13. Some vulnerabilities are fixed.
Function changes in V4.5R90F02.sp04:
1. In ADS clusters, MPLS labels learned by the master device can be synchronized to the slave device. This function can be achieved by selecting MPLS Label Synchronization in the General Settings menu of ADSM clusters.
2. Label injection is available in 6PE environments.
3. On the URL-ACL Protection Rules page under Policies, the URL monitoring function is available through the addition of the Monitor + blacklist action with related configurations to URL Protection Mode.
4. ADS-10000 can collaborate with NSFOCUS Threat Intelligence (NTI) via the switch on the NTI page under Advanced > Advanced Protection.
5. ADS-10000 supports the high availability (HA) function via the switch on the HA Configuration page under System.
6. The number of blacklisted entries synchronized from NTI is increased to 100,000.
7. Amid default and group-specific protection policies, IP behavior control switches are classified in a fine-grained manner and Statistical Period is added for each switch.
8. On the Trusted IP page under O&M > Device Protection Status, the Clear Trust button is added to remove an IP address from the trust list.
9. On the Protection Event Statistics page under Logs > Protection Logs, the Clear Logs button is added to clear logs of finished events.
Function changes in V4.5R90F02.sp03:
1. Reduce the write frequency of CF card
Function changes in V4.5R90F02.sp02:
1. The GeoIP rule adds support of speed-limit
2. The group policy adds three new running-modes:protection,inactive,forwarding
3. The log's management adds the protection event statistics
4. Add synchronization of protocol packet in cluster
5. Optimize the WebAPI of usegroup
6. Modify the memory utilization calculation
7. Reduce the write frequency of CF card
8. Add status collection log service
Function changes in V4.5R90F02.sp01:
1. Update the port check, support more flexible configuration
2. The UDP protection adds bps support
3. The abnormal packet filter moves into group
4. Update logo
5. Do not support the upgrade of devices have 8G RAM
Function changes in V4.5R90F02:
1. HTTP protection is expanded to cover URLs.
2. Users are allowed to configure different HTTP protection policies for mobile devices and PCs.
3. Real source IP addresses that attempt to access target servers via proxies can be blacklisted.
4. Real source IP addresses that attempt to access target servers via proxies can be whitelisted.
5. For real source IP addresses that attempt to access target servers via proxies, users are allowed to implement IP behavior control by limiting the traffic rate of GET packets.
6. On the web-based manager, users can choose to display group- and URL-related traffic information on the real-time monitoring page.
7. Statistics about packets dropped according to protection policies are added and attack log information is expanded to cover protection policies.
8. On the web-based manager, a new user role with custom access is added.
9. Task details and packet information are also displayed for manual packet capture tasks.
10. A button is added for users to configure various static protection policies based on packet information.
11. Key NTP synchronization information is added in the operation log.
12. In the CLI window, users are also allowed to configure load balancing by means of port channels.
13. The GeoIP library is updated, allowing users to query the country/region of an IP address on the web-based manager.
14. Service modules covered by the license are also displayed.
15. OIDs of service interfaces are added for the SNMP agent.
16. A switch is added, allowing users to control whether to enable abnormal packet filtering globally.
17. In the blacklist of source IP addresses added by using algorithms, destination IP addresses are added.
18. In the console user interface, commands are added for enabling and disabling the web service.
19. MS SQL and CLDAP reflection protection and related attack types are added.
20. Users are allowed to specify a port for ADS M that is configured as the management platform.
21. The cloud signaling function is added for handling high-volume traffic.
22. ADS 8000 can now be deployed in in-path mode.
23. ADS 10000 supports more management devices.
24. A new model of external bypass switch, BP2301, is added.
[Fixed Bugs] 195588 ADS memory surges to 85% in log and SNMP monitoring. 194215 On the Real-Time Monitoring page, LEDs are red for both power supply 1 and 2 and temperatures are 0 for both the CPU and motherboard. 171116 A stored cross-site scripting (XSS) vulnerability exists in the description of manual diversion. 196997 [If the traffic diversion is ongoing, an injection interface, whether related to the diversion or not, cannot be deleted from the Injection Interfaces page. 193992 If an IP segment is specified for protection in an injection route, this route can be disabled or deleted even during the ongoing traffic diversion of such segment. 196959 The function of editing static MAC addresses in the MAC address table does not work. 197696 ADS is already properly connected to NSFOCUS cloud, while the connection status is displayed as offline. 196318 In CLI, when the info_collect start command is run, an error message is displayed. 199262 When "forbid all" is enabled as the access control rule and the configured DNS server network is inaccessible, it takes a long time to apply or save settings. 201276 – If injection route inspection is canceled, manual diversion fails after being enabled. 201196 – For diversion of an IPv6 segment with a 120-bit prefix, if you choose to list all IPv6 addresses in this segment, IPv6 addresses with all zeros in the last 16 bits are left out when it comes to diversion route dispatch. 201601 [External bypass switch] The password option is absent during the configuration modification of the BP2100 switch. 201327 [External bypass switch] The web page becomes unresponsive when users view the status of the BP2100 switch. 201477 [SSL license import] An SSL certificate with a private key cannot be imported on the web-based manager and a private key mismatch error is displayed during the import.
Fixed bugs in V4.5R90F02.sp06: Bug 196954: If the protected IP segment for an injection route has a prefix within the range of 48–64, traffic diversion may fail for certain IP addresses within the segment. Bug 196995: A static MAC address cannot be added for an IPv6 address with a prefix smaller than 64 configured for an injection interface. Bug 196749: Some country names involved in GeoIP rules are not translated into English.
Fixed bugs in V4.5R90F02.sp05: Bug 193338: An error will be reported when the watermark protection policy involving a port range is dispatched via an API. Bug 195056: When the delete_ip API is used to delete IPv6 addresses from a protection group, it delete others than the specified ones. Bug 194612: If an IP address is specified for an injection interface before the interface is added to a port channel, this port channel does not take effect. Bug 195361: Neither the conflict check nor prefix length check is performed for IP subnets (in the format of IP address/prefix length) added via CLI. Bug 192820: No limit is placed on the number of protection groups that can be created via CLI. Bug 190767: When an IP address is added through CLI to a protection group created via CLI, multiple group_IP parameters will appear. Bug 195000: Protection groups cannot be incorrectly filtered by IP address or protection group name. Bug 190562: IPv6 addresses of RST attack sources are added to the trust list. Bug 192821: Statistical graphs of attack logs may show incorrect statistical results. Bug 190114: Equal-cost routes are not supported for label injection. Bug 189963: Contents related to the new status collection log service are not translated into English. Bug 192503: Blacklisted IP addresses, though deleted on the web-based manager, appear in the blacklist again upon the system restart. Bug 195173: For a blacklist that fails to be imported to the system, IP addresses in it are already written into the configuration file. Bug 194248: Once cloud-based authentication succeeds, the system will automatically disable packet forwarding.
Fixed bugs in V4.5R90F02.sp04: Bug179645 [Diversion] When manual traffic diversion is added, selecting 15 BGP daemons will cause a diversion dispatch failure. Bug180559 [Cluster] In an ADS cluster environment, default distributed DDoS protection parameters are synchronized repeatedly. Bug181456 [URL_ACL] No limit is placed on how many URL-ACL rules can be configured via the web API or CLI. Bug187427 [Group] The web-based manager and web APIs fail to perform strict duplication checks on IP addresses involved in protection groups. Bug181461 [Group] Group description cannot be set via CLI. Bug181493 [Group] When the number of protection groups reaches the upper limit, policies of the last added group fail to be dispatched to the engine.
Fixed bugs in V4.5R90F02.sp03: Bug187477 When SIP protection algorithm sending reverse detection packet, the checksum value is not correct, caused the client cannot joining the trust list
Fixed bugs in V4.5R90F02.sp02: Bug174887 The sroute command in CLI prints redundant information when netmask is wrong Bug177278 Querying diversion routing table using ipv6 will leads web to be stuck when more than 1000 diversion routing tables Bug177280 Calling WebAPI concurrently will throws an error Bug177362 Importing blacklist does not delete duplicated records Bug180670 The ipv6 cannot add into blacklist when ipv6 addresses occur hash conflict Bug181362 Reboot device, clear the IP configurtion, then click the save button, the IP still can be seen in the ifconfig's output Bug171573 Can not search the protection group through IP in the network segment
Fixed bugs in V4.5R90F02.sp01: Bug170962 The cancel action of enable by default in filtering rules of traffice diversion will write into log Bug171838 Fix the RCE bug exists in the web page of telnet Bug168675 Preview the license file by FireFox, the license file will disappear after click the back button Bug171912 The page has hint only ten seconds later when import the license file Bug173167 Deleting IP from group configuration which has URL rules, no url rules check Bug173458 The http fingerprint acquisition of some ipv6 packet fails Bug173160 The useragent rule of webapi's document needs to add examaple and state of sync interface Bug173516 Change the caputre from TCP to others, the effective capture is still tcp Bug173800 Editing the group configuration will display ip conflict, while there is no ip conflict actually Bug174172 Enable the MPLS label learning, the functions of injectction and diversion will be abnormal, when there are too many injectction configurations; Bug174533 The DNS algorithm NO.1 will report two attack logs, this will lead traffic statistics to double Bug174538 The http's CC algorithm appears COLLLCC repeatedly Bug175343 The web page of manual diversion is blank when there are more than 80000 manual diversion configurations Bug175258 The webapi's processing capacity is 0
[Notes] None
- END -
|
