1. Documentation
  3. Product Updates
  5. May 29th 2025 Updates

May 29th 2025 Updates

Modified on

Simplified Operations

Guest authorization webhook topic

We have added a new webhook topic named Guest Authorizations to the site level webhook configuration. This topic, listed under the Infrastructure section, is used to alert customers when a guest client is authorized to a WLAN.

For more information, refer to Add a Webhook in the Juniper Mist Portal, Webhook Topics, and Webhook Messages.

Alerts for certificate events

You can now set up Mist to notify you when digital certificates, such as Access Assurance RADIUS Server, CA certificates, and SAML certificates, are expired or about to expire. The alerts configuration page now includes a new section where you can configure alerts for these certificates. Note that you will begin receiving these alerts 30 days before the expiry date. You will receive repeated notifications 15, 7, 3, and 1 day before expiry, unless the certificate is renewed. Once certificate-specific alerts are generated, they appear on the Alerts landing page.

Pause alerts

You can now pause Mist alerts at the site or organization level for a specific period of time. This feature is useful during scenarios such as initial installation or site maintenance—when you want to temporarily suppress alerts. To add and manage rules to pause alerts, go to Monitor > Alerts, click Alerts Configuration, and then click Pause Alerts.

On the Create Rules tab of the Pause Alerts pop-up window, set up rules to pause all alerts for your entire organization or specific sites. In the rule, you can define a period for which alerts should be suppressed. Also, you can choose to apply the rule to organization-level devices or site-assigned devices (available in organization-level rules), and select specific sites or site groups (applicable to site or site group-level rules).

On the Existing Rules tab, view the current rules to see where and when alerts are scheduled to be paused. If you have a long list of rules, you can adjust the display by using the Filter box or the Group By Start/End Time feature. You can also edit or delete any existing rules.

Marvis

Switch Offline and Application Reachability Marvis Actions

We have added the following new Marvis Actions to the Mist cloud:

  • Switch Offline—This action in the Switch category displays the details of the switches that are offline. It also recommends the corrective actions that you can take to bring the affected switches back online. To view and troubleshoot the switches that are offline, click the Switch Offline action under the Switch category.
  • Reachability Failures—Displays a list of application reachability failures identified by Marvis Minis. To view these issues, expand the Datacenter/Application category on the Marvis Actions page (Marvis > Marvis Actions) and then click Reachability Failures. This action displays the information such as the impacted site, VLAN, the date on which the issue was reported, status of the issue, and a recommended action.

Wireless Assurance

Site variables support for configuring WLAN rate limits

Mist WLAN configuration has added support for configuration of the following through site variables:

  • Per-WLAN rate limit
  • Per-client rate limit

You can configure the rate limit values from the WLAN Rate Limit tile on the WLAN creation page at the site level (Site > WLANs) and organization level (Organization > WLAN Templates > Add WLAN).

Site variables help you address use cases that require you to configure a set of unique fields for different sites. Site variables provide a way to use tags to represent real values so that the value can vary according to the context where you use the variable. This means the same variable can configure different values in different sites.

Wired Assurance

Port channelization and chassis speed configuration

Mist Wired Assurance now supports port channelization and chassis speed (port speed) configuration for a select set of switches.

Port channelization enables you to split a high-speed QSFP or QSFP+ port on a switch into multiple low-speed ports. For example, you can channelize a 100-Gbps port into four 25-Gbps ports.

Chassis speed configuration is available for SFP or SFP+ ports. Note that the SFP and SFP28 ports are grouped in quads (groups of four), and you can configure the speed of the ports only in quads; you cannot configure the speed for a single SFP28 port. The speed configured for the first port in a quad gets applied to all the ports in that quad.

The following table lists the devices and their respective ports that support port channelization, along with the supported channel speeds:

Model Port Channel Speed
QFX5120-32C 0-30 4x10g, 4x25g, 2x50g
31 2x50g
QFX5120-48T 48-49, 52-53 2x50g
50, 51 4x10g, 4x25g, 2x50g
QFX5120-48Y 48-55 4x10g, 4x25g
QFX5120-48YM 50, 52 4x10g, 4x25g, 2x50g
QFX5130-32CD 0-31 4x10g, 4x25g, 2x50g,  2x100g, 8x50g, 4x100g, 2x200g
EX4650-48Y 48-55 4x10g, 4x25g

The following table lists the devices and their respective ports that support chassis speed configuration, along with the supported speeds:

Model Port Chassis Speed (per quad starting at ports 0, 4, 8, …, 44)
QFX5120-48T 0-47 1g, 10g
QFX5120-48Y 0-47 1g, 10g, 25g
QFX5120-48YM 0-47 1g, 10g, 25g
EX4650-48Y 0-47 1g, 10g, 25g

The port channelization and speed configuration features are available on the Advanced tab of the Port tile on the switch details page (Switches > Switch Name). Use the Advanced Port Configuration option to select ports and configure channels or speeds. Once you channelize a port, you can assign port profiles to individual channel speeds. Similarly, the campus fabric configuration screen allows you to select the channelized ports while configuring EVPN connections.

You can view the channelization information for a port by hovering over it on the front panel on the switch details page.

Configure server reject and server fail networks

You can now configure the following settings on an 802.1X (dot1x)-enabled switch port, which is used for network access control:

  • Server Reject Network—Select a VLAN to be assigned to a device if the authentication server rejects the device’s authentication attempt for reasons such as incorrect credentials. You can choose a VLAN that provides only limited network access.
  • Server Fail Network—Select a VLAN to be assigned to a device if the authentication server is unreachable or fails to respond. You can choose a VLAN that provides limited or no network access, depending on your requirements.

These features help you handle authentication issues gracefully while maintaining network security. You can configure these settings on the Port Profile tile at the switch-level, site template-level, or organization template-level.

Detection of EVPN loops and duplicate MAC addresses in campus fabric

In campus fabric topologies that are built in Mist cloud after the May 2025 updates, Mist automatically detects and reports any EVPN loops and duplicate MAC addresses. These issues are displayed on the switch Insights page. You will receive the May updates between May 16 and May 29, 2025, depending on your region.

  • EVPN loop detection—EVPN-VXLAN lightweight PE-CE loop detection helps in detecting and breaking LAN Ethernet loops on downstream leaf-to-server or access ports. This feature can detect loops caused by issues such as miswired fabric components or third-party switches incorrectly connected to the fabric.
    For this feature to work, the switch must run the Junos OS version 24.4R1 or later.
    For more information, refer to EVPN-VXLAN Lightweight Leaf to Server Loop Detection.
  • Duplicate MAC address detection—Identifies and mitigates issues arising from MAC address movement (MAC mobility) between different interfaces or devices in EVPN environments. While some MAC mobility is expected (for example, when a device actually moves), rapid changes might indicate issues such as network loops or misconfigurations. For more information, refer to Configuring Loop Detection for Duplicate MAC Addresses.

Anycast gateway IP address configuration for campus fabric

Mist Wired Assurance now supports the configuration of IPv4 and IPv6 anycast gateway addresses for campus fabric configurations. When you configure these fields, Mist uses those gateways as the anycast IP address assignment across all access switches (IP Clos deployments) and distribution switches (ERB deployments) in the campus fabric configuration.

When you select Create New Network from the Networks section of the campus fabric configuration in Mist, the New Network section contains the following new fields:

  • IPv4 Anycast Gateway (Optional)
  • IPv6 Anycast Gateway (Optional)

NOTE: If these fields are left empty, Mist uses the first IP address in the subnet as the anycast address.

Once you select the blue check mark to save the Network configuration, Mist creates the corresponding network-specific IP configuration in the Other IP Configuration section, which serves as the IP configuration for all devices in the campus fabric configuration.

View campus fabric configuration

Network admins and super users will now be able to open a campus fabric configuration in view-only mode. This option can be used to review configurations for troubleshooting purposes. To open configuration in view-only mode, click the View Configuration button on the campus fabric configuration page.

WAN Assurance

WAN edge firmware versions in the inventory view

The WAN edge Inventory page now displays the device firmware versions. With this update, you can instantly view and compare firmware versions deployed on your WAN edge devices across an organization. This feature is useful when managing the lifecycle of a WAN deployment in Mist.

Configuration differences view for WAN edge device configuration and hub profiles

When you modify a WAN edge device configuration or hub profile and click Save, a confirmation window displays the differences between the new (modified) and old configurations. This window provides a quick view of all the configuration changes you made before you submit them. On this view, the newly added configurations appear with a plus sign (+), while the configurations removed appear with a minus sign (–).

Remove private AS numbers

When a router sends route information to a BGP neighbor in a different AS, any private AS numbers in the AS path should be removed. This is because some ISPs automatically reject routes that contain private AS numbers. You can remove these numbers by selecting the Remove Private AS check box in the Add BGP Group window in the WAN edge device configuration.

Network Observability and Business Intelligence

New Premium Analytics dashboard for SRX WAN edge security

This dashboard consolidates data from your Advanced Threat Prevention (ATP) logs to provide a comprehensive view of network security, specifically focusing on Anti-Virus, Advanced Anti-Malware, and Sec-Intel actions. It is applicable to Mist-managed SRX WAN Edge devices that are enrolled in the Juniper ATP Cloud and configured with the relevant security policies.

The dashboard is divided into the following three sections:

  • Security Intelligence Actions (Sec-Intel Insights)—This section displays destination IPs blocked by Sec-Intel policies based on external threat intelligence.
  • Advanced Anti Malware (AAMW) Insights—This section tracks compromised endpoints, malware URLs, and mitigation actions.
  • Anti-Virus Insights— This section highlights the severity and actions taken for compromised endpoints.

For details on SRX configuration with Juniper ATP, refer to Advanced Threat Prevention Features.

Expanded access to Premium Analytics features

The Download and Scheduled Delivery features in the Premium Analytics Dashboard are now available to all user roles within the Mist Dashboard. Previously, these capabilities were restricted to Network Admin and Super User roles. With this update, all users can now conveniently access and share insights.

Upcoming Changes

Enhancements to Network Admin user role

We are excited to share a few upcoming enhancements to the Network Admin roles in Mist. These updates are designed to improve the user experience and streamline operations and will be available in the upcoming feature release. They will not impose any limitations on existing functionality; instead, they optionally grant additional privileges to enhance administrative capabilities.

What is changing?

  • We are introducing a new user role called Org Admin, which will have write access to all components within the Mist dashboard (both GUI and API) except for administrative functions such as:
    • Creating or managing other admin users
    • Modifying login and authentication settings

And the existing Org Scope Network Admins become Org Admins.


Org Admin will have read and write access to following pages on Organization menu:

  • Updates to the Network Admin role (Site, Site Group, or All Sites):

    • The Network Admin role will have an option to enable:

      • Write-access to site configuration pages within their respective scope via the Mist portal.

      • Read-only access to organization-level templates.

    • No change to the existing site or site group Network Admins – a Super User can optionally grant the enhanced privileges.

    • Newly created Network Admin users default to having additional privileges listed above. A Super User can optionally remove the additional privileges if needed.


Network Admins will have read and write permissions to site configuration, and read permissions to the other pages on the Organization menu.

  • The existing Network Admin (All Sites) users will appear as Org Admin in the Mist Portal. They will have access to view and modify organization-level templates as well as organization and site settings. This will bring uniformity in API and UI privileges.

API mappings for Network Admin and Org Admin users

Role Mapping for newly created users (Default: read access to select org level configurations is allowed)  Mapping for existing users or if read access to select org level configurations is unchecked
Network Admin (Site) {scope:site, role:write}

{scope:org, role:read}

 {scope:site, role:write}
Network Admin (Site group) {scope:siteGroup, role:write}

{scope:org, role:read}

 {scope:siteGroup, role:write}
Network Admin (All Sites) {scope:Orgsites, role:write}

{scope:org, role:read}

 {scope:Orgsites, role:write}
Org Admin {scope:org, role:write}
Org Admin (MSP) {scope:msp, role:write}

Feature Deprecation

Unpaginated APIs responses to be deprecated

Currently, the following API requests return an unpaginated, full list of inventory devices.

  • GET /api/v1/orgs/:org_id/inventory
  • GET /api/v1/sites/:site_id/stats/devices

Starting in early 2026, these API requests will fetch paginated responses to limit the size of the response. By default, the API response will fetch the first 100 entries in the list. You can modify the number of entries in the response (range: 1 to 1000) by using the query parameter ‘limit’.

Currently, if you query this API directly when you have more than 100 devices in your organization inventory, we recommend that you update the scripts to handle the paginated responses.

For more information, see Pagination.

Webhook topic asset-raw to be deprecated

We will deprecate the webhook topic asset-raw from 06/16/2025 onwards. It will be replaced with a new topic named asset-raw-rssi. See the Webhooks section in https://api.mist.com/api/v1/docs/Site#webhooks.