Description:
[Version No.]
V4.5R90F03.sp03
[Source Version]
V4.5R90F03, V4.5R90F03PRE.M01, V4.5R90F03.sp01 or V4.5R90F03.sp02
[Target Version]
V4.5R90F03.sp03
[Matching Versions of Collaborative Devices]
NTA: V4.5R90F02, V4.5R90F02.sp01, V4.5R90F02.sp02, V4.5R90F02.sp03, V4.5R90F02.sp04, V4.5R90F02.sp05, V4.5R90F02.sp06, V4.5R90F02.sp07, V4.5R90F03, V4.5R90F03.sp01, V4.5R90F03.sp02
ADS M: V4.5R90F03.sp02, V4.5R90F03.sp03
[Function Changes]
None.
Function changes in V4.5R90F03SP02:
1. The GeoIP rules can be configured specific to a protection group.
2. A system user now can be authenticated by password + email.
3. The DNS configuration is more user-friendly.
4. A UDP session authentication policy can now be configured for a protection group.
5. The disk usage is now displayed.
6. The attack-triggered automatic packet capture is now supported.
Function changes in V4.5R90F03SP01:
1. TCP is added as a new protocol supported in reflection protection rules.
2. The GeoIP library provides information about the province, municipality, or region if the queried IP address is located in China.
3. TACACS+ and LDAP are added for login authentication.
4. The virtual version of ADS can now be deployed on VMware.
5. Port channels can now be configured to work dynamically using the Link Aggregation Control Protocol (LACP).
6. The End User License Agreement (EULA) is updated.
[Fixed Bugs]
ADS-51159 [DNS protection] Legitimate DNS response packets are dropped.
ADS-51158 [Traffic statistics] On rare occasions, none of the traffic statistics charts on the real-time monitoring page are displayed.
ADS-51141 [Web API: manual diversion] When many manual diversion entries are configured, retrieving them through the load interface returns garbled text.
ADS-51161 [Web API: pattern matching] When a pattern matching rule is configured through the web API, its rate-limit threshold does not take effect.
ADS-51174 [Web API] When the sync interface is called with feature_type=geoip, the creation time parameter passed in must take effect; otherwise, the cluster synchronizes repeatedly.
ADS-51165 [Group auto-learning] Group auto-learning cannot be started.
ADS-51329 [Interface status] After the CFE process is killed, the web page shows the network interface status as "offline" instead of "unavailable".
ADS-51547 [Web API] The language parameter of the GeoIP library search interface has no effect.
ADS-51610 [Management mode] When the management mode is enabled together with attack event logging in the syslog configuration, modifying the management mode through a certain sequence of operations generates a large number of traffic files that are not cleaned up, consuming a large amount of memory.
ADS-51636 [HTCA startup] When an HTCA device has more than four boards, messages are blocked during startup and the configuration cannot be saved.
Fixed bugs in V4.5R90F03SP02:
ADS-50517 [Blacklist] For ADS NX5-HD6500/HD8500 models, the blacklist specific to protection groups cannot reach the upper limit after the global blacklist entries are full.
ADS-50521 [Web API] The location of IP addresses cannot be found in the GeoIP library.
ADS-50532 [URL rule] When Only on the rules of URL protection is selected for a new HTTP protection policy, the protection group takes effect, but it is not protected by URL rules.
ADS-50533 Several minor bugs, such as MPBGP, need to be fixed.
ADS-50537 [Syslog] The syslog logs are occasionally incomplete.
ADS-50538 [HTTP] After the SYN Cookie URL protection is enabled for an HTTP protection policy, packets with particular quintuplets lead to endless loops in the cfeapp process.
ADS-50539 [Manual packet capture] Several problems with capturing sent packets, which occur under GRE reinjection when a protection group is selected as a capture condition, are fixed together.
ADS-50540 [MTU fragmentation] Sending abnormal packet fragments to ADS with packet forwarding mode enabled causes engine exception.
ADS-50548 [Syslog] The syslog attack event logs are inconsistent in format.
ADS-50551 [Whitelist] The whitelist entries should be bulk dispatched to the engine when the device starts, thus shortening the start time.
ADS-50552 [Web API] The src_country and src_city fields respectively refer to country and city in the GeoIP Library.
ADS-50555 [Manual diversion] After the device is restarted and runs normally, the manual diversion is disabled after a period of time, while its status configured is enabled.
ADS-50612 [Engine] When attack packets with random source IP addresses and VLAN headers are sent, the cfe_stat file shows that packets are unevenly distributed across the receive queues.
ADS-50618 [Hardware alert] When either the CPU motherboard or the fan is faulty, there are two operation logs: hardware exception log and power failure recovery log.
ADS-50619 [Console] The initial password of web administrator fails to be reset on the console if certain conditions exist.
ADS-50634 [Login security settings] When a user is idle for the period specified by Auto Idle Logout, the system does not return to the login page.
ADS-50763 [DNS protection] When a packet passes through DNS responses authenticated by the CNAME protection algorithm, the packet is captured although the manual packet capture rule applies to dropped packets.
ADS-50769 [Cluster synchronization] After the MPLS label is synchronized to a slave device, the injection route of the slave device cannot take effect automatically.
ADS-50772 [Web] When a file containing 100,000 whitelist entries is uploaded, the file fails to be read.
ADS-50798 [Regular expression rule CLI] A regular expression rule referenced in a protection group can be deleted via CLI.
ADS-50806 [Configuration dispatch] The configuration dispatch scenarios, such as modcom, need to be updated.
ADS-50879 [HTTPS] A protected IPv6 address cannot access the HTTPS service.
ADS-50887 [Security setting] An IP address included in the allowed IP list configured with a 16-bit netmask cannot log in.
ADS-50901 [Diversion route] When two traffic diversion rules with the same IP prefix and different netmasks are dispatched or deleted, the routes shown in the diversion routing table and BGP route are inconsistent.
ADS-51000 [Keyword checking rule CLI] A DNS or HTTP keyword checking rule referenced in a protection group can be deleted via CLI.
ADS-51101 [Injection route] When the injection connectivity check is configured on ADS for an injection route, the switchover occurs occasionally before the switch limit is reached.
ADS-51112 [Protection policy statistics] When searching for attack events of a group created by ADS M, the system prompts that the group name is incorrect.
ADS-51114 [MAC address table] Adding a deleted MAC address table does not change the sequence, causing the cluster to always synchronize the same MAC address table.
ADS-51117 [MAC address table] It takes a long time to synchronize the MAC address table through the M cluster.
Fixed bugs in V4.5R90F03SP01:
ADS-49809 [CLI] Injection routes with 0.0.0.0 as the protected address cannot be deleted with CLI commands.
ADS-50432 [Web] The HTTPS application-layer protection page is improperly displayed (text overlapping) when the screen resolution is 1024 x 768 pixels.
ADS-49813 [Web] When Only on the rules of URL protection is selected for HTTP protection, SYN Cookie URL can still be enabled.
ADS-49814 [Web] Under Logs > Protection Logs > Protection Event Statistics, only All is available for Group during the first query.
ADS-49861 [Web] On the Reflection Protection Rules or DNS Keyword Checking Rules page, after multiple rules are selected and Delete is clicked, all listed rules, instead of only the selected ones, are deleted.
ADS-50338 [Web] On the Attack Details page, when the mouse is moved to Invalid_DNS_Packet, no description is displayed as expected.
ADS-49812 [Web] On the BGP route modification page, double-clicking OK will result in the page showing no parameter.
ADS-50341 [Web] On the Injection Routes page, clicking the edit button displays a message, prompting information related to auto-learning or 6PE, which, in fact, has not been selected.
ADS-50337 [Web] In protection group configuration, when the proxy is enabled, if the syn_cookie setting is changed to Enable, configuration can still proceed, indicating that no mutex check is conducted.
ADS-49808 [Web API] After the web API is called to delete new neighbors added on the web-based manager, these neighbors are still there after the page is refreshed.
ADS-50429 [SNMP] An abnormal value will be returned when the SNMP agent fails to obtain memory data.
ADS-49815 [Email] When the email server fails to parse the request or does not exist, the sendmail process will persist, causing congestion in the background.
ADS-50455 [Diversion and injection] After a large number of manual diversion routes are configured, it will take the engine an unreasonably long time to dispatch these routes. This needs to be optimized.
ADS-50430 [Version rollback] If a second upgrade succeeds after the failed first upgrade, version rollback results in a different version than the one before the upgrade.
ADS-49810 [URL-ACL] Enabling URL-ACL leads to a significant drop in the performance of HTTPS algorithms.
[Important Notes]
None.
- END -