June 5th 2025 Updates (GovCloud)

Juniper Mist Government Cloud (GovCloud) operates within the AWS GovCloud (US) Regions. These regions are designed to host sensitive data and regulated workloads, ensuring compliance with stringent U.S. government security and compliance requirements. By leveraging AWS GovCloud (US), Juniper Mist provides a secure and compliant environment tailored for U.S. government agencies, contractors, educational institutions, and other organizations handling sensitive workloads in the cloud. Currently, this environment is “Authorized” on the FedRAMP and GovRAMP (previously known as StateRAMP) marketplaces at the “Moderate” impact level.

This page lists the Juniper Mist updates released on US GovCloud in June 2025.

Wireless Assurance

Wi-Fi 7 support

You can enable or disable Wi-Fi 7 per WLAN from the WLAN configuration page. This option applies to Access Points that support Wi-Fi 7 and has no impact on APs that do not support Wi-Fi 7.

Wi-Fi 7, or the IEEE 802.11be Extremely High Throughput (EHT) standard, introduces new features and delivers several improvements over Wi-Fi 6 and Wi-Fi 6E. To leverage the benefits of Wi-Fi 7, both the AP and the connected client will need to support 802.11be.

For more information, see Wi-Fi 7 (802.11be) Technology.

Automatically disable WLANs in failure scenarios

Introducing options to control WLAN availability based on AP connectivity status and tunnel failovers.

  • Support to disable WLANs when the AP has no IP address or no default gateway, or on tunneled WLANs when the Mist Edge tunnel is down. This is meant to prevent dead-ending of clients when the AP doesn’t have full network connectivity, or has lost connection to Mist Edge.
  • Support to reconnect clients upon Mist Edge failover when the Mist Edge cluster changes. This will be useful to gracefully disconnect the clients if the same IP subnet is not used across Mist Edge clusters.

These are per-WLAN configurations. To disable a WLAN when the AP’s default gateway is unreachable, such as when the AP has no IP address or no default gateway, select the Disable WLAN when AP Gateway is unreachable checkbox in the WLAN Status section on the WLAN configuration page.

To disable the WLAN when the Mist Edge tunnel is down, check that option in the Custom Forwarding section on the WLAN configuration page. Similarly, to force clients to reconnect when the AP’s Mist Edge tunnel fails over to a Mist Edge in a different Mist Edge cluster, select the corresponding checkbox.

These features require the AP firmware version 0.14.29728 or newer.

Enable or disable UNII 4 channels

The AP47 adds support for UNII-4 channels in the United States. Those are 5 GHz channels 169, 173, and 177. Due to mixed levels of client support, we have elected to disable UNII-4 channels by default. At the time of writing, many Windows and Android devices support UNII-4 channels, but the Apple ecosystem does not support these channels. Mist provides a site configuration option to enable UNII-4 per site, similar to the option we used to have with channel 144 until channel 144 client support improved. When UNII-4 channels are enabled, RRM will automatically allow these channels to be used for automatic channel selection on AP models that support UNII-4 channels. That is, you don’t have to select channels manually in the RF template or device profile.

You can enable or disable the UNII 4 channels from the Access Point Settings section on the site configuration page (Organization > Site Configuration).

If you enable UNII 4 channels, they will be displayed and configurable on the AP configuration page, device profile, RF templates, and RRM site settings in Mist. If you disable UNII 4 channels, they will not be displayed or configurable on Mist.

AP autoplacement is now generally available

We have made the access point autoplacement feature on Mist generally available. With the autoplacement feature, Juniper Mist can place the access point (AP) X,Y coordinates on a floorplan automatically. This feature saves time and makes for an easier deployment.

Note: You should only attempt autoplacement during a maintenance window. The amount of downtime you need to schedule depends on how many APs you have on the floorplan.

Autoplacement is supported on Wi-Fi 6 APs and newer. The minimum required firmware version for autoplacement is 14.28310.

For more information, visit Autoplacement: Position New Access Points.

Auto-provisioning enhancements for APs

We have added the Apply to Model parameter to the following AP auto-provisioning workflows:

  • Site Assignment workflow: You can use AP Model as a parameter in determining the site to which an AP should be assigned. This parameter is available when you select LLDP System Name or DNS Suffix as the source for deriving the site from. This option is already available for the source AP Name.
  • Profile Assignment workflow: You can use AP Model as a parameter in determining the device profile to which an AP should be assigned. This parameter is available when you select AP Name, LLDP System Name, or DNS Suffix as the source for deriving the device profile from.

Update to passphrase generation workflow

In the PSK portal, when you click the Generate New Passphrase button, you will get a confirmation window with a message indicating that generating a new passphrase causes your current passphrase to expire after 24 hours. On the confirmation window, you need to click Yes to proceed. Previously, clicking the Generate New Passphrase button generated the passphrase without a confirmation message.

Marvis

Application Experience Correlation and SLEs

Monitoring the network health is critical to ensuring a positive user experience across an organization. With this release, Juniper Mist provides a cloud-to-cloud integration to analyze, correlate, and classify collaboration user experience based on correlation of network parameters. Mist uses performance indicators from Zoom and Microsoft Teams to assess the network health, as these applications are considered highly sensitive to network performance. The underlying idea is that if Zoom and Teams are performing well, it is a strong indication that all other user applications are also performing well.

You can view the user experience data for these applications on the Application tab of the service levels page (Monitor > Service Levels > Application). The Application tab appears only for those organizations that have Zoom or Teams integrated and have an active ‘Marvis for Wireless’ subscription. For more information on how to integrate these applications with Mist, see Zoom Integration Overview and Microsoft Teams Integration Overview.

The Application tab on the service levels page shows the following information:

  • Experience correlation—The experience correlation view provides visibility into the performance of Teams and Zoom applications at a site or an organization level. The correlation data helps network administrators quickly identify issues causing bad user experiences across a site or an entire organization. This view includes a feature contribution ranking graph that highlights which feature contributed the most to an issue. It also provides insights into the impacted clients and APs that the clients are connected to.
  • Application SLE Classifiers—Mist organizes the factors contributing to positive or negative user experiences into Service-Level Expectations (SLEs). The SLE dashboard provides a high-level view of the low service levels and the types of issues that need to be addressed. The following SLE metrics are available: Wireless Coverage, Wireless Capacity, Client Health, WAN Health, and Partner Link.

For more information, see Application Experience and SLE Classifiers.

New Wireless Marvis Action: ISP Offline

We have added a new Marvis Action, named ISP Offline, to Mist. This action detects access points (APs) that are offline because of ISP-related issues, such as ISP regional outages, routing issues, DNS issues, or issues caused by incorrect network settings. Marvis can determine whether the issue is limited to APs in a specific site or spread across multiple sites. It can also pinpoint the ISPs through which the impacted APs were connected, making the troubleshooting process easier.

If you see an ISP Offline action, here are some of the steps that you can take:

  • Check the ISP’s portal for any outage reported.
  • Check the router or modem configuration for any changes.
  • Contact the ISP support team.

Download Marvis client

You can download the Marvis client app from the Mist portal.

The Marvis client lets you view your network from the client’s perspective. You can view detailed data and telemetry about how a client experiences the wireless connection, including insight into client roaming behaviors. The Marvis client recognizes connection types (cellular or wireless) and the corresponding signal strength. The Marvis client is available through a per-client subscription model (SKU: S-VNACLIENT).

You can download the Marvis client installer from the Organization > Mobile SDK > Marvis Client page. The download page lists the Windows, macOS, and Android versions of the app.

Wired Assurance

Juniper CloudX is generally available for EX2300, EX3400, EX4650, and QFX5120 switches

Juniper CloudX, a new architecture integrated into Junos OS to provide faster and more secure communication between Juniper switches and the Mist cloud, is now generally available for EX2300, EX3400, EX4650, and QFX5120 switches. Previously, this feature was generally available only for EX4100 and EX4400 switches.

Benefits of CloudX

  • Real-time data updates—Utilizing the Junos Telemetry Interface (JTI), CloudX ensures that events are transmitted to the cloud every 10 to 15 seconds, with statistics updated every 60 seconds, providing up-to-date network insights.
  • Packet capture—The Mist cloud offers on-demand packet capture for switches, allowing the initiation of packet capture on a single switch port or a range of ports to view transit or control traffic. It also offers dynamic packet capture for wired ports.
  • Proxy server support—CloudX supports both static and dynamic proxy configurations, allowing switches to connect to the Mist cloud via a proxy server. Dynamic proxy information can be provided through DHCP option 43.

Supported platforms and availability

CloudX is generally available on the following platforms with the specified Junos OS releases:

Platforms               Supported Junos OS Release
EX2300/EX3400           23.4R2-S4 and above
EX4000/EX4400/EX4100    22.4R2-S1 and above
EX4650/QFX5120          23.4R2-S4 and above

CloudX is installed on the above switches by default when they are upgraded to the Junos versions mentioned.

You must ensure that the firewall port towards jma-terminator.xx.mist.com is open and SSL encryption is disabled on the firewall (for more information, refer to Juniper Mist Firewall Ports and IP Addresses for Firewall Configuration). If you don’t see CloudX enabled on your switch even after upgrading it to a supported Junos release listed above, contact Juniper support. To check if your switch is communicating with Mist cloud by using CloudX, refer to the steps listed in Troubleshooting Juniper CloudX.

Schedule and automate switch upgrades

You can now easily create and manage Junos OS upgrade schedules for switches that are connected to the Mist cloud. You can also configure settings to automatically upgrade new switches when they are onboarded to Mist.

The option to create and manage upgrade schedules can be accessed from the Firmware Upgrade tile on the organization settings (Organization > Settings) or site configuration (Organization > Site Configuration) page.

The switch upgrade enhancements include the following:

  • Add Upgrade—This setting allows you to schedule upgrades for switches that are already connected to the Mist cloud. You also have an option to execute upgrades immediately. Upgrade schedules can be set up for specific switch models (upgrades all switches of the specified model) or specific switches across sites.
  • Auto Upgrade Settings—If you select the Enable Auto Upgrade check box, you can specify a Junos version per switch model, to automatically upgrade a switch the first time it connects to the Mist cloud. This does not apply to the switches that are already online. This feature is available only at the organization level.
  • Upgrade Status—Lets you view the status of your scheduled upgrades and past upgrades. You can also modify or cancel the upgrade schedules.

For more information, refer to Upgrade Junos OS on Switches.

Virtual Chassis modification made easy

Previously, each Virtual Chassis device in Mist used the physical MAC address of the FPC0 member as the device ID. This meant that removing or replacing the FPC0 member could disrupt the connectivity. With this release, each newly onboarded Virtual Chassis will get a device ID which is not tied to any member device. This device ID is a virtual MAC address that is cloud-assigned. In a virtual MAC-enabled Virtual Chassis, you can replace or renumber all members (including FPC0) in a single step without disrupting the connectivity.

Existing Virtual Chassis devices connected to the cloud will continue to function with FPC0 as the device ID unless the FPC0 is replaced or renumbered from the cloud. Removing or replacing the FPC0 member from an existing Virtual Chassis will transition that Virtual Chassis to a virtual MAC-enabled device without impacting operations.

To identify a virtual MAC-enabled Virtual Chassis, look for the Device IDs on the switch details page (Virtual Chassis page). A device ID starting with 0200 indicates that the Virtual Chassis is virtual MAC address-enabled.

Connect collapsed core switches in full mesh (EVPN Multihoming)

EVPN Multihoming (collapsed core with ESI-LAG) campus fabric now supports connecting switches in full mesh topology in the collapsed core layer. In a full mesh topology, you can connect each switch to every other switch. This support provides the EVPN Multihoming campus fabric with greater resiliency, which ensures continued network functionality even if one device fails. In the image below, you can see an option to connect the switch to all the other three switches added to the collapsed core layer. Previously, switches in the collapsed core layer were connected in a ring topology where each switch was connected to only two other switches even when there were, for example, four switches in the topology.

For more information, refer to Configure Campus Fabric EVPN Multihoming.

Support for Q-in-Q tunneling

You can configure switch ports with Q-in-Q tunneling using all-in-one bundling. Q-in-Q tunneling enables Layer 2 protocol tunneling (L2PT) on interfaces that are not encapsulation tunnels and utilizes MAC address rewrite operation.

Using Q-in-Q tunneling, providers can segregate or bundle customer traffic into fewer VLANs or different VLANs by adding another layer of 802.1Q tags. Q-in-Q tunneling is useful when customers have overlapping VLAN IDs, because the customer’s 802.1Q VLAN tags are prepended by the service VLAN (S-VLAN) tag.

You can configure Q-in-Q tunneling under Port Configuration at the switch level (Switches > Switch Name), site level (Site > Switch Configuration > Select Switches Configuration), and organization level (Organization > Switch Templates > Select Switches Configuration). The configuration includes selecting Q-in-Q as a configuration profile, choosing a Port Network (S-VLAN), and specifying other port configuration parameters.

For more information, refer to Configure Q-in-Q Tunneling on a Switch Port.

Site variable support for DHCP server and relay configuration

Mist supports the use of site variables in DHCP server and relay configuration. You can configure DHCP server and relay from the switch details page. The site variable support is also available for the DHCP relay configuration in campus fabric (on the Networks Settings tab).

Note: The configuration fields that support site variables show the variable format underneath them.

Site variables help you address use cases that require you to configure a set of unique fields for different sites. Site variables provide a way to use tags to represent real values so that the value can vary according to the context where you use the variable. This means the same variable can configure different values in different sites.

Support for DHCP option 81

You can now enable switches with DHCP option 81 support. When this option is enabled on a switch, the clients connected to that switch can send their fully qualified domain name (FQDN) to the DHCP server while requesting an IP address. This allows the DHCP server to update DNS records accordingly.

You can enable a switch with the DHCP option 81 support at the organization level (Organization > Switch Templates), site level (Site > Switch Configuration) and device level (Switches > Switch Name).

Filter switch events by multiple event types

On the Switch Insights page, you can now filter switch events by multiple event types. This allows you to view events related to the specified event types at the same time. Previously, you could filter the events by only a single event type.

Protection of Routing Engine configuration improvements

We have made the following improvements to the Protection of Routing Engine feature:

  • In the default BGP configuration, we have included two different filter terms for source and destination to accommodate any variations in different EX Series switch models. This change will have no impact on BGP sessions.
  • In the ‘allow_dns’ term in the DNS configuration, we have included a prefix list which can be used to allow traffic only from DNS servers configured on the device. This change ensures that no client with source-port 53 and protocol TCP/UDP is sending rogue traffic to the switches on the network.
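The effect of the prefix-list restriction on the ‘allow_dns’ term, modeled as an added Python example (not Juniper's filter configuration and not code from the original page). The DNS server addresses, sample packets, and function names are constructed for illustration, and the port-only match is an assumption about the earlier behaviour drawn from the description above.

```python
import ipaddress
from typing import NamedTuple


class Packet(NamedTuple):
    src_ip: str
    src_port: int
    protocol: str  # "tcp" or "udp"


# Constructed values: DNS servers configured on the switch (documentation ranges).
CONFIGURED_DNS_SERVERS = ["192.0.2.53/32", "198.51.100.53/32"]
PREFIX_LIST = [ipaddress.ip_network(p) for p in CONFIGURED_DNS_SERVERS]


def port_only_match(pkt):
    """Weak form: accept anything that claims source port 53 over TCP or UDP."""
    return pkt.protocol in ("tcp", "udp") and pkt.src_port == 53


def allow_dns(pkt, prefix_list=PREFIX_LIST):
    """Hardened form: source port 53 AND source address in the DNS prefix list."""
    if not port_only_match(pkt):
        return False
    src = ipaddress.ip_address(pkt.src_ip)
    return any(src in net for net in prefix_list)


def rejected_by_prefix_list(packets, prefix_list=PREFIX_LIST):
    """Packets the port-only match would accept but the prefix list rejects."""
    return [p for p in packets
            if port_only_match(p) and not allow_dns(p, prefix_list)]


# Constructed sample traffic towards the switch's Routing Engine.
SAMPLE_PACKETS = [
    Packet("192.0.2.53", 53, "udp"),     # reply from a configured DNS server
    Packet("198.51.100.53", 53, "tcp"),  # reply from a configured DNS server
    Packet("10.20.30.40", 53, "udp"),    # client using source port 53
    Packet("192.0.2.53", 123, "udp"),    # not DNS; left to other filter terms
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "port-only:", port_only_match(pkt), "prefix-list:", allow_dns(pkt))
    print("newly rejected:", rejected_by_prefix_list(SAMPLE_PACKETS))
```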

Enhancements to PoE status display

To improve the clarity of the Power over Ethernet (PoE) status display, we have made the following enhancements to PoE status display on the switch port status view (displayed when you hover over the port) in the front panel section of a switch details page:

  • Renamed the field ‘PoE’ to ‘PoE Admin Status’. This field indicates the PoE interface’s administrative status, which can be Enabled or Disabled. If the PoE interface is disabled, it can provide network connectivity, but it cannot provide power to connected devices.
  • Added a new field named ‘PoE Operation Status’. This field reflects the PoE Operation Status of the interface. The status can be one of the following:
    • ON—The interface is currently supplying power to a powered device.
    • OFF—PoE is enabled on the interface, but the interface is not currently supplying power to a powered device.

Alert timer for switch offline event

You can now configure a switch offline alert timer which defines how long after a switch goes offline users should be alerted to the issue. As a best practice, set the timer to send alerts to users 5 minutes after the switch goes offline. Delaying the alert generation in a switch offline event ensures that you don’t receive an offline alert for any connectivity flaps. The supported timer range is 0 to 240 minutes. By default, the timer is set to 0 minutes (to alert the user immediately after the switch goes offline). Previously, the only available alert timer was a global setting and was applicable to all the device types (such as switches and APs).

Configure bridge priority at switch level

Mist provides an option to configure bridge priority at the switch level. The bridge priority value along with the device MAC address forms the bridge ID which determines the bridge to be elected as the root bridge in a Spanning Tree Protocol (STP) topology. The priority value is useful when two bridges have the same path cost to the root bridge. If you do not set the bridge priority (or select the value ‘none’), the default value (32,768) is configured. The bridge priority can be set only in increments of 4096 (between 0 and 61,440). You can configure bridge priority from the STP Bridge Priority tile in the Management section of the switch details page.

The priority value set from the Additional CLI section takes precedence over the value set from the STP Bridge Priority section.
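How the priority constraints and the bridge ID interact in root election, as an added Python example (not part of the original page and not Mist or Junos code). The switch names and MAC addresses are constructed, and the helper names are hypothetical; the example relies on the standard STP rule that the numerically lowest bridge ID becomes root.

```python
PRIORITY_STEP = 4096
MAX_PRIORITY = 61440
DEFAULT_PRIORITY = 32768


def normalize_priority(value):
    """Map unset/'none' to the default; otherwise enforce 0..61440 in steps of 4096."""
    if value is None or (isinstance(value, str) and value.lower() == "none"):
        return DEFAULT_PRIORITY
    prio = int(value)
    if not 0 <= prio <= MAX_PRIORITY or prio % PRIORITY_STEP != 0:
        raise ValueError(f"bridge priority {prio} is not a multiple of 4096 in 0..61440")
    return prio


def bridge_id(priority, mac):
    """64-bit bridge ID: 16-bit priority in the high bits, 48-bit MAC in the low bits."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return (normalize_priority(priority) << 48) | int(digits, 16)


def elect_root(bridges):
    """bridges maps switch name -> (priority, mac); the lowest bridge ID wins."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


# Constructed topology: both switches left at the default priority.
DEFAULTS = {
    "core-1": (None, "00:00:5e:00:53:10"),
    "access-1": (None, "00:00:5e:00:53:02"),
}
# Same topology after setting an explicit priority on the intended root.
PINNED = dict(DEFAULTS, **{"core-1": (4096, "00:00:5e:00:53:10")})

if __name__ == "__main__":
    # With equal priorities the lower MAC decides, so the access switch wins.
    print("defaults ->", elect_root(DEFAULTS))
    print("core pinned to 4096 ->", elect_root(PINNED))
```

With every switch at the default priority, the election falls through to the MAC address, which is why the intended root should carry an explicit lower priority.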

STP configuration per VLAN

You can configure a switch with VLAN Spanning Tree Protocol (VSTP) or per-VLAN Spanning Tree. This configuration is available in port profiles in the organization and site templates and on the switch details page. VSTP helps in preventing loops in Layer 2 networks on a per-VLAN basis. One Spanning Tree per VLAN enables fine-grained load balancing. We recommend enabling this feature for other vendors’ devices (for example, Cisco) that operate per-VLAN spanning tree by default. When VSTP is enabled on a port, RSTP is automatically disabled on that port.

Historical connection data for wired clients

Mist can now retrieve and display the client properties and connection status data for the wired clients that are disconnected from the switch. This information, displayed in the Client Properties section on the clients Insights page, includes the client MAC address, switch name, and the switch port to which the client was previously connected. This enhancement allows you to access historical connection data, helping in troubleshooting and network management even when clients are not connected to the switch. Previously, the client properties and connection status data were available for clients only when they were connected to the switch.

To view the client properties and connection status data, navigate to the Insights page (Monitor > Service Levels > Insights) and then select the wired client using the scope selector on the Insights page. Alternatively, use Marvis Conversational Assistant to search for the client’s MAC address and then click the result to open the client Insights page.

Access Port Security classifier under Successful Connect SLE

We have added a new classifier, named Access Port Security, to the Successful Connect SLE for switches. This classifier helps you identify client connection failures caused by access port security issues. This classifier groups the reasons for connection failures into the following sub-classifiers:

  • BPDU-Guard: Detects clients that are unable to connect because the port is set as STP Edge port (via port profile), and the clients are sending BPDUs.
  • MAC Limit: Detects connection failures reported when a client exceeds the MAC limit configured on the switch port.
  • Dynamic ARP Inspection: Identifies clients that encounter ARP failure. An ARP failure occurs when a switch drops ARP requests because the clients that are sending these requests are not in the DHCP snooping table.
  • Rogue DHCP Server: Identifies client connection failures caused by a rogue DHCP server event. This could be an event where an untrusted port drops traffic from DHCP servers to block unauthorized servers.

Enhancement to Current Switch Properties in switch Insights

The Current Switch Properties section on the switch Insights page displays the following additional information about the switch: BIOS Version, Recovery Version, Uboot Version, PoE Version, FPGA Version, Power CPLD Version.

Protect-RE configuration optimized for NTP

For switches, we have optimized the Protect-RE configuration for the protocol NTP. Previously, when the Protection of Routing Engine feature was enabled on a switch, the output of the command ‘show ntp status’ used to fail. With this update, we have fixed that issue.

Location Services

Auto Zone (Beta)

You can now use Auto Zone to automatically identify location zones for you based on the boundaries of a given floorplan. To do this, navigate to Location > Live View and select the floorplan. Then, select the Beacons and Zones button, and finally, select the Auto Zone button. Auto Zone is especially useful for customers whose deployments contain a vast number of rooms, as it automatically identifies and names the zones for you, thus allowing for more precise analytics to be gathered.

Auto Zone does the bulk of the work for you. Once Auto Zone identifies the zones for you, you must finalize them. You can physically drag the corners of a suggested zone to adjust it as needed. You can also delete and rename any of the suggested zones as you see fit. If your floorplan has zone names clearly labeled on it, Auto Zone will carry those zone names over for you.

WAN Assurance

Juniper Advanced Threat Prevention features for SRX

We have introduced the following Juniper Advanced Threat Prevention (ATP) features for SRX Series firewalls:

  • Security Intel (SecIntel)—SecIntel profiles, which are included in application policies, enable you to block malicious and unwanted traffic such as Command and Control (C&C) communications, compromised IP addresses or IP subnets, and domains connected to malicious activities (See also: SecIntel Feeds Overview and Benefits). You can create these profiles from the application policy screen (Organization > Application Policy).

    In a SecIntel profile, you can configure the following actions:

    • C&C Default Action—Lets you configure actions against C&C servers that have attempted to contact and compromise hosts on your network.
    • DNS Default Action—Lets you configure actions against the domains that are known to be associated with malicious activities.
    • Infected Host Default Action—Lets you configure actions against infected hosts, which are local devices that are potentially compromised because they appear to be part of a C&C network or exhibit other symptoms.
  • Advanced Anti-Malware (AAMW)—This feature detects and blocks malware and unwanted files on the network before they reach an endpoint. Like SecIntel, anti-malware profiles can be created from the application policy screen (Organization > Application Policy) and included in an application policy.

Mist will automatically enroll devices to Cloud ATP Services as needed. For that, you need to input your credentials through the Secure WAN Edge Integration tile on the Organization > Settings page.

Note: Only the Global instance of ATP is supported in this release.

Anti-virus configuration for application policies

You can apply an anti-virus configuration to application policies under Advanced Security Services for WAN edge devices. Antivirus is part of our secure AI native WAN edge feature set, which includes, in addition, IDS/IPS (IDP), URL Filtering, and SSL proxy. You can either select an anti-virus configuration from a set of predefined values (Default, HTTP(S) Only, and No FTP), or create a custom anti-virus configuration. To apply an anti-virus configuration to an application policy, click the + button in the Advanced Security Services column on the Application Policy page (Organization > WAN > Application Policy). To create a custom anti-virus configuration, use the Add Anti-Virus Profile button. You can also view the security events against the anti-virus configured from the Site > Security Events > Anti-Virus page.

Note: This feature requires additional device side licenses.

BGP multihop for WAN edges

BGP multihop enables BGP peers to establish a connection even if they are not directly connected. This feature is useful in scenarios where BGP peers need to communicate across multiple non-BGP routers (hops) to reach each other. You can enable BGP multihop support by setting the multihop time to live (TTL) value to greater than 1 from the Edit Neighbor section on the BGP Group configuration window. This allows the BGP packets to traverse multiple hops to reach the peer.

BGP over GRE tunnels

You can now set up BGP sessions over generic routing encapsulation (GRE) tunnels on WAN Edge SSR devices. This feature, already available for SRX Series devices, enables BGP to function across networks that are not directly connected. Generic routing encapsulation (GRE) provides a private path for transporting packets through an otherwise public network by encapsulating (or tunneling) the packets. The configuration includes the following steps:

  1. Create a secure edge connector custom tunnel with GRE protocol.
  2. Use this tunnel in the BGP group associated with the WAN edge.
  3. Use the WAN edge testing tool to verify the BGP sessions.

Alert timer for WAN edge offline event

You can now configure a WAN edge offline alert timer which defines how long after a WAN edge goes offline users should be alerted to the issue. As a best practice, set the timer to send alerts to users 5 minutes after the WAN edge goes offline. Delaying the alert generation in a WAN edge offline event ensures that you don’t receive an offline alert for any connectivity flaps. The supported timer range is 0 to 240 minutes. By default, the timer is set to 0 minutes (to alert the user immediately after the WAN edge goes offline). Previously, the only available alert timer was a global setting and was applicable to all the device types (such as switches, WAN edges, and APs).
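The flap suppression that the switch and WAN edge offline alert timers provide, modeled as an added Python example (not Mist code and not part of the original page). The event tuples, device names, and function names are constructed, and the model assumes that an outage lasting at least the timer value raises one alert.

```python
MIN_TIMER = 0
MAX_TIMER = 240  # supported range in minutes, per the release note


def validate_timer(minutes):
    """Reject timer values outside the supported 0 to 240 minute range."""
    if not isinstance(minutes, int) or not MIN_TIMER <= minutes <= MAX_TIMER:
        raise ValueError(f"offline alert timer must be 0..240 minutes, got {minutes!r}")
    return minutes


def offline_alerts(events, timer_minutes, now):
    """Return (device, alert_minute) for each outage that outlasts the timer.

    events: iterable of (minute, device, state), state is 'offline' or 'online'.
    now: current minute, used for devices that are still offline.
    """
    timer = validate_timer(timer_minutes)
    down_since = {}
    alerts = []
    for minute, device, state in sorted(events):
        if state == "offline":
            # Keep the first offline time if duplicate offline events arrive.
            down_since.setdefault(device, minute)
        elif state == "online":
            started = down_since.pop(device, None)
            if started is not None and minute - started >= timer:
                alerts.append((device, started + timer))
    # Devices that never came back: alert once the timer has elapsed.
    for device, started in down_since.items():
        if now - started >= timer:
            alerts.append((device, started + timer))
    return sorted(alerts, key=lambda a: (a[1], a[0]))


# Constructed event stream (minutes since start of observation).
SAMPLE_EVENTS = [
    (0, "sw-access-1", "offline"),
    (2, "sw-access-1", "online"),    # 2-minute connectivity flap
    (10, "sw-core-1", "offline"),
    (40, "sw-core-1", "online"),     # 30-minute outage
    (50, "wan-edge-1", "offline"),   # still offline at minute 60
]

if __name__ == "__main__":
    for timer in (0, 5, 240):
        print(f"timer={timer:>3} min ->", offline_alerts(SAMPLE_EVENTS, timer, now=60))
```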

Table Capacity Insights (FIB Entries, Session Flows)

The WAN Edge Insights page provides the following indicators in the new Table Capacity section:

  • FIB Entries: Displays the current number of FIB entries and the percentage of utilization, essentially showing how much of the available FIB space is currently being used.
  • Session Flows: Displays the current number of active sessions and the percentage of session flow utilization based on the device’s capacity.

You can also click the Search Entries button under each metric to open a shell view in a new window where you can search for entries after specifying filters. In the case of a high availability cluster, Table Capacity indicators are displayed for each node.

OSPF testing tools for WAN edges

The Utilities menu on the WAN edge details page now includes testing tools for verifying Open Shortest Path First (OSPF) configuration and statuses. The following OSPF tools are now available:

  • Show Summary: Displays a summary of OSPF database information (equivalent Junos command: ‘show ospf database summary’).
  • Show Interfaces: Displays the status of OSPF interfaces (equivalent Junos command: ‘show ospf interface’).
  • Show Neighbors: Displays information about OSPF neighbors (equivalent Junos command: ‘show ospf neighbor’). CPU utilization might increase while the device learns its OSPF neighbors. We recommend that you run this test after the device learns and establishes OSPF neighbor adjacencies.
  • Show Database: Displays the entries in the OSPF version 2 (OSPFv2) link-state database, which contains data about link-state advertisement (LSA) packets. You can choose to view the data with the Self Originate flag set as True (equivalent Junos command: ‘show ospf database advertising-router self’) or False (equivalent Junos command: ‘show ospf database’).
  • Show Routes: Displays the entries in the OSPF routing table (equivalent Junos command: ‘show ospf route’).

Support for firmware downgrade (SSR)

You can now downgrade the firmware version running on an SSR device. You can do this by selecting a lower version of the firmware from the Upgrade Firmware page, accessible from the Utilities menu on the WAN edge details page. This feature is already available for SRX Series devices.

Static routing support in custom VRs (SRX)

You can configure static routes in virtual routers (custom VRs) at the organization level templates, site level templates, or at the device level configurations for SRX series firewalls. Previously, Mist supported only OSPF and BGP routes in custom VRs. Static routing is preferred when the complexity of a dynamic routing protocol is not desired.

To configure static routes, use the Add Extra Routes button on the Add Custom VR window, accessed from the LAN section of the WAN edge configuration page (or template).

Drag and drop to reorder application policies

On the WAN Edge templates, you can easily reorder application policies by using drag and drop. This option is helpful when a template contains a large number of application policies, and you need to change the order in which the policies are listed or applied.

Support for testing your WAN link speed (SRX)

You can test the speed of WAN links on SRX devices to ensure optimal performance. This feature, already available for SSR devices, allows for new link qualifications and on-demand speed tests if a low link speed is suspected.

You can create a scheduled speed test at the site (Organization > Site Configuration) or organization (Organization > Settings) level. To enable a scheduled speed test, select a time and a frequency (either daily or once a week) to run the test. You must also select a specific WAN interface or group of WAN interfaces.

To run a speed test, navigate to the SRX WAN edge details page (WAN Edges > WAN Edges > WAN Edge Name), select the WAN port from the port panel, and then click the Run Speed Test link in the Networks section.

Before running the test, ensure that the WAN link has connectivity to the Internet, where the speed test infrastructure can be reached. The speed test feature does not require any firmware version update for your SRX.

Protect-RE configuration optimized for NTP (SRX)

For SRX firewalls, we have optimized the Protect-RE configuration for NTP. Previously, when the Protection of Routing Engine feature was enabled on an SRX firewall, the show ntp status command failed. This update fixes that issue.

Mist Edge

Upgrade strategy for Mist Edge services

When you upgrade the Mist Edge services on multiple Mist Edges in a Mist Edge cluster, you can choose one of the following strategies:

  • Simultaneous: The default option, which upgrades all the selected Mist Edges simultaneously. This is the fastest upgrade option.
  • Serial: This option upgrades the Mist Edges one after another. The serial upgrade is the lowest impact option. APs are gracefully moved to another Mist Edge before the upgrade.

MSP inventory now lists Mist Edge devices

The Inventory page in the Mist Managed Service Provider (MSP) portal now lists the Mist Edge devices associated with the organizations that the MSP manages. The inventory page displays this information in addition to the already existing hardware and subscription details.

Network Observability and Business Intelligence

Subscription management for Premium Analytics

We have enhanced the Premium Analytics (PMA) subscription management to efficiently apply available subscriptions to dashboard types and associated device types. Admins can now choose any combination of WAN, Wired, Wireless + Location dashboard types, and the PMA subscriptions will be counted only against the associated device types.

Upon selection of dashboard types, only the relevant dashboards will be displayed. If no selection is made, wireless dashboards will be enabled by default, and the PMA subscriptions will be counted against the access points.

For the existing PMA deployments, we recommend that you make the selections to comply with the subscription count.

New Premium Analytics dashboard for WAN: Peer-Path Insights

We have added a new Premium Analytics dashboard, Peer-Path Insights, to Mist to give you a consolidated view of organization-wide peer paths and their path down events, such as the top sites and top peer paths encountering path down events. A peer path in the context of Juniper Mist WAN Assurance refers to the connections between session smart WAN edge devices over a WAN network, chosen for redundancy and optimal performance. In a large-scale deployment, this dashboard helps in identifying the most problematic sites, peer paths, and timeline of fluctuations.

Enhancements to Occupancy Dashboards under Premium Analytics for Wireless

The Occupancy Analytics dashboard, part of Premium Analytics, provides valuable insights into employee visitation, dwell time, and movement within enterprise workspaces. These insights empower operations teams to better understand workspace utilization patterns, optimize space allocation, and improve energy efficiency.

Key Enhancements:

  • Weekday Filters: Analyze occupancy trends for specific weekdays or working days to optimize scheduling and resource allocation.
  • Time-Based Occupancy Insights: Understand peak usage hours by monitoring the occupancy trends by day of the week and hour of the day.
  • Zone Occupancy Drill-Down: Gain deeper insights into specific zones to identify underutilized or overcrowded areas.
  • Frequent Movement Tracking: Monitor transitions between zones and floors to enhance space planning and employee flow management.

Simplified Operations

View webhook delivery status

You can view the delivery status of webhook events data on the Webhooks tile of the Organization > Settings page (for organization-level configuration) or the Organization > Site Configuration page (for site-level configuration).

To view the status, click the View hyperlink in the Deliveries column on the Webhook tile, and you will be taken to the Webhook Deliveries page. This page displays webhook delivery status (Success or Failure) along with status code and other details. For each failed delivery, the page displays an error message containing additional insights into the failure.

Currently, only the following webhook topics support this feature: Alerts, Audits, Device Up/Down and Ping. The status information is available for the webhook deliveries reported during the last 61 days.

Behavior Changes

Change in the inactivity timeout behavior

Mist now tracks the inactivity timeout duration configured at the organization level across your browser tabs. This means that when you have multiple Mist pages open in different tabs, staying active in one tab prevents the other tabs from logging you out once the inactivity timeout is reached. Previously, even if you were active on one of the tabs, the inactive tabs would log you out when the inactivity timeout was reached.

Update to PCI reports

Before you run a Payment Card Security (PCI) report on any site (from the Site > Security page), ensure that all APs that are associated with that site are in connected state and have their firmware versions and IP addresses populated. Otherwise, for the APs that are in disconnected state, the appendix section of the report will display a message indicating that the AP’s firmware could not be determined.

Previously, a PCI report run on a site with disconnected APs failed, indicating that the APs in disconnected state were not running the latest firmware versions.

Feature Deprecation

Unpaginated API responses to be deprecated

Currently, the following API requests return an unpaginated, full list of inventory devices.

  • GET /api/v1/orgs/:org_id/inventory
  • GET /api/v1/sites/:site_id/stats/devices

Starting in early 2026, these API requests will return paginated responses to limit the size of the response. By default, the API response will contain the first 100 entries in the list. You can modify the number of entries in the response (range: 1 to 1000) by using the query parameter ‘limit’.

If you currently query these APIs directly and have more than 100 devices in your organization inventory, we recommend that you update your scripts to handle the paginated responses.

For more information, see Pagination.
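The following is an added example, not Juniper's code, of a script loop that keeps requesting pages until the list is exhausted, so an inventory of more than 100 devices is not silently cut short in audit or asset-tracking scripts. Only ‘limit’, its default of 100 and its range come from this page; the `page` query parameter, the placeholder org id, and the injected `fetch_page` callable that stands in for the authenticated HTTP request are assumptions.

```python
DEFAULT_LIMIT = 100   # default page size stated on this page
MAX_LIMIT = 1000      # upper bound for 'limit' stated on this page
INVENTORY_PATH = "/api/v1/orgs/ORG_ID_PLACEHOLDER/inventory"  # placeholder org id


def iter_all(fetch_page, path, limit=DEFAULT_LIMIT, max_pages=10_000):
    """Yield every entry of a paginated list.

    fetch_page(path, params) must return the list of entries for one page.
    The 'page' parameter name is an assumption; check the Pagination docs.
    """
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    page = 1
    while page <= max_pages:
        batch = fetch_page(path, {"limit": limit, "page": page})
        yield from batch
        if len(batch) < limit:   # short or empty page: nothing left to read
            return
        page += 1
    # Fail loudly rather than hand back a partial inventory.
    raise RuntimeError("page cap reached; inventory may be incomplete")


def make_fake_fetcher(total):
    """Constructed stand-in for the HTTP call: serves `total` fake devices."""
    devices = [{"mac": f"{i:012x}"} for i in range(total)]
    calls = []

    def fetch(path, params):
        calls.append(dict(params))
        start = (params["page"] - 1) * params["limit"]
        return devices[start:start + params["limit"]]

    return fetch, calls


def fetch_inventory(total, limit=DEFAULT_LIMIT):
    """Read a constructed inventory of `total` devices; return (devices, requests made)."""
    fetch, calls = make_fake_fetcher(total)
    devices = list(iter_all(fetch, INVENTORY_PATH, limit))
    return devices, len(calls)


if __name__ == "__main__":
    devices, requests_made = fetch_inventory(250)
    print(f"{len(devices)} devices read in {requests_made} requests")
```

A script that reads only the first response would see 100 of the 250 constructed devices; comparing the collected count against a known device total is a cheap check that nothing was dropped.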