Juniper Mist on US GovCloud addresses specific regulatory and compliance requirements of US government agencies at the federal, state, and local level; contractors; educational institutions; and other US customers that run sensitive workloads in the cloud. Currently, this environment is “In-process” on the FedRAMP marketplace for Impact level “Moderate”.
This page lists the Juniper Mist updates released on US GovCloud on September 20th, 2024.
Marvis
New columns on the MQL switch list
We have added the following two columns to the switch list invoked by a Marvis query:
- Role: Displays the switch role.
- Managed: Indicates whether the switch is managed by Mist or not.
To view these columns, run a Marvis query to list the switches by using the Ask a Question feature on the Marvis > Marvis Actions page, as shown below.
Simplified Operations
OAuth 2.0 based webhooks
We have introduced OAuth 2.0 support for webhook authentication.
If you enable OAuth 2.0, the Mist cloud will act as the OAuth 2.0 client and will authenticate against an authorization server to get a token. The token will then be added to the Webhook Authorization Headers.
Mist supports the following two methods (grant types) for requesting access tokens from the customer system:
- Password-based: If you select this method, you need to provide the username and password of the resource owner.
- Client Credentials-based: If you select this method, you need to specify the Client ID and Client Secret provided by the OAuth IDP.
You can configure webhooks at the organization level (from the Organization > Settings page) or site level (from the Organization > Site Configuration page).
Client Latency Webhook
You can now subscribe to the client latency webhook to receive DHCP, DNS, and authentication latency information for the client devices at the site level. If you subscribe to this webhook, you will receive the site average, minimum, and maximum latency data in milliseconds for a 10-minute window at 10-minute intervals. To be able to use the Client Latency webhook, you need an active Marvis subscription. To configure the client latency webhook, select the Latency webhook topic on the Add Webhook window on the site configuration page (Organization > Site Configuration).
Here is a sample of the client-latency message. Values are in milliseconds.
{
  "topic": "client-latency",
  "events": [
    {
      "avg_auth": 337.46013,
      "avg_dhcp": 34.611873,
      "avg_dns": 37.067875,
      "max_auth": 1049.9762,
      "max_dhcp": 34.611873,
      "max_dns": 49.85943,
      "min_auth": 99.93066,
      "min_dhcp": 34.611873,
      "min_dns": 23.643397,
      "org_id": "9777c1a0-6ef6-11e6-8bbf-02e208b2d34f",
      "site_id": "978c48e6-6ef6-11e6-8bbf-02e208b2d34f",
      "timestamp": 1722517800
    }
  ]
}
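The following is an added example, not Juniper's code, that ties the two webhook items above together: a tiny authorization server issuing tokens for the two grant types Mist can use, and a receiver that checks the token Mist places in the Authorization header before acting on a client-latency event. The client registry, user account, bearer-token scheme and the 300 ms authentication threshold are constructed assumptions; the sample body is the message from the release note.

```python
import hmac
import json
import secrets
import time

# Constructed data: one registered OAuth client and one resource-owner account.
CLIENTS = {"mist-webhook": "client-secret-example"}
USERS = {"webhook-user": "user-password-example"}
TOKENS = {}          # issued access token -> expiry (epoch seconds)
TOKEN_TTL = 3600     # assumed lifetime; the receiver rejects expired tokens

# Sample client-latency message taken from the release note (values in ms).
SAMPLE_BODY = json.dumps({"topic": "client-latency", "events": [{
    "avg_auth": 337.46013, "avg_dhcp": 34.611873, "avg_dns": 37.067875,
    "max_auth": 1049.9762, "max_dhcp": 34.611873, "max_dns": 49.85943,
    "min_auth": 99.93066, "min_dhcp": 34.611873, "min_dns": 23.643397,
    "org_id": "9777c1a0-6ef6-11e6-8bbf-02e208b2d34f",
    "site_id": "978c48e6-6ef6-11e6-8bbf-02e208b2d34f",
    "timestamp": 1722517800}]})


def issue_token(grant_type, **params):
    """Authorization-server side: the two grant types Mist can request."""
    if grant_type == "client_credentials":
        secret = CLIENTS.get(params.get("client_id", ""))
        ok = secret is not None and hmac.compare_digest(secret, params.get("client_secret", ""))
    elif grant_type == "password":
        pw = USERS.get(params.get("username", ""))
        ok = pw is not None and hmac.compare_digest(pw, params.get("password", ""))
    else:
        ok = False
    if not ok:
        return None                      # do not reveal which field was wrong
    token = secrets.token_urlsafe(32)
    TOKENS[token] = time.time() + TOKEN_TTL
    return token


def token_is_valid(auth_header):
    """Receiver side: accept only an unexpired token we issued (assumed Bearer scheme)."""
    scheme, _, token = (auth_header or "").partition(" ")
    if scheme != "Bearer" or not token:
        return False
    expiry = TOKENS.get(token)
    return expiry is not None and time.time() < expiry


def handle_webhook(headers, body, auth_slo_ms=300.0):
    """Reject unauthenticated posts; otherwise flag sites whose average
    authentication latency in the 10-minute window exceeds auth_slo_ms."""
    if not token_is_valid(headers.get("Authorization")):
        return {"status": 401, "alerts": []}
    msg = json.loads(body)
    alerts = []
    if msg.get("topic") == "client-latency":
        for ev in msg.get("events", []):
            if ev["avg_auth"] > auth_slo_ms:
                alerts.append((ev["site_id"], round(ev["avg_auth"], 1)))
    return {"status": 200, "alerts": alerts}
```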
Generate user API tokens from Mist UI
You can now generate user API tokens from the Mist UI, in addition to the org API tokens which have been in the UI for several years. User API tokens contain authentication information and are bound to a specific user; they inherit the permission set of that user account. API tokens are used for API-based access to the Mist platform. You can generate and manage API tokens tied to your account from the My Account page, accessed from the user profile icon. User API tokens are not supported for SSO users. Instead, you will need to use a service account or org API tokens.
To create an API token from Mist portal:
- On the My Account page, click Create Token in the API token section.
- Give a name to the token and click Generate. The token is generated.
- Copy the token key and store it in a safe location. And then click Done.
Wireless Assurance
Channel assignment logic update for 6 GHz bands
Radio Resource Management (RRM) now assigns 6 GHz radio bands using both preferred scanning channels (PSCs) and non-PSC channels. Previously, RRM would assign only PSCs in the 6 GHz band unless the customer manually enabled all channels. The channel assignment logic in the 6 GHz band for different channel widths is as follows:
- For 20 MHz and 40 MHz width, all allowed channels (PSC and non-PSC) are used as the primary channel.
- For 80 MHz and 160 MHz width, PSC channels are used as primary channels.
Through lab testing and extensive deployment verification, we have determined that clients generally discover non-PSCs effectively via out-of-band mechanisms such as reduced neighbor reports or 11k neighbor reports. For this reason, we are happy to amend our guidance around the use of 6 GHz non-PSCs. This should come as welcome news to Europe and other regions with 500 MHz of 6 GHz spectrum.
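The following is an added example, not Juniper's code, that applies the per-width rule above to a constructed channel plan and shows why the change matters in a 500 MHz region. It assumes Wi-Fi 6E channel numbering (20 MHz channels 1, 5, 9, ... in steps of 4; PSCs every 16th channel starting at 5) and treats the band edges (channel 93 for 500 MHz, channel 233 for 1200 MHz) as assumptions.

```python
def is_psc(channel):
    """Preferred scanning channel: 5, 21, 37, ... i.e. (channel - 5) divisible by 16."""
    return channel >= 5 and (channel - 5) % 16 == 0


def allowed_20mhz_channels(max_channel):
    """All 20 MHz channel numbers up to max_channel (assumed numbering 1, 5, 9, ...)."""
    return list(range(1, max_channel + 1, 4))


def primary_candidates(width_mhz, allowed):
    """Channels RRM may choose as primary for the given width, following the
    release-note rule: all allowed channels for 20/40 MHz, PSCs only for 80/160 MHz."""
    if width_mhz in (20, 40):
        return list(allowed)
    if width_mhz in (80, 160):
        return [ch for ch in allowed if is_psc(ch)]
    raise ValueError(f"unsupported 6 GHz channel width: {width_mhz}")


def compare_plans(max_channel):
    """Per width: (primaries under the old PSC-only rule, primaries under the new rule)."""
    allowed = allowed_20mhz_channels(max_channel)
    psc_only = [ch for ch in allowed if is_psc(ch)]
    return {w: (len(psc_only), len(primary_candidates(w, allowed)))
            for w in (20, 40, 80, 160)}


if __name__ == "__main__":
    # Constructed plans: a 500 MHz region (channels 1-93) and a 1200 MHz region (1-233).
    for label, top in (("500 MHz region", 93), ("1200 MHz region", 233)):
        print(label, compare_plans(top))
```

For the 500 MHz plan the new rule raises the 20 MHz primary choices from 6 PSCs to all 24 channels, while 80 and 160 MHz stay on the 6 PSCs.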
Override the default URL for PSK generation
Mist sends a reauthentication URL to users when the pre-shared key (PSK) to access their wireless network is about to expire. This URL helps users re-authenticate themselves and generate a new passphrase. You can now override this default URL with a custom URL, typically an SSO URL. You can enter the custom URL in the ‘Key Expiration Renew URL’ field on the PSK Parameters Tab on Add/Edit PSK Portal page (Organization > Client Onboarding > Add/Edit PSK Portal). If you configure a custom URL, Mist will include it in the notification email to let the end user know where to renew their PSK. The Key Expiration Renew URL field is displayed only if you select the Send Reminders option.
Here is a sample notification email:
Access point label enhancements
We have improved the access point (AP) label creation workflow by adding an option to multi-select APs to be included in the label. This option is available on the AP label creation page at the organization level (Organization > Labels > Add Label) and site level (Site > Labels > Add Label). To select APs to be included in the label, click the + icon. The AP selection list at the site and organization levels includes a search filter which allows you to filter APs by MAC address or AP name. At the organization level, the AP selection list additionally includes an option to search for APs by specific sites or across the entire organization.
The multi-select option is also available on the New WLAN (Site > WLANs > Add WLAN) and AP details (Access Points > Access Point Name) pages where you select specific APs.
Mist Edge
IPv6 support for Mist Edges
Mist Edges now support configuration of IPv6 addresses. On the Mist Edge configuration page, you can configure IPv6 addresses in the following sections:
- OOBM IP Address: This section provides an additional tab to configure IPv6 addresses. The IPv6 support is available for IP Address, Subnet Mask, Default Gateway, and DNS. We have also added the options to disable IPv4 or IPv6 dynamic addressing.
- Tunnel IP: This section provides an additional tab to configure IPv6 addresses. The IPv6 support is available for IP Address, Subnet Mask, and Default Gateway.
On the Mist Edge Clusters Page, you can configure IPv6 addresses in the existing fields for:
- Radius Authentication Servers
- Radius Accounting Servers
- COA/DM Server
- Tunnel Termination Services
- AP Subnets
- Upstream Resource Monitoring
The IPv6 support is also available for Mist Tunnels on the site configuration page (Organization > Site Configuration).
You can also view the IPv6 addresses on the Insights, Alerts, Marvis Query pages for:
- OOBM interface
- Mist Tunnels
- Radius server
- APs
The following image shows the Mist Edge configuration page with options to configure IPv6 addresses:
Mist Edge notes
Mist Edges now provide an option to enter device-specific notes. You can use the notes to capture any additional information about the device.
Firmware upgrade recommendation for Mist Edges
The Mist Edge Inventory page now displays a firmware upgrade recommendation message for the Mist Edges that are running outdated firmware versions. The message that reads ‘Firmware Upgrade Recommended’ is displayed in the Status column of the Mist Edge Inventory page if a new Tunterm service version is available for upgrade. You can see the same status message on the Mist Edge details page as well.
Wired Assurance
IPv6 support for campus fabric
The Mist campus fabric architecture supports configuration of IPv6 addresses for the following switch configuration elements:
- Networks
- Other IP Configuration
- VRF
- DHCP relay or server
- Static Route. The IPv6 support is available for destination and next hop addresses.
- IP and Additional IP Configuration. The IPv6 support is available for IP address and subnet mask.
- L3 interface and L3 subinterface in Port Configuration. The IPv6 support is available for IP address and subnet mask.
Configuration elements like Networks have dedicated fields for IPv6 address configuration, as shown below.
Configuration elements like VRF support IPv6 addresses and IPv4 addresses in the existing IP address field. If you want to configure both IPv4 and IPv6 for such elements, you can save them one after the other.
Delete system-defined port profiles
You can now delete the following system-defined port profiles for switches: ap, iot, and uplink.
The delete function is available at the switch template level. You cannot delete the following system-defined port profiles: default and disabled. If you delete the ap, iot, or uplink profile that is used in an existing configuration, that profile will be replaced by the default profile.
To delete a system-defined port profile, open it from the Port Profiles tile in the Switch Template and then click the delete icon.
Locate standalone switches and VC members
Juniper Mist provides an option to physically locate a standalone switch or a Virtual Chassis (VC) member switch. To locate a switch, click the Locate option on the switch dashboard. As a result, the LED on the selected switch blinks for a specified duration. In a Virtual Chassis, you can locate the primary, backup, or linecard members. Only one member can be located at a time. The following image shows the Locate option on a Virtual Chassis dashboard.
Reauthentication interval for switch port profile
In a switch port profile that uses dot1x authentication, you can configure a timer that controls how often a client reauthenticates itself with the RADIUS server. The recommended value is 6 to 12 hours (21600 to 43200 seconds). The default value is 65000 seconds.
Disable remote shell access to switches and gateway devices
Mist provides an option to turn off remote shell access to the switches and gateway devices in an organization. This setting is available at the organization level. To turn off remote shell access, navigate to the Switch Management tile on the Organization > Settings page and then select Disable Remote Shell Access.
RSTP Edge ports
From a switch port profile, you can enable Rapid Spanning Tree Protocol (RSTP) edge on ports where clients that do not participate in RSTP are connected. Examples of such clients are a PC or a VoIP phone, which are not supposed to send BPDUs. These ports are blocked by RSTP if they receive a BPDU from the end client. You should not enable RSTP Edge on the uplink port. The RSTP edge replaces the base Spanning Tree Protocol (STP) edge in Mist. Mist supports the following RSTP link types at the organization and site template levels:
- RSTP Point-to-Point: This configuration changes the interface mode to point-to-point. Point-to-point links are dedicated links between two network nodes, or switches, that connect one port to another.
- RSTP No Root Port: This configuration prevents the interface from becoming a root port.
Transceiver information on the port list
The port list on the switch dashboard displays the following additional columns to show information about the transceivers connected to the ports.
- Transceiver: Shows the transceiver manufacturer.
- Serial Number: Shows the serial number of the transceiver.
- Transceiver Model: Shows the transceiver model.
Download switch logs via remote shell
For troubleshooting purposes, you can download configuration logs from a switch via remote shell. To do this, use the download button provided at the upper right of the remote shell screen.
WAN Assurance
Support for SRX4300 devices
You can onboard, configure, and manage the SRX4300 firewall as a WAN Edge on the Juniper Mist portal. To onboard this device to Mist, use the Adopt WAN Edges workflow on the Inventory page (Organization > Inventory > WAN Edges). Once onboarded, the SRX Series device will be listed on the WAN Edges Inventory page and on the WAN Edges page (WAN Edges > WAN Edges).
Note that SRX4300, SRX1600, and SRX2300 devices must run Junos OS version 24.2R1.17 for Mist support.
In the image below, you can find the SRX4300 device listed on the WAN Edges inventory page.
Gateway Bandwidth SLE (SRX)
Gateway Bandwidth SLE tracks the user minutes during which the gateway device bandwidth met or failed to meet a derived threshold. When the Gateway Bandwidth threshold is not met, Juniper Mist sorts the issues into the following classifiers:
- Congestion Uplink: Shows the time (in percentage) during which the Gateway Bandwidth SLE was not met because of congestion on the uplink.
- Bandwidth Headroom: Shows the time (in percentage) during which the Gateway Bandwidth SLE was not met because the bandwidth headroom threshold was breached. Bandwidth Headroom is a learnt estimate of available WAN bandwidth. This is a baseline that represents the highest point of bandwidth usage over the last 14 days. The Bandwidth Headroom classifier is triggered when the current usage exceeds the baseline. The SLE shows the highest utilized queue on the Distribution tab.
Enhancements to Application Path Insights
We have added several enhancements to Application Path Insights to improve the user experience and provide additional path failover details. The key enhancement is a path state bar that shows path state information over a timeline. On the bar, path state events are indicated by segments highlighted in different colors (for example, path up events are shown in green and path down events in red). You can hover over the highlighted portions on the path to view a summary of path state events. If you click the bar, you get an events view which provides additional insight into the path state. The Application Path Insights enhancements also include a summary view of the recent path state events on the left of the screen. Also, the Policies drop-down list now includes active policies (which have seen traffic) and inactive policies (which have not seen traffic) for the selected time range.
Health check for custom applications (SSR)
You can now choose to view the health SLE data only for your custom applications. For example, if you have designated your Point of Sale (POS) devices as custom applications, you might want to view Application Health for only those devices. To do so, go to Monitor > Service Levels, and click the WAN tab. Above the SLE blocks, turn on Show Custom Apps to view the bad user minute data only for your custom applications. Turn off this feature to view data for all applications.
Enhancements to the Session testing tool (SSR)
To help troubleshoot WAN Edge devices, we have enhanced the Session testing tool with options to view the session details and to delete the sessions if required.
Application Policy hit count
In the Application Policy section on the WAN Edge device page, you can now view the hit count, which indicates the number of Application Policy events for each policy rule. This feature is available for SRX Series devices in this release. For SSR devices, you will see this feature in a future release.
Bounce port testing tool for SSR
Mist now provides an option to run a soft bounce port test on SSR ports. A bounce port test provisionally takes the port down and then brings it back up, causing a port state change within the device. Bounce port does not cause the external physical link to change. The connected devices will not see a link state change.
RTT values for slow applications under Application Health SLE metric (SSR)
For WAN Edge devices, Application Health Service Level Expectation (SLE) metric provides RTT values associated with slow applications that caused bad user minutes. The SLE also provides the number of application disconnect events. You can view the RTT values, or the application disconnect data from the WAN Assurance SLE page (Monitor > Service Levels > WAN). To view the data, follow the steps below:
- Navigate to the WAN Assurance SLE page (Monitor > Service Levels > WAN).
- To view the application disconnect values, select Application Health > Application Services > Application Disconnects.
- To view the RTT value associated with a slow application, select Application Health > Application Services > Slow Application.
- On the Affected Items tab, select an application graph and hover over the affected user minute.
In the following picture, the Application Disconnects field indicates the bad user minute caused by application disconnect events; and the Disconnects field indicates the number of disconnect events observed during the time range displayed.
In the following image, the Slow Application value indicates the number of bad user minutes caused by slow application; and the RTT field shows RTT associated with the slow applications in seconds.
Time series data charts for Cellular Edge devices
Mist now provides the following LTE graphs for Cellular Edge (Cradlepoint) devices:
- RSRP: Reference Signal Received Power (RSRP) represents a measure of the received power level in an LTE network. Supported range: -200 through 10 dBm.
- SINR: Signal-to-Interference-plus-Noise Ratio (SINR) graph compares the level of the received signal to the level of background noise and interference.
- RSSI: Received signal strength indicator (RSSI) is a measurement of the AP radio signal and is typically measured by the client. The scale runs from -100 dBm (weakest) to 0 dBm (strongest).
You can view these graphs on the WAN Edge Insights page.
New testing tools for WAN Edges (SSR)
Mist now provides the following testing tools for the purpose of WAN Edge troubleshooting:
- FIB Lookup: Enables you to look up the forwarding information base (FIB) data associated with the WAN Edge device selected. You can look for FIB data by Network, Destination IP, Destination Port, and Protocol.
- FIB by Application: Enables you to look up the FIB data by application, VRF, and prefixes.
- Routes: Enables you to debug the BGP routing table. It shows how the sent or received prefixes from various neighbors are being handled and processed in the BGP table.
Static DHCP IP address reservation
For a WAN Edge LAN interface, you can reserve a static DHCP address if the interface has a DHCP server configured. Static DHCP IP address reservation involves binding a client MAC address to a static IP address from the DHCP address pool. You can also specify a maximum lease time for the DHCP addresses. The supported DHCP lease duration ranges from 3600 seconds (1 hour) to 604800 seconds (1 week).
You can create static reservations for LAN using the Add Reservation option in the Add DHCP Config window in the LAN configuration section of the WAN Edge template or the WAN Edge details page. The configuration includes a name, MAC address, and an IP address.
View and revoke DHCP lease on WAN Edges
You can now view and revoke the DHCP lease on WAN Edge devices. The revoke option lets you release client devices from their current lease. To view the DHCP lease information, go to the Leased IPs window by clicking the hyperlinked values in the Leased IPs column in the DHCP Statistics section on the WAN Edge details page. The Leased IPs window displays the client devices (MAC Addresses or hostnames) along with the leased IP addresses and the lease expiry dates. On the Leased IP window, select a DHCP lease record and click the Revoke button to revoke the DHCP lease.
Max Bandwidth graph for WAN Edges
We have added a new WAN Edge port graph named Max Bandwidth. This graph provides insight into the highest point of link utilization recorded for RX and TX packets on each port during the day. The max bandwidth data is shown in bps. You can view the MAX Bandwidth graph in the WAN Edge Ports section on the WAN Edge Insights page.