Assurance Sensor GT GT-S Release Notes 24.11
These release notes cover the requirements, new features, and changes for the Cisco Provider Connectivity Assurance Sensor GT and GT-S (formerly Skylight performance element: GT) firmware version 24.11.
Please see "Accedian Skylight is now Cisco Provider Connectivity Assurance" for a table of all the new product names.
We highly recommend you read all release notes prior to installing this firmware version. For more information, see Cisco Provider Connectivity Assurance Sensor GT.
Requirements
This firmware version applies to Assurance Sensor GT and GT-S. It is compatible with Skylight orchestrator 23.12 and above.
Firmware Version 24.11.0_26148 (2024-12-02)
New Features and Enhancements
Assurance Sensor GT and GT-S release 24.11 introduces the following new features and enhancements.
Application and Interface Security
This release includes all Cisco application and interface security requirements, including:
• Control debuggers (CT1127: SEC-CSP-NOCDBG-2)
• Use HTTP Strict Transport Security (CT1652: SEC-HTP-HSTS-2)
• Validate all input before processing it (CT1735: SEC-VAL-CLNIN)
• Protect command processors from injection vulnerabilities by preventing the execution of arbitrary commands or code (CT1750: SEC-VAL-INEVAL-2)
• Prevent CSRF Vulnerabilities (CT1742: SEC-WEB-CSRF-3)
• Disable Unused HTTP Methods (CT1553: SEC-WEB-HTTPMETH-2)
• Avoid Open Redirects (CT522: SEC-WEB-NOREDIR)
• Specify type and encoding in HTTP responses; disable type sniffing (CT1665: SEC-WEB-RESP-3)
• Pass sensitive information only in request body or headers (CT1710: SEC-WEB-URLPARM-2)
• Prevent cross-site scripting vulnerabilities (CT2120: SEC-WEB-XSS-4)
• Prevent Click-Jacking (CT1711: SEC-WEB-CLCKJACK-2)
• Use secure Session Tokens (session IDs/state tokens) (CT1935: SEC-WEB-ID-4)
• Do not permit undocumented ways of gaining access to the offering (CT1901: SEC-CRE-NOBACK-2) (Disable backdoors/debug shell)
TCP Dump Feature Enhancement
This release includes new CLI commands to extract PCAP files.
Corrected Issues
CLI Not Prompting Password Change in Factory Default State
The CLI prompt that appears when the device is factory reset has been implemented.
About Page Removed
The About page, when accessed via the web UI, was showing outdated versions for OpenSSL and Dropbear. The page has now been removed.
Out of Date OpenSSL and Dropbear Versioning in UI About Page
The versions shown for OpenSSL and Dropbear on the About page in the UI needed to be updated to the correct versions. The About page has now been removed.
IPv6 Static Configuration Not Showing After Checkbox for IPv6 Enabled
When you click the checkboxes for "IPv6 enable" and "Static Address" in the user interface, the IPv6 static configuration fields should be displayed, but the actual result is that nothing is displayed.
Security Vulnerabilities
This release includes security enhancements to ensure that the system is not vulnerable in the following areas:
• Local privilege escalation
• Insufficient input sanitization
• Read permissions for sensitive data
• Session cookie
• Missing SSH fingerprint verification
• Credentials for server services
Operational Considerations
Important Notes
This section documents the operational considerations related to Assurance Sensor GT-S 24.11.
- IMPORTANT: Prior to upgrading the firmware on a unit where the History Buckets feature is enabled, certain precautions may need to be taken to prevent a loss of history data during the upgrade.
- In a G.8032 ring configuration, the Assurance Sensor GT-S supports a maximum of 62 policies on the LAG port (i.e. policies that govern how traffic is dropped from the ring to UNI ports). This limitation does not apply to the UNI ports (i.e. policies that govern how traffic is added to the ring) unless the VLAN-tagged customer traffic is passed transparently from the UNI port to the ring through one-to-one mapping.
One way to avoid this limitation and maximize the number of usable UNI policies is to encapsulate multiple customer VLANs (coming from the UNI) under a single service provider VLAN on the ring. Doing so reduces the number of policies required by the LAG port.
© 2024 Cisco and/or its affiliates. All rights reserved.