An organization usually represents a customer - which has inventories, licenses. An Organization can contain multiple sites. A site usually represents a deployment at the same location (a campus, an office).
POST /api/v1/orgs/:org_id/sites
{
"name": "Mist Office",
"timezone": "America/Los_Angeles",
"country_code": "US",
"rftemplate_id": "bb8a9017-1e36-5d6c-6f2b-551abe8a76a2",
"secpolicy_id": "3bcd0beb-5d0a-4cbd-92c1-14aea91e98ef",
"alarmtemplate_id": "684dfc5c-fe77-2290-eb1d-ef3d677fe168",
"networktemplate_id": "12ae9bd2-e0ab-107b-72e8-a7a005565ec2",
"gatewaytemplate_id": "6f9b2e75-9b2f-b5ae-81e3-e14c76f1a90f",
"aptemplate_id": "16bdf952-ade2-4491-80b0-85ce506c760b",
"sitetemplate_id": "155fb365-05c6-4d54-925f-1ac14244a95e",
"latlng": { "lat": 37.295833, "lng": -122.032946 },
"sitegroup_ids": [ "581328b6-e382-f54e-c9dc-999983183a34", "f57096b9-0c2f-4df6-c77b-ae6ae87a3d43" ],
"address": "1601 S. Deanza Blvd., Cupertino, CA, 95014"
}
| Name | Type | Description |
|---|---|---|
name |
string |
Required. The name of the site |
notes |
string |
optional, any notes about the site |
timezone |
string |
Timezone the site is at |
country_code |
string |
country code for the site (for AP config generation), in two-character |
latlng |
latlng |
site location |
address |
string |
full address of the site |
lat |
float |
latitude |
lng |
float |
longitude |
sitegroup_ids |
list |
sitegroups this site belongs to |
rftemplate_id |
string |
RF Template ID, this takes precedence over Site Settings |
apporttemplate_id |
string |
APPort Template ID |
secpolicy_id |
string |
SecPolicy ID |
alarmtemplate_id |
string |
Alarm Template ID, this takes precedence over the Org-level alarmtemplate_id |
networktemplate_id |
string |
Network Template ID where site can use as its base Site Setting |
gatewaytemplate_id |
string |
Gateway Template ID, used by gateways |
aptemplate_id |
string |
AP Template ID, used by APs |
sitetemplate_id |
string |
Site Template ID |
{
"id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"name": "Mist Office",
"timezone": "America/Los_Angeles",
"country_code": "US",
"latlng": { "lat": 37.295833, "lng": -122.032946 },
"sitegroup_ids": [ "581328b6-e382-f54e-c9dc-999983183a34", "f57096b9-0c2f-4df6-c77b-ae6ae87a3d43" ],
"address": "1601 S. Deanza Blvd., Cupertino, CA, 95014"
}
Get a list of country codes that we support
GET /api/v1/const/countries
| Name | Type | Description |
|---|---|---|
extend |
boolean |
default is false, will include more country codes if true |
[
{
"alpha2": "US",
"numeric": 840,
"name": "United States",
"certified": true
},
{
"alpha2": "JP",
"name": "Japan",
"numeric": 392,
"certified": true
},
{
"alpha2": "BY",
"name": "Belarus",
"numeric": 112,
"certified": true,
"disabled": true
},
...
]
Get ISO states based on country code
GET /api/v1/const/states?country_code=US
| Name | Type | Description |
|---|---|---|
country_code |
string |
country code, in two-character |
[
{
"iso_code": "AK",
"name": Alaska"
},
{
"iso_code": "AL",
"name": "Alabama"
},
"iso_code": "AS",
"name": "American Samoa"
},
{
"iso_code": "AZ",
"name": "Arizona"
},
{
"iso_code": "CA",
"name": "California"
},
...
]
Get a list of country codes that we support
GET /api/v1/const/ap_channels?country_code=US
| Name | Type | Description |
|---|---|---|
country_code |
string |
country code, in two-character |
{
"key": "US",
"name": "United States"
"code": 840,
"band24_enabled": true,
"band24_channels": {
"20": [
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
],
"40": [
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
]
},
"band5_enabled": true,
"dfs_ok": true,
"band5_channels": {
"20": [
36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 132, 136, 140, 149, 153, 157, 161, 165
],
"40": [
36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 132, 136, 149, 153, 157, 161
],
"80": [
36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 132, 136, 149, 153, 157, 161
],
"dfs": [
52, 56, 60, 64, 100, 104, 108, 112, 116, 132, 136, 140
]
}
}
GET /api/v1/orgs/:org_id/sites
GET /api/v1/sites/:site_id
GET /api/v1/sites/:site_id/stats
{
...
"msp_id": "9520c63a-f7b3-670c-0944-727774d5a722",
"num_clients": 50,
"num_devices": 8,
}
| Name | Type | Description |
|---|---|---|
msp_id |
string |
msp id |
num_clients |
int |
Number of clients associated currently |
num_devices |
int |
Number of devices in connected and managed state |
PUT /api/v1/sites/:site_id
DELETE /api/v1/sites/:site_id
Site groups are a group of sites under the same Org. It’s many-to-many mapping to sites
/api/v1/orgs/:org_id/sitegroups
{
"name": "Group1"
}
To improve performance and reduce response size, please use paginated requests. We strongly recommend specifying pagination parameters when calling these endpoints. Even though a call without pagination parameters will return the full list of device stats, this behavior is temporary. In the future, paginated responses (with default values of limit=100 and page=1) will be enforced.
Query Parameters for Pagination:
limit: The maximum number of items to return per page (default is 100).page: The page number to return (default is 1).When you include these parameters in your request, the response will also contain the following HTTP headers:
- X-Page-Page: The current page number.
- X-Page-Limit: The limit per page.
- X-Page-Total: The total number of items in the result set.
GET /api/v1/orgs/:org_id/inventory?modified_after=1733522845&limit=100&page=1
[
{
"mac": "d420b080516d",
"serial": "A0052190206A2",
"model": "AP41",
"sku": "AP41-US",
"hw_rev": "F11",
"type": "ap",
"magic": "XXXXXXXXXXXXXXX",
"name": "SaltLakeHQ-AP6d",
"jsi": false,
"org_id": "9777c1a0-6ef6-11e6-8bbf-02e208b2d34f",
"site_id": "1505f5d6-5366-4ca2-a9e2-2c6b805e5a47",
"created_time": 1585754725,
"modified_time": 1649358858,
"id": "00000000-0000-0000-1000-d420b080516d",
"deviceprofile_id": null,
"connected": true
}
]
[
{
"mac": "8403280bc0a0",
"serial": "HV3620270051",
"model": "EX2300-C-12P",
"sku": "EX2300-C-12P",
"hw_rev": "C",
"type": "switch",
"magic": "XXXXXXXXXXXXXXX",
"name": "SaltLake-EX2300-C", // configured
"hostname": "SaltLake-EX2300-C", // reported
"jsi": false,
"org_id": "9777c1a0-6ef6-11e6-8bbf-02e208b2d34f",
"site_id": "1505f5d6-5366-4ca2-a9e2-2c6b805e5a47",
"created_time": 1623086870,
"modified_time": 1656353525,
"id": "00000000-0000-0000-1000-8403280bc0a0",
"deviceprofile_id": null,
"connected": true
}
]
[
{
"mac": "fc334262af00",
"serial": "CW1419AN0651",
"model": "SRX320",
"sku": "SRX320-SYS-JB",
"hw_rev": "C",
"type": "gateway",
"magic": "XXXXXXXXXXXXXXX",
"name": "LD_SRX", // configured
"hostname": "LD_SRX", // reported
"jsi": false,
"org_id": "9777c1a0-6ef6-11e6-8bbf-02e208b2d34f",
"site_id": "978c48e6-6ef6-11e6-8bbf-02e208b2d34f",
"created_time": 1616108044,
"modified_time": 1616108293,
"id": "00000000-0000-0000-1000-fc334262af00",
"adopted": true,
"deviceprofile_id": null,
"connected": true
}
]
| Name | Type | Description |
|---|---|---|
serial |
string |
device serial |
model |
string |
device model |
type |
string |
device type, ap / switch / gateway |
mac |
string |
MAC address |
sku |
string |
device stock keeping unit |
hw_rev |
string |
device hardware revision number |
magic |
string |
device claim code |
name |
string |
device name if configured |
hostname |
string |
hostname reported by the device |
id |
string |
device id |
site_id |
string |
site id if assigned, null if not assigned |
org_id |
string |
org id |
deviceprofile_id |
string |
deviceprofile id if assigned, null if not assigned |
connected |
boolean |
whether the device is connected |
adopted |
boolean |
whether the switch/gateway is adopted |
created_time |
long |
inventory created time, in epoch |
modified_time |
long |
inventory last modified time, in epoch |
GET /api/v1/orgs/:org_id/inventory?model=AP41
Supported filters: model, serial, magic, site_id, type, mac, vc_mac, vc, unassigned
GET /api/v1/orgs/:org_id/inventory/search?mac=f01c2df166e0
The following fields are available for searching.
| Name | Type | Description |
|---|---|---|
type |
string |
device type, ap/switch/gateway |
mac |
string |
device mac |
vc_mac |
string |
vc_mac |
master_mac |
string |
master device mac for virtual mac cluster |
model |
string |
device model |
site_id |
string |
site id |
serial |
string |
device serial number |
master |
boolean |
true/false |
sku |
string |
device sku |
version |
string |
device version |
status |
string |
device status |
text |
string |
wildcards for name, mac, serial |
{
"results": [
{
"type": "switch",
"name": "mist-wa-ex4300-VC",
"mac": "f01c2df166e0",
"vc_mac": "f01c2df166e0",
"model": "EX4300-48P",
"master": true
"site_id": "01dc141d-b6af-4baa-b00f-0e31ef954c4f",
"org_id": "9b853544-51e4-45fb-81ac-a442e4a111d0",
"serial": "PD3714460200",
"members": [
{
"mac": "f01c2df166e0",
"model": "EX4300-48P",
"serial": "PD3714460200"
}
],
"sku": "EX4300-48P",
"version": "21.4R3.5",
"status": "disconnected"
}
]
"limit": 1000,
"total": 1
}
GET /api/v1/orgs/:org_id/inventory/count?type=switch&distinct=model
| Name | Type | Description |
|---|---|---|
type |
string |
device type, ap/switch/gateway |
distinct |
string |
model / status / site_id / sku / version, default is model |
{
"limit": 10,
"distinct": "model",
"total": 2,
"results": [
{
"model": "EX4300-48P",
"count": 12
},
{
"model": "EX4400-24P",
"count": 4
}
]
}
Ideally VC should be managed as a single device - where
In our implementation, we strive to achieve that without manual user configurations by
The perceivable result is
module_stat contains the VC membersvc_mac pointing to the FPC0POST /api/v1/orgs/:org_id/inventory
[
"6JG8E-PTFV2-A9Z2N",
"DVH4V-SNMSZ-PDXBR"
]
a list of claim codes
Status: 200 OK
{
"added": [ "6JG8E-PTFV2-A9Z2N" ],
"duplicated": [ "DVH4V-SNMSZ-PDXBR" ],
"error": [ "PO1025335ohoh" ],
"inventory_added": [
{
"serial": "FXLH2015150025",
"model": "AP41",
"type": "ap",
"magic": "6JG8EPTFV2A9Z2N",
"mac": "5c5b35000018"
}
],
"inventory_duplicated": [
{
"serial": "FXLH2015150027",
"model": "AP41",
"type": "ap",
"magic": "DVH4VSNMSZPDXBR",
"mac": "5c5b35000012"
}
]
}
Status: 400 Bad Request
POST /api/v1/orgs/:org_id/inventory/switch
[
"6JG8E-PTFV2-A9Z2N",
"DVH4V-SNMSZ-PDXBR"
]
This removes the inventory from the org. If the inventory is already assigned to a site, it will be unassigned.
PUT /api/v1/orgs/:org_id/inventory
{
"op": "delete",
"serials": [
"FXLH2015150025",
"FXLH2015150026"
],
"macs": [
"5c5b350e0001"
]
}
| Name | Type | Description |
|---|---|---|
op |
string |
Required. delete |
serials |
list |
list of serial numbers, e.g. FXLH2015150025 |
macs |
list |
list of MAC, e.g. 5c5b350e0001 |
{
"op": "delete",
"success": [ "FXLH2015150025", "5c5b350e0001" ],
"error": [ "FXLH2015150026" ]
}
PUT /api/v1/orgs/:org_id/inventory
{
"op": "assign",
"site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"macs": [
"5c5b350e0001"
],
"no_reassign": false,
// for cloud-ready switches/gateways
"disable_auto_config": false
// for adopted switches
"managed": false
}
| Name | Type | Description |
|---|---|---|
op |
string |
Required. assign |
site_id |
string |
Required. target site id |
macs |
list |
list of MAC, e.g. 5c5b350e0001 |
no_reassign |
boolean |
if true, treat site assignment against an already assigned AP as error |
disable_auto_config |
boolean |
a cloud-ready switch/gateway will be managed/configured by Mist by default, this disabled the behavior |
managed |
boolean |
an adopted switch/gateway will _not_ be managed/configured by Mist by default, this enables the behavior |
{
"op": "assign",
"success": [ "5c5b350e0001" ]
"error": [ ]
}
PUT /api/v1/orgs/:org_id/inventory
{
"op": "unassign",
"macs": [
"5c5b350e0001"
]
}
| Name | Type | Description |
|---|---|---|
op |
string |
Required. unassign |
macs |
list |
list of MAC, e.g. 5c5b350e0001 |
{
"op": "unassign",
"success": [ "5c5b350e0001" ]
"error": [ ]
}
POST /api/v1/orgs/:org_id/inventory/create_ha_cluster
{
"nodes": [
{
"mac": "aff827549235" // node0 mac, should be unassigned
},
{
"mac": "8396cd006c8c" // node1 mac, should be unassigned
}
],
// optional
"site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"managed": false, // if the device is adopted
"disable_auto_config": true // if the device is manufed
}
POST /api/v1/orgs/:org_id/inventory/delete_ha_cluster
{
"mac": "aff827549235" // node0 mac
}
After HA cluster deleted, both of the nodes will be unassigned.
GET /api/v1/orgs/:org_id/devices/summary
{
"num_aps": 630,
"num_switches": 30,
"num_gateways": 6,
"num_unassigned_aps": 5,
"num_unassigned_switches": 0,
"num_unassigned_gateways": 0,
"num_mxedges": 1
}
This API renders some high-level device stats, pagination is assumed and returned in response header (as the response is an array)
GET /api/v1/orgs/:org_id/stats/devices?limit=100
| Name | Type | Description |
|---|---|---|
site_id |
string |
site_id |
type |
string |
device tyoe: ap / switch / gateway / all |
mac |
string |
5c5b350e0001 |
evpntopo_id |
string |
EVPN Topology ID |
evpn_unused |
bool |
if evpn_unused=true, find EVPN eligible switches which don’t belong to any EVPN Topology yet |
X-Page-Limit: 100
X-Page-Page: 1
X-Page-Total: 31
[
{
"mac": "5c5b35000010",
"model": "AP200",
"type": "ap",
"serial": "FXLH2015170017",
"last_seen": 1470417522,
"name": "conference room",
"status": "connected",
"version": "1.0.0",
"ip": "10.2.9.159", // first IP
"uptime": 13500
},
...
]
Custom roles restrict Org users to specific UI views. This is useful for limiting UI access of Org users.
You can invite a new user or update existing users in your Org to this custom role. For this, specify view along
with role when assigning privileges.
Below are the list of supported UI views. Note that this is UI only feature
| UI View | Description |
|---|---|
reporting |
full access to all analytics tools |
marketing |
can view analytics and location maps |
location |
can view and manage location maps |
security |
can view and manage WLAN, rogues and authentication |
switch_admin |
can view and manage Switch ports |
mxedge_admin |
can view and manage Mist edges and Mist tunnels |
lobby_admin |
full access to Org and Site Pre-shared keys |
Get a list of people who can manage the Site/Org under the Org
GET /api/v1/orgs/:org_id/admins
[
{
"admin_id": "456b7016-a916-a4b1-78dd-72b947c152b7",
"first_name": "Joe",
"last_name": "Smith",
"two_factor_verified": false,
"privileges": [
{ "scope":"org", "role": "admin" },
{ "scope":"site", "site_id": "d96e3952-53e8-4266-959a-45acd55f5114", "role": "admin" },
{ "scope":"sitegroup", "sitegroup_id": "581328b6-e382-f54e-c9dc-999983183a34", "role": "admin" }
]
},
{
"admin_id": "72bfa2bd-e58a-4670-9d20-a1468f7a6f58",
"first_name": "John",
"last_name": "Doe",
"two_factor_verified": true,
"privileges": [
{ "scope":"site", "site_id": "d96e3952-53e8-4266-959a-45acd55f5114", "role": "write", "view": "location" },
{ "scope":"site", "site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b", "role": "write", "view": "location" }
]
},
{
"invite_id": "456b7016-a916-a4b1-78dd-72b947c152b7",
"email": "joe@abc.com",
"first_name": "Joe",
"last_name": "Smith",
"privileges": [
{ "scope":"org", "role": "admin" },
{ "scope":"site", "site_id": "d96e3952-53e8-4266-959a-45acd55f5114", "role": "admin" }
],
"expire_time": 1445966955
},
{
"invite_id": "15899c53-92da-4119-bdcf-65203bc84663",
"email": "jsnow@abc.com",
"first_name": "John",
"last_name": "Snow",
"privileges": [
{ "scope":"org", "role": "read", "view": "reporting" }
],
"expire_time": 1445966955
}
]
| Name | Type | Description |
|---|---|---|
admin_id |
string |
admin id |
first_name |
string |
first name |
last_name |
string |
last name |
two_factor_verified |
boolean |
two factor status |
privileges |
list |
list of privileges the admin has on the orgs/sites |
scope |
string |
site / org / sitegroup |
role |
string |
admin / write / read / helpdesk / installer |
view |
string |
see supported UI views |
site_id |
string |
site id |
first_name |
string |
for an invite, this is the original first name used |
last_name |
string |
for an invite, this is the original last name used |
Update admin privileges under the Org
PUT /api/v1/orgs/:org_id/admins/:admin_id
{
"privileges": [
{ "scope":"org", "role": "write", "view": "reporting" },
{ "scope":"site", "site_id": "d96e3952-53e8-4266-959a-45acd55f5114", "role": "write", "view": "reporting" },
{ "scope":"sitegroup", "sitegroup_id": "581328b6-e382-f54e-c9dc-999983183a34", "role": "write", "view": "reporting" }
]
}
| Name | Type | Description |
|---|---|---|
admin_id |
string |
admin id |
privileges |
list |
list of privileges the admin has on the orgs/sites |
scope |
string |
site / org / sitegroup |
role |
string |
admin / write / read / helpdesk / installer / none |
view |
string |
optional, see supported UI views |
site_id |
string |
site id |
Status: 200 OK
This removes all privileges this admin has against the org
DELETE /api/v1/orgs/:org_id/admins/:admin_id
Status: 200 OK
An Org admin can invite other admin to manage (admin or read) the Org and/or Site(s) under the Org.
POST /api/v1/orgs/:org_id/invites
{
"email": "joe@abc.com",
"first_name": "Joe",
"last_name": "Smith",
"hours": 24,
"privileges": [
{ "scope":"org", "role": "admin", "view": "location" },
{ "scope":"site", "site_id": "d96e3952-53e8-4266-959a-45acd55f5114", "role": "admin", "view": "location" }
]
}
| Name | Type | Description |
|---|---|---|
email |
string |
email (admin_id is not exposed) |
first_name |
string |
first name, used in the invitation text |
last_name |
string |
last name |
privileges |
list |
list of privileges the admin has on the orgs/sites |
scope |
string |
site / org / sitegroup |
role |
string |
admin / write / read / helpdesk / installer |
view |
string |
optional, see supported UI views |
site_id |
string |
site id |
hours |
int |
optional, how long the invite should be valid, default is 1 day, maximum is 1 week. |
Status: 200 OK
An email will also be sent to the user with a link to https://manage.mist.com/verify/invite?token=:token&expire=1459632743&org=OrgName
POST /api/v1/invite/verify/:token
Status: 200 OK
NOTE: another call to GET /api/v1/self is required to see the new set of privileges
Status: 404 Not Found
{
"detail": "invalid secret"
}
Status: 404 Not Found
{
"detail": "invite created by self"
}
DELETE /api/v1/orgs/:org_id/invites/:invite_id
PUT /api/v1/orgs/:org_id/invites/:invite_id
{
"hours": 24,
"privileges": {
{ "scope":"site", "site_id": "d96e3952-53e8-4266-959a-45acd55f5114", "role": "write", "view": "reporting" },
{ "scope":"sitegroup", "sitegroup_id": "581328b6-e382-f54e-c9dc-999983183a34", "role": "write", "view": "reporting" }
}
}
API tokens can be generated for a specific Org/Site with the required privileges
Note that the token key is only available during creation time.
POST /api/v1/orgs/:org_id/apitokens
{
"name": "org_token_xyz",
"privileges": [
{ "scope":"org", "role": "read" },
{ "scope":"site", "site_id": "d96e3952-53e8-4266-959a-45acd55f5114", "role": "admin" },
{ "scope":"sitegroup", "sitegroup_id": "581328b6-e382-f54e-c9dc-999983183a34", "role": "write" }
],
"src_ips": ["63.3.56.0/24", "63.3.55.4"]
}
| Name | Type | Description |
|---|---|---|
name |
string |
name of the token |
privileges |
list |
list of privileges the token has on the orgs/sites |
scope |
string |
site / org / sitegroup |
role |
string |
admin / write / read |
src_ips |
list |
optional, list of allowed IP addresses from where the token can be used from. At most 10 IP addresses can be specified |
{
"name": "org_token_xyz",
"id": "7cc917df-630a-1508-1889-e18028052dde",
"key": "MEaTAllON7hM0GUquvka2czM0xE9RIh2bpkZK2UqefoHoT1bDzET7FcXB9POI8o9zkkMy52doYpz3gG4aiDpStZOv4zQ3quf",
"org_id": "bc411cd9-0d1b-4713-94df-eee8617758ed",
"src_ips": ["63.3.56.0/24", "63.3.55.4"]
}
To use API token, add a Authorization header when making an API request like the following:
Authorization: Token <key>
GET /api/v1/self
GET /api/v1/orgs/:org_id/apitokens
[
{
"name": "org_token_xyz",
"id": "7cc917df-630a-1508-1889-e18028052dde",
"key": "MEaT...3quf",
"org_id": "bc411cd9-0d1b-4713-94df-eee8617758ed",
"created_by": "joe@abc.com",
"privileges": [
{
"scope": "org",
"org_id": "bc411cd9-0d1b-4713-94df-eee8617758ed",
"role": "write"
}
],
"src_ips": ["63.3.56.0/24", "63.3.55.4"]
},
{
"name": "?",
"id": "864f351a-1377-4ad9-83f8-72f3fe6199ba",
"key": "1qkb...QQCL",
"org_id": "bc411cd9-0d1b-4713-94df-eee8617758ed",
"created_by": null,
"privileges": [
{
"scope": "site",
"site_id": "d96e3952-53e8-4266-959a-45acd55f5114",
"role": "admin"
}
]
}
]
| Name | Type | Description |
|---|---|---|
name |
string |
name of the token |
id |
string |
token id |
org_id |
string |
org id |
created_by |
string |
email of the token creator / null if creator is deleted |
privileges |
list |
list of privileges the token has on the orgs/sites |
PUT /api/v1/orgs/:org_id/apitokens/:apitoken_id
{
"name": "org_token_pqr",
"privileges": [
{ "scope":"org", "role": "write" },
{ "scope":"site", "site_id": "d96e3952-53e8-4266-959a-45acd55f5114", "role": "admin" }
],
"src_ips": ["63.3.56.0/24", "63.3.55.6"]
}
| Name | Type | Description |
|---|---|---|
name |
string |
name of the token |
privileges |
list |
list of privileges the token has on the orgs/sites |
scope |
string |
site / org / sitegroup |
role |
string |
admin / write / read |
src_ips |
list |
list of allowed IP addresses from where the token can be used from. At most 10 IP addresses can be specified |
Status: 200 OK
GET /api/v1/orgs/:org_id/apitokens/:apitoken_id
[
{
"name": "org_token_pqr",
"id": "7cc917df-630a-1508-1889-e18028052dde",
"key": "MEaT...3quf",
"org_id": "bc411cd9-0d1b-4713-94df-eee8617758ed",
"created_by": "joe@abc.com"
"privileges": [
{
"scope": "org",
"org_id": "bc411cd9-0d1b-4713-94df-eee8617758ed",
"role": "write"
},
{
"scope": "site",
"site_id": "d96e3952-53e8-4266-959a-45acd55f5114",
"role": "admin"
}
],
"src_ips": ["63.3.56.0/24", "63.3.55.6"]
}
]
DELETE /api/v1/orgs/:org_id/apitokens/:apitoken_id
Status: 200 OK
SDK Invites can be generated for (and belongs to) an Org. They can be generated by an Admin of an Org and can be revoked at anytime.
POST /api/v1/orgs/:org_id/sdkinvites
{
"name": "Macy's"
}
| Name | Type | Description |
|---|---|---|
name |
string |
name, will show up in mobile |
quota_limited |
boolean |
whether quota limiting is enabled , default is False |
quota |
int |
number of time this invite can be used |
enabled |
boolean |
default is true |
{
"id": "5034b980-b49e-501c-66e0-9de4c38f18a2",
"name": "Macy's",
"enabled": true,
"quota": -1,
"created_time": 1428954000
"expire_time": 1428954000
}
DELETE /api/v1/orgs/:org_id/sdkinvites/:sdkinvite_id
GET /api/v1/orgs/:org_id/sdkinvites/:sdkinvite_id/qrcode
POST /api/v1/orgs/:org_id/sdkinvites/:sdkinvite_id/email
POST /api/v1/orgs/:org_id/sdkinvites/:sdkinvite_id/sms
// when sending email
{
"email": "test@abc.com"
}
// when sending sms
{
"number": "14081234567"
}
POST /api/v1/mobile/verify/:secret
{
"device_id": "b069b358-4c97-5319-1f8c-7c5ca64d6ab1"
}
{
"name": "Macy's",
"org_id": "2818e386-8dec-2562-9ede-5b8a0fbbdc71",
"secret": "device-specific-secret"
}
PUT /api/v1/orgs/:org_id/sdkclients/:sdkclient_id
{
"name": "John Smith"
}
SDK Template stores the customization (e.g. background image, text…)
POST /api/v1/orgs/:org_id/sdktemplates
{
"name": "default"
"welcome_msg": "Welcome to Mist",
"bg_image" :"http://p.imgci.com/db/PICTURES/CMS/227700/227791.4.jpg",
"btn_flr_bgcolor" : "#282828",
"search_txtcolor" : "#282828",
"header_txt":"Mist",
"default": true
}
| Name | Type | Description |
|---|---|---|
name |
string |
name for identification purpose |
default |
boolean |
whether this is the default template when there are multiple templates |
PUT /api/v1/orgs/:org_id/sdktemplates/:sdktemplate_id
DELETE /api/v1/orgs/:org_id/sdktemplates/:sdktemplate_id
GET /api/v1/orgs/:org_id/licenses
{
"licenses": [
{
"order_id": "00000464",
"subscription_id": "SUB-0000144",
"type": "SUB-MAN",
"start_time": 1504828800,
"end_time": 1520380800,
"quantity": 180
},
{
"order_id": "00000464",
"subscription_id": "SUB-0000145",
"type": "SUB-MAN",
"start_time": 1504828800,
"end_time": 1520380800,
"quantity": 30
}
{
"order_id": "00000464",
"subscription_id": "SUB-0000146",
"type": "SUB-LOC",
"start_time": 1504828800,
"end_time": 1520380800,
"quantity": 120
}
],
"amendments": [
{
"id": "2b9116ab-cd1e-e897-6e08-31fccd88e792",
"subscription_id": "SUB-0000144",
"type": "SUB-MAN",
"start_time": 1504828800,
"end_time": 1520380800,
"quantity": -30
},
{
"id": "4e974f27-fcbc-03cb-caa4-688e20aa539f",
"subscription_id": "SUB-0000146",
"type": "SUB-LOC",
"start_time": 1504828800,
"end_time": 1520380800,
"quantity": 75
},
],
// current usage summary (across sites)
"summary": {
"SUB-MAN": 150,
"SUB-LOC": 120
},
"entitled": {
"SUB-MAN": 180,
"SUB-LOC": 195
}
}
| Name | Type | Description |
|---|---|---|
licenses |
list |
list of licenses |
type |
string |
subscription type, SUB-MAN / SUB-LOC / SUB-AST / SUB-VNA / SUB-DATA |
start |
long |
start date of the license term |
end |
long |
end date of the license term |
quantity |
int |
number of devices entitled for this license |
usage |
object |
usages of each license type |
entitled |
object |
currently entitled for each license type |
This shows license usage (i.e. needed) based on the features enabled for the site.
GET /api/v1/orgs/:org_id/licenses/usages
[
{
"site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"num_devices": 80,
"usages": {
"SUB-MAN": 60
"SUB-LOC": 30
},
"fully_loaded": {
"SUB-MAN": 80
"SUB-LOC": 30
}
}
]
| Name | Type | Description |
|---|---|---|
usages |
object |
subscriptions and their quantities |
POST /api/v1/orgs/:org_id/claim
{
"code": "ZHT3K-H36DT-MG85D-M61AC",
"type": "all"
}
| Name | Type | Description |
|---|---|---|
code |
string |
activation code |
type |
string |
what to claim, all (default) / license / inventory |
device_type |
string |
if only intended to claim certain device type |
async |
bool |
whether to do a async claim process |
{
"license_added": [
{
"type": "SUB-MAN",
"start": 1504828800,
"end": 1520380800,
"quantity": 180
},
{
"type": "SUB-LOC",
"start": 1504828800,
"end": 1520380800,
"quantity": 120
}
],
"license_duplicated": [
{
"type": "SUB-MAN",
"start": 1504828800,
"end": 1520380800,
"quantity": 180
}
],
"license_error": [
{
"order": "00000464",
"reason": ""
}
],
"inventory_added": [
{
"serial": "FXLH2015150025",
"model": "AP41",
"type": "ap",
"magic": "6JG8EPTFV2A9Z2N",
"mac": "5c5b35000018"
}
],
"inventory_duplicated": [
{
"serial": "FXLH2015150027",
"model": "AP41",
"type": "ap",
"magic": "DVH4VSNMSZPDXBR",
"mac": "5c5b35000012"
}
],
"inventory_pending": [
{
"mac": "5c5b35000012" // for async claim
}
]
}
Status: 400 Bad Request
GET /api/v1/orgs/:org_id/claim/status?detail=False
{
'status': 'done', //prepared, ongoing, done
'total': 2,
'scheduled_at': 1709598052,
'processed': 2,
'failed': 0,
'succeed': 2,
'timestamp': 1709598053,
'incompleted': [],
'completed': ['000000000022', '000000000011'],
'details': [{
'mac': '000000000022',
'status': 'added',
'timestamp': 1709598053,
}
]
}
| Name | Type | Description |
|---|---|---|
status |
string |
processing status of async; prepared/ongoing/done |
total |
int |
total number of device included in claim |
failed |
int |
current failed number of device |
succeed |
int |
current succeed number of device |
scheduled_at |
int |
epoch time of aysnc claim scheduled |
timestamp |
int |
epoch time of last reporting time |
processed |
int |
current proceseed number of device |
incompleted |
list |
current incompleted lists (macs) |
completed |
list |
current completed lists (macs) |
detail |
list |
detail claim status per device |
If the admin has admin privilege against the org_id and dst_org_id, he can move some of the licenses to another Org.
Given that:
subscription_id)there will still be enough entitled licenses for the type of license after the amendment
PUT /api/v1/orgs/:org_id/licenses
{
"op": "amend",
"subscription_id": "SUB-0000144",
"dst_org_id": "3eff35f7-c218-894e-bca2-24e5325601cc",
"quantity": 10
}
| Name | Type | Description |
|---|---|---|
op |
string |
operation (amend/unamend/delete/annotate) |
subscription_id |
string |
license id |
dst_org_id |
string |
destination org id |
quantity |
int |
quantity |
PUT /api/v1/orgs/:org_id/licenses
{
"op": "unamend",
"amendment_id": "2b9116ab-cd1e-e897-6e08-31fccd88e792",
}
PUT /api/v1/orgs/:org_id/licenses
{
"op": "delete",
"subscription_id": "SUB-0000144"
}
PUT /api/v1/orgs/:org_id/licenses
{
"op": "annotate",
"subscription_id": "SUB-000144",
"notes": "customer notes"
}
Audit logs records all administrative activities in an Org
GET /api/v1/orgs/:org_id/logs?start=1431384000&end=1431298000&limit=100
| Name | Type | Description |
|---|---|---|
site_id |
string |
site id |
admin_name |
string |
admin name or email |
message |
string |
message |
The logs are always sorted by time in descending order
{
"start": 1428939600,
"end": 1428954000,
"limit": 100,
"total": 135,
"results": [
{
"timestamp": 1431382121,
"site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"org_id": "2818e386-8dec-2562-9ede-5b8a0fbbdc71",
"admin_id": "72bfa2bd-e58a-4670-9d20-a1468f7a6f58",
"admin_name": "test@mistsys.com",
"message": "TEST AUDIT",
"id": "c6f9347b-b0a4-4a23-b927-fa9249f2ffb2"
}
]
}
| Name | Type | Description |
|---|---|---|
timestamp |
long |
start time, in epoch |
site_id |
string |
site id |
org_id |
string |
org id |
admin_id |
string |
admin id |
admin_name |
string |
name of the admin that performs the action |
message |
string |
log message |
before |
object |
field values prior to the change |
after |
object |
field values after the change |
GET /api/v1/orgs/:org_id/logs/count?distinct=admin_name
| Name | Type | Description |
|---|---|---|
distinct |
string |
admin_id / admin_name / message / site_id, default is admin_name |
{
"start": 1511967600,
"end": 1513177200,
"limit": 10,
"distinct": "admin_name",
"total": 2,
"results": [
{
"admin_name": "John Smith john.smith@corp.com",
"count": 61
},
{
"admin_name": "Eric Sky eric@corp.com",
"count": 44
}
]
}
Org admin can invite people to manage the org. Furthermore, he can dictate the level of security those accounts are. The check is enforced when the invited admin tries to “accept” the invitation and every time the admin tries to login
POST /api/v1/orgs
{
"name": "ABC Company",
"session_expiry": 1440,
"alarmtemplate_id": "684dfc5c-fe77-2290-eb1d-ef3d677fe168",
"orggroup_ids": [ "507f1bab-13ba-73e2-f291-2bcb8d1362b0" ]
"allow_mist": true
}
| Name | Type | Description |
|---|---|---|
name |
string |
org name |
session_expiry |
int |
how long the login session should last, in minutes, default is 1440 (24 hours), between 10 (min) and 20160 (2 weeks) |
alarmtemplate_id |
string |
Alarm Template ID, the default Alarm Template to use for the Org, can be override by Site |
orggroup_ids |
list |
list of OrgGroup ids |
allow_mist |
boolean |
whether to allow Mist to look at this org, default is True |
GET /api/v1/orgs/:org_id
{
'name': 'Org',
'id': '2818e386-8dec-2562-9ede-5b8a0fbbdc71',
'msp_id': 'b9d42c2e-88ee-41f8-b798-f009ce7fe909',
'created_time': 1652905706,
'modified_time': 1652905706,
'allow_mist': True,
'session_expiry': 1440,
'alarmtemplate_id': None,
'msp_name': 'MSP',
'msp_logo_url': 'https://.../logo/b9d42c2e-88ee-41f8-b798-f009ce7fe909.jpeg'
}
| Name | Type | Description |
|---|---|---|
msp_name |
string |
name of the msp the org belongs to |
msp_logo_url |
string |
logo uploaded by the MSP with advanced tier, only present if provided |
PUT /api/v1/orgs/:org_id
DELETE /api/v1/orgs/:org_id
Create an Org by cloning from another one. Org Settings, Templates, Device Profiles, Alarm Templates, RFTemplates, Security Policies, Wxlan Tags, Wxlan Tunnels, Wxlan Rules, Org Wlans will be copied. Sites and Site Groups will not be copied, and therefore, the copied template will not be applied to any site/sitegroups.
POST /api/v1/orgs/:org_id/clone
{
"name": "New Org"
}
GET /api/v1/orgs/:org_id/stats
{
"num_inventory": 12,
"num_devices": 10,
"name": "Sam MSP Customer 5",
"orggroup_ids": [],
"allow_mist": false,
"num_devices_connected": 8,
"num_devices_disconnected": 2,
"num_sites": 1,
"id": "448a3934-df89-11e5-8898-1258369c38a9"
}
| Name | Type | Description |
|---|---|---|
num_inventory |
int |
number of devices claimed |
num_devices |
int |
number of devices in use |
num_devices_connected |
int |
number of devices in use that are connected |
num_devices_disconnected |
int |
number of devices in use that are not connected |
GET /api/v1/orgs/:org_id/setting
{
"password_policy": {
"enabled": true
"expiry_in_days": 60,
"min_length": 8,
"requires_special_char": false,
"requires_two_factor_auth": true
},
"ui_idle_timeout": 10,
"ui_no_tracking": false, // default is false
"switch_mgmt": {
"ap_affinity_threshold": 10
},
"mgmt": {
"use_wxtunnel": false,
"use_mxtunnel": true,
"mxtunnel_ids": ["08cd7499-5841-51c8-e663-fb16b6f3b45e"]
},
"disable_remote_shell": false,
"disable_pcap": false,
"pcap": {
"bucket": "myorg-pcap"
"max_pkt_len": 128
},
"pcap_bucket_verified": true,
"security": {
"disable_local_ssh": false,
"limit_ssh_access": false,
"fips_zeroize_password": "NUKETHESITE"
},
// controls api behavior
"api_policy": {
// by default, API hides password/secrets when the user doesn't have write access
"no_reveal": true, // false (default, may change) / true (API will not return any secrets)
},
"installer": {
"grace_period": 14,
"extra_site_ids": [
"4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"52f4347e-3e4b-186c-21ca-ad5b70eb23d6"
],
"allow_all_sites": false,
"allow_all_devices": false
},
"wan_pma": {
"enabled": false // default is false
},
"wired_pma": {
"enabled": false // default is false
},
"wireless_pma": {
"enabled": true // default is true
},
"auto_site_assignment": {
"enable": true,
"rules": [
// use device name (via Installer APIs)
{
"src": "name",
"expression": "[0:3]", // "abcdef" -> "abc"
"split(.)[1]", // "a.b.c" -> "b"
"split(-)[1][0:3], // "a1234-b5678-c90" -> "b56"
"prefix": "XX-",
"suffix": "-YY"
},
// use ext_ip
{
"src": "ext_ip",
"subnet": "34.82.100.0/24",
"value": "site1"
},
// use subnet
{
"src": "subnet",
"subnet": "10.1.2.0/18",
"value": "s1351"
},
// use LLDP System Name
{
"src": "lldp_system_name",
"expression": "..." // same as above
},
// use DNS Suffix
{
"src": "dns_suffix",
"expression": "..." // same as above
},
{
"src": "model",
"model": "AP41",
"value": "s1351"
},
{
// optional filters
"match_device_type": "ap", // ap / switch / gateway / other, default is `ap`
"match_model": "AP41",
...
},
{
// DRAFT
"match_device_type": "gateway",
"src": "geoip",
"match_country": ...
// site name for the device to be assigned to
"value": "city", // "city" / "city+country" / ...
// by default, a claimed device only gets assigned if the site exists
// to auto-create the site, enable this
"create_new_site_if_needed": true,
// and if a gateway template is desired for this newly created site
"gatewaytemplate_id": "6f9b2e75-9b2f-b5ae-81e3-e14c76f1a90f"
},
]
},
"auto_device_naming": {
"enable": true,
"rules": [
{
// use LLDP Port Description
"src": "lldp_port_desc",
"prefix": "MIST-",
"suffix": ""
"expression": "..." // same as above
},
{
// use mac directly
"src": "mac",
"prefix": "MIST-",
"suffix": "",
"match_device_type": "ap", // ap / switch / gateway, default is `ap`
}
]
},
"cloudshark": {
"apitoken": "accbd6f10c6d05c3"
// if using CS Enteprise
"url": "https://cloudshark.hosted.domain"
}
"cradlepoint": {
"ecm_api_id": "73446d61-2206-4ea5-855a-0043f980be62",
"ecm_api_key": "68b329da9893e34099c7d8ad5cb9c9405",
"cp_api_id": "84446d61-2206-4ea5-855a-0043f980be54",
"cp_api_key": "79c329da9893e34099c7d8ad5cb9c941",
},
"celona": {
"api_prefix": "cc3273fcb016470e",
"api_key": "$2a$04$OkaLCoJn6rDjR8ha.oduQVDST3.kJNIrte"
},
"auto_deviceprofile_assignment": {
"enable": true,
"rules": [
// same rules definition that can be used for auto_site_assignment
]
},
// RADSec certs for AP
"cacerts": [
"-----BEGIN CERTIFICATE-----\nMIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE\n-----END CERTIFICATE-----",
"-----BEGIN CERTIFICATE-----\nBhMCRVMxFDASBgNVBAoMC1N0YXJ0Q29tIENBMSwwKgYDVn-----END CERTIFICATE-----"
],
"device_cert": {
"cert": "-----BEGIN CERTIFICATE-----\nMIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE\n-----END CERTIFICATE-----",
"key": "-----BEGIN PRI..."
},
"tags": [ "beta" ],
"device_updown_threshold": 0,
// by default, device_updown_thresold, if set, will apply to all devices types
// if different values for specific device type is desired, use the following
"ap_updown_threshold": null,
"gateway_updown_threshold": 10,
"switch_updown_threshold": 0,
"mxedge_mgmt": {
"mist_password": "MIST_PASSWORD",
"root_password": "ROOT_PASSWORD",
"fips_enabled": true, // default is false
"oob_ip_type": "disabled", // dhcp (default) / disabled
"oob_ip_type6": "disabled", // autoconf (default) / dhcp / disabled
"config_auto_revert": true, // default is false
},
"blacklist_url": "https://papi.s3.amazonaws.com/blacklist/xxx...",
"mist_nac": {
// default is false. By default NAC POD failover considers all NAC pods available around the globe,
// i.e. EU, US, or APAC based, failover happens based on geo IP of the originating site.
// For strict GDPR compliancy NAC POD failover would only happen between the PODs located within the EU environment,
// and no authentication would take place outside of EU. This is an org setting that is applicable
// to WLANs, switch templates, mxedge clusters that have mist_nac enabled
"eu_only": false,
// by default NAS devices(switches/aps) and proxies(mxedge) are configured to use port 2083(radsec) to reach mist-nac
// to override that port with 443(ssl), use the following knob
// this is a org level setting that is applicable to wlans, switch-templates, and mxedge-clusters that have
// mist-nac enabled
"use_ssl_port": true,
// by default NAS devices(switches/aps) and proxies(mxedge) are configured to reach mist-nac via IPv4
"use_ip_version": "v4", // v4 (default) / v6 / v4+v6
// use this IDP when no explicit realm present in the incoming
// username/CN OR when no IDP is explicitly mapped to the incoming realm.
"default_idp_id": "4c441a74-d0de-32c4-78a7-a05e00d080ae",
"idps": [
{
"id": "4c441a74-d0de-32c4-78a7-a05e00d080ae",
// which realm should trigger this IDP
"user_realms": [ "abc" ],
// we extract user realm from
// 1. Username-AVP (`mist.com` from john@mist.com)
// 2. Cert CN
}.
{
// mxedge-proxy (eduroam) type IDP
"id": "5c441a74-d0de-32c4-78a7-a05e00d080af",
// which realm should trigger this IDP
"user_realms": [ "*.edu" ],
// we extract user realm from
// 1. Username-AVP (`stanford.com` from anonymous@stanford.edu)
// when the IDP of mxedge-proxy type, exclude the following realms from proxying
// in addition to other valid home realms in this org
"exclude_realms": [
"stanford.edu"
],
}.
...
],
// the CA certs we use to verify client certs
"cacerts": [
""-----BEGIN CERTIFICATE-----\nMIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE\n-----END CERTIFICATE-----",
...
],
// radius server cert to be presented in EAP TLS
"server_cert": {
"cert": "-----BEGIN CERTIFICATE-----\nMIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE\n-----END CERTIFICATE-----",
"key": "-----BEGIN PRI...",
// private key password (optional)
"password": "****"
},
// eap ssl security level
// see https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html#DEFAULT-CALLBACK-BEHAVIOUR
"eap_ssl_security_level": 2, // 2 (default), 1 - 4
// disable RSAE encryption algorithms forcefully
// see https://www.openssl.org/docs/man3.0/man1/openssl-ciphers.html
"disable_rsae_algorithms": false, // true - to disable RSAE_PSS_SHA256, RSAE_PSS_SHA384, RSAE_PSS_SHA512 from server side
// allow customer to choose the EAP-TLS client certificate's field to use for IDP User Groups lookup
“idp_user_cert_lookup_field”: automatic (default) // email, upn, cn
// allow customer to choose the EAP-TLS client certificate's field to use for IDP Machine Groups lookup
“idp_machine_cert_lookup_field”: automatic (default) // cn, dns
},
"gateway_mgmt": {
"app_usage": true,
"app_probing": {
"apps": [
"facebook" // app-keys from /const/applications
]
},
"overlay_ip": {
// when it's going overlay, a routable IP to overlay will be required
"ip": "172.16.10.5",
// for SSR HA cluster, another IP for node1 will be required, too
"node1_ip": "172.16.10.6"
},
// optional, for some of the host-out traffic, the path preference can be specified
// by default, ECMP will be used from all available route/path
// available services: dns/mist/ntp
"host_out_policies": {
"dns": {
"path_preference": "dc_only"
},
"ntp":
"path_preference": "broadband_wans"
},
"syslog":
"path_preference": "broadband_wans",
// if different path_preference is desired for each syslog server
// see `remote_syslog`
"servers": [
{
"server_name": "dc_syslog_server",
"path_preference": "dc_only"
}
]
}
},
"host_in_policies": {
"icmp": {
"tenants": [
"datacenter",
"wan-net-1"
]
},
"snmp": {
"tenants": [
"wan-net-2"
]
}
}
"fips_enabled": true // default is false
},
// junos_shell_access: Manages role-based web-shell access.
// when junos_shell access is not defined (Default) - No additional users are configured and web-shell uses default `mist` user to login.
// when junos_shell_access is defined - Additional users mist-web-admin (admin permission), mist-web-viewer(viewer permission) are configured on the device and web-shell logs in with the mist-web-admin/mist-web-viewer user depending upon the shell access level. Setting the shell access level to "none", disables web-shell access for that specific role.
"junos_shell_access": {
"admin": "admin", // admin (default) / viewer / none
"write": "admin", // admin (default) / viewer / none
"read": "none" // viewer / none (default)
"helpdesk": "none" // viewer / none (default)
},
"synthetic_test": {
"disabled": true, // default is false (i.e. enabled)
"aggressiveness": "auto", // auto (default) / high / low
// allow user to test custom
"custom_probes": {
"connectivity-to-dc2": {
"type" : "icmp”; // icmp / curl / tcp
// if type = icmp / tcp
"host": "internal.host",
// if type = tcp
"port": 443,
// if type=curl
"url": "https://10.3.5.1:8080/about”, // can be url or IP
"aggressiveness": "auto", // auto (default) / high / low / med
"threshold": 100 // milliseconds
}
},
"tests": [
{
"probes": ["app1", "app2"],
"vlan_ids": [1, 2, 3],
"lan_networks": ["nw-1", "nw-2"]
},
{
"probes": ["app3"],
"lan_networks": ["nw-1", "nw-4"]
},
{
"probes": ["app4"],
"vlan_ids": [1, 2, 10, 15],
}
],
"wan_speedtest": {
"enabled": false, // default is false (i.e. disabled)
// optional
// by default, we'll look at the tarffic pattern and determine when to run automatically
"time_of_day": "02:00"
}
},
// marvis
"marvis": {
"auto_operations": {
// default are all false
"bounce_port_for_abnormal_poe_client": false,
"disable_port_when_rogue_dhcp_server_detected": false,
"disable_port_when_ddos_protocol_violation": false
}
},
"vpn_options": {
"as_base": 65000, // 1-4294967295, default is 65000,
"enable_ipv6": true, // default is false
"st_subnet": "10.224.0.0/12" // default is 10.224.0.0/12, requiring /12 or bigger to support 16 private IPs for 65535 gateways
},
"juniper": {
"linked": true,
"customer_name": "Corp NMO"
},
// t128 ssr
"ssr": {
"conductor_hosts": [ "1.1.1.1", 2.2.2.2" ],
"conductor_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwc2siOiIxMj",
"disable_stats": false,
// auto_upgrade device first time it is onboarded
"auto_upgrade": {
"enabled": true,
"channel": "stable",
"custom_versions": {
"SSR120": "5.3.0-93",
"SSR130": "6.3.0-107.r1",
}
}
"proxy": {
"url": "http://proxy.internal:8080/"
}
},
"jcloud": {
"org_id": "<jcloud_org_id>",
"org_apitoken", "<jcloud_token>",
"org_apitoken_name", "<jcloud_token_name>"
},
"jcloud_ra": {
"org_id": "<jcloud_org_id>",
"org_apitoken", "<jcloud_token>",
"org_apitoken_name", "<jcloud_token_name>"
},
"switch": {
// auto_upgrade device first time it is onboarded
"auto_upgrade": {
"enabled": true,
"snapshot": true, // default is false
"custom_versions": {
"QFX5130-32CD": "23.4R2-S2.3",
"QFX5120-32C": "23.4R2-S2.1",
}
}
},
"juniper_srx": {
// auto_upgrade device first time it is onboarded
"auto_upgrade": {
"enabled": true,
"snapshot": true, // default is false
"custom_versions": {
"SRX4700": "23.4R2-S2.3",
"SRX4600": "23.4R2-S2.1",
}
}
},
}
| Name | Type | Description |
|---|---|---|
name |
string |
org name |
password_policy |
object |
password policy |
enabled |
boolean |
whether the policy is enabled, default is false |
expiry_in_days |
int |
password expiry in days, optional |
min_length |
int |
required password length, default is 8 |
requires_special_char |
boolean |
whether to require special character, default is false |
requires_two_factor_auth |
boolean |
whether to require two-factor auth, default is false |
ui_idle_timeout |
int |
automatically logout the user when UI session is inactive, 0-480 in minutes, default is 0 (disabled) |
mgmt |
object |
management-related properties |
use_wxtunnel |
boolean |
whether to use wxtunnel for mgmt connectivity, default is false |
use_mxtunnel |
boolean |
whether to use Mist Tunnel for mgmt connectivity, default is false, this takes precedence over use_wxtunnel |
mxtunnel_ids |
list |
list of Mist Tunnels |
disable_pcap |
boolean |
whether to disallow Mist to analyze pcap files (this is required for marvis pcap), default is false |
max_pkt_len |
int |
max_len of non-management packets to capture, default is 128, maximum is 128 |
disable_local_ssh |
boolean |
whether to disable local SSH (by default, local SSH is enabled with allow_mist in Org is enabled |
limit_ssh_access |
boolean |
whether to allow certain SSH keys to SSH into the AP (see Site:Setting), default is false |
fips_zeroize_password |
string |
password required to zeroize devices (FIPS) on site level |
cacerts |
list |
list of PEM-encoded ca certs |
device_cert |
object |
common device cert, optional |
tags |
list |
list of tags |
remote_syslog |
object |
syslog parameters |
device_updown_threshold |
int |
enable threshold-based device down delivery via 1) device-updowns webhooks topic, 2) Mist Alert Framework; e.g. send AP/SW/GW down event only if AP/SW/GW Up is not seen within the threshold in minutes; 0 - 240, default is 0 (trigger immediate) |
ap_updown_threshold |
int |
enable threshold-based device down delivery for AP devices only. When configured it takes effect for AP devices and device_updown_threshold is ignored. |
gateway_updown_threshold |
int |
enable threshold-based device down delivery for Gateway devices only. When configured it takes effect for GW devices and device_updown_threshold is ignored. |
switch_updown_threshold |
int |
enable threshold-based device down delivery for Switch devices only. When configured it takes effect for SW devices and device_updown_threshold is ignored. |
bgp_neighbor_updown_threshold |
int |
enable threshold-based bgp neighbor down delivery. |
vpn_peer_updown_threshold |
int |
enable threshold-based vpn peer down delivery. |
vpn_path_updown_threshold |
int |
enable threshold-based vpn path down delivery. |
simple_alert |
object |
threshold setting for dhcp, dns, arp failure alerts. Alert generates if there are x (int) failures or y (int) clients failing within z (int) minutes per server, where 5<=z<=60. Defaults: dhcp_failure: {client_count: 10, incident_count: 20, duration: 10}, dns_failure: {client_count: 20 , incident_count: 30 , duration: 10}, arp_failure: {client_count: 10 , incident_count: 10 , duration: 20} |
ap_affinity_threshold |
int |
ap_affinity_threshold can be added as a field under org/setting. By default this value is set to 12. If the field is set in both site/setting and org/setting, the value from site/setting will be used. |
host |
string |
ip / hostname of TACACS server |
port |
int |
port of TACACS server, default is 49 |
secret |
string |
secret of TACACS server |
timeout |
int |
TACACS timeout, default is 10, from 1 to 90 |
disable_remote_shell |
boolean |
whether to disable remote shell access for an entire org |
| ### Automatic Site Assignment |
Auto Site Assignment can be enabled to automatically assign APs to sites. Once enabled, when an AP in the Org inventory is seen online (e.g. freshly installed), we will try to use the criteria defined to identify the Site Name. Only when a non-empty Site Name is identified and the Site exists, the AP will be assigned to the site.
Automatic Device Naming works along with Automatic Site Assignment. When an AP that’s already assigned to a site that has no name, we will try to use the criteria defined to name the device. Only when a non-empty Name is identified and no AP with the same name exists in the same Site, the AP will be assigned the name.
PUT /api/v1/orgs/:org_id/setting
POST /api/v1/orgs/:org_id/inventory/reevaluate_auto_assignment
Status: 200 OK
Setting up Custom PCAP Bucket Involves the following:
MIST_TOKENPOST /api/v1/orgs/:org_id/setting/pcap_bucket/setup
{
"bucket": "company-private-pcap"
}
{
"bucket": "company-private-pcap",
"detail": "failed to write bucket - 403 AccessDenied"
}
POST /api/v1/orgs/:org_id/setting/pcap_bucket/verify
{
"bucket": "company-private-pcap",
"verify_token": "eyJhbGciOiJIUzI1J9.eyJzdWIiOiIxMjM0joiMjgxOG5MDIyfQ.2rzcRvMA3Eg09NnjCAC-1EWMRtxAnFDM"
}
Status: 200 OK
NOTE: a “VERIFIED” file will be created in the bucket
GET /api/v1/orgs/:org_id/cert
{
"cert": "-----BEGIN CERTIFICATE-----\nMIIowDQYJKoZIhvcNAQELBQE\n-----END CERTIFICATE-----"
// If the current Org CA certificate is set to expire within 30 days, \
// a pending certificate will be returned along with the expected auto-renewal timestamp.
"pending_cert": "-----BEGIN CERTIFICATE-----\nMIIowDQYJKoZIhvcNAQELBQE\n-----END CERTIFICATE-----",
"pending_cert_expiry": 2044471109,
}
POST /api/v1/orgs/:org_id/cert/regenerate
Replace the current org cert with the pending cert generated previously
POST /api/v1/orgs/:org_id/cert/apply_pending
GET /api/v1/orgs/:org_id/crl
By default, all certs used by recently unclaimed devices within 9 month will be included in CRL. If the list grows too big, you can truncate it
POST /api/v1/orgs/:org_id/crl/truncate
{
"days": 30 // default is 30
}
GET /api/v1/orgs/:org_id/ssl_proxy_cert
{
"cert": "-----BEGIN CERTIFICATE-----\nMIIowDQYJKoZIhvcNAQELBQE\n-----END CERTIFICATE-----"
}
GET /api/v1/orgs/:org_id/setting/:app_name/link?forward=:forward_url // This is kept for backward compatibility
GET /api/v1/orgs/:org_id/setting/:app_name/link_accounts?forward=:forward_url
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, org id |
app_name |
string |
Required, OAuth application name (Example : zoom, teams, intune) |
forward_url |
string |
Required, Mist portal url to which backend needs to redirect after successful OAuth authorization |
{
"linked": true,
"accounts": [
{
"account_id": "KkEM7orQSIWHZNFzwMLuRA",
"last_sync": 1665465339,
"last_status": "success",
"linked_by": "Testname1",
"company": "Test Compay1 Ltd",
"max_daily_api_requests": 1500 // This field is specific to Zoom app
},
{
"account_id": "kojzWgIJQ0ujR73VvydOdg",
"last_sync": 1665465346,
"last_status": "failed",
"linked_by": "Testname2",
"company": "Test Compay2 Ltd",
"error": "OAuth token refresh failed, please re-link your account",
"errors": ["OAuth token refresh failed, please re-link your account", "API daily rate limit reached for your account"],
"max_daily_api_requests": null, // This field is specific to Zoom app
},
{
"account_id": "iojzXIJWEuiD73ZvydOfg",
"last_sync": "failed",
"last_status": 1665465538,
"linked_by": "Testname3",
"company": "Test Compay3 Ltd",
"max_daily_api_requests": 3500 // This field is specific to Zoom app
}
],
"authorization_url": "https://zoom.us/oauth/authorize?response_type=code&client_id=YDyajBmJREjwkyb3TPAbA&redirect_uri=https%3A%2F%2Fapi.local%2Fapi%2Fv1%2Forg%2Fb4e16c72-d50e-4c03-a952-a3217e231e2c%2Foauth2%2Fapp%2Fzoom%2Fcallback&state=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NDk3NjE0MDQsImZvcndhcmQiOiJodHRwczovL2NsaWVudGZvcndhcmR1cmwuY29tIn0.RIE4XTU5kpF4nKIy7_enJ0PpOCyTTp6DLm9PZsdncpI"
}
| Name | Type | Description |
|---|---|---|
linked |
boolean |
OAuth application linked status, is mist portal authorized with the OAuth appliation |
authorization_url |
string |
OAuth application authorization url |
accounts |
list |
List of linked apps(zoom/teams/intune) account details |
DELETE /api/v1/orgs/:org_id/setting/:app_name/link // This is kept for backward compatibility
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, org id |
app_name |
string |
Required, OAuth application name (Example : zoom, teams) |
Status: 200 Successful
Status: > 400 Unsuccessful
DELETE /api/v1/orgs/:org_id/setting/:app_name/link_accounts // kept for backward compatibility
{
"account_id": "iojzXIJWEuiD73ZvydOfg"
}
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, org id |
app_name |
string |
Required, OAuth application name (Example : zoom, teams, intune) |
account_id |
string |
Required, Linked app(zoom/teams/intune) account id |
Status: 200 Successful
Status: > 400 Unsuccessful
DELETE /api/v1/orgs/:org_id/setting/:app_name/link_accounts/:account_id
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, org id |
app_name |
string |
Required, OAuth application name (Example : zoom, teams, intune) |
account_id |
string |
Required, Linked app(zoom/teams/intune) account id |
Status: 200 Successful
Status: > 400 Unsuccessful
PUT /api/v1/orgs/:org_id/setting/:app_name/link_accounts
{
"account_id": "iojzXIJWEuiD73ZvydOfg",
"max_daily_api_requests": 5000
}
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, org id |
app_name |
string |
Required, OAuth application name (Example : zoom, teams, intune) |
account_id |
string |
Required, Linked app(zoom/teams/intune) account id |
max_daily_api_requests |
integer |
Optional, Zoom daily api request quota, https://developers.zoom.us/docs/api/rest/rate-limits/ |
discard_guest_info |
boolean |
Optional, Whether to redact identifying information for call participants that are not part of the Zoom/Teams account identified by account_id. |
Status: 200 Successful
Status: > 400 Unsuccessful
GET /api/v1/orgs/:org_id/setting
{
...
"juniper": {
"accounts": [
{
"name": "ABC Corp",
"linked_by": "John Smith (john@abccorp.com)"
}
]
}
}
POST /api/v1/orgs/:org_id/setting/juniper/link_accounts
{
"username": "john@nmo.com",
"password": "password"
}
Status 200 OK
{
"account": {
"name": "ABC Corp",
"linked_by": "John Smith (john@abccorp.com)"
}
}
Status 400 BadRequest
{
"detail": "Account[ABC Corp] already linked",
}
DELETE /api/v1/orgs/:org_id/setting/juniper/linked_account
{
"account_name": "ABC Corp"
// required only if there are duplicate account_names
"linked_by": "John Smith (john@abccorp.com)"
}
This sets up Cradlepoint webhooks to send events to Mist
POST /api/v1/orgs/:org_id/setting/cradlepoint/setup
{
"ecm_api_id": "73446d61-2206-4ea5-855a-0043f980be62",
"ecm_api_key": "68b329da9893e34099c7d8ad5cb9c9405",
"cp_api_id": "84446d61-2206-4ea5-855a-0043f980be54",
"cp_api_key": "79c329da9893e34099c7d8ad5cb9c941",
}
This updates the Cradlepoint integration settings in Mist
PUT /api/v1/orgs/:org_id/setting/cradlepoint/setup
{
"ecm_api_id": "73446d61-2206-4ea5-855a-0043f980be62",
"ecm_api_key": "68b329da9893e34099c7d8ad5cb9c9405",
"cp_api_id": "84446d61-2206-4ea5-855a-0043f980be54",
"cp_api_key": "79c329da9893e34099c7d8ad5cb9c941",
}
This deletes the Cradlepoint integration in Mist
DELETE /api/v1/orgs/:org_id/setting/cradlepoint/setup
This tests the Cradlepoint integration in Mist
GET /api/v1/orgs/:org_id/setting/cradlepoint/setup
{
"last_status": "inactive",
"error": "Cradlepoint API keys are no longer valid, please verify and update the keys under organization settings."
}
| Name | Type | Description |
|---|---|---|
last_status |
string |
status of integration active/inactive detected during last sync. |
error |
string |
if status is inactive this field returns the reason for it being inactive. |
This syncs cradlepoint devices with Mist. We’ll also attempt to use the LLDP data from cradlepoint to identify the linkage against Mist Site / Device
POST /api/v1/orgs/:org_id/setting/cradlepoint/sync
If the Site / Device cannot be identified, a manual association can be made
PUT /api/v1/orgs/:org_id/otherdevices/:mac
{
"site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"device_mac": "0adfea67e65b"
}
Assign or unassign OtherDevices to and from a site.
PUT /api/v1/orgs/:org_id/otherdevices
| Name | Type | Description |
|---|---|---|
op |
string |
The operation being performed. Either ‘assign’ or ‘unassign’. |
site_id |
string |
The site identifier. |
macs |
list |
List of otherdevice mac addresses. |
{
"op": "assign",
"site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"macs": [
"5c5b350e0001",
"5c5b350e0003"
]
}
GET /api/v1/orgs/:org_id/otherdevices?vendor=:vendor
[
{
"id": "ae9dee49-69e7-4710-a114-5b827a777738",
"org_id": "2818e386-8dec-2562-9ede-5b8a0fbbdc71",
"created_time": 1676983730,
"modified_time": 1676983730,
"vendor": "cradlepoint",
"mac": "5c5b35000018",
"serial": "FXLH2015150025",
"model": "AP41",
"name": "hallway",
"site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"device_mac": "001122334455"
}
]
GET /api/v1/orgs/:org_id/otherdevice/:mac
{
"id": "ae9dee49-69e7-4710-a114-5b827a777738",
"org_id": "2818e386-8dec-2562-9ede-5b8a0fbbdc71",
"vendor": "cradlepoint",
"mac": "5c5b35000018",
"serial": "WB23015E025468",
"model": "W2005",
"name": "W2005-268",
"vendor_api_id": "4658714",
"site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"device_mac": "001122334455",
"state": "online"
}
DELETE /api/v1/orgs/:org_id/otherdevices/:mac
GET /api/v1/orgs/:org_id/stats/otherdevices/:mac
{
"vendor": "cradlepoint",
"mac": "0030448f1f44",
"uptime": 25065,
"last_seen": 1736499062,
"version": "7.24.50",
"vendor_specific": {
"interfaces": {
"ethernet-lan": {
"ip": "192.168.0.1",
"mode": "lan",
"link": false,
"service_mode": "Ethernet",
"type": "ethernet",
"uptime": 0,
"bytes_in": 331068567,
"bytes_out": 6763536255,
"display_name": "Primary LAN",
"port_parent": "Primary LAN"
},
"mdm-81ade837": {
"ip": "12.68.86.17",
"mode": "wan",
"link": true,
"carrier": "AT&T",
"state": "READY",
"service_mode": "5G NSA",
"type": "mdm",
"uptime": 2464657,
"bytes_in": 287174553,
"bytes_out": 306774804,
"rssi": -79,
"rsrp": -109.0,
"rsrq": -15.0,
"sinr": 3.4,
"imei": "650994581483248",
"imsi": "410410436288436",
"mtu": 1400,
"display_name": "Internal 5GB (SIM1)"
},..
}
},
"cached_stats": true,
"lldp_enabled": true,
"connected_devices": {}
}
POST /api/v1/orgs/:org_id/otherdevices/:mac/reboot
{}
WS /api-ws/v1/stream
{
"subscribe": "/orgs/:org_id/otherdevices/sync"
}
{
"event": "data"
"channel": "/orgs/67970e46-4e12-11e6-9188-0242ac110007/otherdevices/sync"
"data": {
"vendor": "cradlepoint"
"status": "failed",
"text": "Cannot sync devices, please verify API keys under organization setting."
}
}
| Name | Type | Description |
|---|---|---|
event |
string |
what type of event is received. |
channel |
string |
from which channel the data is received. |
vendor |
string |
vendor of otherdevices sync event. |
status |
string |
status of event e.g done or failed. |
text |
string |
provides more information on the event. |
GET /api/v1/orgs/:org_id/setting/jamf/link_accounts
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, org id |
{
"linked": true,
"accounts": [
{
"account_id": "ae9dee49-69e7-4710-a114-5b827a777738",
"instance_url": "junipertest.jamfcloud.com",
"smartgroup_name": "CompliantGroup1",
"last_sync": 1665465339000,
"last_status": "success",
"linked_by": "Testname1",
"name": "Test Compay1 Ltd"
},
{
"account_id": "845a23bf-bed9-e43c-4c86-6fa474be7ae5",
"instance_url": "junipernfr.jamfcloud.com", // Linked Jamf Instance URL
"smartgroup_name": "CompliantGroup", // smartgroup name to determine compliance status
"last_sync": 1234567890123, // Last data pull timestamp, background jobs that pull Jamf account data
"last_status": "failed", // Is the last data pull for Jamf account is successful or not
"linked_by": "Testname2", // First name of the user who linked the Jamf account
"name": "Test Compay2 Ltd", // Name of the company whose Jamf account mist has subscribed to
"error": "Get token failed, please re-link jamf" // This error is provided when the Jamf account fails to fetch token/data
}
]
}
| Name | Type | Description |
|---|---|---|
linked |
boolean |
OAuth application linked status, is mist portal enabled for Jamf |
accounts |
list |
List of linked Jamf account details |
POST /api/v1/orgs/:org_id/setting/jamf/link_accounts
{
"instance_url": "customer account Jamf instance URL"
"client_id": "customer account api client id",
"client_secret": "customer account api client secret",
"smartgroup_name": "smart group membership for determining compliance status"
}
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, org id |
instance_url |
string |
Required, customer account Jamf instance URL |
client_id |
string |
Required, customer account api client ID |
client_secret |
string |
Required, customer account api client Secret |
smartgroup_name |
string |
Required, smart group membership for determining compliance status |
{
"linked": true,
"accounts": [
{
"account_id": "ae9dee49-69e7-4710-a114-5b827a777738",
"instance_url": "junipertest.jamfcloud.com",
"smartgroup_name": "CompliantGroup1",
"last_sync": 1665465339000,
"last_status": "success",
"linked_by": "Testname1",
"name": "Test Compay1 Ltd"
},
{
"account_id": "845a23bf-bed9-e43c-4c86-6fa474be7ae5", // generated account id (uuid)
"instance_url": "junipernfr.jamfcloud.com", // Linked Jamf Instance URL
"smartgroup_name": "CompliantGroup", // smartgroup name to determine compliance status
"last_sync": 1234567890123, // Last data pull timestamp, background jobs that pull Jamf account data
"last_status": "failed", // Is the last data pull for Jamf account is successful or not
"linked_by": "Testname2", // First name of the user who linked the Jamf account
"name": "Test Compay2 Ltd", // Name of the company whose Jamf account mist has subscribed to
"error": "Get token failed, please re-link jamf" // This error is provided when the Jamf account fails to fetch token/data
}
]
}
| Name | Type | Description |
|---|---|---|
linked |
boolean |
application linked status, is mist portal enabled for Jamf |
accounts |
list |
List of linked Jamf account details |
Status: 200 Successful
Status: > 400 Unsuccessful
DELETE /api/v1/orgs/:org_id/setting/jamf/link_accounts // kept for backward compatibility
{
"account_id": "ae9dee49-69e7-4710-a114-5b827a777738"
}
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, org id |
account_id |
string |
Required, Linked Jamf account ID |
Status: 200 Successful
Status: > 400 Unsuccessful
DELETE /api/v1/orgs/:org_id/setting/jamf/link_accounts/:account_id
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, org id |
account_id |
string |
Required, Linked Jamf account ID (UUID) |
Status: 200 Successful
Status: > 400 Unsuccessful
GET /api/v1/orgs/:org_id/setting/vmware/link_accounts
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, org id |
{
"linked": true,
"accounts": [
{
"account_id": "f43ea4c4-8a97-4159-9214-112a8c7b8f22",
"instance_url": "as800.airwatchportals.com",
"webhook_enabled": true,
"webhook_url": "https://websync.nac-staging.mistsys.com/v1/S_41b2525af1d8dcbe9005/f43ea4c48f22/vmware/mdm",
"webhook_auth_type": "Basic",
"webhook_username": "username_1234",
"webhook_password": "password_1234",
"last_sync": 1665465339000,
"last_status": "success",
"linked_by": "Testname1",
"name": "Test Compay1 Ltd",
"linked_timestamp": 1702284364
},
{
"account_id": "m56ea4c4-8a10-4189-9214-113a8c7b8m82",
"instance_url": "as561.airwatchportals.com", // Linked VMware Instance URL
"webhook_enabled": true,
"webhook_url": "https://websync.nac-staging.mistsys.com/v1/S_41b2525af1d8dcbe9005/f43ea4c48f22/vmware/mdm",
"webhook_auth_type": "Basic",
"webhook_username": "username_1234",
"webhook_password": "password_1234",
"last_sync": 1234567890123, // Last data pull timestamp, background jobs that pull VMware account data
"last_status": "failed", // Is the last data pull for VMware account is successful or not
"linked_by": "Testname2", // First name of the user who linked the VMware account
"name": "Test Compay2 Ltd", // Name of the company whose VMware account mist has subscribed to
"linked_timestamp": 1702284364
"error": "Get token failed, please re-link VMware" // This error is provided when the VMware account fails to fetch token/data
}
]
}
| Name | Type | Description |
|---|---|---|
linked |
boolean |
Basic Auth application linked status in mist portal enabled for VMware |
accounts |
list |
List of linked VMware account details |
POST /api/v1/orgs/:org_id/setting/vmware/link_accounts
{
"instance_url": "customer account VMware instance URL"
"client_id": "customer account api client id",
"client_secret": "customer account api client secret",
"webhook_enabled": true
}
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, org id |
instance_url |
string |
Required, customer account VMware instance URL |
client_id |
string |
Required, customer account Client ID |
client_secret |
string |
Required, customer account Client Secret |
webhook_enabled |
boolean |
Required, enables or disables the webhook integration |
{
"linked": true,
"accounts": [
{
"account_id": "f43ea4c4-8a97-4159-9214-112a8c7b8f22",
"instance_url": "as800.airwatchportals.com",
"webhook_enabled": true,
"webhook_url": "https://websync.nac-staging.mistsys.com/v1/S_41b2525af1d8dcbe9005/f43ea4c48f22/vmware/mdm",
"webhook_auth_type": "Basic",
"webhook_username": "username_1234",
"webhook_password": "password_1234",
"last_sync": 1665465339000,
"last_status": "success",
"linked_by": "Testname1",
"name": "Test Compay1 Ltd",
"linked_timestamp": 1702284364
},
{
"account_id": "m56ea4c4-8a10-4189-9214-113a8c7b8m82",
"instance_url": "as561.airwatchportals.com", // Linked VMware Instance URL
"webhook_enabled": true,
"webhook_url": "https://websync.nac-staging.mistsys.com/v1/S_41b2525af1d8dcbe9005/f43ea4c48f22/vmware/mdm",
"webhook_auth_type": "Basic",
"webhook_username": "username_1234",
"webhook_password": "password_1234",
"last_sync": 1234567890123, // Last data pull timestamp, background jobs that pull VMware account data
"last_status": "failed", // Is the last data pull for VMware account is successful or not
"linked_by": "Testname2", // First name of the user who linked the VMware account
"name": "Test Compay2 Ltd", // Name of the company whose VMware account mist has subscribed to
"linked_timestamp": 1702284364
"error": "Get token failed, please re-link VMware" // This error is provided when the VMware account fails to fetch token/data
}
]
}
| Name | Type | Description |
|---|---|---|
linked |
boolean |
application linked status, is mist portal enabled for VMware |
accounts |
list |
List of linked VMware account details |
Status: 200 Successful
Status: > 400 Unsuccessful
PUT /api/v1/orgs/:org_id/setting/vmware/link_accounts/:account_id
{
"webhook_enabled": False
}
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, org id |
account_id |
string |
Required, Linked VMware account ID |
Status: 200 Successful
Status: > 400 Unsuccessful
DELETE /api/v1/orgs/:org_id/setting/vmware/link_accounts // kept for backward compatibility
{
"account_id": "f43ea4c4-8a97-4159-9214-112a8c7b8f22"
}
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, org id |
account_id |
string |
Required, Linked VMware account ID |
Status: 200 Successful
Status: > 400 Unsuccessful
DELETE /api/v1/orgs/:org_id/setting/vmware/link_accounts/:account_id
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, org id |
account_id |
string |
Required, Linked VMware account ID (UUID) |
Status: 200 Successful
Status: > 400 Unsuccessful
GET /api/v1/orgs/:org_id/setting/mobicontrol/link_accounts
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, Organization id |
{
"linked": True,
"accounts": [
{
"account_id": "7f80cd00-40b1-49e5-b2cb-9386d89af0d6",
"instance_url": "https://a0020372.mobicontrol.cloud",
"client_id": "3e408b13255844149f2830e8609fe8f3"
"last_sync": 1665465339000,
"last_status": "success",
"linked_by": "User1",
"linked_timestamp": 1702284364,
"name": "Company1 Ltd.",
},
{
"account_id": "80364a28-7ccc-4746-b110-ecf3dfd3a359",
"instance_url": "https://a0032314.mobicontrol.cloud", // Linked MobiControl Instance URL
"client_id": "e81cfb1980454b4bb6109c74136ca528" //Linked MobiControl Client Id
"last_sync": 1234567890123, // Last data pull timestamp, background jobs that pull MobiControl account data
"last_status": "failed", // Is the last data pull for MobiControl account is successful or not
"linked_by": "User2", // First name of the user who linked the MobiControl account
"linked_timestamp": 1702284364,
"name": "Company2 Ltd.", // Name of the company whose MobiControl account mist has subscribed to
"error" : "Get token failed, please re-link MobiControl account" // This error is provided when the MobiControl account fails to fetch token/data
}
]
}
| Name | Type | Description |
|---|---|---|
linked |
boolean |
Application linked status, is mist portal enabled for MobiControl |
accounts |
list |
List of linked MobiControl account details |
POST /api/v1/orgs/:org_id/setting/mobicontrol/link_accounts
{
"instance_url" : "Customer account MobiControl instance URL",
"client_id" : "Customer account API client ID",
"client_secret" : "Customer account API client Secret",
"username" : "Customer account username",
"password" : "Customer account password"
}
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, Organization ID |
instance_url |
string |
Required, Customer account MobiControl instance URL |
client_id |
string |
Required, Customer account API client ID |
client_secret |
string |
Required, Customer account API client Secret |
username |
string |
Required, Customer account username |
password |
string |
Required, Customer account password |
{
"linked": True,
"accounts": [
{
"account_id": "7f80cd00-40b1-49e5-b2cb-9386d89af0d6",
"instance_url": "https://a0020372.mobicontrol.cloud",
"client_id": "3e408b13255844149f2830e8609fe8f3"
"last_sync": 1665465339000,
"last_status": "success",
"linked_by": "User1",
"linked_timestamp": 1702284364,
"name": "Company1 Ltd.",
},
{
"account_id": "80364a28-7ccc-4746-b110-ecf3dfd3a359", // Generated account id (uuid)
"instance_url": "https://a0032314.mobicontrol.cloud", // Linked MobiControl Instance URL
"client_id': 'e81cfb1980454b4bb6109c74136ca528' //Linked MobiControl Client Id
'last_sync': 1234567890123, // Last data pull timestamp, background jobs that pull MobiControl account data
'last_status': 'failed', // Is the last data pull for MobiControl account is successful or not
'linked_by': 'User2', // First name of the user who linked the MobiControl account
'linked_timestamp': 1702284364,
'name': 'Company2 Ltd.', // Name of the company whose MobiControl account mist has subscribed to
'error' : 'Get token failed, please re-link MobiControl account' // This error is provided when the MobiControl account fails to fetch token/data
}
]
}
| Name | Type | Description |
|---|---|---|
linked |
boolean |
application linked status, is mist portal enabled for MobiControl |
accounts |
list |
List of linked MobiControl account details |
Status: 200 Successful
Status: > 400 Unsuccessful
DELETE /api/v1/orgs/:org_id/setting/mobicontrol/link_accounts/:account_id
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, Organization ID |
account_id |
string |
Required, Linked MobiControl account ID(UUID) |
Status: 200 Successful
Status: > 400 Unsuccessful
GET /api/v1/orgs/:org_id/setting/zdx/link_accounts
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, Organization id |
{
"linked": true,
"accounts": [
{
"account_id": "80364a28-7ccc-4746-b110-ecf3dfd3a359", // Generated account id (uuid)
"key_id": "L72frZcK3JvrZc",
"webhook_url": "https://webhook.url/xxx", // Webhook url to notify Mist about a ZDX alert
"zdx_org_id": "123456",
"cloud_name": "zdxcloud.net"
},
{
"account_id": "80364a28-7ccc-4746-b110-ecf3dfd3a359",
"key_id": "K35vrZcK3JvrZc",
"webhook_url": "https://webhook.url/yyy",
"zdx_org_id": "4601412",
"cloud_name": "zdxcloud.net"
}
]
}
POST /api/v1/orgs/:org_id/setting/zdx/link_accounts
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, Organization ID |
key_id |
string |
Required, Customer account API key ID |
key_secret |
string |
Required, Customer account API key Secret |
zdx_org_id |
string |
Required, ZDX organization id |
cloud_name |
string |
ZDX cloud name default: zdxcloud.net Refer https://help.zscaler.com/zdx/getting-started-zdx-api for ZDX cloud name |
DELETE /api/v1/orgs/:org_id/setting/zdx/link_accounts/:account_id
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, Organization ID |
account_id |
string |
Required, Linked ZDX account ID |
Status: 200 Successful
Status: > 400 Unsuccessful
POST /api/v1/orgs/:org_id/setting/prisma/link_accounts
{
"client_id": "mist-integration@18995xxxx.iam.panserviceaccount.com",
"client_secret": "07519xxx-fb64-xxxx-xxxx-xxxx4af3384",
"tsg_id": "189953456",
"enable_probe": true,
"auto_probe_subnet": "11.0.0.0/8"
}
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, Organization ID |
client_id |
string |
Required, Customer account API Client ID |
client_secret |
string |
Required, Customer account API Client Secret |
tsg_id |
string |
Required, Prisma Tenant Service Group id |
enable_probe |
boolean |
To enable/disable tunnel probe, default is false (disabled) |
auto_probe_subnet |
string |
Required if enable_probe=true, This field will accept an IPv4 cidr and an IP address will be picked from this range to be used as tunnel probe source ip address and as well as BGP neighbour IP address. The subnet should be big enough for num_devices * num_tunnel * 2 |
{
"linked": true,
"accounts": [
{
"account_id": "80364a28-7ccc-4746-b110-ecf3dfd3a359", // Generated account id (uuid)
"tsg_id": "189953456",
"service_account_name": "Corp SA",
"cloud_name": "api.sase.paloaltonetworks.com",
"region": "americas",
"enable_probe": true,
"auto_probe_subnet": "11.0.0.0/8",
"service_connections": {},
"regions": {}
}
]
}
PUT /api/v1/orgs/:org_id/setting/prisma/link_accounts/:account_id
{
"enable_probe": true,
"auto_probe_subnet": "11.0.0.0/8"
}
| Name | Type | Description |
|---|---|---|
enable_probe |
boolean |
To enable/disable tunnel probe, default is false (disabled) |
auto_probe_subnet |
string |
Required, if enable_probe=true, This field will accept an IPv4 cidr and an IP address will be picked from this range to be used as tunnel probe source ip address and as well as BGP neighbour IP address. The subnet should be big enough for num_devices * num_tunnel * 2 |
{
"linked": true,
"accounts": [
{
"account_id": "80364a28-7ccc-4746-b110-ecf3dfd3a359",
"tsg_id": "189953456",
"service_account_name": "Corp SA",
"cloud_name": "api.sase.paloaltonetworks.com",
"region": "americas",
"enable_probe": true,
"auto_probe_subnet": "11.0.0.0/8"
}
]
}
GET /api/v1/orgs/:org_id/setting/prisma/link_accounts
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, Organization id |
{
"linked": true,
"accounts": [
{
"account_id": "80364a28-7ccc-4746-b110-ecf3dfd3a359", // Generated account id (uuid)
"tsg_id": "189953456",
"service_account_name": "Demo SA",
"cloud_name": "api.sase.paloaltonetworks.com",
"region": "americas",
"enable_probe": true,
"auto_probe_subnet": "11.0.0.0/8",
"service_connections": {
"MCD_LAB_SC_1": {
"region": "us-west-1"
}
},
// regions configured under this account
"regions": {
"us-west-1": {
"allocated_bandwidth": 50 // Mbps
"aggregate_region": "us-southwest" // Bandwidth Aggregate region for this region
"name": "US West" // Display name for this region
}
}
},
{
"account_id": "80364a28-7ccc-4746-b110-5678aafd65cc",
"tsg_id": "189954023",
"service_account_name": "Corp SA",
"cloud_name": "api.sase.paloaltonetworks.com",
"enable_probe": false,
"auto_probe_subnet": null,
"service_connections": {
"MCD_LAB_SC_2": {
"region": "us-east"
}
},
// regions configured under this account
"regions": {
"us-east": {
"allocated_bandwidth": 100 // Mbps
"aggregate_region": "us-northeast" // Bandwidth Aggregate region for this region
"name": "US Northeast" // Display name for this region
}
}
}
]
}
DELETE /api/v1/orgs/:org_id/setting/prisma/link_accounts/:account_id
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, Organization ID |
account_id |
string |
Required, Linked Prisma account ID |
Status: 200 Successful
Status: > 400 Unsuccessful
GET /api/v1/orgs/:org_id/setting/crowdstrike/link_accounts
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, org id |
{
"linked": true,
"accounts": [
{
"last_status": "success",
"last_sync": 1665465339000,
"account_id": "ae9dee49-69e7-4710-a114-5b827a777738",
"linked_by": "Testname1",
"name": "Test Company1 Ltd"
"linked_timestamp":1728275689.284758,
},
{
"last_status": "failed", // Is the last data pull for crowdstrike account is successful or not
"last_sync": 1234567890123, // Last data pull timestamp, background jobs that that pull CrowdStrike account data
"account_id": "845a23bf-bed9-e43c-4c86-6fa474be7ae5", //uuid generated
"linked_by": "Testname2", // First name of the user who linked the crowdstrike account
"name": "Test Company2 Ltd", // Name of the company whose crowdstrike account mist has subscribed to
"linked_timestamp":1728275689.284758, // Timestamp when the account is linked
"error": "Get token failed, please re-link crowdstrike" // This error is provided when the crowdstrike account fails to fetch token/data
}
}
| Name | Type | Description |
|---|---|---|
linked |
boolean |
OAuth application linked status, is mist portal enabled for CrowdStrike |
accounts |
list |
List of linked CrowdStrike account details |
POST /api/v1/orgs/:org_id/setting/crowdstrike/link_accounts
{
"customer_id": "customer id of an admin"
"client_id": "customer account api client id",
"client_secret": "customer account api client secret",
}
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, org id |
customer_id |
string |
Required, customer id of an admin |
client_id |
string |
Required, customer account api client ID |
client_secret |
string |
Required, customer account api client Secret |
{
"linked": true,
"accounts": [
{
"last_status": "success",
"last_sync": 1665465339000,
"account_id": "ae9dee49-69e7-4710-a114-5b827a777738",
"linked_by": "Testname1",
"name": "Test Company1 Ltd"
"linked_timestamp":1728275689.284758,
},
{
"last_status": "failed", // Is the last data pull for crowdstrike account is successful or not
"last_sync": 1234567890123, // Last data pull timestamp, background jobs that that that pull CrowdStrike account data
"account_id": "845a23bf-bed9-e43c-4c86-6fa474be7ae5", //uuid generated
"linked_by": "Testname2", // First name of the user who linked the crowdstrike account
"name": "Test Company2 Ltd", // Name of the company whose crowdstrike account mist has subscribed to
"linked_timestamp":1728275689.284758, // Timestamp when the account is linked
"error": "Get token failed, please re-link crowdstrike" // This error is provided when the crowdstrike account fails to fetch token/data
}
]
}
| Name | Type | Description |
|---|---|---|
linked |
boolean |
application linked status, is mist portal enabled for CrowdStrike |
accounts |
list |
List of linked CrowdStrike account details |
DELETE /api/v1/orgs/:org_id/setting/crowdstrike/link_accounts/:account_id
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, org id |
account_id |
string |
Required, Linked CrowdStrike account ID (UUID) |
{Status: 200 Successful}
Status: > 400 Unsuccessful
POST /api/v1/orgs/:org_id/setting/sentinelone/link_accounts
{
"instance_url": "customer account SentinelOne instance URL"
"api_token": "customer account api token",
}
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, org id |
instance_url |
string |
Required, customer account SentinelOne instance URL |
api_token |
string |
Required, customer account api_token |
{
"linked": True,
"accounts": [
{
"account_id": "00fd8b39-cf92-4b43-a2ff-a461b48e7059",
"instance_url": "usea1-015.sentinelone.net"
"linked_by": "user1@test.com",
"last_status": "success",
"last_sync": 1234567891,
"name": "company1",
"linked_timestamp": 1234567891,
},
{
"account_id": "00fd8b39-cf92-4b43-a2ff-a461b48e7060",
"instance_url": "usea1-017.sentinelone.net"//Linked SentinelOne instance URL
"linked_by": "user2@test.com",//user who linked the SentinelOne account
"last_status": "failed", //Is the last data bull for SentinelOne account is successful or not
"last_sync": 1234567800, //Lastpull timestamp , background jobs that pull SentinelOne account data
"name": "company2", //Name of the company whose SentinelOne account mist has subscribed to
"linked_timestamp": 1234567891,
"error" : "Get token failed, please re-link SentinelOne account" // This error is provided when the SentinelOne account fails to fetch token/data
}
]
}
| Name | Type | Description |
|---|---|---|
linked |
boolean |
Application linked status, is mist portal enabled for SentinelOne |
accounts |
list |
List of linked SentinelOne account details |
Status: 200 Successful
Status: > 400 Unsuccessful
DELETE /api/v1/orgs/:org_id/setting/sentinelone/link_accounts/:account_id
| Name | Type | Description |
|---|---|---|
org_id |
string |
Required, org id |
account_id |
string |
Required, Linked SentinelOne account ID (UUID) |
Status: 200 Successful
Status: > 400 Unsuccessful
in Zscaler UI 1. add Partner Integration at https://admin.zscalerbeta.net/#administration/partner-integration 2. Add Partner Administrator Role at https://admin.zscalerbeta.net/#administration/role-management - Name: Mist - Access: Full 3. add Partner Admin at https://admin.zscalerbeta.net/#administration/admin-management with - Login ID: john - email: john@abc.com 4. Find the cloud name for ZIA https://help.zscaler.com/zia/what-my-cloud-name-zia
POST /api/v1/orgs/:org_id/setting/zscaler/setup
{
"partner_key": "K35vrZcK3JvrZc",
"username": "john@abc.com",
"password": "foryoureyesonly",
"cloud_name": "zscalerbeta.net"
}
GET /api/v1/orgs/:org_id/setting/zscaler/setup
{
"partner_key": "abcd12cK3JvrZc",
"username": "john@abc.com",
"cloud_name": "zscalerbeta.net"
}
DELETE /api/v1/orgs/:org_id/setting/zscaler/setup
in JSE UI 1. Create custom role with Read access to service-location and RW access to site and IPSec profile APIs. 2. Create a user with the above custom role. - email: john@abc.com 3. Activate the user in the JSE account. 4. Create the service locations on the JSE account.
POST /api/v1/orgs/:org_id/setting/jse/setup
{
"username": "john@abc.com",
"password": "foryoureyesonly",
"cloud_name": "devcentral.juniperclouds.net"
}
GET /api/v1/orgs/:org_id/setting/jse/setup
{
"username": "john@abc.com",
"cloud_name": "devcentral.juniperclouds.net"
}
DELETE /api/v1/orgs/:org_id/setting/jse/setup
Retrieves the list of JSE orgs associated with the account.
GET /api/v1/orgs/:org_id/setting/jse/info
{
"cloud_name": "devcentral.juniperclouds.net"
"org_names": ["Mist-Sys", "Mist-Eng"]
}
POST /api/v1/orgs/:org_id/setting/skyatp/setup
{
"realm": "mist-team",
"username": "john@abc.com",
"password": "skyatp"
}
DELETE /api/v1/orgs/:org_id/setting/skyatp/setup
GET /api/v1/orgs/:org_id/setting/skyatp/setup
{
"realm": "mist-team",
"username": "john@abc.com",
// optional - third party threat feeds/allowlist/blocklist
"secintel": {
// juniper secintel_feeds are enabled depending on your license tier: infected_host, geo_ip, attacker_ip, command_and_control
// third party:
// - ip-based: block_list, threatfox_ip, feodo_tracker, dshield, tor
// - url-based: threatfox_url, urlhaus, open_phish
// - domain-based: threatfox_domains
"third_party_threat_feeds": [ "block_list" ]
},
"secintel_allowlist_url": "https://papi.s3.amazonaws.com/secintel_allowlist/xxx...",
"secintel_blocklist_url": "https://papi.s3.amazonaws.com/secintel_blocklist/xxx..."
}
PUT /api/v1/orgs/:org_id/setting/skyatp/setup
{
"secintel": {
// juniper secintel_feeds are enabled depending on your license tier: infected_host, geo_ip, attacker_ip, command_and_control
// third party:
// - ip-based: block_list, threatfox_ip, feodo_tracker, dshield, tor
// - url-based: threatfox_url, urlhaus, open_phish
// - domain-based: threatfox_domains
"third_party_threat_feeds": [ "block_list" ]
}
}
PUT /api/v1/orgs/:org_id/setting/skyatp/secintel_allowlist
PUT /api/v1/orgs/:org_id/setting/skyatp/secintel_blocklist
{
"ip": [
{
"value": "10.1.3.5",
// optional
"comment": "nas"
}
],
"domain": [
{
"value": "unsafe.xxx",
// optional
"comment": "restricted"
}
]
}
/api/v1/orgs/:org_id/webhooks
/api/v1/orgs/:org_id/webhooks/:webhook_id/ping
/api/v1/orgs/:org_id/webhooks/:webhook_id/events/search
/api/v1/orgs/:org_id/webhooks/:webhook_id/events/count
see Site:Webhooks for schema
N.B. For org webhooks, only alarms/audits/client-info/client-join/client-sessions/device-events/device-updowns/mxedge-events Infrastructure topics are supported.
In a typical enterprise, a separate group of people, Installers, are responsible for install new devices. May it be a new installation (e.g. new stores), a replacement installation (e.g. replacing Cisco APs with Mist APs), or addition ( e.g. adding new APs for better coverage). Instead of granting them Admin/Write privilege, it’s more desirable to grant them minimum privileges to do the initial provisioning so they cannot read sensible information (e.g. PSK of a WLAN), or change configs of running APs.
At a high level, Installer APs try to achieve the following:
Grace period provides a dynamic way to limit what devices / sites installer can work on. Generally installers work on recent deployments - bringing up new sites, add newly claimed devices to new / existing sites. They make mistakes, too, and may need to further tweak some of the parameters. Default grace period is 7 days and can be set from 1 day to 365 days.
GET /api/v1/installer/orgs/:org_id/devices?limit=100
| Name | Type | Description |
|---|---|---|
model |
string |
device model |
site_name |
string |
site name |
site_id |
string |
site_id |
X-Page-Limit: 100
X-Page-Page: 1
X-Page-Total: 31
[
{
//
"mac": "5c5b35000018",
"model": "AP41",
"serial": "FXLH2015150025",
"vc_mac": null,
// from site / profile assignment
"name": "hallway",
"site_name": "SJ1",
"deviceprofile_name": "SJ1",
// if assigned to a site
"map_id": "845a23bf-bed9-e43c-4c86-6fa474be7ae5",
"x": 150,
"y": 300,
"height": 2.7,
"orientation": 90,
// from stats
"connected": true,
"last_seen": 1687887907.5919843,
"uptime": 12345,
"version": "0.10.24362",
"ip": "192.168.1.111",
"ext_ip": "12.34.56.78"
},
...
]
PUT /api/v1/installer/orgs/:org_id/devices/:mac
{
"name": "SJ1-AP1",
// optional
"deviceprofile_name": "SJ1",
// optional
"site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"site_name": "SJ1",
// optional
"map_id": "845a23bf-bed9-e43c-4c86-6fa474be7ae5", // has to be in the same site
"x": 150,
"y": 300,
"height": 2.7,
"orientation": 90,
// optional role for switch / gateway
"role": "switch_role",
// if this is to replace an existing device
"replacing_mac": "5c5b3500003"
}
If replacing_mac is in the request payload, other attributes are ignored, we attempt to replace existing device (with mac replacing_mac) with the inventory device being configured.
The replacement device must be in the inventory but not assigned, and the replacing_mac device must be assigned to a site, and satisfy grace period requirements.
The Device replaced will become unassigned.
Status: 400 Bad Request
{
"detail": "outside of grace period"
}
invalid mac given for replacing_mac:
Status: 400 Bad Request
{
"detail": "invalid replacing_mac"
}
replacing_mac device is not in org inventory:
Status: 404 Not Found
{
"detail": "replacing_mac inventory not found"
}
replacing_mac device not found:
Status: 404 Not Found
{
"detail": "replacing_mac device not found"
}
replacing_mac device last modified outside of grace period:
Status: 400 Bad Request
{
"detail": "replacing_mac device outside of grace period"
}
replacing_mac device is not assigned to a site:
Status: 400 Bad Request
{
"detail": "replacing_mac device is unassigned"
}
inventory device is already assigned:
Status: 400 Bad Request
{
"detail": "device already assigned"
}
DELETE /api/v1/installer/orgs/:org_id/devices/:mac
This mirrorsPOST /api/v1/orgs/:org_id/inventory (see Inventory API)
POST /api/v1/installer/orgs/:org_id/devices
[
"6JG8E-PTFV2-A9Z2N",
"DVH4V-SNMSZ-PDXBR"
]
Get the sites Installer can see / modify. This includes all sites (last modified within the grace period) and the
extra_site_ids defined in Org Setting
GET /api/v1/installer/orgs/:org_id/sites
[
{
"id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"name": "Mist Office",
"timezone": "America/Los_Angeles",
"country_code": "US",
"latlng": { "lat": 37.295833, "lng": -122.032946 },
"address": "1601 S. Deanza Blvd., Cupertino, CA, 95014"
}
]
Often the Installers are asked to assign Devices to Sites. The Sites can either be pre-created or created/modified by the Installer. If this is an update, the same grace period also applies.
PUT /api/v1/installer/orgs/:org_id/sites/:site_name
{
"timezone": "America/Los_Angeles",
"country_code": "US",
"latlng": { "lat": 37.295833, "lng": -122.032946 },
"address": "1601 S. Deanza Blvd., Cupertino, CA, 95014"
"rftemplate_name": "rftemplate1",
"sitegroup_names": ["sg1", "sg2"]
}
CRUD APIs for Maps works exactly the same way as those in Sites
GET /api/v1/installer/orgs/:org_id/sites/:site_name/maps
POST /api/v1/installer/orgs/:org_id/sites/:site_name/maps/:id
PUT /api/v1/installer/orgs/:org_id/sites/:site_name/maps/:id
DELETE /api/v1/installer/orgs/:org_id/sites/:site_name/maps/:id
Import data from files is a multipart POST which has an file, an optional json, and an optional csv, to create floorplan, assign & place ap if name or mac matches
POST /api/v1/installer/orgs/:org_id/sites/:site_name/maps/import
A multi-part POST
"json": a JSON string, vendor option: ekahau, ibwave, import_all_floorplans: optional, false by default,
import_height: optional, default: true, import_orientation: optional, default: true
"file": a binary file, option: .esx
"csv": a csv file for ap name mapping, optional
// for the JSON payload
{
"vendor_name": "ekahau",
"import_all_floorplans": true // optional
"import_height": true, // optional
"import_orientation": false // optional
}
Vendor AP name,Mist AP Mac
US Office AP-2 - 5c:5b:35:00:00:02,5c5b35000002
{
"site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"aps": [
{
"mac": "5c5b35000001",
// placed
"action": "placed"
"map_id": "845a23bf-bed9-e43c-4c86-6fa474be7ae5"
// assigned to a site and placed
"action": "assigned-placed",
// named and placed
"action": "named-placed"
// assigned, named and placed
"action": "assigned-named-placed"
// if we ignore it (did nothing with it)
"action": "ignored",
// floorplan id, height, orientation for ignored ap
"floorplan_id": "cbdb7f0b-3be0-4872-88f9-58790b509c23-j68kows8"
"orientation": 45,
"height": 3
"reason": "not found on site" // "not found in inventory"
}
],
"floorplans": [
{
// whatever ID vendor has
"id": "cbdb7f0b-3be0-4872-88f9-58790b509c23-j68kows8",
"name": "map1",
// we only import the floorplan if at least one of the AP is being placed by default
"action": "imported",
"map_id": "845a23bf-bed9-e43c-4c86-6fa474be7ae5",
"action": "ignored",
"reason": "no aps placed"
}
],
"summary": {
"num_ap_assigned": 1,
"num_map_assigned": 1,
"num_inv_assigned": 1
}
}
Locate a Device by blinking it’s LED, it’s a persisted state that has to be stopped by calling Stop Locating API
POST /api/v1/installer/orgs/:org_id/devices/:mac/locate
POST /api/v1/installer/orgs/:org_id/devices/:mac/unlocate
After installation is considered complete (APs are placed on maps, all powered up), you can trigger an optimize operation where RRM will kick in (and maybe other things in the future) before it’s automatically scheduled.
GET /api/v1/installer/sites/:site_name/optimize
This mirrors GET /api/v1/sites/:site_id/devices/:device_id/vc (see Virtual Chassis API)
where site_id and device_id are replaced with fpc0_mac
GET /api/v1/installer/orgs/:org_id/devices/:fpc0_mac/vc
This mirrors POST /api/v1/sites/:site_id/devices/:device_id/vc (see Virtual Chassis API) where site_id and device_id are replaced with fpc0_mac
POST /api/v1/installer/orgs/:org_id/devices/:fpc0_mac/vc
{
"preprovisioned": true,
"members": [
{
"mac": "aff827549235", // fpc0, same as fpc0_mac
"vc_role": "master",
"member_id": 0,
"vc_ports": ["xe-0/1/0", "xe-0/1/1"]
},
{
"mac": "8396cd006c8c",
"vc_role": "linecard",
"member_id": 1,
"vc_ports": ["xe-0/1/0"],
},
{
"mac": "8396cd00888c",
"vc_role": "backup",
"member_id": 2,
"vc_ports": ["xe-0/1/0"]
}
]
}
This mirrors PUT /api/v1/sites/:site_id/devices/:device_id/vc (see Virtual Chassis API)
where site_id and device_id are replaced with fpc0_mac
PUT /api/v1/installer/orgs/:org_id/devices/:fpc0_mac/vc
{
"op": "preprovision",
"members": [
{
"mac": "aff827549235", // fpc0, same as fpc0_mac of current VC
"vc_role": "master",
"member_id": 0,
"vc_ports": ["xe-0/1/1"] // enabling vc port xe-0/1/1 on member 0
},
{
"mac": "8396cd006c8c",
"vc_role": "linecard",
"member_id": 1
},
{
"mac": "8396cd00888c",
"vc_role": "backup",
"member_id": 2,
"vc_ports": ["xe-0/1/0"] // enabling vc port xe-0/1/1 on member 2
}
]
}
GET /api/v1/installer/orgs/:org_id/deviceprofiles?type=ap
| Name | Type | Description |
|---|---|---|
type |
string |
device type, ap (default) / switch / gateway |
[
{
"id": "6f4bf402-45f9-2a56-6c8b-7f83d3bc98e9",
"name: "DeviceProfile 1",
"type": "ap" // device type, ap (default) / switch / gateway
}
]
Attach up to 3 images to a device
POST /api/v1/installer/orgs/:org_id/devices/:mac/image1
POST /api/v1/installer/orgs/:org_id/devices/:mac/image2
POST /api/v1/installer/orgs/:org_id/devices/:mac/image3
A multi-part POST
"file": a binary file
Delete background image for Portal
DELETE /api/v1/installer/orgs/:org_id/devices/:mac/image1
DELETE /api/v1/installer/orgs/:org_id/devices/:mac/image2
DELETE /api/v1/installer/orgs/:org_id/devices/:mac/image3
GET /api/v1/installer/orgs/:org_id/rftemplates
[
{
"id": "bb8a9017-1e36-5d6c-6f2b-551abe8a76a2",
"name: "RFTemplate 1"
}
]
GET /api/v1/installer/orgs/:org_id/sitegroups
[
{
"id": "581328b6-e382-f54e-c9dc-999983183a34",
"name: "SiteGroup 1"
}
]
GET /api/v1/installer/orgs/:org_id/alarmtemplates
[
{
"id": "684dfc5c-fe77-2290-eb1d-ef3d677fe168",
"name: "AlarmTemplate 1"
}
]
RF Templates are designed to make Radio Configs more consistent across Sites - by creating a RF Templates with desired settings and apply it to Sites. AP/Device-level overwrite can still be done.
NOTE: country_code, if specified, will take precedence over one defined in the Site
GET /api/v1/orgs/:org_id/rftemplates
POST /api/v1/orgs/:org_id/rftemplates
GET /api/v1/orgs/:org_id/rftemplates/:rftemplate_id
PUT /api/v1/orgs/:org_id/rftemplates/:rftemplate_id
DELETE /api/v1/orgs/:org_id/rftemplates/:rftemplate_id
{
"name": "5G-Restricted",
"country_code": "US",
"band_24": {
"disabled": false,
"channels": [ 1, 6, 11 ],
"bandwidth": 20,
"power": 16
},
"band_5": {
"disabled": false,
"channels": null,
"bandwidth": 40,
"power": 0,
"preamble": "short",
"power_min": 10,
"power_max": 18
},
"band_6": {
"disabled": false,
"channels": null,
"bandwidth": 40,
"power": 0,
"preamble": "short",
"power_min": 10,
"power_max": 18
},
"model_specific": {
"AP61": {
"band_5": {
"disabled": false,
"channels": [ 100, 104 ],
"bandwidth": 40,
"power": 0
}
}
}
}
| Name | Type | Description |
|---|---|---|
name |
string |
The name of the RF template |
country_code |
string |
optional, country code to use. If specified, this gets applied to all sites using the RF Template |
model_specific |
object |
overwrites for a specific model. If a band is specified, it will shadow the default. |
channels |
list |
list of channels, null or empty array means auto |
bandwidth |
int |
channel width for the band, 20 / 40 / 80 / 160, 80 is only applicable for band_5 and 160 is only for band_6 |
power |
int |
tx power of the radio, 0 mean auto |
power_min |
int |
when power=0, min tx power to use, HW-specific values will be used if not set |
power_max |
int |
when power=0, max tx power to use, HW-specific values will be used if not set |
preamble |
string |
short / long / auto, default is short |
Network template is intended to be applied to a Site. It works like a blueprint of the network of the site.
All Site Settings can go into Network Templates. See Site:Site Setting for schema
Moreover, this can further be overwritten by individual Site Setting
POST /api/v1/orgs/:org_id/networktemplates
GET /api/v1/orgs/:org_id/networktemplates/:networktemplate_id
PUT /api/v1/orgs/:org_id/networktemplates/:networktemplate_id
DELETE /api/v1/orgs/:org_id/networktemplates/:networktemplate_id
{
"name": "xxx",
"networks": {
// default is assumed, cannot be changed
"default": {
"vlan_id": 1
},
// create more
"corp": {
"vlan_id": 600
},
"guest": {
"vlan_id": 700
},
"mgmt": {
"vlan_id": 500
}
},
// optional, the Org Networks that we'd like to import
"import_org_networks": ["ap", "iot"],
// mist_nac: enable mist_nac to use racsec
"mist_nac": {
"enabled": true,
"network": "default"
}
"radius_config": {
"auth_servers_timeout": 5,
"auth_servers_retries": 3,
"auth_servers": [
{
"host": "1.2.3.4",
"port": 1812,
"secret": "testing123"
},
{
"host": "radius.internal",
"port": 1812,
"secret": "testing123"
}
],
"acct_servers": [
{
"host": "1.2.3.4",
"port": 1812,
"secret": "testing123"
}
],
"acct_interim_interval": 0,
// Enable COA. Default is false. When coa_port is not specified, 3799 is the default value.
“coa_enabled”: true,
“coa_port”: 3799,
// which network the RADIUS server resides, if there's static IP for this network,
// we'd use it as source-ip
"network": "default"
// or specifiy "source_ip" directly
"source_ip": "192.168.3.5"
},
"dns_servers": [ "8.8.8.8", "4.4.4.4" ],
"dns_suffix": [ ".mist.local", ".mist.com" ],
"port_usages": {
"ap": {
// the following parameter is assumed by default
"mode": "trunk",
"all_networks": true,
"stp_edge": true,
"port_network": "default",
"mtu": 9192,
// to limit networks it trunks
"all_networks": false,
"networks": [ "guest", "corp" ],
// to change the native network
"port_network": "mgmt"
// to make the port disabled
"disabled": true,
// if alternative name is desired
"description": "WAP"
},
"uplink": {
// the following parameter is assumed by default
"mode": "trunk",
"all_networks": true,
"stp_edge": false,
"port_network": null,
"enable_qos": false,
},
"iot": {
// the following parameter is assumed by default
"mode": "access",
"stp_edge": true,
"port_network": "default",
// if DHCP snooping is enabled, DHCP server is allowed
"allow_dhcpd": true,
},
"default": {
// the following parameter is assumed by default and cannot be changed
"mode": "access",
"stp_edge": false, // we don't know how it will be connected at default state, not doing anything
"port_network": "default"
},
"disabled": {
// mode to disable port
// the following parameter is assumed by default
"disabled": true,
}
"dynamic": {
// this is a special mode where the actually usage is determined
// by a set of rules
// the port will start with `access` mode and isolated
// depending on the rules, if resolved, the port will have
// the resolved usage applied.
//
// if the port/link goes down, it goes back to the initial state
"mode": "dynamic",
// Control when the DPC port should be changed to the default port usage
// Configuring to none will let the DPC port keep at the current port usage.
// The default value is link_down
"reset_default_when": "none", // none or link_down.
"rules": [
// use LLDP attributes
{
"src": "lldp_system_name", // or lldp_chassis_id
"expression": "[0:3]", // "abcdef" -> "abc"
"split(.)[1]", // "a.b.c" -> "b"
"split(-)[1][0:3], // "a1234-b5678-c90" -> "b56"
"equals": "SENSOR",
"usage": "iot"
},
// use equals_any to match any item in a list
{
"src": "lldp_chassis_id",
"expression": "[0:17]",
“equals_any”: [“00:11:22:33:44:55", “00:11:22:33:44:66”, “00:11:22:33:44:77"],
"usage": "iot"
},
// use RADIUS (WIP)
{
"src": "radius_username", // or radius_group
"expression": "[0:3]", // "abcdef" -> "abc"
"split(.)[1]", // "a.b.c" -> "b"
"split(-)[1][0:3], // "a1234-b5678-c90" -> "b56"
"equals": "SENSOR"
"usage": "iot"
},
]
},
// additional usages can be defined
"user": {
"mode": "access",
"stp_edge": true,
// 802.1x
"port_auth": "dot1x",
"enable_mac_auth": false,
"mac_auth_protocol": "eap-md5", // eap-md5 (default) / pap / eap-peap. This type is ignored if mist_nac is enabled.
"guest_network": null,
"bypass_auth_when_server_down": false,
},
},
"group_tags": {
},
"switch_matching": {
"enable": true,
"rules": [
{
"name": "match by name",
"match_name[0:3]": "abc",
"match_model": "EX4300",
"port_config": {
"ge-0/0/0": {
"usage": "uplink"
},
"ge-0/0/8-16,ge-1/0/0-47": {
"usage": "ap"
},
// this is assumed
"*": {
"usage": "default"
}
},
// additional CLI commands to append if this rule matches
// NOTE: no check is done
"additional_config_cmds": [
"set snmp community public"
],
"port_mirroring": {
"port_mirror": {
"input_port_ids_ingress": ["ge-0/0/4"],
"input_networks_ingress": ["test"],
"input_port_ids_egress": ["ge-0/0/5", "ge-0/0/6"],
"output_port_id": "ge-0/0/3",
},
"port_mirror_test": {
"input_port_ids_ingress": ["ge-0/0/3"],
"input_networks_ingress": ["iot"],
"input_port_ids_egress": ["ge-0/0/22", "ge-0/0/21"],
"output_port_id": "ge-0/0/4",
},
"port_mirror_test_2": {
"ingress_port_ids": ["ge-0/0/11"],
"egress_port_ids": ["ge-0/0/12"],
"output_ip_address": "1.2.3.4",
}
},
"stp_config": {
"bridge_priority": "8k"
},
"switch_mgmt": {
"config_revert_timer": 5,
// Enable to provide the FQDN with DHCP option 81. Default is false
"dhcp_option_fqdn": false
// use mxedge as proxy
"use_mxedge_proxy": true,
"mxedge_proxy_host": "1.1.1.1",
"mxedge_proxy_port": 2222, // optional, default is 2222
"ap_affinity_threshold": 10,
"cli_idle_timeout": 20,
"cli_banner": "\t\tW A R N I N G !!!!!!!",
"local_accounts": {
"user1": {
"role": "admin", // none (default) / admin / read / helpdesk
"password": "Juniper123" // optional
},
},
"fips_enabled": true // default is false
}
},
{
"name": "match by role",
"match_role": "access",
"port_config": {
"ge-0/0/0": {
"usage": "uplink"
}
},
// additional CLI commands to append if this rule matches
// NOTE: no check is done
"additional_config_cmds": [
"set snmp community public2"
]
},
{
"name": "access-no-out-of-band",
"match_role": "access",
"match_model[0:6]": "EX2300"
"switch_mgmt": {
"disable_oob_down_alarm": true
}
}
]
},
"optic_port_config": {
"et-0/0/0": {
"speed": "25g",
"channelized": True // enable channelization
}
"et-0/0/1": {
"speed": "25g" // do chassis speed by default
}
}
"snmp_config":{
"enabled": true, // enable or disable
"name": "TGH-1K-QFX10K",
"location": "Las Vegas, NV",
"description": "Juniper QFX Series Switch - 1K_5LA",
"contact": "cns@juniper.net",
"network": "default",
"client_list": [
{
"client_list_name": "clist-1",
"clients": [
"151.140.101.218/32",
"151.140.2.179/32"
]
}
],
"views":[
{
"view_name":"all",
"oid": "1.3.6.1",
"include": true //oid 1.3.6.1 include"
}
],
"engine_id_type": "local", // local (default) / use_mac_address
"engine_id": "engine-id-suffix", // if engine_id_type is local, this is the suffix to use
"trap_groups": [
{
"group_name": "profiler",
// Categories list can refer to https://www.juniper.net/documentation/software/topics/task/configuration/snmp-trap-groups-configuring-junos-nm.html
"categories": [
"link", "authentication"
],
"targets": [
"172.29.158.19",
"172.29.146.73"
],
//version can be v1, v2 and all
"version": "v2"
}
],
"v2c_config": [
{
"community_name": "abc123",
"authorization": "read-only",
"view": "all" //view name here should be defined in views above
},
{
"community_name": "abc1233",
//client_list_name here should refer to client_list above
"client_list_name": "clist-1"
}
],
"v3_config": {
"usm": [
{
"engine_type": "remote_engine | local_engine",
"remote_engine_id": "00:00:00:0b:00:00:70:10:6f:08:b6:3f <remote engine required only>",
"users": [
{
"name": "m01620",
"authentication_type": "authentication-md5 | authentication-sha | authentication-sha224 | authentication-sha256 | authentication-sha384 | authentication-sha512 | authentication-none", //sha224, sha256, sha384, sha512 are supported in 21.1 and newer release
"authentication_password": "at least eight characters long, include alphabetic, numeric, and special characters, but it cannot include control characters. <Don't require if type is none>",
"encryption_type": "privacy-aes128 | privacy-des | privacy-3des | privacy-none",
"encryption_password": "at least eight characters long, include alphabetic, numeric, and special characters, but it cannot include control characters. <Don't require if type is none>",
}
]
}
],
"vacm": {
"access": [
{
"group_name": "group_name",
"prefix_list": [
{
"type": "default_context_prefix | context_prefix",
"context_prefix": "iil <needed only type is context_prefix>",
"security_model": "any | usm | v1 | v2c",
"security_level": "privacy | authentication | none",
"notify_view": "all <refer to above view name>",
"read_view": "all <refer to above view name>",
"write_view": "all <refer to above view name>"
}
]
}
],
"security_to_group": {
"security_model": "usm | v1 | v2c",
"content":[
{
"security_name": "security_name",
"group": "group_name, <refer to above group_name under access>"
}
]
}
},
"notify": [
{
"name": "notify_name",
"tag": "tag_name",
"type": "trap | inform"
}
],
"notify_filter": [
{
"profile_name": "notify_name",
"contents": [
{
"oid": "1.3.6.1.4.1",
"include": true //oid object-identifier (include | exclude)
}
]
}
],
"target_parameters": [
{
"name": "target_parameters_name",
"notify_filter": "profile_name <refer to profile-name in notify-filter above>",
"message_processing_model": "v1 | v2c | v3",
"security_level": "authentication | none | privacy",
"security_model": "usm | v1 | v2c",
"security_name": "m01620 <refer to security_name in usm>"
}
],
"target_address": [
{
"target_address_name": "target_address_name",
"address": "address",
"address_mask": "address_mask",
"port": 161,
"tag_list": "tag name <refer to notify tag above, can be multiple with blank>",
"target_parameters": "target_parameters <refer to notify target parameters name above>"
}
]
}
}
}
GET /api/v1/orgs/:org_id/aptemplates/:aptemplate_id
PUT /api/v1/orgs/:org_id/aptemplates/:aptemplate_id
DELETE /api/v1/orgs/:org_id/aptemplates/:aptemplate_id
{
"ap_matching": {
"enabled": true,
"rules": [
{
"name": "AP12",
"match_model": "AP12",
"port_config": {
"eth1,eth2": {
// see Device Config's port_config
}
}
},
}
},
"wifi": {
"enabled": true,
"mesh_enabled": true,
"mesh_allow_dfs": false,
"mesh_enable_crm": false
"cisco_enabled": true,
"proxy_arp": "default",
"enable_arp_spoof_check": false,
"locate_connected": false,
"locate_unconnected": false,
"enable_shared_radio_scanning": false,
"disable_11k": false,
"disable_radios_when_power_constrained": false,
},
}
Site template is intended to be applied to a Site. The items in site setting which should be shared for all device types.
POST /api/v1/orgs/:org_id/sitetemplates
GET /api/v1/orgs/:org_id/sitetemplates/:sitetemplate_id
PUT /api/v1/orgs/:org_id/sitetemplates/:sitetemplate_id
DELETE /api/v1/orgs/:org_id/sitetemplates/:sitetemplate_id
{
"name": "template_000",
"vars": {
"VLAN_ID': "2345",
"SSID_STR': "mist"
},
"auto_upgrade": {
"enabled": true,
"version": "stable",
"time_of_day": "01:00",
"day_of_week": "mon"
}
}
Mist provides many ways (device-type specific template, site template, device profile, per-device) to configure devices for different kind of scenarios.
The precedence goes from most specific to least specific
Device > Device Profile > RFTemplate (for AP only) > DeviceType-specific Template > Site Template > Site Setting
In some scenarios, you may want to have EVPN topologies across sites. For usage, seesee Site:EVPN
GET /api/v1/orgs/:org_id/evpn_topologies
POST /api/v1/orgs/:org_id/evpn_topologies
GET /api/v1/orgs/:org_id/evpn_topologies/:evpn_topology_id
PUT /api/v1/orgs/:org_id/evpn_topologies/:evpn_topology_id
DELETE /api/v1/orgs/:org_id/evpn_topologies/:evpn_topology_id
Networks are usually subnets that have cross-site significance. They will got merged into networks in and Site Setting
For gateways, they can be used to define Service Routes.
POST /api/v1/orgs/:org_id/networks
GET /api/v1/orgs/:org_id/networks/:network_id
PUT /api/v1/orgs/:org_id/networks/:network_id
DELETE /api/v1/orgs/:org_id/networks/:network_id
{
"name": "store",
"vlan_id": 70,
"subnet": "192.168.70.0/24",
"gateway": "192.168.70.1",
"subnet6": "fdad:b0bc:f29e::/32",
"gateway6": "fdad:b0bc:f29e::1",
// whether to allow clients in the network to talk to each other
"isolation": false,
// whether to disallow Mist Devices in the network
"disallow_mist_services": false, // default is false
// for a Network (usually LAN), it can be routable to other networks (e.g. OSPF)
"routed_for_networks": ["pos"],
// whether this network has direct internet access
"internet_access": {
"static_nat": {
"63.16.0.1": {"internal_ip": "192.168.70.3", "name": "printer-1"},
"63.16.0.32/30": {"internal_ip": "192.168.70.16/30", "name": "pos-stations"},
},
"destination_nat": {
":2222": {"internal_ip": "192.168.70.30", "name": "ssh", "port": 22},
"63.16.0.3:443": {"internal_ip": "192.168.70.5", "name": "web server", "port": 443}
},
// a quick way to enable this network to access Internet
"create_simple_service_policy": false // default is false
},
// whether this network can be accessed from vpn
"vpn_access": {
"data-center": {
"routed": true, // whether this network is routable
"allow_ping": false, // whether to allow ping from vpn into this routed network
// if routable = false (usually at Spoke), but some hosts needs to be reachable from Hub
"nat_pool": "172.16.0.0/26", // a subnet is required to create and advertise the route to Hub
"source_nat": {
"external_ip": "172.16.0.8/30"
},
"static_nat": {
"172.16.0.1": {"internal_ip": 192.168.70.3", "name": "pos-station-1"},
"172.16.0.2": {"internal_ip": 192.168.70.8", "name": "pos-station-2"}
"172.16.0.12/30": {"internal_ip": 192.168.70.12/30", "name": "pos-stations"}
},
"destination_nat": {
"172.16.0.5/30": {"internal_ip": "192.168.70.5/30", "name": "web server"}
"172.16.0.3:8443": {"internal_ip": "192.168.70.5", "name": "web server", "port": 443}
},
// if routed=true, whether to advertise an aggregated subnet toward HUB
// this is useful when there are multiple networks on SPOKE's side
"advertised_subnet": "172.16.0.0/24",
// optionally, how HUB should deal with routes it received from Spokes
// 1. toward overlay
"no_readvertise_to_overlay": false,
"summarized_subnet": "172.16.0.0/16",
// by default, the routes are only readvertised toward the same vrf on spoke
// to allow it to be leaked to other vrfs
"other_vrfs": [ "iot" ],
// 2. toward LAN-side BGP peers
"no_readvertise_to_lan_bgp": false,
"summarized_subnet_to_lan_bgp": "172.16.0.0/16"
// 2. toward LAN-side OSPF peers
"no_readvertise_to_lan_ospf": false,
"summarized_subnet_to_lan_ospf": "172.16.0.0/16"
}
},
// whether to enable multicast support (only PIM-sparse mode is supported)
"multicast": {
"enabled": true, // default is false
// group address to RP (rendezvous point) mapping
"groups": {
"225.1.0.3/32": {
"rp_ip": "10.10.0.5"
}
}
// if the network will only be the soruce of the multicast traffic, IGMP can be disabled
"disable_igmp": false // default is false
},
"tenants": {
"pos-stations": {
"addresses": ["192.168.70.16/30"]
},
"printer-1": {
"addresses": ["192.168.70.3"]
},
}
}
/api/v1/orgs/:org_id/services
{
"name": "dc_service",
"description": "optional",
"type": "custom", // custom (default) / apps / app_categories
// when type = custom, ip subnet
"addresses": ["10.0.0.0/8", "172.21.0.0/16", "2001:db8:abcd:12::/64", "fd28::/128"], // the subnets where the service resides (if more specific is required)
"specs": [
{
"protocol": "tcp", // tcp / udp / icmp / gre / any / ":protocol_number", `protocol_number` is between 1-254, default is `any`
"port_range": "80" // or
}
],
// when type = custom, web filtering
"hostnames": ["example.com", "*.google.com"], // the hostnames
// specs is optional, if it doesn't exist, http and https is assumed. If non-standard http/https ports are used
"specs": [
{
"protocol": "tcp",
"port_range": "8080,8443"
}
],
// when type = apps
"name": "allowed_apps",
"apps": [ "office365", "okta"], // list of applications are available through
/const/applications,
/insight/top-app-by-bytes?wired=true or
/const/gateway_applications
// when type = app_categories
"name": "allowed_app_categories",
"app_categories": [ "Sports"], // list of application categories are available through /const/app_categories
"app_subcategories": [ "Shopping" ], // list of application sub-categories are available through /const/app_subcategories
// when type = urls
"type": "urls",
"urls": ["http://example.com", "*.google.com"], // no need for spec as URL can encode the ports being used.
// when type=apps, we'll choose traffic_type automatically
// when type=addresses/hostnames, you can provide your own settings, also optionally,
"traffic_type": "data_best_effort", // data_best_effort (default) / ... (from /const/traffic_types) / custom
// when traffic_type is `custom`
"failover_policy": "revertable", // revertable (default) / non_revertable / none
"traffic_class": "best_effort", // best_effort (default) / high / medium / low
"dscp": 46,
"max_latency": 100,
"max_jitter": 30,
"max_loss": 1,
"ssr_relaxed_tcp_state_enforcement": true, // default is false
// bandwidth limiting - SSR only
"service_limit_up": 300000, // 0-107374182, optional, default is unlimited, in kbps
"service_limit_down": null, // 0-107374182, optional, default is unlimited, in kbps
"client_limit_up": 300000, // 0-107374182, optional, default is unlimited, in kbps
"client_limit_down": 100000, // 0-107374182, optional, default is unlimited, in kbps
}
VPN object represents an overlay network where gateways can participate in and optionally expose routes to.
/api/v1/orgs/:org_id/vpns
{
// type = hub_spoke (default)
"name": "data-center",
"type": "hub_spoke",
"paths": {
"dc1-broadband": {
},
"dc1-mpls": {
},
"dc2-broadband": {
},
"dc2-pod2-broadband": {
"pod": 2 // default is 1, 1-128
}
},
"path_selection": {
"strategy": "disabled", // disabled (default) / simple / manual
},
// type = mesh
"name": "mesh-useast",
"type": "mesh",
"paths": {
// the path offered
“wan0": {
“peer_paths”: {
// preference indicates which outgoing wan should be preferred
“wan0”: { “preference”: 2 }
“wan1”: { “preference”: 1 }
},
// behavior of this mesh path
"bfd_profile": "lte", // broadband (default) / lte
"bfd_use_tunnel_mode": true, // false (default), whether to use tunnel mode. SSR only
"traffic_shaping": {
"enabled": true,
"max_tx_kbps": 3000, // 3Mbps
// percentages for differet class of traffic: high / medium / low / best-effort
// adding up to 100
"class_percentages": [ 80, 10, 9, 1 ] // default is [80, 10, 9, 1 ]
}
},
“wan1”: {
“peer_paths”: {
“wan1”: { “preference”: 2 }
}
},
“mpls”: {
“peer_paths”: {
“mpls”: { “preference”: 1 }
}
}
}
/*
gateways participating will
// 1. defines which WAN port will join a mesh and how (meshlink_name)
"port_config": {
"ge-0/0/0": {
"usage": "wan",
"name": "wan0",
...
"vpn_paths": {
"wan0.mesh-useast": {
"role": "mesh" // assumed
},
...
},
}
}
// 2. path preference
“path_preference”: {
“to_mesh”: {
“strategy”: “ordered”, // ordered (default) / weighted / ecmp
“paths”: [
{
“type”: “vpn”,
“name”: “wan0.mesh1”
},
// ... path by hub-spoke-vpn or wan ...
]
}
}
*/
}
/api/v1/orgs/:org_id/servicepolicies
{
"name": "DC-APPs",
"tenants": ["pos.store", "camera.store"],
"services": ["dc-apps"],
"action": "allow", // allow (default) / deny
}
/api/v1/orgs/:org_id/idpprofiles
{
"name": "relaxed",
"base_profile": "strict", // strict (default) / standard
// overwrites takes precedence over the base_profile
"overwrites": [
{
"matching": {
"severity": [ "major" ], // critical / major / minor / info
"attack_name": [ "HTTP:INVALID:HDR-FIELD" ]
"dst_subnet": [ "63.1.2.0/24" ],
},
"action": "alert", // alert (default) / drop (siliently dropping packets) / close (notify client/server to close connection)
}
]
}
/api/v1/orgs/:org_id/avprofiles
{
"name": "av-custom",
"url_whitelist": [],
"mime_whitelist": [],
"fallback_action": "permit", // permit / block
"max_filesize": 10000 // 20-40000 (KB)
"protocols": [] // ftp / http / imap / pop3 / smtp
}
/api/v1/orgs/:org_id/aamwprofiles
{
"name": "aamw-custom",
// sky atp file scanning parameters
"categories": [{
"category": "executable" // archive / document / pdf / executable / rich_application / library / os_package / mobile / java / configuration / script
"hash_lookup_only": false, // default false, false / true
}]
"verdict_threshold": 8, // default 8, minimum: 1, maximum: 10
"file_action": "block", // default block, block / permit
"fallback_action": "block", // default block/ permit / block
}
/api/v1/orgs/:org_id/secintelprofiles
{
"name": "secintel-custom",
"profiles": [{"category": "CC", // CC / IH (Infected host) / DNS
"action": "default" // default / standard / strict
}]
}
Gateway Template is applied to a site for gateway(s) in a site.
POST /api/v1/orgs/:org_id/gatewaytemplates
GET /api/v1/orgs/:org_id/gatewaytemplates/:gatewaytemplate_id
PUT /api/v1/orgs/:org_id/gatewaytemplates/:gatewaytemplate_id
DELETE /api/v1/orgs/:org_id/gatewaytemplates/:gatewaytemplate_id
{
"name": "xxx",
"type": "standalone", // standalone (default) / spoke / hub
"networks": {
// additional networks that are not already defined from Networks
},
"port_config": {
// WAN
"ge-0/0/0": {
"usage": "wan",
"name": "wan0",
"critical": false, // default is false, if want to generate port up/down alarm, set it to true
"wan_disable_speedtest": false, // default is false. to disallow marvis/ scheduler to run speedtest on this port, set it to true
"description": "towards ISP”,
"wan_type": "broadband", // broadband (default), dsl, lte
"ip_config": {
"type": "dhcp", // dhcp (default) / static / pppoe
// if type=pppoe
"pppoe_auth": "none", // none (default) / chap / pap
"pppoe_username": "u13534",
"pppoe_password": "foryoureyesonly",
// for ipv6
"type6": "static", // autoconf (default) / dhcp / static
"ip6": "2601:1700:43c0:dc0:20c:29ff:fea7:93bc",
"netmask6": "/64",
"gateway6": "2601:1700:43c0:dc0::1",
},
// optional, if spoke should reach this port by a different IP
"wan_ext_ip": "64.2.4.3",
"wan_ext_ip6": "2601:1700:43c0:dc0::10",
// optional, by default, source-NAT is performed on all WAN Ports using the interface-ip
"wan_source_nat": {
// if alternative nat_pool is desired
"nat_pool": "64.2.4.0/30",
"nat6_pool": "2601:1700:43c0:dc0:20c:29ff:fea7:93bc/126",
// or to disable the source-nat
"disabled": false // default is false
},
"vpn_paths": {
"dc1-broadband.data-center": {
"role": "spoke", // spoke (default) / hub
"bfd_profile": "lte", // broadband (default) / lte
"bfd_use_tunnel_mode": true, // false (default), whether to use tunnel mode. SSR only
"traffic_shaping": {
"enabled": true,
"max_tx_kbps": 3000, // 3Mbps
// percentages for differet class of traffic: high / medium / low / best-effort
// adding up to 100
"class_percentages": [ 80, 10, 9, 1 ] // default is [80, 10, 9, 1 ]
},
// for a given VPN, when path_selection.strategy=simple, the preference for a path (lower is preferred)
"preference": 1
},
"wan0.mesh-useast": {
"role": "mesh" // assumed
// all other configs (bfd_profile, bfd_use_tunnel_mode, ...) is defined in the VPN object
}
},
// optionally, for WAN port, traffic_shaping can be performed
"traffic_shaping": {
"enabled": true,
// percentages for differet class of traffic: high / medium / low / best-effort
// adding up to 100
"class_percentages": [ 80, 10, 9, 1 ] // default is [80, 10, 9, 1 ]
},
// for 128T
"svr_port_range": "60000-60005", // none (default), 1025 - 65535
"ssr_no_virtual_mac": false, // default is false, when SSR is running as VM, this is required on certain hosting platforms
// other port settings
"speed": "1g", // auto (default)
"duplex": "full", // auto (default), full, and half
"disable_autoneg": false, // default is false
"poe_disabled": true, // default is false
"mtu": null, // default is null, between 552-1500 if specified
"disabled": false, // default is false, port admin up (false) / down (false)
// when wan_type = broadband
"wan_arp_policer": "recommended" // default (system default) / recommended / max
"wan_extra_routes": {
"100.100.100.0/24": {
"via": "64.2.4.1"
}
},
// for ipv6
"wan_extra_routes6": {
"2a02:1234:420a:10c9::/64": {
"via": "2a02:1234:200a::100"
}
},
"wan_probe_override": {
// when usage = wan
"ips": [ "10.173.5.3" ],
// for ipv6
"ip6s": ["2001:4860:4860::8844"],
"probe_profile": "broadband", // broadband (default)/ lte
},
// if some networks are connected to this WAN port, it can be added here so policies can be defined
"wan_networks": [ "ip-pool", "mpls-datacenter" ],
},
"cl-1/0/0": {
"usage": "wan",
"name": "lte",
"wan_type": "lte",
"lte_apn": "5ginternet",
"lte_auth": "none", // none (default) / chap / pap
"lte_username": "user1",
"lte_password": "pass",
"ip_config": {
"type": "dhcp" // dhcp (default), static
}
},
// DSL PPPoE (experimental)
"at-1/0/0": {
"usage": "wan",
"name": "dsl",
"wan_type": "dsl",
"dsl_type": "adsl" // vdsl (default), adsl
"dsl_vpi": 0 // 0 (default) 8 bit int
"dsl_vci": 35 // 35 (default) 16 bit int
"ip_config": {
"type": "dhcp" // dhcp (default), static
}
},
// LAN
"ge-0/0/1-5": {
"usage": "lan",
"networks": ["default", "guest", "pos"],
// whether to preserve dscp when sending traffic over VPN (SSR-only)
"preserve_dscp": true,
"port_network": "default"
},
// if WAN interface is on a VLAN (e.g. an MPLS link through uplink switch/router)
"ge-0/0/0.5": { // name suffixed with ".<vlan_id>"
"usage": "wan"
"name": "mpls",
"vlan_id": 5,
"outer_vlan_id": null // optional, for Q-in-Q
"ip_config": {
"type": "dhcp", // dhcp (default), static
}
"vpn_paths": {
"dc1-mpls.data-center": {
"role": "spoke"
}
},
// "wan_type" will be ignored
// "pci_address" will be ignored
},
},
"oob_ip_config": {
// out-of-band (vme/em0/fxp0) IP config
// same payload as `ip_config` except dns / dns_suffix
"vlan_id": xxx, // optional
"use_mgmt_vrf": true, // true (default) / false
// for host-out traffic (NTP/TACPLUS/RADIUS/SYSLOG/SNMP), if alternative source network/ip is desired,
"use_mgmt_vrf_for_host_out": false, // false (default), whether to use `mgmt_junos`
// for HA Cluster, node1 can have different IP Config
"node1": {
// same payload as `ip_config` except dns / dns_suffix
"vlan_id": xxx // optional, if different from parent
}
},
// all the IP configs on the LAN side
"ip_configs": {
"guest": {
"ip": "192.168.70.1",
"netmask": "/24",
// optional list of secondary IPs in CIDR format
"secondary_ips": [ "192.168.50.1/24", "192.168.60.1/26"],
"ip6": "2001:db8:abcd:12::1",
"netmask6": "/64"
},
},
"dhcpd_config": {
"guest": {
"type": "local", // local (default) / relay / none
"ip_start": "192.168.70.100",
"ip_end": "192.168.70.200",
"gateway": "192.168.70.1",
// optional, system one will be used
"dns_servers": [ "8.8.8.8", "4.4.4.4" ],
"dns_suffix": [ ".mist.local", ".mist.com" ],
// if using DHCP relay
"type": "relay",
"servers": ["11.2.3.4"]
// if using DHCPv6 server
"type6": "local" // none (default) / relay / local
"ip6_start": "2607:f8b0:4005:808::2",
"ip6_end": "2607:f8b0:4005:808::ff",
// if using DHCPv6 relay
"type6": "relay"
"serversv6": ["2607:f8b0:4005:808::64"]
}
},
"router_id": "10.2.1.10", // auto-assigned if unset
"path_preferences": {
"dc_path": {
"strategy": "ordered", // ordered (default) / weighted / ecmp
"paths": [
{
"type": "vpn",
"name": "dc1-broadband.data-center",
// optional, spoke's outgoing wan is desired
"wan_name": "wan0",
// optional params depending on strategy
"cost": 10,
// SSR only
"disabled": false // true if this specific path is undesired
},
{
"type": "vpn",
"name": "dc1-mpls.data-center",
},
{
"type": "vpn",
"name": "dc2-broadband.data-center",
}
}
},
"to_spoke": {
"strategy": "ordered", // ordered (default) / weighted / ecmp
"paths": [
{
"type": "vpn",
"name": "dc1-broadband.data-center",
// optional, spoke's outgoing wan is desired
"wan_name": "wan0",
// SSR only
"disabled": true // true if this specific path is undesired
}
}
},
"local_path": {
"strategy": "ecmp", // ordered (default) / weighted / ecmp
"paths": [
{
"type": "wan",
"name": "wan0"
},
{
"type": "wan"
"name": "lte"
},
{
// use mpls path to dc1 as backup
"type": "vpn"
"name": "dc1-mpls.data-center",
// additionally, if this vpn path can be used for internet
"internet_access": true // default is false
}
}
},
"local_breakout": {
"paths": [
{
"type": "tunnel",
"name": "zscalar"
},
{
"type": "wan",
"name": "wan0"
},
]
},
"customized": {
"paths": [
{
// it can also be local
"type": "local",
"networks": ["guest"],
// optional, if a different gateway is desired
"gateway_ip": "192.168.30.5",
// optional, if destination IP is to be replaced
"target_ips": ["30.1.2.5"]
}
]
}
},
"tunnel_provider_options": {
"jse": {
// for jse-ipsec
// this allow provisioning of adequate resource on JSE. Make sure adequate licenses are added
"num_users": 5
"org_name": "JSE_ORG1", // optional
"region": "auto", // auto (default) / africa / asia / europe / north_america / south_america / oceania
},
"prisma": {
// for prisma-ipsec
"service_account_name": "sa1@1823425211", // service account name to used for tunnel auto provisioning
},
"zscalar": {
// for zscaler-ipsec and zscaler-gre
// see https://help.zscaler.com/zia/configuring-locations
"use_xff": false, // location uses proxy chaining to forward traffic
"enforce_authentication": false, // default is false
// when enforce_authentication=false
"enable_caution": false, // display caution notification for non-authenticated users, default is false
"enable_aup": false, // display Acceptable Use Policy (AUP), default is false, use_xff has to be true
"aup_acceptance_required": true, // default is true
"aup_ssl_proxy": false, // proxy HTTPs traffic, requiring Zscaler cert to be installed in browser, default is false
"aup_expire": 2, // days before AUP is requested again, default is 1 day
// optional
"download_mbps": 200, // the download bandwidth cap of the link, in Mbps
"upload_mbps": 200, // the download bandwidth cap of the link, in Mbps
// if use_xff == true
"sub_locations": [
{
"name": "guest-wifi",
"subnets": ["172.16.8.0/24", "172.16.32.0/23"],
"enforce_authentication": false, // default is false
// when enforce_authentication=false
"enable_caution": false, // display caution notification for non-authenticated users, default is false
"enable_aup": false, // display Acceptable Use Policy (AUP), default is false, use_xff has to be true
"aup_acceptance_required": true, // default is true
"aup_ssl_proxy": false, // proxy HTTPs traffic, requiring Zscaler cert to be installed in browser, default is false
"aup_expire": 2, // days before AUP is requested again, default is 1 day
// optional
"download_mbps": 200, // the download bandwidth cap of the link, in Mbps
"upload_mbps": 200, // the download bandwidth cap of the link, in Mbps
}
]
},
},
"tunnel_configs": {
"zscalar": {
"provider": "zscaler-ipsec",
// if provider = zscaler-ipsec
"local_id": "{{ SITE_LOCAL_ID }}",
"psk": "{{ SITE_PRESHARED_KEY }}",
"primary": {
"hosts": [ "63.1.5.3" ],
"probe_ips": [ "1.1.1.1" ],
"wan_names": [ "wan0", "wan1" ]
},
"secondary": {
"hosts": [ "63.1.5.4" ],
"probe_ips": [ "2.2.2.2" ],
"wan_names": [ "wan1", "wan0" ]
},
// auto-provision (takes precedence)
"auto_provision": {
"enabled": true,
"latlng": { "lat": 37.295833, "lng": -122.032946 }, // overwrite can be given
"primary": {
"num_hosts": 2,
// optional, only needed if `vars_only`=false
"wan_names": ["wan0", "wan1"],
},
"secondary": null
},
"mode": "active-standby" // options are active-standby (default), active-active
},
"zscalar-gre": {
"provider": "zscaler-gre",
// if provider = zscaler-gre
"primary": {
"hosts": [ "216.66.5.49" ],
"internal_ips": [ "172.18.58.121" ],
"probe_ips": [ "172.18.58.122" ],
"wan_names": [
"wan0",
"wan1"
]
},
"secondary": {
"hosts": [ "199.168.149.179" ],
"internal_ips": [ "172.18.58.125" ],
"probe_ips": [ "172.18.58.126" ],
"wan_names": [
"wan0",
"wan1"
]
},
"mode": "active-standby" // options are active-standby (default), active-active
},
"jse-ipsec": {
"provider": "jse-ipsec",
// if provider = jse-ipsec
"local_id": "{{ SITE_LOCAL_ID }}",
"psk": "{{ SITE_PRESHARED_KEY }}",
"primary": {
"hosts": [ "63.1.5.3" ],
"probe_ips": [ "1.1.1.1" ],
"remote_ids": ["abcd@juniper.net"],
"wan_names": [ "wan0", "wan1" ]
},
"secondary": {
"hosts": [ "63.1.5.4" ],
"probe_ips": [ "2.2.2.2" ],
"remote_ids": ["edfg@juniper.net"],
"wan_names": [ "wan1", "wan0" ]
},
"mode": "active-standby" // options are active-standby (default), active-active,
},
"custom-ipsec": {
"provider": "custom-ipsec",
"protocol": "ipsec",
"local_id": "{{ SITE_LOCAL_ID }}",
"psk": "{{ SITE_PRESHARED_KEY }}",
"local_subnets": ["1.0.0.0/24", "2.0.0.1/32"], // Local protected subnet for policy-based IPSec negotiation
"remote_subnets": ["5.0.0.0/24", "6.0.0.1/32"], // Remote protected subnet for policy-based IPSec negotiation
"primary": {
"hosts": [ "63.1.5.3" ],
"probe_ips": [ "1.1.1.1" ],
"wan_names": [ "wan0" ]
},
"secondary": {
"hosts": [ "63.1.5.4" ],
"probe_ips": [ "2.2.2.2" ],
"wan_names": [ "wan0" ]
},
"mode": "active-standby" // options are active-standby (default), active-active
// customized ipsec parameters
"version": "2", // 2 (default) / 1
"ike_mode": "main", // main (default) / aggressive
"ike_proposals": [
{
"auth_algo": "sha2", // sha1, sha2, md5,
"enc_algo": "aes256", // 3des, aes128, aes256, aes_gcm256, aes_gcm128, null
"dh_group": "2" // 14 (default, 2048-bit) / 1 / 2 (1024-bit) / 5 / 15 (3072-bit) / 16 (4096-bit)
// 19 (256-bit ECP) / 20 (384-bit ECP) / 21 (521-bit ECP) / 24 (2048-bit ECP)
}
],
"ike_lifetime": 3600,
"ipsec_proposals": [
{
"auth_algo": "sha2", // sha1, sha2, md5,
"enc_algo": "aes256", // 3des, aes128, aes256, aes_gcm256, aes_gcm128, null
"dh_group": "2"
}
],
"ipsec_lifetime": 1800,
// networks reachable via this tunnel
"networks": [
"ntwk",
"protected-net"
],
"probe": {
"type": "icmp", // icmp (default) / http
"interval": 120, // how often to trigger the probe
"threshold": 3, // number of consecutive misses before declaring the tunnel down
"timeout": 20 // time within which to complete the connectivity check
}
},
"custom-gre": {
"provider": "custom-gre",
"protocol": "gre",
"primary": {
"hosts": [ "216.66.5.49" ],
"internal_ips": [ "172.18.58.121" ],
"probe_ips": [ "172.18.58.122" ],
"wan_names": [
"wan0",
"wan1"
]
},
"secondary": {
"hosts": [ "199.168.149.179" ],
"internal_ips": [ "172.18.58.125" ],
"probe_ips": [ "172.18.58.126" ],
"wan_names": [
"wan0",
"wan1"
]
},
"mode": "active-standby" // options are active-standby (default), active-active
},
"prisma-ipsec": {
"provider": "prisma-ipsec",
// networks reachable via this tunnel
"networks": [
"corp-network",
"protected-network"
],
"auto_provision": {
"enabled": true,
// by default, we'll use the location of the site to determine the optimal Remote Network location.
// optionally, service_connection can be considered, then we'll also consider this along with the site location
"service_connection": "Juniper-Lab-SC-1", // Define service_connection if the traffic is to be routed to a specific service connection.
// This field takes a service connection name that is configured in the Prisma cloud, Prisma Access Setup -> Service Connections.
// in the case user wants to override the auto discovery of remote network location and force the tunnel to use the specified peer location.
"region": "us-west-1", // auto(default) / us-west-1 / us-east-1 / eu-central-1 / ap-southeast-1 /..
// https://docs.paloaltonetworks.com/prisma/prisma-access/3-0/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/list-of-prisma-access-locations/list-of-locations-by-compute-location
"primary": {
"probe_ips": [
"8.8.8.8"
],
"wan_names": [
"wan0"
]
}
}
}
},
"idp_profiles": {
"relaxed": {
"base_profile": "strict", // strict (default) / standard
// overwrites takes precedence
"overwrites": [
{
"matching": {
"severity": [ "major" ], // critical / major / minor / info
"attack_name": [ "HTTP:INVALID:HDR-FIELD" ]
"dst_subnet": [ "63.1.2.0/24" ],
},
"action": "alert", // alert (default) / drop (siliently dropping packets) / close (notify client/server to close connection)
}
]
}
},
// when a service policy denies a app_category, what message to show in user's browser
"url_filtering_deny_msg": "Access to this URL Category has been blocked",
"service_policies": [
// policies for store
{
"name": "DC-APPs",
"tenants": ["pos.store", "camera.store"],
"services": ["dc-apps"],
"action": "allow",
"idp": {
"enabled": true, // default is false
"idpprofile_id": "89b9d208-84a4-fa8f-af57-78f92c639cf2", // org-level IDP Profile can be used, this takes precedence over `profile`
"profile": "strict", // strict (default) / standard / or keys from from idp_profiles
"alert_only": false
},
// SRX-only
"appqoe": {
"enabled": true, // default is false
},
// SRX-only
"antivirus": {
"enabled": true, // default is false
"avprofile_id": "5cb2e071-cfc5-4231-b5f8-3543e04dfb55" // org-level AV Profile can be used, this takes precendence over 'profile'
"profile": "default", // default / noftp / httponly / or keys from av_profiles
},
// SRX-only
"secintel": {
"enabled": True,
"secintelprofile_id": "5cb2e071-cfc5-4231-b5f8-3543e04dfb55" // org-level secintel Profile can be used, this takes precendence over 'profile'
"profile": "default", // default / standard / strict
},
// SRX-only
"aamw": {
"enabled": True,
"aamwprofile_id": "5cb2e071-cfc5-4231-b5f8-3543e04dfb55" // org-level secintel Profile can be used, this takes precendence over 'profile'
"profile": "standard", // standard / docsonly / executables
},
// by default, we derive all paths available and use them
// optionally, you can customize by
"path_preference": "dc_path",
// SRX-only, optional
"ssl_proxy": {
"enabled": true,
"ciphers_category": "strong" // strong(default), medium, weak
}
},
{
// we can use a policy defined at org level and overwrite some attributes
"servicepolicy_id": "dbdf808a-5429-51b7-89ac-1b52d7a4b4b5",
"name": "Cloud Apps",
"tenants": ["pos.store", "camera.store"],
"services": ["cloud-apps"],
"path_preference": "local_path"
},
{
"name": "Guest",
"tenants": ["guest"],
"service": ["internet"],
"path_preference": "local_breakout"
},
{
"name": "Mgmt from DC",
"tenants": ["it.datacenter"],
"services": ["store_servers"],
"path_preference": "customized"
},
{
"name": "local routing",
"tenants": ["corp", "vendor"],
"services": ["ping"],
// access within the same VRF
"local_routing": true
// no path_preference
},
"syslog": {
"enabled": False,
"server_names": "dc_syslog_server"
}
],
"bgp_config": {
"local": {
"type": "internal",
"networks": [ "corp" ], // networks where we expect BGP neighbor to connect to/from
"local_as": 65000,
"auth_key": "auth-key",
"export_policy": "export_policy",
"import_policy": "import_policy",
"neighbors": {
"10.1.10.5": {
"disabled": false // Default false. If true, the BGP session to this neighbor will be administratively disabled/shutdown
}
},
// by default, either inet/net6 unicast depending on neighbor IP family (v4 or v6)
// for v6 neighbors, to exchange v4 nexthop, which allows dual-stack support, enable this
"extended_v4_nexthop": true,
},
"attlink": {
"type": "external",
"via": "wan", // lan (default) / wan / tunnel
// if via = wan
"wan_name": "wan0",
// if via = lan
"networks": [ "corp" ], // networks where we expect BGP neighbor to connect to/from
// if via = tunnel
"tunnel_name": "custom-ipsec",
"local_as": 3000,
"neighbor_as": 3105,
"no_private_as": false // false(default) / true
"auth_key": "auth-key",
"disable_bfd": false, // BFD provides faster path failure detection and is enabled by default
"bfd_minimum_interval": 1-255000, by default, 1000 is used when type=external, 350 when type=internal
"bfd_multiplier": 1-255, default is 3
"hold_time":120, // 0-65535, default is 90s
"graceful_restart_time":240 // 1-4095, default is 0 (disabled)
"neighbors": {
"63.1.56.3": {
// if per-neighbor as is desired
"neighbor_as": 500
"multihop_ttl": 64, // 0-255, default is 0, assuming BGP neighbor is directly connected
"export_policy": "neighbor_specific_export_policy",
"import_policy": "neighbor_specific_import_policy",
"hold_time":120, // 0-65535, default is 90s
"disabled": false // Default false. If true, the BGP session to this neighbor will be administratively disabled/shutdown
}
},
// by default, we'll re-advertise all learned BGP routers toward overlay
"no_readvertise_to_overlay": false,
// default export/import policies if no per-neighbor policies defined
"export_policy": "export_policy",
"import_policy": "import_policy"
},
"vpn1": {
"via": "vpn", //
"vpn_name": "data-center",
"import_policy": "import_policy",
"export_policy": "export_policy"
}
}
// routing-policies
"routing_policies": {
"sample_import_policy": {
"terms": [
{
// zero or more criteria/filter can be specified
// to match the term, all criteria have to be met
"matching": {
"prefix": ["192.168.0.0/16-30"],
"as_path": ["65001,65353"],
"protocol": ["direct"], // direct / bgp / ospf / ...
"community": ["65001:2"],
// overlay-facing criteria (used for bgp_config where via=vpn)
"vpn_path": ["dc1-broadband"], // ordered list
"vpn_path_sla": {
"max_latency": 1500,
"max_loss": 30,
"max_jitter": null,
},
"vpn_neighbor_mac": ["7d027e0ffcb9"]
},
"actions": {
"accept": true,
"local_preference": "50", // optional, for an import policy, local_preference can be changed
// for SSR, hub decides how VRF routes are leaked on spole
"add_target_vrfs": ["guest"]
}
}
],
},
"sample_export_policy": {
"terms": [
{
"name": "export",
"matching": {
// zero or more criteria/filter can be specified
// to match the term, all criteria have to be met
"prefix": ["192.168.0.0/16-30"],
"as_path": ["65001", "65353"], // takes regular expression
"protocol": ["direct"], // direct / bgp / ospf / static / aggregate ...
"community": ["65001:2"], // community
"route_exists": [{
"route": "192.168.0.0/24",
"vrf_name": "guest" // name of the vrf instance, default is `default`
// it can also be the name of the VPN or wan if they
}]
},
"actions": {
"accept": true,
// when used as export policy, all optional
"community": [ "65003:10" ], // takes precedence
"add_community": [ "65003:10" ],
"exclude_community": [ "65003:10" ],
// by default, the local AS will be prepended, to change it
"prepend_as_path": ["65003"],
// exclude some as_path
"exclude_as_path": ["65002"],
// local preference
"local_preference": "30"
}
}
],
}
},
// static routes
"extra_routes": {
"it_mgmt": { // use names from `networks`
"via": "10.2.1.1"
},
"172.16.3.0/24": {
"via": "10.2.1.1"
}
},
// for ipv6
"extra_routes6": {
"2a02:1234:420a:10c9::/64": {
"via": "2a02:1234:200a::100"
}
},
// experimental
"gateway_matching": {
"enable": true,
// see network template
},
// additional CLI commands to append
// NOTE: no check is done
"additional_config_cmds": [
"set snmp community public2"
]
}
| Name | Type | Description |
|---|---|---|
speed |
string |
speed, default is auto to automatically negotiate speed |
duplex |
string |
link connection mode, choices are auto (default), full, and half |
disable_autoneg |
bool |
if speed and duplex are specified, whether to disable autonegotiation, default is false |
poe_disabled |
bool |
whether poe is disabled, default is false |
mtu |
int |
media maximum transmission unit (MTU) is the largest data unit that can be forwarded without fragmentation. The default value is 1514. |
{
"port_config": {
"ge-0/0/5,ge-1/0/5": {
"usage": "ha_control"
},
"ge-0/0/6,ge-1/0/6": {
// for HA Data
"usage": "ha_data"
},
"ge-0/0/0,ge-1/0/0": {
"usage": "wan",
"redundant": true,
"reth_idx": 0,
"reth_node": "node0"
},
"ge-0/0/2,ge-1/0/2": {
"usage": "lan",
"redundant": true,
"reth_idx": 1,
"reth_node": "node1",
"networks": ["corp", "guest"],
// SRX Only - support redundancy-group
"redundant_group": 3, // 1-128 for physical SRX, 1-64 for virtual SRX (optional)
// SSR only - supporting vlan-based redundancy (matching the size of `networks`)
"reth_nodes": ["node1", "node0"]
},
}
}
GET /api/v1/const/default_gateway_config?model=SRX320&ha=false
| Name | Type | Description |
|---|---|---|
model |
string |
model the default gateway config is intended (as the default LAN/WAN port can differ) |
ha |
boolean |
whether the config is intended for HA |
{
"port_config": {
"ge-0/0/0,ge-0/0/7": {
"usage": "wan",
"name": "wan",
"ip_config": {
"type": "dhcp"
}
},
"ge-0/0/1-6": {
"usage": "lan",
"port_network": "lan"
},
"cl-1/0/0": {
"usage": "wan",
"name": "lte",
"wan_type": "lte",
"ip_config": {
"type": "dhcp"
}
}
},
"networks": {
"lan": {
"name": "lan",
"vlan_id": 1,
"subnet": "192.168.1.0/24"
}
},
"ip_configs": {
"lan": {
"type": "static",
"ip": "192.168.1.1"
}
},
"dhcpd_config": {
"lan": {
"ip_start": "192.168.1.2",
"ip_end": "192.168.1.254"
}
},
"path_preferences": {
"wan": {
"paths": [
{
"type": "wan",
"name": "wan"
}
]
}
},
"service_policies": [
{
"name": "Internet",
"tenants": [
"lan"
],
"services": [
"any"
],
"action": "allow",
"path_preference": "wan"
}
]
}
It’s a common request we get from the customers. When a AP HW has problem and need a replacement, they would want to copy the existing attributes (Device Config) of this old AP to the new one. It can be done by providing the MAC of a device that’s currently in the inventory but not assigned. The Device replaced will become unassigned. This API also supports replacement of Mist Edges. This API copies device agnostic attributes from old Mist edge to new one. Mist manufactured Mist Edges will be reset to factory settings but will still be in Inventory.Brownfield or VM’s will be deleted from Inventory.
POST /api/v1/orgs/:org_id/inventory/replace
{
"site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"mac": "5c5b35000101",
"inventory_mac": "5c5b35000301",
"discard": []
// tunterm_port_config is optional and applicable for mist-edge replacement only
"tunterm_port_config": {"separate_upstream_downstream": true/false,
"upstream_ports": ["0", "1"],
"downstream_ports": ["2", "3"]
}
}
| Name | Type | Description |
|---|---|---|
site_id |
string |
the site_id of the device to be replaced |
mac |
string |
device mac |
inventory_mac |
string |
mac of the inventory that will be replacing the old one. It has to be claimed and unassigned. |
discard |
list |
attributes that you don’t want to copy |
NOTE
For Gateway devices only like-for-like replacements (can only replace a SRX320 with a SRX320 and not some otehr model) are allowed.
GET /api/v1/orgs/:org_id/devices
{
"results": [
{
"mac": "5c5b350eb31b",
"name": "Conference Room"
}
]
}
Templates are collection of configs that can be applied to orgs / sitegroups / sites
Conceptually, site is where configurations will be created (and eventually be derived). People with only a few deployments (or when each deployment is different) will mostly define their WLAN/Tunnels/Policies under a site.
For big deployments (hundreds / thousands of sites), it’s unpractical to do so. Instead, they can define templates (holding same set of stuff WLAN/Tunnels/Policies) and apply them to sites. Therefore,
So how does derivation work?
For WLANs, it’s straightforward, a site will simply have multiple WLANs from multiple templates plus those defined in a site itself For Wxlan, all template Wxlan Rules will be checked first. If there’s no match, it will continue checking the Site Wxlan Rules. If there’s no match, the default action defined in the Site Wxlan Rule will be used.
However, a template Wxlan Rule differs from a Site Wxlan Rule in two ways.
GET /api/v1/orgs/:org_id/templates
POST /api/v1/orgs/:org_id/templates
GET /api/v1/orgs/:org_id/templates/:template_id
PUT /api/v1/orgs/:org_id/templates/:template_id
DELETE /api/v1/orgs/:org_id/templates/:template_id
{
"name": "west",
"applies": {
"org_id": "2818e386-8dec-2562-9ede-5b8a0fbbdc71",
"sitegroup_ids": [ "581328b6-e382-f54e-c9dc-999983183a34", "f57096b9-0c2f-4df6-c77b-ae6ae87a3d43" ],
"site_ids": [ "4ac1dcf4-9d8b-7211-65c4-057819f0862b" ]
},
"exceptions": {
"sitegroup_ids": [ "90badd2e-c028-5e8e-dd8f-b3c718882b9d" ],
"site_ids": [ "52f4347e-3e4b-186c-21ca-ad5b70eb23d6" ]
},
"filter_by_deviceprofile": true,
"deviceprofile_ids": [
"6f4bf402-45f9-2a56-6c8b-7f83d3bc98e9",
]
}
| Name | Type | Description |
|---|---|---|
name |
string |
name of the template |
applies |
object |
where this template should be applied to, can be org_id, site_ids, sitegroup_ids |
exceptions |
object |
where this template should not be applied to (takes precedence) |
org_id |
string |
org id, should be the same as the org, this shadows sitegroup_ids and site_ids |
sitegroup_ids |
list |
list of sitegroup ids |
site_ids |
list |
list of site ids |
filter_by_deviceprofile |
boolean |
whether to further filter by Device Profile |
deviceprofile_ids |
list |
list of Device Profile ids |
POST /api/v1/orgs/:org_id/templates/:template_id/clone
{
"name": "Cloned"
}
/api/v1/orgs/:org_id/wlans
see Site:Wlan for schema
{
"name": "whatever",
"template_id": "867860f2-dd82-3677-54a5-4d6b139c96ca"
...
}
Upload background image for Portal
POST /api/v1/orgs/:org_id/wlans/:wlan_id/portal_image
see Site:Wlan Portal Image Upload for schema
Delete background image for Portal
DELETE /api/v1/orgs/:org_id/wlans/:wlan_id/portal_image
see Site:Wlan Portal Image Delete
/api/v1/orgs/:org_id/wxtunnels
There can be Management Tunnels (which can be applied to a sitegroup, see Org:Setting) as well as Data Tunnels, which can only be applied to Org Wlans in a Template. Moreover, the WxlanTunnel inside a template can only be used by Org Wlans in the same template
see Site:Wlan Tunnels for schema
Wxlan Tags can be defined inside a template. When used, it can be deployed to
/api/v1/orgs/:org_id/wxtags
see Site:Wlan Tags for schema
Wxlan Rules can be applied to template. WxlanRule defined inside a template will operate with the scope of specified template.
/api/v1/orgs/:org_id/wxrules
see Site:Wlan Rules for schema
/api/v1/orgs/:org_id/assetfilters
see Site:Asset Filters for schema
/api/v1/orgs/:org_id/asset
/api/v1/orgs/:org_id/asset/:asset_id
see Site:Asset for schema
POST /api/v1/orgs/:org_id/assets/import
see Site:Asset for schema
GET /api/v1/orgs/:org_id/stats/assets
GET /api/vi/orgs/:org_id/stats/assets/:asset_id
see Site:Asset:Stats for schema
GET /api/v1/orgs/:org_id/stats/assets/search
GET /api/v1/orgs/:org_id/stats/assets/search?mac='fbc721cc3022'
| Name | Type | Description |
|---|---|---|
org_id |
string | path |
query |
string |
site_id,mac,map_id,ibeacon_uuid,ibeacon_major,ibeacon_minor |
eddystone_uid_namespace, eddystone_uid_instance, eddystone_url, by, name, device_name |
{
"results": [
{
"battery_voltage": "283",
"eddystone_uid_namespace": "f7826da6bc5b71e0893e",
"last_seen": 1633971808,
"eddystone_uid_instance": "424c43527039",
"eddystone_url": "eddystone_url",
"mac": "fbc721cc3022",
"manufacture": "Unknown",
"timestamp": 1633971808667,
"map_id": "map_id",
"org_id": "org_id",
"by": "assetfilter",
"site_id": "site_id",
"name": "name",
"temperature": "0.0"
},
],
"start": 1633367108.3799882,
"end": 1633971908.3799632,
"limit": 100,
"total": 1
}
GET /api/v1/orgs/:org_id/stats/assets/count
GET /api/v1/orgs/:org_id/stats/assets/count?distinct=ibeacon_uuid
| Name | Type | Description |
|---|---|---|
org_id |
string | path |
distinct |
string |
site_id,mac,map_id,ibeacon_uuid,ibeacon_major,ibeacon_minor |
eddystone_uid_namespace, eddystone_uid_instance, eddystone_url, by, name, device_name, default is site_id |
{
"results": [
{
"site_id": "site_id",
"count": 19
}
],
"start": 1633368208.7445683,
"end": 1633973008.7445416,
"limit": 100,
"distinct": "site_id",
"total": 1,
}
Trigger a CoA against a client
POST /api/v1/orgs/:org_id/clients/:client_mac/coa
While Templates / RF Templates / Network Templates / Gateway Templates provides powerful ways to control how a Device’s configuration is derived for a Site. There are cases where you’d like another level of control at the Org Level.
A Device Profile contains a subset of Device’s configurations you’d like a device to have. It will be merged at runtime when we’re provisioning an AP.
GET /api/v1/orgs/:org_id/deviceprofiles?type=ap
POST /api/v1/orgs/:org_id/deviceprofiles
GET /api/v1/orgs/:org_id/deviceprofiles/:deviceprofile_id
PUT /api/v1/orgs/:org_id/deviceprofiles/:deviceprofile_id
DELETE /api/v1/orgs/:org_id/deviceprofiles/:deviceprofile_id
{
"id": "6f4bf402-45f9-2a56-6c8b-7f83d3bc98e9",
"type": "ap", // intended device type, default is AP
"name": "LowPower",
// anything provided here will be merged against the devices this profile applies to
"radio_config": {
"band_5": {
"power": 8
}
}
}
NOTE: see Device Config
POST /api/v1/orgs/:org_id/deviceprofiles/:deviceprofile_id/assign
POST /api/v1/orgs/:org_id/deviceprofiles/:deviceprofile_id/unassign
{
"macs": [
"5c5b350e0001",
"5c5b350e0003"
]
}
{
// devices that has deviceprofile_id changed
"success": [ "5c5b350e0001" ]
}
/api/v1/orgs/:org_id/psks
Add psk on the org. Required: ssid, passphrase.
POST /api/v1/orgs/:org_id/psks
Get list of psks on the org. This API is always paginated, default limit is 100.
Use query param, to filter or sort by name/role/ssid
GET /api/v1/orgs/:org_id/psks?name=Common&role=student&sort=ssid&limit=200&page=3
Delete list of psks on the org. This API accepts single string or list of strings
POST /api/v1/orgs/:org_id/psks/delete
{
"psk_ids": ['0039c16c-ca87-4d3f-bb94-b97c58199f18', '6562cc8e-5893-418a-acaa-4d7c1af8084f']
}
/api/v1/orgs/:org_id/psks?upsert=true
{
"name": "Common",
"passphrase": "foryoureyesonly",
"ssid": "warehouse",
"usage": "single",
"vlan_id": 417, // optional
"mac": "5684dae9ac8b", // optional
"role": "", // optional
"expire_time": 1614990263 // optional, epoch time in seconds, default is null, as no expiration
"max_usage": 20 // optional, default is 0 (unlimited)
"notes": "notes" // optional
"notify_expiry": true // optional
"expiry_notification_time": 2 // optional, unit days
"notify_on_create_or_edit": true // optional
"email": "admin@test.com" // optional, email to send psk expiring notifications to
"admin_sso_id": "sso_id" // optional, sso id for psk created from psk portal
}
PUT /api/v1/orgs/:org_id/psks
[
{
"id": "2f64a022-9422-4fa3-92aa-ff6559a9f7f9", //psk_id, required
"name": "common123",
},
{
"id": "110c59ae-d7b2-40f9-9bf2-82367370e55a", //psk_id, required
"usage": "single",
"name": "common12",
"passphrase": "foryoureyesonly1",
"role": "teacher",
}
]
| Name | Type | Description |
|---|---|---|
name |
string |
a name for the PSK |
passphrase |
string |
passphrase of the PSK (8-63 character or 64 in hex) |
ssid |
string |
SSID this PSK should be applicable to |
usage |
string |
multi (default) / single / macs |
vlan_id |
int |
VLAN for this PSK key |
mac |
string |
if usage==single, the mac that this PSK ties to, empty if auto-binding |
max_usage |
int |
max concurrent users for this PSK key. Default is 0 (unlimited) |
role |
string |
Role for this PSK key (32 character maximum) |
expire_time |
int |
Expire time for this PSK key. Default is half year, max is 5 year |
notes |
string |
notes |
notify_expiry |
boolean |
If set to true, reminder notification will be sent when psk is about to expire |
expiry_notification_time |
int |
Number of days before psk is expired. Used as to when to start sending reminder notification when the psk is about to expire |
notify_on_create_or_edit |
boolean |
If set to true, notification will be sent when psk is created or edited |
email |
string |
Email to send psk expiring notifications to |
admin_sso_id |
string |
sso id for psk created from psk portal |
old_passphrase |
string |
previous passphrase of the PSK if it has been rotated |
macs |
list |
if usage==macs, this list contains N number of client mac addresses or mac patterns(11:22:*) or both. This list is capped at 5000 |
Adds a PSK with usage type set to “macs”. When usage==macs, corresponding “macs” field will hold a list consisting of client mac addresses ([“xx:xx:xx:xx:xx”,…]) or mac patterns([“xx:xx:”,”xx”,…]) or both ([“xx:xx:xx:xx:xx:xx”, “xx:*”, …]). This list is capped at 5000
POST /api/v1/orgs/:org_id/psks
{
"name": "Common",
"passphrase": "foryoureyesonly",
"ssid": "warehouse",
"usage": "macs",
"macs": ["11:22:33:44:55:66", "aa:bb:*", "53*"],
"vlan_id": 417, // optional
"role": "", // optional
"expire_time": 1614990263 // optional, epoch time in seconds, default is null, as no expiration
"notify_expiry": true // optional
"expiry_notification_time": 2 // optional, unit days
"notify_on_create_or_edit": true // optional
"email": "admin@test.com" // optional, email to send psk expiring notifications to
}
old_passphrase from PSKPOST /api/v1/orgs/:org_id/psks/:psk_id/delete_old_passphrase
If successful, response is same as GET, returns the PSK with old_passphrase removed.
POST /api/v1/orgs/:org_id/psks/import
A multi-part POST
"file": CSV File
name,ssid,passphrase,usage,vlan_id,mac,max_usage,role,expire_time,notify_expiry,expiry_notification_time,notify_on_create_or_edit,email
Common,warehouse,foryoureyesonly,single,35,a31425f31278,0,student,1618594236
Justin,reception,visible,multi,1002,200,teacher,1618594236
Common2,ssid,1245678-xx,single,35,a31425f31278,0,student,1618594236,true,7,true,admin@test.com
| Name | Type | Description |
|---|---|---|
name |
string |
a name for the PSK |
passphrase |
string |
passphrase of the PSK (8-63 character or 64 in hex) |
ssid |
string |
SSID this PSK should be applicable to |
usage |
string |
multi (default) / single / macs |
vlan_id |
int |
VLAN for this PSK key |
mac |
string |
if usage==single, the mac that this PSK ties to, empty if auto-binding |
max_usage |
int |
max concurrent users for this PSK key. Default is 0 (unlimited) |
role |
string |
Role for this PSK key (32 character maximum) |
expire_time |
int |
Expire time for this PSK key. Default is half year, max is 5 year |
notify_expiry |
boolean |
If set to true, reminder notification will be sent when psk is about to expire |
expiry_notification_time |
int |
Number of days before psk is expired. Used as to when to start sending reminder notification when the psk is about to expire |
notify_on_create_or_edit |
boolean |
If set to true, notification will be sent when psk is created or edited |
email |
string |
Email to send psk expiring notifications to |
macs |
list |
if usage==macs, this list contains N number of client mac addresses or mac patterns(1122*) or both. This list is capped at 5000 |
[
{
"name": "Common",
"ssid": "warehouse",
"passphrase": "foryoureyesonly",
"usage": "single",
"vlan_id", 35,
"mac": "a31425f31278",
"max_usage": 300,
"role": "teacher",
"expire_time": "1618594236",
"notify_expiry": true,
"expiry_notification_time": 2,
"notify_on_create_or_edit"; true,
"email": "admin@test.com"
},
{
"name": "Justin",
"ssid": "reception",
"passphrase": "visible",
"usage": "multi",
"vlan_id", 1002,
"mac": null,
},
{
"name": "Alice",
"ssid": "guest",
"passphrase": "visible",
"usage": "macs",
"vlan_id", 1002,
"macs": ["112233445566", "aabbcc*"]
}
]
PSK Self-Service Portals are for
name, email so we can generate PSK/api/v1/orgs/:org_id/pskportals
{
"name": "get-wifi"
"ssid": "Corp", // intended SSID
// for personal psk portal
"type": "byod", // byod / admin
// how PSK should be generated
"vlan_id": 417, // optional
"role": "", // optional
"max_usage": 20, // optional, default is 0 (unlimited)
"cleanup_psk": true, // optional, default is false, used to cleanup exited psk when portal delete or ssid changed
// auth
"auth": "sso", // sso / sponsor(not yet)
"notification_renew_url": "https://custom-sso/url", // optional, will include the link in the notification email
// the customer can either provide their own url or use the one generate from mist, or do a url shorterner against either
"sso": {
"issuer": "https://app.onelogin.com/saml/metadata/138130"
"idp_cert": "-----BEGIN CERTIFICATE-----\nMIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE\n-----END CERTIFICATE-----",
"idp_sign_algo": "sha256",
"idp_sso_url": "https://yourorg.onelogin.com/trust/saml2/http-post/sso/138130",
"nameid_format": "email",
// optional
"allowed_roles": ["Student", "Teather"], // allowed roles for accessing psk portal, if none, any role is permitted.
"use_sso_role_for_psk_role": true, // if enabled, the `role` above will be ignored
"role_mapping": {
"Student": "user",
"Teacher": "faculty"
}
},
// rule for generating psk
"passphrase_rules": {
"length": 8,
"max_length": int, (optional)
"min_length": int, (optional)
"alphabets_enabled": true,
"numerics_enabled": true,
"symbols_enabled": false, // disabled by default
"symbols": "()[]{}_%@#&$"
// for valid `max_length` and `min_length`, passphrase size is set randomly from that range.
// if `max_length` and/or `min_length` are invalid, passphrase size is equal to `length` parameter
// if `length` is not set or is invalid, default passphrase size is 8.
// valid `max_length`, `min_length`, `length` should be an integer between 8 to 63. Also, `max_length` > `min_length`
},
"expire_time": 1440, // unit min
"notify_expiry": true, // optional
"expiry_notification_time": 2, // optional, unit days
"notify_on_create_or_edit": true // optional
"hide_psks_created_by_other_admins": false // optional, for admin psk portal only
// what information to ask for (email is required by default)
"required_fields": ["name", "role"], // name / notes
// UI customization
"bg_image_url": ...
"thumbnail_url": ...
"template_url": ...
// for PSK admin portal
"type": "admin",
"auth": "sso",
}
GET /api/v1/orgs/:org_id/pskportals/:pskportal_id/saml_metadata
GET /api/v1/orgs/:org_id/pskportals/:pskportal_id/saml_metadata.xml
GET /api/v1/orgs/:org_id/pskportals/:pskportal_id/saml_failures
{
"results": [
{
"timestamp": 1431382121,
"detail": "Role attribute missing",
"saml_assertion_xml": "<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:nam..."
}
]
}
PUT /api/v1/orgs/:org_id/pskportals/:pskportal_id/portal_template
{
"poweredBy": false,
"color": "#1074bc",
"logo": null,
"alignment": "center",
"tos": false,
"tosText": "<< provide your Terms of Service here >>",
"tosAcceptLabel": "I accept the Terms of Service ",
"tosLink": "Terms of Service",
"tosError": "Please review and accept the Terms of Service",
"tosUrl": "https://company.com/wifi-policy"
}
poweredBy|boolean| whether to hide “Powered by Juniper Mist” and email footers, default is false
color|string| “#1074bc”
logo|string| custom logo with “data:image/png;base64,” format, default null, uses Juniper Mist Logo.
alignment|string| defines alignment on portal. “center” is default.
tos|boolean| enable terms and service for portal. default is false.
tosText|string| terms and service text displayed in footer if tos is enabled.
tosAcceptLabel|string| label for accept tos
tosLink|string| link for tos
tosError|string| error message for not accepting tos
tosUrl|string| customized url for defining terms of service
Upload background image for PskPortal
POST /api/v1/orgs/:org_id/pskportals/:pskportal_id/portal_image
A multi-part POST
"json": a JSON string describing the upload
"file": a binary file
Delete background image for PskPortal
DELETE /api/v1/orgs/:org_id/pskportals/:pskportal_id/portal_image
If image is not uploaded or is deleted, PskPortal will use default image.
GET /api/v1/orgs/:org_id/pskportals/logs?start=1431384000&end=1431298000&limit=100
GET /api/v1/orgs/:org_id/pskportals/logs/search?start=1431384000&end=1431298000&limit=100
| Name | Type | Description |
|---|---|---|
psk_name |
string |
psk_name |
psk_id |
string |
psk_id |
pskportal_id |
string |
pskportal_id |
id |
string |
audit_id |
admin_name |
string |
admin name or email |
admin_id |
string |
admin id |
name_id |
string |
name_id used in SSO |
Status: 200 OK
{
"start": 1428939600,
"end": 1428954000,
"limit": 100,
"total": 135,
"results": [{
'timestamp': 1686346104.096,
'org_id': '2818e386-8dec-2562-9ede-5b8a0fbbdc71',
'psk_name': 'test@mist.com',
'psk_id': '608fe603-f9f0-4ce9-9473-04ef6c6ea749',
'id': '8a3dcaa7-80e3-4bb0-a75b-7bc6322cfd09',
'message': 'Rotate PSK test@mist.com',
'pskportal_id': 'c1742c09-af35-4161-96ef-7dc65c6d5674',
'name_id': 'test@mist.com'
}]
}
| Name | Type | Description |
|---|---|---|
timestamp |
long |
start time, in epoch |
org_id |
string |
org id |
admin_id |
string |
admin id |
admin_name |
string |
name of the admin that performs the action |
message |
string |
log message |
psk_name |
string |
psk_name |
psk_id |
string |
psk_id |
id |
string |
audit_id |
name_id |
string |
user_id or user email |
GET /api/v1/orgs/:org_id/pskportals/logs/count?distinct=user_id
| Name | Type | Description |
|---|---|---|
distinct |
string |
admin_id / admin_name / psk_name / psk_id / pskportal_id / user_id, default is pskportal_id |
{
"start": 1511967600,
"end": 1513177200,
"limit": 10,
"distinct": "admin_name",
"total": 2,
"results": [
{
"admin_name": "John Smith john.smith@corp.com",
"count": 61
},
{
"admin_name": "Eric Sky eric@corp.com",
"count": 44
}
]
}
Import data from files is a multipart POST which has an file, an optional json, and an optional csv, to create floorplan, assign matching inventory to specific site, place ap if name or mac matches
POST /api/v1/orgs/:org_id/maps/import
A multi-part POST
"json": a JSON string, site id required, vendor option: ekahau, ibwave, etc., import_all_floorplans: optional, default: false,
import_height: optional, default: true, import_orientation: optional, default: true
"file": a binary file, option: .esx
"auto_deviceprofile_assignment": boolean, default: false, whether to auto assign device to deviceprofile by name
"csv": a csv file for ap name mapping, optional
// for the JSON payload
{
"vendor_name": "ekahau",
"site_id": "bee1902c-84aa-a993-bee2-d774ed6aa4cf",
"import_all_floorplans": true, // optional
"import_height": true, // optional
"import_orientation": false // optional
}
Vendor AP name,Mist AP Mac
US Office AP-2 - 5c:5b:35:00:00:02,5c5b35000002
{
"site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"aps": [
{
"mac": "5c5b35000001",
// placed
"action": "placed"
"map_id": "845a23bf-bed9-e43c-4c86-6fa474be7ae5"
// assigned to a site and placed
"action": "assigned-placed",
// named and placed
"action": "named-placed"
// assigned, named and placed
"action": "assigned-named-placed"
// if we ignore it (did nothing with it)
"action": "ignored",
"reason": "not found on site" // "not found in inventory",
// floorplan id, height, orientation for ignored ap
"floorplan_id": "cbdb7f0b-3be0-4872-88f9-58790b509c23-j68kows8"
"orientation": 45,
"height": 3
}
],
"floorplans": [
{
// whatever ID vendor has
"id": "cbdb7f0b-3be0-4872-88f9-58790b509c23-j68kows8",
"name": "map1",
// we only import the floorplan if at least one of the AP is being placed by default
"action": "imported",
"map_id": "845a23bf-bed9-e43c-4c86-6fa474be7ae5",
"action": "ignored",
"reason": "no aps placed"
}
],
"summary": {
"num_ap_assigned": 1,
"num_map_assigned": 1,
"num_inv_assigned": 1
}
}
GET /api/v1/orgs/:org_id/wired_clients/search
GET /api/v1/orgs/:org_id/wired_clients/search?mac=112233445566
The following fields are available for searching.
| Name | Type | Description |
|---|---|---|
device_mac |
string |
device mac |
mac |
string |
client mac |
port_id |
string |
port id |
vlan |
int |
vlan |
site_id |
string |
site id |
ip |
string |
ip |
manufacture |
string |
client manufacture |
text |
string |
single entry of hostname/mac |
nacrule_id |
string |
nacrule_id |
dhcp_hostname |
string |
dhcp hostname |
dhcp_fqdn |
string |
dhcp full qualified domain name |
dhcp_client_identifier |
string |
dhcp client identifier |
dhcp_vendor_class_identifier |
string |
dhcp vendor class identifier |
dhcp_request_params |
string |
dhcp request parameters |
auth_state |
string |
authentication state |
auth_method |
string |
authentication method |
source |
string |
source from where the client was learned (lldp, mac) |
{
"results": [
{
"ip": [
"11.216.202.61"
],
"device_mac": [
"001122334455"
],
"org_id": "c168ddee-c14c-11e5-8e81-1258369c38a9",
"vlan": [
0,
1001
],
"site_id": "c168ddee-c14c-11e5-8e81-1258369c38a9",
"device_mac_port": [
{
"device_mac": "001122334455",
"vlan": 1,
"ip": "",
"start": "2020-12-10T00:07:36.262+0000",
"port_id": "et-0/0/1",
"port_parent": "",
"when": "2022-03-29T04:56:05.172+0000"
},
],
"mac": "112233445566",
"timestamp": 1571174567.807,
"port_id": [
"et-0/0/1"
],
"dhcp_hostname": "ITS-VMMT0-D1N02",
"dhcp_fqdn": "ITS-VMMT0-D1N02.mgthub.local",
"dhcp_client_identifier": "MAC address 00155df6d500",
"dhcp_vendor_class_identifier": "MSFT 5.0",
"dhcp_request_params": "1 3 6 15 31 33 43 44 46 47 119 121 249 252",
"dhcp_client_options": [
{
"code": "DHO_DHCP_MESSAGE_TYPE(53)",
"data": "DHCPREQUEST"
}, {
"code": "DHO_DHCP_CLIENT_IDENTIFIER(61)",
"data": "MAC address 00155df6d500",
}, {
"code": "DHO_DHCP_REQUESTED_ADDRESS(50)",
"data": "172.17.10.255",
}, {
"code": "DHO_DHCP_SERVER_IDENTIFIER(54)",
"data": "172.17.8.1"
}, {
"code": "DHO_DHCP_MAX_MESSAGE_SIZE(57)",
"data": "1280"
}, {
"code": "DHO_DHCP_PARAMETER_REQUEST_LIST(55)",
"data": " 1 3 6 12 15 28 43 180"
}, {
"code": "DHO_VENDOR_CLASS_IDENTIFIER(60)",
"data": "MSFT 5.0"
}, {
"code": "DHO_HOST_NAME(12)",
"data": "ITS-VMMT0-D1N02"
}
],
"auth_method": "mac_auth",
"auth_state": "authenticated"
}
],
"start": 1648443400.8221116,
"end": 1648529800.8221116,
"limit": 1000,
"total": 1
}
GET /api/v1/orgs/:org_id/wired_clients/count
| Name | Type | Description |
|---|---|---|
distinct |
string |
port_id, vlan, device_mac, site_id, ip, manufacture, default is device_mac |
{
"start": 1648443400.8221116,
"end": 1648529800.8221116,
"limit": 1000,
"distinct": "device_mac",
"total": 20,
"results": [
{
"device_mac": "112233445566",
"count": 7
},
{
"device_mac": "aabbccddeeff",
"count": 2
},
...
]
}
GET /api/v1/orgs/:org_id/wired_clients/events/search
GET /api/v1/orgs/:org_id/wired_clients/events/search?mac=112233445566
The following fields are available for searching.
| Name | Type | Description |
|---|---|---|
device_mac |
string |
device mac |
mac |
string |
client mac |
port_id |
string |
port id |
vlan |
int |
vlan |
site_id |
string |
site id |
text |
string |
single entry of hostname/mac |
type |
string |
See Supported Events Type (E.g. CLIENT_DNS_OK) |
{
"results": [
{
"device_mac": "device_mac",
"timestamp": 1594708454.257958,
"org_id": "1688605f-916a-47a1-8c68-f19618300a08",
"site_id": "ec3b5624-73f1-4ed3-b3fd-5ba3ee40368a",
"port_id": "ge-0/0/5",
"type": "SW_DOT1XD_USR_AUTHENTICATED",
"text": "text",
"mac": "mac"
}
],
"start": 1663038067.062201,
"end": 1663113667.0622225,
"limit": 1000,
"total": 1
}
GET /api/v1/orgs/:org_id/wired_clients/events/count
| Name | Type | Description |
|---|---|---|
distinct |
string |
port_id, vlan, device_mac, site_id, mac, type |
{
"results": [{
"count": 1,
"type": "SW_DOT1XD_USR_AUTHENTICATED"
}],
"start": 1663038067.062201,
"end": 1663113667.0622225,
"limit": 1000,
"distinct": "type",
"total": 1,
"percentage": 100
}
POST /api/v1/orgs/:org_id/wired_clients/:mac/coa
| Name | Type | Description |
|---|---|---|
mac |
string |
wired_client mac |
{
"device_mac": "5c5b35000002",
"port_id": "ge-0/0/0",
"session": "0a2a11b8-4b30-40d8-a6d1-e91ea540d86f"
}
GET /api/v1/orgs/:org_id/tickets?start=1546300800&end=-1d
| Name | Type | Description |
|---|---|---|
start |
string |
start datetime, can be epoch or relative time like -1d, -1w; -1d if not specified |
end |
string |
end datetime, can be epoch or relative time like -1d, -2h |
duration |
string |
duration like 7d, 2w |
NOTE: if both start & duration are specified, duration will be ignored
[
{
"id": "00000000-0000-0000-0000-00000000000c",
"case_number": "12",
"created_at": 1453908369,
"updated_at": 1453908369,
"subject": "Please add me",
"type": "question",
"status": "open",
"requester": "John Smith",
"requester_email": "joe@abc.com"
}
]
| Name | Type | Description |
|---|---|---|
id |
string |
id of the ticket |
case_number |
string |
display name of the ticket |
created_at |
int |
when the ticket was created |
updated_at |
int |
when the ticket was last updated |
subject |
string |
subject |
type |
string |
question (default) / bug / critical |
status |
string |
open / pending / solved / closed |
requester |
string |
name of the requester |
requester_email |
string |
email of the requester |
Ticket Status
open: ticket is open, Mist is working on itpending: ticket is open and Requester attention is needed (e.g. Mist is asking for some more information)solved: ticket is marked as solved / considered by Mist (requester can update it, causing it to re-open; or rate it)closed: ticket is archived and cannot be changedPOST /api/v1/orgs/:org_id/tickets
{
"subject": "question regarding WPA",
"type": "question",
"comment": "where do I configure WPA1 / WPA2 / Auto?"
}
| Name | Type | Description |
|---|---|---|
subject |
string |
Required subject (usually short) |
type |
string |
question (default) / bug / critical |
comment |
string |
Required description |
PUT /api/v1/orgs/:org_id/tickets/:ticket_id
{
"subject": "question regarding WPA/WPA2",
"type": "question",
"status": "solved"
}
| Name | Type | Description |
|---|---|---|
subject |
string |
subject (usually short) |
type |
string |
question (default) / bug / critical |
status |
string |
open / solved |
POST /api/v1/orgs/:org_id/tickets/:ticket_id/comments
{
"comment": "this is urgent"
}
multipart:
"comment": "this is urgent, see my screenshot",
"file": a binary file
GET /api/v1/orgs/:org_id/tickets/:ticket_id
{
"id": "00000000-0000-0000-0000-00000000000c",
"case_number": "12",
"created_at": 1453908369,
"updated_at": 1453908369,
"subject": "Please add me",
"type": "bug",
"status": "open",
"requester": "John Smith",
"requester_email": "joe@abc.com",
"comments: [
{
"comment": "this is urgent, see my screenshot",
"created_at": 1453908369,
"author": "John Smith",
"attachment_ids": ["00000000-0000-0000-0000-15231a659c13"]
}
],
"attachments": [
{
"id": "00000000-0000-0000-0000-15231a659c13",
"file_name": "crash.png",
"created_at": 1453908369,
"content_url": "https://api.mist.com/api/v1/forward/download?jwt=..."
"content_type": "image/png",
"size_in_bytes": 1943
},
{
"id": "00000000-0000-0000-0000-15231a659c78",
"file_name": "crash.log",
"created_at": 1453908369,
"content_url": "https://api.mist.com/api/v1/forward/download?jwt=..."
"content_type": "text/plain",
"size_in_bytes": 2532
}
]
}
POST /api/v1/orgs/:org_id/tickets/:ticket_id/attachments
multipart:
"file": a binary file
GET /api/v1/orgs/:org_id/tickets/:ticket_id/attachments/:attachment_id
{
"content_url": "https://api.mist.com/api/v1/forward/download?jwt=..."
}
GET /api/v1/orgs/:org_id/tickets/count?distinct=status
| Name | Type | Description |
|---|---|---|
distinct |
string |
status (default) / type |
{
"limit": 1000,
"distinct": "status",
"total": 5,
"results": [
{
"status": "closed",
"count": 24
},
{
"status": "open",
"count": 12
},
{
"status": "solved",
"count": 15
},
{
"status": "pending",
"count": 10
},
{
"status": "hold",
"count": 3
}
]
}
POST /api/v1/orgs/:org_id/ssos
{
"name": "onelogin",
"idp_type": "saml", // saml (default) / ldap / oauth / mxedge_proxy / openroaming
"issuer": "https://app.onelogin.com/saml/metadata/138130"
"idp_cert": "-----BEGIN CERTIFICATE-----\nMIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE\n-----END CERTIFICATE-----",
"idp_sign_algo": "sha256",
"idp_sso_url": "https://yourorg.onelogin.com/trust/saml2/http-post/sso/138130",
"nameid_format": "email",
// some IdP support a custom logout URL that is different from SP-initiated SLO process
"custom_logout_url": "https://6.4.5.7/saml/idp/SingleLogoutService.php?param1=value1"
// if idp_type = ldap
"ldap_type": "azure", // azure (default) / okta / google / custom
// if ldap_type is NOT custom:
// filters are automatically chosen based on chosen ldap_type
// if ldap_type = custom:
// user can specify below fileds:
// ldap_user_filter
// ldap_group_attr (optional, default is memberOf)
// ldap_group_dn (optional, default is base_dn)
// ldap_group_filter (optional, default is user_filter)
"ldap_server_hosts": [ "hostname", "63.1.3.5" ],
"ldap_base_dn": "DC=abc,DC=com",
"ldap_bind_dn": "CN=nas,CN=users,DC=abc,DC=com",
"ldap_bind_password": "credential_for_nas",
"ldap_cacerts": [
"-----BEGIN CERTIFICATE-----\nMIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE\n-----END CERTIFICATE-----",
"-----BEGIN CERTIFICATE-----\nBhMCRVMxFDASBgNVBAoMC1N0YXJ0Q29tIENBMSwwKgYDVn-----END CERTIFICATE-----"
],
"ldap_client_cert": "-----BEGIN CERTIFICATE-----\nMIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE\n-----END CERTIFICATE-----",
"ldap_client_key": "-----BEGIN PRI...",
"ldap_resolve_groups": false, // whether to recursively resolve LDAP groups, default is false
// if idp_type = oauth
"oauth_type": "azure", // azure (default) / azure-gov / okta / ping_identity
// if oauth_type is okta/ping_identity, oauth_tenant_id is of the form "dev-88336535"
"oauth_tenant_id": "1e6ae660-b7d3-4a6c-9efd-1fa606fc7304",
// cc = Client Credentialstunbne
"oauth_cc_client_id": "e60da615-7def-4c5a-8196-43675f45e174",
// if oauth_type is okta/ping_identity, oauth_cc_client_secret is RSA private key, of the form "-----BEGIN RSA PRIVATE KEY--...."
"oauth_cc_client_secret": "akL8Q~5kWFMVFYl4TFZ3fi~7cMdyDONi6cj01cpH",
"oauth_ping_identity_region": "us", // us (United States, default), ca (Canada), eu (Europe), asia (Asia), au (Australia)
// ropc = Resource Owner Password Credentials
"oauth_ropc_client_id": "9ce04c97-b5b1-4ec8-af17-f5ed42d2daf7",
// oauth_ropc_client_secret can be empty if oauth_type is azure or azure-gov
"oauth_ropc_client_secret": "blM9R~6kWFMVFYl4TFZ3fi~8cMdyDONi6cj01dqI",
// scim_enabled (default 'false') indicates if SCIM provisioning is enabled for the OAuth IDP
"scim_enabled": false,
// scim_secret_token (auto-generated when not provided by caller and scim_enabled=true, empty string when scim_enabled=false) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
"scim_secret_token": "FBitbKPE1aecSloPGBuqqPxDUrFeZyZk",
// if idp_type = mxedge_proxy
// this requires `mist_nac` to be enabled on the mxcluster
"mxedge_proxy": {
"mxcluster_id": "572586b7-f97b-a22b-526c-8b97a3f609c4",
"proxy_hosts": ["mxedge1.corp.com", "63.1.3.5"], // public hostname/IPs
"ssids": ["eduroam_test, eduroam_main"], // SSIDs that support eduroam, default: "eduroam"
"operator_name": "1dartmouth.edu", // Operator name as Radius attribute while proxying
"auth_servers": [
{
"host": "1.2.3.4",
"port": 1812,
"secret": "testing123",
"require_message_authenticator": true, // default is false
},
{
"host": "radius.internal",
"port": 1812,
"secret": "testing123",
"timeout": 3, // seconds. default is 5
"retries": 1, // default is 2
}
],
"acct_servers": [
{
"host": "1.2.3.4",
"port": 1812,
"secret": "testing123",
}
]
},
// if idp_type = openroaming
"openroaming": {
// SSIDs that support OpenRoaming
"ssids": ["ssid_name1", "ssid_name2"],
// Optional WBA-issued certificate. If not provided, the default WBA-issued certificate for Juniper will be used.
"wba_cert": "-----BEGIN CERTIFICATE-----\nMIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE\n-----END CERTIFICATE-----"
},
// common
"ignore_unmatched_roles": false,
"default_role": null,
}
| Name | Type | Description |
|---|---|---|
name |
string |
name |
issuer |
string |
IDP issuer URL |
idp_cert |
string |
IDP Cert (used to verify the signed response) |
idp_sso_url |
string |
IDP Single-Sign-On URL |
idp_sign_algo |
string |
signing algorithm for SAML Assertion |
nameid_format |
string |
email (default) / unspecified |
ignore_unmatched_roles |
boolean |
ignore any unmatched roles provided in assertion. By default, an assertion is treated as invalid for any unmatched role |
default_role |
string |
default role to assign if there’s no match. By default, an assertion is treated as invalid when there’s no role matched |
role_attr_from |
string |
optional, name of the attribute in SAML Assertion to extract role from (defaults to Role) |
role_attr_extraction |
string |
optional, user defined role parsing scheme. See Supported Role Parsing Schemes |
custom_logout_url |
string |
optional, a URL we will redirect the user after user logout from Mist (for some IdP which supports a custom logout URL that is different from SP-initiated SLO process) |
| Name | Scheme |
|---|---|
cn |
- The expected role attribute format in SAML Assertion is “CN=cn,OU=ou1,OU=ou2,…” - CN (the key) is case insensitive and exactly 1 CN is expected (or the entire entry will be ignored) E.g. if role attribute is “CN=cn,OU=ou1,OU=ou2” then parsed role value is “cn” |
GET /api/v1/orgs/:org_id/ssos
[
{
"name": "onelogin",
"issuer": "https://app.onelogin.com/saml/metadata/138130"
"idp_cert": "-----BEGIN CERTIFICATE-----\nMIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE\n-----END CERTIFICATE-----",
"idp_sign_algo": "sha256",
"idp_sso_url": "https://yourorg.onelogin.com/trust/saml2/http-post/sso/138130"
}
]
PUT /api/v1/orgs/:org_id/ssos/:sso_id
DELETE /api/v1/orgs/:org_id/ssos/:sso_id
GET /api/v1/orgs/:org_id/ssos/:sso_id/metadata
{
// if idp_type = saml (default)
"entity_id": "https://api.mist.com/api/v1/saml/llDfa13f/login",
"acs_url": "https://api.mist.com/api/v1/saml/llDfa13f/login",
"logout_url": "https://api.mist.com/api/v1/saml/llDfa13f/logout",
"metadata_xml": "<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://api.mist.com/api/v1/saml/llDfa13f/login" validUntil="2027-10-12T21:59:01Z" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://api.mist.com/api/v1/saml/llDfa13f/login" index="0" isDefault="true"/></md:SPSSODescriptor></md:EntityDescriptor>"
// if idp_type = oauth and scim_enabled
"scim_base_url": "https://scim.nac-staging.mistsys.com/S_41b2525a-e8b8-4809-8168-f1d8dcbe9735/azure/4d72b1dc-7503-4717-81ea-80d0125b886e"
}
GET /api/v1/orgs/:org_id/ssos/:sso_id/metadata.xml
<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://api.mist.com/api/v1/saml/5hdF5g/login" validUntil="2027-10-12T21:59:01Z" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://api.mist.com/api/v1/saml/5hdF5g/logout" />
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://api.mist.com/api/v1/saml/5hdF5g/login" index="0" isDefault="true"/>
<md:AttributeConsumingService index="0">
<md:ServiceName xml:lang="en-US">Mist</md:ServiceName>
<md:RequestedAttribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="true"/>
<md:RequestedAttribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false"/>
<md:RequestedAttribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
</md:EntityDescriptor>
GET /api/v1/orgs/:org_id/ssos/:sso_id/failures
{
"results": [
{
"timestamp": 1431382121,
"detail": "Role attribute missing",
"saml_assertion_xml": "<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:nam..."
}
]
}
POST /api/v1/orgs/:org_id/ssoroles
{
"name": "NOC",
"privileges": [
{ "scope":"org", "role": "admin", "view": "reporting" },
{ "scope":"site", "site_id": "d96e3952-53e8-4266-959a-45acd55f5114", "role": "admin", "view": "reporting" },
{ "scope":"sitegroup", "sitegroup_id": "581328b6-e382-f54e-c9dc-999983183a34", "role": "admin", "view": "reporting" }
]
}
| Name | Type | Description |
|---|---|---|
name |
string |
name that would match the Role from SSO Login. Unique per Org, maximum length is 32 |
privileges |
list |
list of privileges |
scope |
string |
site / org / sitegroup |
role |
string |
admin / write / read / helpdesk / installer |
view |
string |
optional, see supported UI views |
PUT /api/v1/orgs/:org_id/ssoroles/:ssorole_id
{
"name": "NOC",
"privileges": [
{ "scope":"site", "site_id": "d96e3952-53e8-4266-959a-45acd55f5114", "role": "write", "view": "location" },
{ "scope":"site", "site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b", "role": "write", "view": "location" }
]
}
GET /api/v1/orgs/:org_id/ssoroles
DELETE /api/v1/orgs/:org_id/ssoroles/:ssorole_id
Subscriptions define how Org Alarms/Reports are delivered to whom
POST /api/v1/orgs/:org_id/subscriptions
DELETE /api/v1/orgs/:org_id/subscriptions
GET /api/v1/self/subscriptions
GET /api/v1/orgs/:org_id/devices/search?ip=10.2.16.205
| Name | Type | Description |
|---|---|---|
hostname |
string |
partial / full hostname |
site_id |
string |
site id |
model |
string |
device model |
mac |
string |
AP mac |
version |
string |
version |
ip |
string |
ip address |
exp_ip |
string |
External IP Address |
mxtunnel_status |
string |
MxTunnel status, up / down |
mxedge_id |
string |
Mist Edge id, if AP is connecting to a Mist Edge |
mxedge_ids |
list |
Mist Edge ids, if AP is connecting to a Mist Edge |
lldp_system_name |
string |
LLDP system name |
lldp_system_desc |
string |
LLDP system description |
lldp_port_id |
string |
LLDP port id |
lldp_mgmt_addr |
string |
LLDP management ip address |
lldp_power_allocated |
int |
LLDP Allocated Power |
lldp_power_draw |
int |
LLDP Negotiated Power |
band_24_bandwidth |
int |
Bandwidth of band_24 |
band_5_bandwidth |
int |
Bandwidth of band_5 |
band_6_bandwidth |
int |
Bandwidth of band_6 |
band_24_channel |
int |
Channel of band_24 |
band_5_channel |
int |
Channel of band_5 |
band_6_channel |
int |
Channel of band_6 |
band_24_power |
int |
Power of band_24 |
band_5_power |
int |
Power of band_5 |
band_6_power |
int |
Power of band_6 |
eth0_port_speed |
int |
Port speed of eth0 |
power_constrained |
boolean |
if device is in Power Constrained mode |
{
"results": [
{
"mac": "5c5b353e5299",
"model": "AP41",
"sku": "AP41-US",
"ip": "10.2.16.205",
"version": "0.7.20216",
"uptime": 85280,
"org_id": "6748cfa6-4e12-11e6-9188-0242ac110007",
"site_id": "a8178443-ecb5-461c-b854-f16627619ab3",
"mxedge_id": "00000000-0000-0000-1000-43a81f238391",
"mxedge_ids": [
"00000000-0000-0000-1000-43a81f238391"
],
"mxtunnel_status": "down",
"hostname": [
"AP41-STB-3E5299-WH-2001",
"AP41-STB-3E5299-WH-50",
"AP41-STB-3E5299",
"5c5b353e5299"
],
"lldp_port_desc": "GigabitEthernet1/0/1",
"lldp_mgmt_addr": "10.2.10.139",
"lldp_system_desc": "Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 15.2(1)E1, RELEASE SOFTWARE (fc2)\nTechnical Support: http://www.cisco.com/techsupport\nCopyright (c) 1986-2013 by Cisco Systems, Inc.\nCompiled Fri 22-Nov-13 07:10 by prod_rel_team",
"lldp_system_name": "ME-DC-1-ACC-SW",
"lldp_port_id": "Gi1/0/1",
"lldp_power_draw": 19500,
"lldp_power_allocated": 19500,
"band_24_power": 18,
"band_24_channel": 6,
"band_6_power": 10,
"band_6_channel": 5,
"band_5_power": 17,
"band_5_channel": 44,
"eth0_port_speed": 1000,
"ext_ip": "125.228.68.139",
"timestamp": 1596588619.007,
"power_constrained": false
}
]
}
| Name | Type | Description |
|---|---|---|
type |
string |
Required. switch, gateway (default is ap) |
hostname |
string |
partial / full hostname |
site_id |
string |
site id |
model |
string |
device model |
mac |
string |
device mac |
version |
string |
version |
ip |
string |
ip address |
last_hostname |
string |
last hostname |
cpu |
string |
max cpu usage |
node |
string |
node0 / node1 |
node0_mac |
string |
mac for node0 |
node1_mac |
string |
mac for node1 |
ext_ip |
string |
external ip |
clustered |
string |
true / false |
t128agent_version |
string |
version of 128T agent |
evpntopo_id |
string |
EVPN topology id |
last_config_status |
string |
last configuration status of the switch/gateway |
radius_stats |
object |
Key-value pairs where the key is the RADIUS server address and the value contains authentication statistics |
| Name | Type | Description |
|---|---|---|
<server_address> |
string |
IP address of the RADIUS server as the key |
auth_accepts |
long |
Number of accepted authentication requests |
auth_rejects |
long |
Number of rejected authentication requests |
auth_timeouts |
long |
Number of authentication timeouts |
auth_server_status |
string |
Status of the server. Possible values: “up”, “down”, “unreachable” |
{
"results": [
{
"ip": "192.168.86.22",
"type": "switch",
"version": "21.4R1.12",
"mac": "3c8c939485ad",
"uptime": 2380356,
"ext_ip": "0.0.0.0",
"hostname": [
"3c8c939485ad",
"ludi-ex2300"
],
"timestamp": 1661273225.321,
"org_id": "6748cfa6-4e12-11e6-9188-0242ac110007",
"num_members": 1,
"site_id": "8721e817-96ee-4e34-b6b6-a80cc01642a6",
"model": "ex2300-c-12p",
"last_hostname": "3c8c939485ad"
"last_config_status": "success",
"radius_stats": {
"192.168.1.10": {
"auth_accepts": 120,
"auth_rejects": 5,
"auth_timeouts": 0,
"auth_server_status": "up"
},
"192.168.1.11": {
"auth_accepts": 110,
"auth_rejects": 15,
"auth_timeouts": 2,
"auth_server_status": "unreachable"
}
}
}
]
}
GET /api/v1/orgs/:org_id/devices/count?distinct=model
{
"end": 1545874660.211871,
"distinct": "model",
"results": [
{
"count": 22,
"model": "AP41-US"
}
],
"start": 1545788260.21184,
"limit": 10,
"total": 1
}
GET /api/v1/orgs/:org_id/devices/events/search?ip=10.2.10.22
| Name | Type | Description |
|---|---|---|
org_id |
string |
org id |
site_id |
string |
site id |
ap |
string |
AP mac |
apfw |
string |
AP Firmware |
model |
string |
device model |
text |
string |
event message |
timestamp |
string |
event time |
type |
string |
See Supported Events Type (E.g. CLIENT_DNS_OK) |
includes |
string |
Optional. Keyword to include events from additional indices (e.g. ext_tunnel for prisma events) |
GET /api/v1/const/device_events
| Name |
|---|
AP_CONFIG_CHANGED_BY_RRM |
AP_CONFIG_CHANGED_BY_USER |
AP_CONFIGURED |
AP_RECONFIGURED |
AP_RESTART_BY_USER |
AP_RESTARTED |
AP_RRM_ACTION |
CLIENT_DNS_OK |
MARVIS_DNS_FAILURE |
... |
{
"results": [
{
"org_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862a",
"site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"ap": "5c5b351e13b5",
"apfw": "5c5b351e13b5",
"model": "BT11-WW",
"text": """Succeeding DNS query from 172.29.101.134 to 172.29.101.7 for "portal.mistsys.com" on vlan 1, id 60224""",
"timestamp": 1547235620.89,
"type": "CLIENT_DNS_OK"
},
...
]
}
Return last/recent event for passed in field
GET /api/v1/orgs/:org_id/devices/events/search?last_by=type
{
"results": [
{
"timestamp": 1685566764.144,
"org_id": "98272e44-d31d-4e9a-b52d-18ae2183446e",
"site_id": "b60a57e3-dd74-4da3-af12-02987a141665",
"port_id": "xe-2/2/2",
"type": "SW_PORT_UP",
"model": "EX4300-48MP",
"device_type": "switch",
"text": "SNMP_TRAP_LINK_UP: ifIndex 894, ifAdminStatus up(1), ifOperStatus up(1), ifName xe-2/2/2",
"version": "21.4R3-S3.4",
"mac": "c042d0f52a00"
},
{
"timestamp": 1685566645.128,
"org_id": "98272e44-d31d-4e9a-b52d-18ae2183446e",
"site_id": "b60a57e3-dd74-4da3-af12-02987a141665",
"type": "SW_VC_MEMBER_ADDED",
"model": "EX4300-48MP",
"device_type": "switch",
"text": "CHASSISD_VCHASSIS_MEMBER_OP_NOTICE: Member change: vc add of member 2",
"version": "21.4R3-S3.4",
"mac": "c042d0f52a00"
}
],
"total": 234266
}
Return last/recent event for passed in field
GET /api/v1/orgs/:org_id/devices/events/search?includes=ext_tunnel&last_by=type
{
"results": [
{
"timestamp": 1531855800.128,
"org_id": "98272e44-d31d-4e9a-b52d-18ae2183446e",
"site_id": "b60a57e3-dd74-4da3-af12-02987a141665",
"type": "SW_VC_MEMBER_ADDED",
"model": "EX4300-48MP",
"device_type": "switch",
"text": "CHASSISD_VCHASSIS_MEMBER_OP_NOTICE: Member change: vc add of member 2",
"version": "21.4R3-S3.4",
"mac": "c042d0f52a00"
},
{
"tunnel_name": "Prisma-Tunnel-II",
"type": "PRISMA_RN_SECONDARY_WAN_TUNNEL_UP",
"text": "Remote Network Site RN_SITE_1 SECONDARY WAN Tunnel Stage-Tunnel2 is down",
"timestamp": 1531856649,
"ext_tunnel_site": "RN_SITE_1",
"ext_tunnel_name": "Stage-Tunnel2",
"ext_tunnel_event_id": b1b1ccdd-4444-4a2d-a81d-8888bc8f6fa1",
"ext_tunnel_debug_url": "https://stratacloudmanager.paloaltonetworks.com/incidents-alerts/logviewer?logType=log.system&query=Event%25C2%25A0Component%20=%20%27RN_SITE_1%27%20OR%20Event%25C2%25A0Component%20=%20%27Stage-Tunnel2%27%20&timePreset=custom&startTime=1745977906000&endTime=1745980306000&queryMode=lq",
"site_id: "f1e17c67-8e42-4a2d-a81d-98ddbc8f6fa1",
"org_id: "f3045b5a-f2ea-445e-b923-5bbb5a670c35",
"device_type: "gateway",
"mac: "00c52c3cfaa4",
"port_id: "reth2.0",
"ext_tunnel_provider": "prisma"
},
{
"tunnel_name": "Prisma-Tunnel-II",
"type": "PRISMA_RN_SECONDARY_WAN_TUNNEL_DOWN",
"text": "Remote Network Site RN_SITE_1 SECONDARY WAN Tunnel Stage-Tunnel2 is down",
"timestamp": 1531855849,
"ext_tunnel_site": "RN_SITE_1",
"ext_tunnel_name": "Stage-Tunnel2",
"ext_tunnel_event_id": b1b1ccdd-4444-4a2d-a81d-8888bc8f6fa1",
"ext_tunnel_debug_url": "https://stratacloudmanager.paloaltonetworks.com/incidents-alerts/logviewer?logType=log.system&query=Event%25C2%25A0Component%20=%20%27RN_SITE_1%27%20OR%20Event%25C2%25A0Component%20=%20%27Stage-Tunnel2%27%20&timePreset=custom&startTime=1745977906000&endTime=1745980306000&queryMode=lq",
"site_id: "f1e17c67-8e42-4a2d-a81d-98ddbc8f6fa1",
"org_id: "f3045b5a-f2ea-445e-b923-5bbb5a670c35",
"device_type: "gateway",
"mac: "00c52c3cfaa4",
"port_id: "reth2.0",
"ext_tunnel_provider": "prisma"
}
],
"total": 234266
}
GET /api/v1/orgs/:org_id/devices/events/count?distinct=model
{
"end": 1545874660.211871,
"distinct": "model",
"results": [
{
"count": 22,
"model": "AP41-US"
}
],
"start": 1545788260.21184,
"limit": 10,
"total": 1
}
GET /api/v1/orgs/:org_id/devices/events/count?includes=ext_tunnel&distinct=type
{
"distinct": "type",
"results": [
{
"count": 1,
"type": "PRISMA_RN_PRIMARY_WAN_TUNNEL_UP"
},
{
"count": 1,
"type": "PRISMA_RN_PRIMARY_WAN_TUNNEL_DOWN"
},
{
"count": 2,
"type": "PRISMA_RN_SECONDARY_WAN_BGP_DOWN"
},
{
"count": 1,
"type": "PRISMA_RN_SECONDARY_WAN_BGP_UP"
}
],
"start": 1531776183.0,
"end": 1531862583.0,
"limit": 10,
"total": 4
}
GET /api/v1/orgs/:org_id/devices/last_config/search?device_type=ap&mac=5c5b350e0001&start=1531776183&end=1531862583&limit=10
| Name | Type | Description |
|---|---|---|
device_type |
string |
ap (default) / switch / gateway / mxedge |
see (Search Device Config History)[Site#search-device-config-history]
Counts the number of entries in device config history for distinct field with given filters
GET /api/v1/orgs/:org_id/devices/last_config/count?device-type=ap&distinct=mac&start=1531776183&end=1531862583&limit=10
GET /api/v1/orgs/:org_id/clients/search?hostname=john&limit=10
| Name | Type | Description |
|---|---|---|
mac |
string |
partial / full MAC address |
hostname |
string |
partial / full hostname |
device |
string |
device type, e.g. Mac, Nvidia, iPhone |
os |
string |
os, e.g. Sierra, Yosemite, Windows 10 |
model |
string |
model, e.g. “MBP 15 late 2013”, 6, 6s, “8+ GSM” |
ap |
string |
AP mac where the client has connected to |
ssid |
string |
SSID |
vlan |
string |
vlan |
psk_id |
string |
PSK ID |
psk_name |
string |
PSK name |
ip |
string |
ip address |
text |
string |
partial / full MAC address, hostname, username, psk_name or ip |
{
"results": [
{
"hostname": [
"jerry"
],
"ap": [
"5c5b350e0492",
"5c5b350eb39d",
"5c5b350e03c0"
],
"ip": [
"192.168.5.43",
"192.168.20.125"
],
"vlan": [
1
],
"mac": "60f81dd250cc",
"device": [
"Mac"
],
"os": [
"Sierra",
"High Sierra"
],
"model": [
"",
"MBP 15\" late 2013"
],
"ssid": [
"Guest"
],
"psk_id": [
"9d31efe6-e205-47eb-9f1d-dd66d8ef66bd"
],
"psk_name": [
"test key"
],
}
...
]
}
GET /api/v1/orgs/:org_id/clients/count?distinct=hostname
| Name | Type | Description |
|---|---|---|
distinct |
string |
ssid, ap, ip, vlan, hostname, os, model, device, default is device |
NOTE: the filters from /clients/search can also be used. E.g. /clients/count?device=iphone&distinct=os
GET /api/v1/orgs/:org_id/clients/events/search
| Name | Type | Description |
|---|---|---|
type |
string |
event type, e.g. MARVIS_EVENT_CLIENT_FBT_FAILURE |
reason_code |
int |
for assoc/disassoc events |
ssid |
string |
SSID |
ap |
string |
AP MAC |
proto |
string |
b / g / n / a / ac |
band |
string |
5 / 24 |
wlan_id |
string |
wlan_id |
nacrule_id |
string |
nacrule_id |
key_mgmt |
string |
Authentication key management, E.g. “WPA2-PSK/CCMP”, “WPA3-EAP-SHA256/CCMP”, “WPA3-EAP-FT/GCMP256” |
{
"start": 1512572151,
"end": 1513176951,
"limit": 10,
"total": 1,
"results": [
{
"ap": "5c5b350eb31b",
"ssid": "Guest",
"bssid": "5c5b350918f1",
"proto": "ac",
"timestamp": 1513358874.667,
"band": "5",
"type_code": 15,
"type": "CLIENT_DNS_OK",
"text": "Status code 0 \"Successful\" ",
"channel": 149,
"key_mgmt": "WPA2-EAP-FT/CCMP",
"wlan_id": "be22bba7-8e22-e1cf-5185-b880816fe2cf"
}
]
}
GET /api/v1/orgs/:org_id/clients/events/count?distinct=type
| Name | Type | Description |
|---|---|---|
distinct |
string |
type / proto / band / channel / wlan_id / ssid |
NOTE: the filters from /clients/:mac/events can also be used. E.g. /clients/events/count?distinct=device&ssid=Guest
{
"start": 1513276353,
"end": 1513362753,
"limit": 3,
"total": 3,
"results": [
{
"count": 580,
"type": "CLIENT_AUTHENTICATED"
},
{
"count": 536,
"type": "CLIENT_GW_ARP_OK"
},
{
"count": 519,
"type": "CLIENT_ASSOCIATION"
}
]
}
GET /api/v1/orgs/:org_id/clients/sessions/search
| Name | Type | Description |
|---|---|---|
ap |
string |
AP MAC |
band |
string |
5 / 24 |
client_family |
string |
E.g. “Mac”, “iPhone”, “Apple watch” |
client_manufacture |
string |
E.g. “Apple” |
client_model |
string |
E.g. “8+”, “XS” |
client_os |
string |
E.g. “Mojave”, “Windows 10”, “Linux” |
ssid |
string |
SSID |
wlan_id |
string |
wlan_id |
psk_id |
string |
PSK ID |
psk_name |
string |
PSK name |
{
"start": 1511967600,
"end": 1513177200,
"limit": 10,
"total": 100,
"results": [
{
"ap": "5c5b350e0262",
"disconnect": 1565208448.662,
"ssid": "Dummy WLAN 2",
"tags": [
"disassociate"
],
"org_id": "3139f2c2-fac6-11e5-8156-0242ac110006",
"site_id": "70e0f468-fc13-11e5-85ad-0242ac110008",
"mac": "b019c66c8348",
"connect": 1565208388.568,
"band": "5",
"timestamp": 1565208448.662,
"duration": 60.09423865,
"client_manufacture": "Apple",
"wlan_id": "99bb4c74-f954-4f36-b844-6b030faffabc",
"psk_id": "8a4a134b-210a-4908-a6be-105dca78e226",
"psk_name": "test key"
},
...
]
}
GET /api/v1/orgs/:org_id/clients/sessions/count
In addition to the filters that you can have in the search
| Name | Type | Description |
|---|---|---|
distinct |
string |
ssid, wlan_id, ap, mac, client_family, client_manufacture, client_model, client_os, site_id, default is mac |
NOTE: the filters from /clients/sessions/search can also be used. (E.g. /clients/count?distinct=client_manufacture)
{
"start": 1511967600,
"end": 1513177200,
"limit": 100,
"distinct": "client_manufacture",
"total": 20,
"results": [
{
"count": 217,
"client_manufacture": "Apple"
},
{
"count": 35,
"client_manufacture": "Intel Corporate"
},
...
]
}
GET /api/v1/orgs/:org_id/guests
[
{
"mac": "5684dae9ac8b",
"authorized": true,
"authorized_time": 1480704355,
"authorized_expiring_time": 1480704955,
"name": "John Smith",
"email": "john@abc.com",
"company": "abc",
"field1": "xxx",
"wlan_id": "6748cfa6-4e12-11e6-9188-0242ac110007",
"ssid": "SSID"
}
]
| Name | Type | Description |
|---|---|---|
mac |
string |
mac |
authorized |
boolean |
whether the guest is current authorized |
authorized_time |
long |
when the guest was authorized |
authorized_expiring_time |
long |
when the authorization would expire |
name |
string |
optional, the info provided by user |
email |
string |
optional, the info provided by user |
company |
string |
optional, the info provided by user |
field1 |
string |
optional, the info provided by user |
wlan_id |
string |
wlan_id |
ssid |
string |
ssid |
GET /api/v1/orgs/:org_id/guests/:guest_mac
[
{
"mac": "5684dae9ac8b",
"authorized": true,
"authorized_time": 1480704355,
"authorized_expiring_time": 1480704955,
"name": "John Smith",
"email": "john@abc.com",
"company": "abc",
"field1": "xxx",
"wlan_id": "6748cfa6-4e12-11e6-9188-0242ac110007",
"ssid": "SSID"
}
]
| Name | Type | Description |
|---|---|---|
mac |
string |
mac |
authorized |
boolean |
whether the guest is current authorized |
authorized_time |
long |
when the guest was authorized |
authorized_expiring_time |
long |
when the authorization would expire |
name |
string |
optional, the info provided by user |
email |
string |
optional, the info provided by user |
company |
string |
optional, the info provided by user |
field1 |
string |
optional, the info provided by user |
wlan_id |
string |
wlan_id |
PUT /api/v1/orgs/:org_id/guests/:guest_mac
{
"name": "guest1",
"email": "guest1@email.com",
"company":"companyXYZ",
"minutes": 60,
"field1": "value1",
"wlan_id": "6748cfa6-4e12-11e6-9188-0242ac110007"
......
}
| Name | Type | Description |
|---|---|---|
minutes |
int |
minutes, the maximum is 259200 (180 days) |
wlan_id |
string |
wlan_id which has cross_site enabled in portal settings |
DELETE /api/v1/orgs/:org_id/guests/:guest_mac
GET /api/v1/orgs/:org_id/guests/search?wlan_id=88ffe630-95b8-11e8-b294-346895ed1b7d&limit=2
{
"end": 1531862583.0,
"results": [
{
"ssid": "openNet",
"timestamp": 1531782218,
"company": "mistsystems",
"auth_method": "passphrase",
"ap": "5c5b350e0001",
"authorized_expiring_time": 1531810258.186273,
"authorized_time": 1531782218,
"email": "user@mistsys.com",
"name": "john"
},
{
"ssid": "openNet",
"timestamp": 1531782632,
"company": "xyz inc.",
"auth_method": "facebook",
"ap": "5c5b350e0001",
"authorized_expiring_time": 1531810821.145,
"authorized_time": 1531782632,
"email": "cool_user@yahoo.com",
"name": "John White"
}
],
"next": "/api/v1/orgs/8aaba0aa-09cc-44bd-9709-33b98040550c/guests/search?wlan_id=88ffe630-95b8-11e8-b294-346895ed1b7d&end=1531855849.000&limit=2&start=1531776183.0",
"start": 1531776183.0,
"limit": 2,
"total": 14
}
GET /api/v1/orgs/:org_id/guests/count?distinct=auth_method
{
"end": 1531862583.0,
"results": [
{
"auth_method": "passphrase",
"count": 2
},
{
"auth_method": "facebook",
"count": 4
}
],
"start": 1531776183.0,
"total": 2
}
GET /api/v1/orgs/:org_id/skyatp/events/count?distinct=type
| Name | Type | Description |
|---|---|---|
distinct |
string |
type, mac, device_mac, threat_level, default is type |
{
"start": 1511967600,
"end": 1513177200,
"limit": 10,
"distinct": "type",
"total": 2,
"results": [
{
"type": "mw",
"count": 6
},
{
"device": "fs",
"count": 3
}
]
}
GET /api/v1/orgs/:org_id/skyatp/events/search
| Name | Type | Description |
|---|---|---|
type |
string |
event type, e.g. cc, fs, mw |
mac |
string |
client MAC |
device_mac |
string |
device MAC |
threat_level |
int |
threat level |
ip |
string |
client ip |
{
"start": 1512572151,
"end": 1513176951,
"limit": 10,
"total": 1,
"results": [
{
"mac": "b019c66c8348",
"threat_level": 7,
"device_mac": "658279bb1fa4",
"timestamp": 1592524478,
"org_id": "3139f2c2-fac6-11e5-8156-0242ac110006",
"site_id": "70e0f468-fc13-11e5-85ad-0242ac110008",
"type": "cc",
"ip": "172.16.0.11"
}
]
}
GET /api/v1/orgs/:org_id/sites/search?honeypot_enabled=true
| Name | Type | Description |
|---|---|---|
id |
string |
site id |
name |
string |
site name |
country_code |
string |
site country code |
wifi_enabled |
boolean |
if WIFI feature is enabled |
locate_unconnected |
boolean |
if unconnected clients are located |
mesh_enabled |
boolean |
if Mesh feature is enabled |
rtsa_enabled |
boolean |
if managed mobility feature is enabled |
asset_enabled |
boolean |
if Asset Tracking is enabled |
app_waking |
boolean |
if App Waking feature is enabled |
vna_enabled |
boolean |
if Virtual Network Assistant is enabled |
analytic_enabled |
boolean |
if Advanced Analytic feature is enabled |
auto_upgrade_enabled |
boolean |
if Auto Upgrade feature is enabled |
auto_upgrade_version |
string |
Auto Upgrade version |
rogue_enabled |
boolean |
if Rogue detection is enabled |
honeypot_enabled |
boolean |
if Honeypot detection is enabled |
remote_syslog_enabled |
boolean |
if Remote Syslog is enabled |
{
"results": [
{
"rogue_enabled": true,
"honeypot_enabled": true,
"mesh_enabled": true,
"locate_unconnected": true,
"wifi_enabled": true,
"timezone": "America/Los_Angeles",
"country_code": "US",
"created_time": 1670284377.225059,
"modified_time": 1687888493.799605,
"org_id": "3139f2c2-fac6-11e5-8156-0242ac110006",
"name": "Mist Site",
"id": "70e0f468-fc13-11e5-85ad-0242ac110008",
"auto_upgrade_version": "stable",
"auto_upgrade_enabled": true,
"analytic_enabled": true
}
],
"limit": 10,
"total": 1
}
GET /api/v1/orgs/:org_id/sites/count?distinct=country_code
| Name | Type | Description |
|---|---|---|
distinct |
string |
all supported filters, default is id |
{
"results": [
{
"country_code": "US",
"count": 15
},
{
"country_code": "IN",
"count": 2
},
{
"country_code": "SE",
"count": 1
}
],
"distinct": "country_code",
"limit": 10,
"total": 3
}
GET /api/v1/orgs/:org_id/stats/ports/search
see Site:Search Switch / Gateway Ports for API request & response details.
GET /api/v1/orgs/:org_id/stats/ports/count
see Site:Count by Distinct Attributes of Switch Ports for API request & response details.
Security Policy is designed to audit / catch discripancies between “what’s intended to be running” versus “what’s actually running” in a network. Many big organizations have separated Security and IT team (for good reasons). Each site can be assigned a security policy. Whenever an AP is provisioned, the configuration will be checked against the security policy. Any violations will be flagged in Device Config History where you can search for the when and where the violation occurs.
/api/v1/orgs/:org_id/secpolicies
{
"name": "corporate only",
"wlans": [
{
"ssid": "office",
"band": "both",
"auth": {
"type": "psk",
"pairwise": ["wpa1-tkip", "wpa2-tkip"]
}
},
{
"ssid": "office-guest",
"band": "5",
"auth": {
"type": "open"
}
}
]
}
Alarms are triggered based on certain events. Alarms could be configured using an Alarm Template.
An Alarm Template is a set of Alarm Rules that could be applied to one or more sites (while each site can only pick one Alarm Template), or to the whole org.
/api/v1/orgs/:org_id/alarmtemplates
POST /api/v1/orgs/:org_id/alarmtemplates
{
"name": "Global",
"delivery": {
"enabled": false,
"to_org_admins": true,
"to_site_admins": true,
"additional_emails": []
},
"rules": {
"switch_down": { // here switch_down is an <alarm-key>
"enabled": true,
},
"device_down": {
"enabled": true,
// optional, if different from that in the template
"delivery": {
"enabled": false,
"to_org_admins": true,
"to_site_admins": true,
"additional_emails": []
}
}
}
}
| Name | Type | Description |
|---|---|---|
org_id |
string | path |
name |
string | body |
delivery |
object | body |
rules |
object | body |
delivery| Name | Type | Description |
|---|---|---|
enabled |
boolean | body |
to_org_admins |
boolean | body |
to_site_admins |
boolean | body |
additional_emails |
list | body |
rules| Name | Type | Description |
|---|---|---|
<alarm key> |
object | body |
| etc.) | ||
enabled |
boolean | body |
delivery |
object | body |
than the Alarm Template level delivery object) |
Status: 200 OK
{
"id": "684dfc5c-fe77-2290-eb1d-ef3d677fe168",
"name": "Global",
"delivery": {
"enabled": false,
"to_org_admins": true,
"to_site_admins": true,
"additional_emails": []
},
"rules": {
"switch_down": {
"enabled": true,
},
"device_down": {
"enabled": true,
// optional, if different from that in the template
"delivery": {
"enabled": false,
"to_org_admins": true,
"to_site_admins": true,
"additional_emails": []
}
}
}
}
| Name | Type | Description |
|---|---|---|
id |
string | UUID of the Alarm Template |
Note: Rest of the fields are same as defined in the API request Org:Alarm Template:Create Alarm Template:Response:Body.
GET /api/v1/orgs/:org_id/alarmtemplates
| Name | Type | Description |
|---|---|---|
org_id |
string | path |
Status: 200 OK
List of Alarm Templates
GET /api/v1/orgs/:org_id/alarmtemplates/:alarmtemplate_id
| Name | Type | Description |
|---|---|---|
org_id |
string | path |
alarmtemplate_id |
string | path |
Status: 200 OK
See Org:Alarm Template:Create Alarm Template:Response:Body
PUT /api/v1/orgs/:org_id/alarmtemplates/:alarmtemplate_id
See Org:Alarm Template:Create Alarm Template:Body
| Name | Type | Description |
|---|---|---|
org_id |
string | path |
alarmtemplate_id |
string | path |
Status: 200 OK
See Org:Alarm Template:Create Alarm Template:Response:Body
DELETE /api/v1/orgs/:org_id/alarmtemplates/:alarmtemplate_id
| Name | Type | Description |
|---|---|---|
org_id |
string | path |
alarmtemplate_id |
string | path |
Status: 200 OK
Get brief definitions of all the supported alarm types. The example field contains an example payload as you would recieve in the alarm webhook output.
GET /api/v1/const/alarm_defs
[
{
"key": "device_down",
"display": "Device offline",
"group": "infrastructure",
"severity": "warn",
"example": {
"severity": "warn",
"timestamp": 1629753888,
"last_seen": 1629753888,
"aps": [
"d420b02000fa"
],
"org_id": "09dac91f-6e73-4100-89f7-698e0fafbb1b",
"site_id": "dcfb31a1-d615-4361-8c95-b9dde05aa704",
"count": 1,
"hostnames": [
"Vendor_AP2"
],
"id": "f70c308f-7007-4866-9ecd-0d01842979ea",
"type": "device_down",
"group": "infrastructure"
},
"fields": [
"aps",
"hostnames"
]
},
...
]
| Name | Type | Description |
|---|---|---|
key |
string |
Key name of an alarm type |
display |
string |
Description of the alarm type |
group |
string |
Group to which the alarm belongs |
marvis_suggestion_category |
string |
Marvis defined category to which the alarm belongs |
severity |
string |
Severity of the alarm |
fields |
list |
(optional)List of fields available in an alarm details payload (in REST APIs & Webhooks); e.g. aps, switches, gateways, hostnames, ssids, bssids etc; see Site:Get Alarms:Additional Information for more details |
In certain situations, for example, scheduled maintenance, you may want to suspend alarms to be triggered against Sites for a period of time.
POST /api/v1/orgs/:org_id/alarmtemplates/suppress
{
"duration": 3600, // 0 is to un-suppress alarms
"scheduled_time": 1678232980,
"scope": "site", // default is site
"applies": {
"org_id": "2818e386-8dec-2562-9ede-5b8a0fbbdc71",
"sitegroup_ids": [ "581328b6-e382-f54e-c9dc-999983183a34", "f57096b9-0c2f-4df6-c77b-ae6ae87a3d43" ],
"site_ids": [ "4ac1dcf4-9d8b-7211-65c4-057819f0862b" ]
}
}
// to suppress org alarms
{
"duration": 3600, // 0 is to un-suppress alarms
"scheduled_time": 1678232980,
"scope": "org"
}
| Name | Type | Description |
|---|---|---|
duration |
int | duration, in seconds. Default is 3600. Maximum duration is 86400 * 180 (180 days). 0 is to un-suppress alarms. |
scheduled_time |
int | epoch_time in seconds, Default as now, accepted time range is from now to now + 7 days. |
scope |
string | level of scope, either org or site, default is site. |
applies |
object | Object defines the scope (within the org e.g. whole org, and/or some site-groups, and/or some sites) for which the alarm service has to be suppressed for some duration |
org_id |
string | UUID of the current org (if provided, the alarms will be suppressed at org level) |
sitegroups_ids |
string | List of UUID of the site groups within the org (if provided, the alarms will be suppressed for all the sites under those site groups) |
site_ids |
string | List of UUID of the sites within the org (if provided, the alarms will be suppressed for all the mentioned sites under the org) |
GET /api/v1/orgs/:org_id/alarmtemplates/suppress?scope=site
| Name | Type | Description |
|---|---|---|
scope |
string |
scope org/site; returns both scopes if not specified. |
{
"results": [
{
"site_id": "581328b6-e382-f54e-c9dc-9c998d183a34",
"expire_time": 1678233080,
"scheduled_time": 1678232900,
"duration": 48, // remaining duration
"scope": "site",
},
{
"site_id": "581328b6-e382-f54e-c9dc-9c998d183a35",
"expire_time": 1678233080,
"scheduled_time": 1678232900,
"duration": 48, // remaining duration
"scope": "org",
}
]
}
| Name | Type | Description |
|---|---|---|
site_id |
string | site_id |
duration |
int | remaining_duration, in seconds. |
DELETE /api/v1/orgs/:org_id/alarmtemplates/suppress
Acknowledge an alarm within an org.
POST /api/v1/orgs/:org_id/alarms/:alarm_id/ack
see Site:Ack An alarm for API request & response details.
Unacknowledge an alarm within an org.
POST /api/v1/orgs/:org_id/alarms/:alarm_id/unack
see Site:Unack An alarm for API request & response details.
Acknowledge multiple alarms at once within an org.
POST /api/v1/orgs/:org_id/alarms/ack
see Site:Ack mutiple alarms for API request & response details.
Unacknowledge multiple alarms at once within an org.
POST /api/v1/orgs/:org_id/alarms/unack
see Site:UnAck mutiple alarms for API request & response details.
Acknowledge all the alarms of an org.
POST /api/v1/orgs/:org_id/alarms/ack_all
see Site:Ack all alarms for API request & response details.
Unacknowledge all the alarms of an org.
POST /api/v1/orgs/:org_id/alarms/unack_all
see Site:Unack all alarms for API request & response details.
List or Search alarms within an org.
GET /api/v1/orgs/:org_id/alarms/search
see Site:Get Alarms for API request & response details.
Count alarms within an org.
GET /api/v1/orgs/:org_id/alarms/count
see Site:Count Alarms for API request & response details.
Mist Edge is a software component outside of Mist Cloud. Stay tuned for what it can do.
GET /api/v1/orgs/:org_id/mxedges
| Name | Type | Description |
|---|---|---|
for_site |
string |
true / false/ any (default false). Filter for site level mist edges |
[
{
"id": "95ddd29a-6a3c-929e-a431-51a5b09f36a6",
"name": "Guest",
"model": "ME-100",
"magic": "L-NpT5gi-ADR8WTFd4EiQPY3cP5WdSoD",
"tunterm_registered": true,
"mxagent_registered": true,
"mxedge_mgmt": {
"mist_password": "MIST_PASSWORD",
"root_password": "ROOT_PASSWORD",
"config_auto_revert": true, // default is false
},
"oob_ip_config": {
"type": "static", // dhcp (default) / static / disabled
"ip": "10.2.1.10",
"netmask": "255.255.255.0",
"gateway": "10.2.1.254",
"type6": "static", // autoconf (default) / dhcp / static / disabled
"ip6": "2601:1700:43c0:dc0:20c:29ff:fea7:93bc",
"netmask6": "/64",
"gateway6": "2601:1700:43c0:dc0::1",
// IPv4 ignored if type!=static
// IPv6 ignored if type6!=static
"dns": ["10.2.1.2", "2601:1700:43c0:dc0::2"], // default is ["8.8.8.8", "4.4.4.4" , "2001:4860:4860::8888", "2001:4860:4860::8844"]
},
"proxy": {
"url": "http://proxy.internal:8080/"
},
"tunterm_ip_config": {
"ip": "10.2.1.1", // VLAN ID 1
"netmask": "255.255.255.0",
"gateway": "10.2.1.254",
"ip6": "2001:1010:1010:1010::2", // VLAN ID 1
"netmask6": "/64",
"gateway6": "2001:1010:1010:1010::1",
},
"tunterm_other_ip_configs": {
"5": { // VLAN ID
"ip": "10.3.3.1",
"netmask": "255.255.255.0",
}
},
"tunterm_extra_routes": {
"11.0.0.0/8": {
"via": "10.3.3.1"
}
},
"tunterm_dhcpd_config": {
"enabled": false,
"servers": ["11.2.3.4"],
"2": {
"enabled": true,
"servers": ["11.2.3.44"],
}
},
"tunterm_port_config": {
// draft, not finalized
"separate_upstream_downstream": true,
"downstream_ports": ["3"],
"upstream_ports": [ "0", "1", "2" ],
"upstream_port_vlan_id": 30
},
// if custom vlan settings are desired
"tunterm_switch_config": {
"enabled": true,
"0": { // port0
"vlan_ids": [1, 3055],
"port_vlan_id": 1
}
},
// overwrite mxcluster or site settings when set
"tunterm_monitoring": [
{
"protocol": "ping", // arp / ping / tcp
"host": "10.2.8.15", // can be ip, ipv6, hostname
"timeout": 300, // 60 - 3600, default is 300
// when protocol==tcp
"port": 80,
// optional source for the monitoring check, vlan_id configured in tunterm_other_ip_configs
"src_vlan_id": 5
}
],
"ntp_servers": [],
"mxcluster_id": "572586b7-f97b-a22b-526c-8b97a3f609c4",
"tunterm_igmp_snooping_config": {
"enabled": true,
"vlan_ids": [2, 3, 5],
"querier": {
"query_interval": 125,
"max_response_time": 10,
"robustness": 2,
"version": 3,
"mtu": 1500
}
},
"tunterm_multicast_config": {
"mdns": {
"enabled": true,
"vlan_ids": [2, 3, 5]
},
"ssdp": {
"enabled": true,
"vlan_ids": [2, 3, 5]
}
}
}
]
| Name | Type | Description |
|---|---|---|
mxcluster_id |
string |
MxCluster this MxEdge belongs to |
oob_ip_config |
object |
ip configuration of the Mist Edge out-of-band management interface |
proxy |
object |
Proxy Configuration to talk to Mist |
tunterm_ip_config |
object |
ip configuration of the Mist Tunnel interface |
tunterm_other_ip_configs |
object |
ip configuration of the Mist Tunneled VLANs |
tunterm_extra_routes |
object |
extra routes for Mist Tunneled VLANs |
tunterm_dhcpd_config |
object |
DHCP server/relay configuration of Mist Tunneled VLANs |
services |
list |
list of services to run, tunterm only for now |
tunterm_port_config |
object |
ethernet port configurations |
separate_upstream_downstream |
boolean |
weather to separate upstream / downstream ports. default is false where all ports will be used. |
downstream_ports |
list |
list of ports to be used for downstream (to AP) purpose |
upstream_ports |
list |
list of ports to be used for upstrea purpose (to LAN) |
upstream_port_vlan_id |
int |
native VLAN id for upstream ports, default is 1 |
tunterm_igmp_snooping_config |
object |
tunterm igmp snooping config |
| Name | Type | Description |
|---|---|---|
oob_ip_config |
object |
ip config |
type |
string |
static. default: not managed from cloud. |
ip |
string |
required if type==static |
netmask |
string |
required if type==static |
gateway |
string |
required if type==static |
dns |
list |
if type==static. default is 8.8.8.8, 8.8.4.4 |
| Name | Type | Description |
|---|---|---|
tunterm_ip_config |
object |
ip config |
ip |
string |
required |
netmask |
string |
required |
gateway |
string |
required |
| Name | Type | Description |
|---|---|---|
tunterm_other_ip_configs |
object |
ip configs by VLAN ID |
ip |
string |
required |
netmask |
string |
required |
| Name | Type | Description |
|---|---|---|
tunterm_extra_routes |
object |
key is the dest |
via |
string |
next-hop |
| Name | Type | Description |
|---|---|---|
tunterm_dhcpd_config |
object |
global and per-VLAN |
type |
string |
relay (default) |
enabled |
boolean |
enabled or not, default is false |
servers |
list |
DHCP servers; required if type==relay |
| Name | Type | Description |
|---|---|---|
tunterm_igmp_snooping_config |
object |
tunterm igmp snooping config |
enabled |
boolean |
enabled or not, default is false |
vlan_ids |
array of ints |
the list of vlans on which tunterm performs IGMP snooping |
querier.query_interval |
int |
querier’s query interval, in seconds |
querier.max_response_time |
int |
querier’s query response interval, in tenths-of-seconds |
querier.robustness |
int |
querier’s robustness (1 to 7) |
querier.version |
int |
querier’s maximum protocol version |
querier.mtu |
int |
the MTU we use (needed when forming large IGMPv3 Reports) |
POST /api/v1/orgs/:org_id/mxedges
{
"name": "Guest",
"model": "ME-100",
"services": ["tunterm"],
"versions": {
"mxagent": "2.4.194",
"tunterm": "0.1.928-1"
},
"ntp_servers": [],
"mxedge_mgmt": {},
"oob_ip_config": {},
"notes": "note for mxedge"
"proxy": {},
"tunterm_ip_config": {
"ip": "10.2.1.1", // VLAN ID == "1"
"netmask": "255.255.255.0",
"gateway": "10.2.1.254", // default route
},
"tunterm_port_config": {
"separate_upstream_downstream": true, // default == false
"downstream_ports": [ "0", "1", "2", "3" ], // default == available ports
"upstream_ports": [ "0", "1", "2", "3" ], // default == available ports
"upstream_port_vlan_id": 1,
},
"tunterm_switch_config": {
"enabled": true, // default == false
"0": {"vlan_ids": [5, 2, 3], "port_vlan_id": None}
},
"mxcluster_id": "572586b7-f97b-a22b-526c-8b97a3f609c4"
}
{
"id": "95ddd29a-6a3c-929e-a431-51a5b09f36a6",
"name": "Edge1",
"magic": "ExNpT5gi-ADR8WTFd4EiQPY3cP5WdSoD",
"tunterm_registered": false,
"mxagent_registered": false,
"mxcluster_id": "572586b7-f97b-a22b-526c-8b97a3f609c4"
}
POST /api/v1/orgs/:org_id/mxedges/assign
{
"site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"mxedge_ids": ["387804a7-3474-85ce-15a2-f9a9684c9c90"]
}
{
"success": ["387804a7-3474-85ce-15a2-f9a9684c9c90"]
}
POST /api/v1/orgs/:org_id/mxedges/unassign
{
"mxedge_ids": ["387804a7-3474-85ce-15a2-f9a9684c9c90"]
}
{
"success": ["387804a7-3474-85ce-15a2-f9a9684c9c90"]
}
PUT /api/v1/orgs/:org_id/mxedges/:mxedge_id
{
"name": "Guest",
"model": "ME-100",
"services": ["tunterm"],
"versions": {
"mxagent": "2.4.194",
"tunterm": "0.1.928-1"
},
"ntp_servers": [],
"notes": "note for mxedge"
"tunterm_ip_config": {
"ip": "10.2.1.1",
"netmask": "255.255.255.0",
"gateway": "10.2.1.254"
},
"tunterm_port_config": {
"upstrem": {
"ports": [ "0", "1", "2", "3" ]
},
"downstream": {
"ports": [ "0", "1", "2", "3" ],
"port_vlan_id": 1
}
},
"mxcluster_id": "572586b7-f97b-a22b-526c-8b97a3f609c4"
}
In the case where a Mist Edge is replaced, you would need to unregister it. Which disconnects the currently the connected Mist Edge and allow another to register.
POST /api/v1/orgs/:org_id/mxedges/:mxedge_id/unregister
DELETE /api/v1/orgs/:org_id/mxedges/:mxedge_id
GET /api/v1/orgs/:org_id/mxedges/search
| Name | Type | Description |
|---|---|---|
mxedge_id |
string | mist edge id |
site_id |
string | mist edge site id |
mxcluster_id |
string | mist edge cluster id |
model |
string | model name |
distro |
string | debian code name(buster, bullseye) |
tunterm_version |
string | tunterm version |
sort |
string |
sort options, -prefix represents DESC order, default is -last_seen |
stats |
boolean |
whether to return device stats, default is false |
{
"results": [
{
"last_seen": 1695151551.833,
"org_id": "35d96b1a-1a13-4ba8-90f5-1e78dd2a10c5",
"mxedge_id": "00000000-0000-0000-1000-d420b0f0025d",
"tunterm_version": "0.1.2813",
"model": "ME-X5",
"distro": "buster",
"uptime": 5662632
},
{
"last_seen": 1695151550.622,
"org_id": "23ab5425-55d8-4d4e-98a8-f572a11e9282",
"mxedge_id": "00000000-0000-0000-1000-d420b0f0042b",
"model": "ME-X1",
"distro": "buster",
"uptime": 2842400
}
],
"start": 1694622179,
"end": 1694708579,
"limit": 10,
"total": 2
}
GET /api/v1/orgs/:org_id/mxedges/count?distinct=model
| Name | Type | Description |
|---|---|---|
distinct |
string |
model(default) / mxcluster_id / distro / tunterm_version / site_id |
{
"results": [
{
"model": "ME-100",
"count": 27
},
{
"model": "ME-X1",
"count": 8
},
],
"start": 1694622935,
"end": 1694709335,
"limit": 10,
"distinct": "model",
"total": 2
}
POST /api/v1/orgs/:org_id/mxedges/:mxedge_id/restart
POST /api/v1/orgs/:org_id/mxedges/:mxedge_id/services/:name/:action
| Name | Type | Description |
|---|---|---|
name |
string |
tunterm or radsecproxy or mxagent or mxocproxy or mxdas or mxnacedge |
action |
string |
restart or start or stop |
Support / Upload Mist Edge support files
POST /api/v1/orgs/:org_id/mxedges/:mxedge_id/support
POST /api/v1/orgs/:org_id/mxedges/:id/services/tunterm/bounce_port
{
"ports": ["0", "2"]
}
| Name | Type | Description |
|---|---|---|
ports |
list |
list of ports to bounce |
hold_time |
int |
in milli seconds, hold time between multiple port bounces |
POST /api/v1/orgs/:org_id/mxedges/:id/services/tunterm/disconnect_aps
{
"macs": ["5c5b353e4eb1", "5c5b353e4eb2"]
}
| Name | Type | Description |
|---|---|---|
macs |
list |
mac address of AP’s to disconnect |
percentage |
float |
percentage of AP’s to disconnect (only used when macs is empty) |
POST /api/v1/orgs/:org_id/mxedges/upgrade
{
// filters that can be used, if no filter specified, it means entire org
"mxedge_ids": ["387804a7-3474-85ce-15a2-f9a9684c9c90"],
"channel": "stable",
// version initially installed: highest qualified version at that time
"versions": {
"mxagent": "latest", // highest version
"tunterm": "default" // highest qualified version (<=latest)
"radsecproxy": "<version>" // specific <version> e.g. 1.9.1-1.mist.12
},
"allow_downgrades": {
"mxagent": false,
"tunterm": true
},
"strategy": "serial",
"canary_phases": [5,25,50,100],
"max_failures": [1,1,5,5], // will be used if provided, else max_failure_percentage will be used
"max_failure_percentage": 5,
"start_time": 1624399840,
}
| Name | Type | Description |
|---|---|---|
mxedge_ids |
list |
list of mxedge IDs to upgrade or all mxedges in this organization (default) |
channel |
string |
upgrade channel to follow, stable (default) / beta / alpha |
versions |
object |
services to upgrade, ignored if distro upgrade, tunterm or radsecproxy or mxagent or mxocproxy or mxdas or mxnacedge |
allow_downgrades |
object |
optional, default value is false |
strategy |
string |
big_bang(upgrade all at once - no orchestration), serial(one at a time), canary(upgrade in phases). Default is big_bang |
canary_phases |
array of ints |
phases for canary deployment. Each phase represents percentage of devices that need to be upgraded in that phase. default is [1, 10, 50, 100] |
max_failures |
array of ints |
number of failures allowed within each phase. Only applicable for canary. Array length should be same as canary_phases. Will be used if provided, else max_failure_percentage will be used |
max_failure_percentage |
int |
failure threshold before we stop the upgrade and mark it as failed, default is 5 |
start_time |
long |
upgrade start time in epoch seconds, default is now |
POST /api/v1/orgs/:org_id/mxedges/upgrade
{
// filters that can be used, if no filter specified, it means entire org
"mxedge_ids": ["387804a7-3474-85ce-15a2-f9a9684c9c90"],
"distro": "buster", // buster
"strategy": "serial",
"canary_phases": [5,25,50,100],
"max_failures": [1,1,5,5], // will be used if provided, else max_failure_percentage will be used
"max_failure_percentage": 5,
"start_time": 1624399840,
}
| Name | Type | Description |
|---|---|---|
mxedge_ids |
list |
list of mxedge IDs to upgrade or all mxedges in this organization (default) |
channel |
string |
upgrade channel to follow, stable (default) / beta / alpha |
distro |
string |
distro upgrade, optional, to specific codename (e.g. bullseye) with highest qualified versions |
strategy |
string |
big_bang(upgrade all at once - no orchestration), serial(one at a time), canary(upgrade in phases). Default is big_bang |
canary_phases |
array of ints |
phases for canary deployment. Each phase represents percentage of devices that need to be upgraded in that phase. default is [1, 10, 50, 100] |
max_failures |
array of ints |
number of failures allowed within each phase. Only applicable for canary. Array length should be same as canary_phases. Will be used if provided, else max_failure_percentage will be used |
max_failure_percentage |
int |
failure threshold before we stop the upgrade and mark it as failed, default is 5 |
start_time |
long |
upgrade start time in epoch seconds, default is now |
GET /api/v1/orgs/:org_id/mxedges/upgrade
[{
"status": "upgrading",
"strategy": "serial",
"versions": {},
"channel": "stable",
"id": "ceef2c8a-e2e6-447a-8b27-cb4f3ec1adae",
"counts": {
"queued": 1,
"upgrading": 1,
"success": 0,
"failed": 0
}
}]
GET /api/v1/orgs/:org_id/mxedges/upgrade/:upgrade_id
{
"status": "upgrading",
"strategy": "serial",
"versions": {},
"channel": "stable",
"id": "5cbcee0a-c620-4bb4-a25e-15000934e9d8",
"targets": {
"queued": ["387804a7-3474-85ce-15a2-f9a9684c9c90"],
"upgrading": ["8e525f1d-4178-4ae1-a988-2b0176855e55"],
"success": [],
"failed": []
}
}
GET /api/v1/orgs/:org_id/mxedges/versions?channel=stable&distro=<codename>
[
{
"package": "mxagent",
"version": "2.4.100",
"_version": "2.4.100",
"distro": "bullseye",
"default": true
},
{
"package": "tunterm",
"version": "1.0.0",
"distro": "buster",
"_version": "1.0.0-nd"
}
]
GET /api/v1/const/mxedge_models
[
{
"model": "ME-100",
"display": "ME-Small",
"ports": {
"0": {
"display": "Gigabit Ethernet 0",
"speed": 1000
},
"1": {
"display": "Gigabit Ethernet 1",
"speed": 1000
},
"2": {
"display": "Gigabit Ethernet 2",
"speed": 1000
},
"3": {
"display": "Gigabit Ethernet 3",
"speed": 1000
}
}
}
]
Attach up to 3 images to a mxedge
POST /api/v1/orgs/:org_id/mxedges/:id/image1
POST /api/v1/orgs/:org_id/mxedges/:id/image2
POST /api/v1/orgs/:org_id/mxedges/:id/image3
Delete up to 3 images which are attached to a mxedge
DELETE /api/v1/orgs/:org_id/mxedges/:id/image1
DELETE /api/v1/orgs/:org_id/mxedges/:id/image2
DELETE /api/v1/orgs/:org_id/mxedges/:id/image3
GET /api/v1/const/mxedge_events
[
{
"key": "ME_CONFIG_CHANGED_BY_USER",
"display": "ME Config changed by user",
"description": "Config change on ME was triggered as a result of change made by user",
"example": {
"type": "ME_CONFIG_CHANGED_BY_USER",
"service": "mxagent",
"timestamp": 1552408871,
"org_id": "2818e386-8dec-2562-9ede-5b8a0fbbdc71",
"site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"mxcluster_id": "ed4665ed-c9ad-4835-8ca5-dda642765ad3",
"mxedge_id": "387804a7-3474-85ce-15a2-f9a9684c9c90",
"audit_id": "e9a88814-fa81-5bdc-34b0-84e8735420e5"
}
},
{
"key": "ME_CONFIGURED",
"display": "ME Configured",
"description": "ME received and applied a new config",
"example": {
"type": "ME_CONFIGURED",
"timestamp": 1552408871,
"org_id": "2818e386-8dec-2562-9ede-5b8a0fbbdc71",
"site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"mxcluster_id": "ed4665ed-c9ad-4835-8ca5-dda642765ad3",
"mxedge_id": "387804a7-3474-85ce-15a2-f9a9684c9c90",
"audit_id": "e9a88814-fa81-5bdc-34b0-84e8735420e5"
}
},
...
]
GET /api/v1/orgs/:org_id/mxedges/events/search
| Name | Type | Description |
|---|---|---|
mxedge_id |
string | mist edge id |
mxcluster_id |
string | mist edge cluster id |
type |
string | mist edge event type Supported Events |
service |
string | service running on mist edge(mxagent, tunterm etc) |
start |
string |
start datetime, can be epoch or relative time like -1d, -1w; -1d if not specified |
end |
string |
end datetime, can be epoch or relative time like -1d, -2h; now if not specified |
duration |
string |
duration like 7d, 2w |
component |
string |
component like PS1, PS2 |
{
"results": [
{
"mxcluster_id": "2815c917-58e7-472f-a190-bfd44fb58d05",
"timestamp": 1694678225.927,
"org_id": "f2695c32-0e83-4936-b1b2-96fc88051213",
"mxedge_id": "00000000-0000-0000-1000-020000dc585c",
"type": "ME_SERVICE_STOPPED",
"service": "tunterm"
},
{
"timestamp": 1694678004.821,
"org_id": "f2695c32-0e83-4936-b1b2-96fc88051213",
"mxedge_id": "00000000-0000-0000-1000-020000dc585c",
"type": "ME_SERVICE_STARTED",
"service": "tunterm"
},
{
"package": "radsecproxy",
"timestamp": 1694678010.108,
"org_id": "f2695c32-0e83-4936-b1b2-96fc88051213",
"mxedge_id": "00000000-0000-0000-1000-020000dc585c",
"type": "ME_PACKAGE_INSTALLED",
"to_version": "1.9.1-1.mist.16"
},
{
"timestamp": 1694679111.253,
"org_id": "f2695c32-0e83-4936-b1b2-96fc88051213",
"mxedge_id": "00000000-0000-0000-1000-020000dc585c",
"type": "ME_POWERINPUT_DISCONNECTED",
"component": "PS1"
}
],
"start": 1694622179,
"end": 1694708579,
"limit": 10,
"total": 4
}
GET /api/v1/orgs/:org_id/mxedges/events/count?distinct=type
| Name | Type | Description |
|---|---|---|
distinct |
string |
mxedge_id(default) / type / mxcluster_id / package |
start |
string |
start datetime, can be epoch or relative time like -1d, -1w; -1d if not specified |
end |
string |
end datetime, can be epoch or relative time like -1d, -2h; now if not specified |
duration |
string |
duration like 7d, 2w |
{
"results": [
{
"type": "ME_SERVICE_RESTARTED",
"count": 5003
},
{
"type": "ME_SERVICE_STARTED",
"count": 124
},
{
"type": "ME_SERVICE_FAILED",
"count": 120
}
],
"start": 1694622935,
"end": 1694709335,
"limit": 10,
"distinct": "type",
"total": 3
}
A Mist Edge Cluster represents a group of Mist Edges that will work together to do load-balancing and handle fail-overs.
/api/v1/orgs/:org_id/mxclusters
{
"id": "572586b7-f97b-a22b-526c-8b97a3f609c4",
"name": "Guest Cluster",
"proxy": {
"url": "http://proxy.corp.com:8080/"
},
"mxedge_mgmt": {
"fips_enabled": true, // default is false
"oob_ip_type": "disabled", // dhcp (default) / disabled
"oob_ip_type6": "disabled", // autoconf (default) / dhcp / disabled
"config_auto_revert": true, // default is false
},
// for AP, how to connect to tunterm or radsecproxy
"tunterm_hosts": ["guest-sj1.corp.com"],
"tunterm_ap_subnets": [
"0.0.0.0/0"
],
"tunterm_hosts_selection": "shuffle",
// if tunterm_hosts_selection is ordered, then re-order with tunterm_hosts with tunterm_hosts_order
"tunterm_hosts_order": [0, 1],
"mist_das": {
// configure cloud-assisted dynamic authorization service on this cluster of mist edges
"enabled": true,
"coa_servers": [ // dynamic authorization clients configured to send CoA|DM to mist edges on port 3799
{
"enabled": false,
"host": "aaa.internal",
"secret": "testing456",
"require_message_authenticator": false,
"disable_event_timestamp_check": false
}
],
},
"radsec": {
// configure radsecproxy service on this cluster of mist edges
"enabled": true,
"proxy_hosts": ["mxedge1.corp.com"], // must be superset of all wlans[*].radsec.proxy_hosts
"match_ssid": false,
"server_selection": "ordered",
"auth_servers": [
{
"host": "1.2.3.4",
"port": 1812,
"secret": "testing123",
"ssids": ["corporate"],
// if used for Mist AP
"keywrap_enabled": true, // enable keywrap algorithm. Default is false
"keywrap_format": "hex", // key format: hex or ascii
“keywrap_kek”: “1122334455", // Key encryption key
“keywrap_mack” “1122334455", // Message Authentication Code Key
},
{
"host": "radius.internal",
"port": 1812,
"secret": "testing123",
"require_message_authenticator": true,
"ssids": ["guest"],
"inband_status_check": true,
"inband_status_interval": 60,
"timeout": 3, // seconds. default is 5
"retries": 1, // default is 2
}
],
"acct_servers": [
{
"host": "1.2.3.4",
"port": 1812,
"secret": "testing123",
}
],
"src_ip_source": "tunnel",
"nas_ip_source": "tunnel",
},
// mist_nac
"mist_nac": {
"enabled": true,
"secret": "testing123",
"client_ips": {
"10.0.3.0/24": {
// convention to be followed is : "<vendor>-<variant>"
// <variant> could be an os/platform/model/company
// for ex: for cisco vendor, there could variants wrt
// os (such as ios, nxos etc), platforms (asa etc),
// or acquired companies (such as meraki, airnonet) etc.
//
// currentluy supported vendor values are:
// generic, juniper, aruba, paloalto, brocade
// cisco-aironet, cisco-ios, cisco-meraki, cisco-dnac
"vendor": "cisco-ios",
"secret": "alternative_one", // optional, if different from above
"require_message_authenticator": true, // default is false
"site_id": "00000000-0000-0000-1234-000000000000" // optional; present only for 3rd party clients
}
},
"auth_server_port": 1812, // optional, default is 1812
"acct_server_port": 1813, // optional, default is 1813
}
"tunterm_monitoring_disabled": false,
"tunterm_monitoring": [
{
"protocol": "ping", // arp / ping / tcp
"host": "10.2.8.15", // can be ip, ipv6, hostname
"timeout": 300, // 60 - 3600, default is 300
// when protocol==tcp
"port": 80
}
],
"tunterm_extra_routes": {
"11.0.0.0/8": {
"via": "10.3.3.1"
}
},
// default type == "relay"
"tunterm_dhcpd_config": {
"enabled": false, // required
"servers": ["11.2.3.4"],
"2": { // VLAN ID
"enabled": true, // required
"servers": ["11.2.3.44"],
}
},
"tunterm_multicast_config": {
"mdns": {
"enabled": true,
"vlan_ids": [2, 3, 5]
},
"ssdp": {
"enabled": true,
"vlan_ids": [2, 3, 5]
},
"multicast_all": true
}
}
| Name | Type | Description |
|---|---|---|
proxy |
object |
Proxy Configuration to talk to Mist |
tunterm_hosts |
list |
hostnames or IPs where a Mist Tunnel will use as the Peer (i.e. they are reachable from AP) |
tunterm_hosts_selection |
string |
shuffle (default) / shuffle-by-site / ordered. Ordering of tunterm_hosts for mxedge within the same mxcluster. When shuffle, the ordering of tunterm_hosts is randomized by the device’s MAC. When shuffle-by-site, we shuffle by site_id+tunnel_id (so when client connects to a specific Tunnel, it will go to the same (order of) mxedge, and we load-balancing between tunnels). When ordered, the order is decided by tunterm_hosts_order. |
tunterm_hosts_order |
list |
list of index of tunterm_hosts |
tunterm_ap_subnets |
list |
list of subnets where we allow AP to establish Mist Tunnels from |
tunterm_extra_routes |
object |
extra routes for Mist Tunneled VLANs |
tunterm_dhcpd_config |
object |
DHCP server/relay configuration of Mist Tunneled VLANs |
tunterm_multicast_config |
object |
tunterm multicast configs |
enabled|boolean| whether to enable mist das, default is false
coa_servers|list| list of COA (change of authorization) servers allowed as dynamic authorization clients; default for enabled is false
require_message_authenticator|boolean| whether to require Message-Authenticator in requests, default is false
disable_event_timestamp_check|boolean| whether to disable Event-Timestamp Check, optional, default is false
| Name | Type | Description |
|---|---|---|
enabled |
boolean |
whether to enable service on Mist Edge i.e. RADIUS proxy over TLS |
proxy_hosts |
list |
hostnames or IPs for Mist AP to use as the TLS Server (i.e. they are reachable from AP) in addition to tunterm_hosts |
match_ssid |
boolean |
whether to match ssid in request message to select from a subset of RADIUS servers |
server_selection |
string |
ordered (default) / unordered. When ordered, Mist Edge will prefer and go back to the first radius server if possible |
auth_servers |
list |
list of RADIUS authentication servers, order matters where the first one is treated as primary |
acct_servers |
list |
list of RADIUS accounting servers, optional, order matters where the first one is treated as primary |
src_ip_source |
string |
tunnel / oob / any (default). Specify IP address to connect to auth_servers and acct_servers |
nas_ip_source |
string |
tunnel / oob / passthrough (default). Specify NAS-IP-ADDRESS, NAS-IPv6-ADDRESS to use with auth_servers |
| Name | Type | Description |
|---|---|---|
host |
string |
ip / hostname of RADIUS server |
port |
int |
port of RADIUS server, default is 1812 for auth server and 1813 for acct server |
secret |
string |
secret of RADIUS server |
require_message_authenticator |
boolean |
whether to require Message-Authenticator in response messages, default is false |
ssids |
list |
list of ssids that will use this server if match_ssid is true and match is found |
inband_status_check |
boolean |
whether to enable inband status check, default is false |
inband_status_interval |
int |
inband status interval, in seconds, default is 300 |
A Mist Tunnel is a special type of L2TPv3 Tunnel that is terminated by a Mist Edge. As we’re configuring both sides, some parameters are automatically generated.
/api/v1/orgs/:org_id/mxtunnels
{
"name": "HQ",
"protocol": "udp",
"vlan_ids": [3, 4, 5, "7-9"],
"mxcluster_ids": ["572586b7-f97b-a22b-526c-8b97a3f609c4"],
"anchor_mxtunnel_ids": ["1e970fec-0a7a-4d73-a472-3ef3b6a456aa"],
"hello_interval": 60,
"hello_retries": 3,
"ipsec": {
"enabled": true,
"split_tunnel": true,
"dns_servers": [ "172.16.0.8" ],
"dns_suffix": ["corp.juniper.com", "juniper.internal"],
"extra_routes": [
{"dest": "172.16.0.0/12", "next_hop": "172.16.0.1" }
]
},
"auto_preemption": {
"enabled": true,
"time_of_day": "23:00",
"day_of_week": "sun"
}
}
| Name | Type | Description |
|---|---|---|
name |
string |
the name of the tunnel |
protocol |
list |
udp / ip, default is udp |
vlan_ids |
list |
list of vlan ids/ranges that will be used |
mxcluster_ids |
list |
list of mxclusters to deploy this tunnel to |
anchor_mxtunnel_ids |
list |
list of anchor mxtunnels used for forming edge to edge tunnels |
hello_interval |
float |
in seconds, used as heartbeat to detect if a tunnel is alive. AP will try another peer after missing N hellos specified by hello_retries. between 0.5 and 300, default is 60 seconds |
hello_retries |
int |
between 1 and 30, default is 7 |
auto_preemption |
object |
schedule(daily/weekly) to preempt ap’s which are not connected to preferred peer |
| Name | Type | Description |
|---|---|---|
enabled |
boolean |
whether auto preemption should happen, default is false |
time_of_day |
string |
any / HH:MM (24-hour format). Preemption will happen within 15 mins of this time |
day_of_week |
string |
any / mon / tue / wed / thu / fri / sat / sun |
To preempt AP’s which are not connected to preferred peer to the preferred peer
POST /api/v1/orgs/:org_id/mxtunnels/:mxtunnel_id/preempt_aps
{
"preempted_aps": ["5c5b35000001", "5c5b35000002"]
}
GET /api/v1/orgs/:org_id/stats/mxedges
| Name | Type | Description |
|---|---|---|
for_site |
string |
true / false/ any (default false). Filter for site level mist edges |
[
{
"memory_stat": {
"total": 8365957120,
"free": 4330659840,
"usage": 48,
"available": 4699291648,
"buffers": 107646976,
"cached": 478060544,
"swap_cached": 0,
"active": 394936320,
"inactive": 211980288,
"swap_total": 1022357504,
"swap_free": 1022357504
},
"proxy": {
"url": "http://proxy.internal:8080/"
},
"oob_ip_stat": {
"type": "static",
"ip": "10.2.1.10",
"netmask": "255.255.255.0",
"gateway": "10.2.1.254",
"type6": "static",
"ip6": "2601:1700:43c0:dc0:20c:29ff:fea7:93bc",
"netmask6": "/64",
"gateway6": "2601:1700:43c0:dc0::1",
"dns": ["10.2.1.2", "2601:1700:43c0:dc0::2"]
},
"ip_stat": {
"ips": {
"ens18": "192.168.1.244/24,fd4e:c615:b27d:5555::45/128,fd4e:c615:b27d:5555:20c:29ff:fe44:af25/64,fe80::104c:ffff:fee0:caf8/64"
},
"ip": "192.168.1.244",
"ip6": "fd4e:c615:b27d:5555::45",
"netmask": "255.255.255.0",
"netmask6": "/128",
"macs": {
"ens18": "e4434b217044"
}
},
"mxcluster_id": "678bc339-7635-4556-bbc0-e77ad493ef8b",
"virtualization_type": "KVM",
"distro": "buster",
"idrac_version": "7.00.00.00",
"fwupdate": {
"timestamp": 1633721215,
"status": "inprogress"
"progress": 50
},
"last_seen": 1633721215,
"uptime": 76281,
"service_stat": {
"tunterm": {
"running_state": "Running",
"package_state": "Installed",
"package_version": "0.1.2449+deb10",
"last_seen": 1633721203,
"ext_ip": "99.0.86.164",
"uptime": 76261
},
"mxagent": {
"running_state": "Running",
"package_state": "Installed",
"package_version": "3.1.1037-1",
"last_seen": 1633721215,
"ext_ip": "99.0.86.164",
"uptime": 21240
}
},
"tunterm_stat": {
"monitoring_failed": false
},
"num_tunnels": 0,
"lag_stat": {
"lacp0": {
"active_ports": [
"port0",
"port1"
]
}
},
"port_stat": {
"port0": {
"up": true,
"speed": 10000,
"full_duplex": true,
"tx_bytes": 647200748038,
"tx_pkts": 8788647466,
"tx_errors": 0,
"rx_bytes": 646898375700,
"rx_pkts": 8784449574,
"rx_errors": 0,
"mac": "9e294e49091d",
"state": "forwarding"
},
"port1": {
"up": true,
"speed": 10000,
"full_duplex": true,
"tx_bytes": 646898681650,
"tx_pkts": 8784452092,
"tx_errors": 0,
"rx_bytes": 647200437652,
"rx_pkts": 8788644886,
"rx_errors": 0,
"mac": "a270fe53437e",
"state": "forwarding"
}
},
"name": "me-vm-1",
"model": "ME-VM",
"tunterm_ip_config": {
"ip": "192.168.11.91",
"netmask": "255.255.255.0",
"gateway": "192.168.11.1"
},
"tunterm_port_config": {
"separate_upstream_downstream": false,
"upstream_ports": [
"0",
"1"
],
"downstream_ports": [
"0",
"1"
]
},
"services": [
"tunterm"
],
"id": "00000000-0000-0000-1000-020000a80cb4",
"for_site": false,
"org_id": "11b08247-b1ee-4152-9b25-312b323ce480",
"created_time": 1632684398,
"modified_time": 1633643629,
"site_id": "00000000-0000-0000-0000-000000000000",
"mac": "020000a80cb4",
"mxagent_registered": true,
"tunterm_registered": true,
"status": "connected"
}
]
| Name | Type | Description |
|---|---|---|
name |
string |
The name of the tunnel |
virtualization_type |
string |
Virtualization environment |
memory_stats |
object |
Memory usage |
total |
int |
Total amount of usable RAM, in kibibytes, which is physical RAM minus a number of reserved bits and the kernel binary code. |
free |
int |
The amount of physical RAM, in kibibytes, left unused by the system. |
available |
int |
An estimate of how much memory is available for starting new applications, without swapping. |
buffers |
int |
The amount, in kibibytes, of temporary storage for raw disk blocks. |
cached |
int |
The amount of physical RAM, in kibibytes, used as cache memory. |
swap_cached |
int |
The amount of memory, in kibibytes, that has once been moved into swap, then back into the main memory, but still also remains in the swapfile. |
active |
int |
The amount of memory, in kibibytes, that has been used more recently and is usually not reclaimed unless absolutely necessary. |
inactive |
int |
The amount of memory, in kibibytes, that has been used less recently and is more eligible to be reclaimed for other purposes. |
swap_total |
int |
The total amount of swap available, in kibibytes. |
swap_free |
int |
The total amount of swap free, in kibibytes. |
cpu_stat |
object |
CPU/core stats list |
usage |
int |
percentage of load, Busy/(Idle + Busy) since last sampling |
user |
float |
percentage of User, User/(Idle + Busy) since last sampling |
system |
float |
percentage of System, System/(Idle + Busy) since last sampling |
idle |
float |
percentage of Idle, Idle/(Idle + Busy) since last sampling |
interrupt |
float |
percentage of Interrupt, (Irq + SoftIrq)/(Idle + Busy) since last sampling |
ip_stat |
object |
OOBM IP stats |
ips |
object |
IPs for each net interface |
macs |
object |
MAC addresses for each net interface |
service_stat |
object |
stat for each services |
ext_ip |
string |
external IP from ep-terminator’s point of view. valid only for service having its own cloud connection |
last_seen |
int |
timestamp when the last stats is seen (cloud unix time, in second). valid only for service having its own stats or whole system (last among last_seen of all services) |
uptime |
int |
service or system uptime. |
package_state |
string |
package/service installation state. |
package_version |
string |
package/service installation state. |
running_state |
string |
service running state. |
lag_stat |
object |
stat for LAG (Link Aggregation Group) |
active_ports |
list |
list of ports active on the LAG defined by the LACP |
distro |
string | debian code name(buster, bullseye) |
fips_enabled |
bool | value indicating fips configuration on the device |
fwupdate |
object |
information about firmware upgrade status. |
idrac_version |
object |
IDRAC version of the mist edge device |
| Name | Type | Description |
|---|---|---|
timestamp |
float |
timestamp |
status |
string |
possible values are inprogress, failed, upgraded. |
progress |
int |
progress percentage of the distro upgrade |
GET /api/v1/orgs/:org_id/stats/mxedges/:mxedge_id
| Name | Type | Description |
|---|---|---|
for_site |
string |
false (default) / true / any |
GET /api/v1/orgs/:org_id/stats/tunnels/search
{
"total": 1,
"start": 1531776183.0,
"limit": 10,
"end": 1531862583.0,
"results": [
{
"org_id": "2818e386-8dec-2562-9ede-5b8a0fbbdc71",
"site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"mxedge_id": "387804a7-3474-85ce-15a2-f9a9684c9c90",
"mxcluster_id": "572586b7-f97b-a22b-526c-8b97a3f609c4",
"mxtunnel_id": "7dae216d-7c98-a51b-e068-dd7d477b7216",
"ap": "5c5b35000010",
"remote_ip": "172.16.1.2",
"remote_port": 13535
"state": "established_with_sessions",
"last_seen": 1547437078,
"uptime": 135,
"tx_control_pkts": 14862,
"rx_control_pkts": 7571,
"peer_mxedge_id": "09320a5c-bc23-441e-80a0-b96c632d45f5",
"mtu": 582,
"sessions: [
{
"remote_id": "mxtunnel",
"state": "established",
"remote_sid": 13,
"local_sid": 31
}
]
}
}
}
| Name | Type | Description |
|---|---|---|
mxtunnel_id |
string |
Mist Tunnel ID |
state |
string |
idle / wait-ctrl-reply / wait-ctrl-conn / established / established_with_sessions |
uptime |
int |
uptime |
sessions |
list |
list of sessions |
remote_id |
string |
WxlanTunnel Remote ID |
remote_sid |
int |
remote sessions id (dynamically unless Tunnel is said to be static) |
local_sid |
int |
remote sessions id (dynamically unless Tunnel is said to be static) |
peer_mxedge_id |
string |
MxEdge ID of the peer(mist edge to mist edge tunnel) |
mtu |
int |
Maximum Transmission Unit |
GET /api/v1/orgs/:org_id/stats/tunnels/count
GET /api/v1/orgs/:org_id/stats/tunnels/count?distinct=mxedge_id
| Name | Type | Description |
|---|---|---|
distinct |
string |
wxtunnel_id / ap / remote_ip / remote_port / state / mxedge_id / mxcluster_id / site_id / peer_mxedge_id; default is wxtunnel_id |
{
"results": [
{
"mxedge_id": "00000000-0000-0000-1000-d420b0f000e0",
"count": 5
},
{
"mxedge_id": "00000000-0000-0000-1000-0200009eddfb",
"count": 3
},
{
"mxedge_id": "00000000-0000-0000-1000-d420b0f00064",
"count": 1
}
],
"start": 1660159907.3540995,
"end": 1660160207.3541,
"limit": 10,
"distinct": "mxedge_id",
"total": 3
}
GET /api/v1/orgs/:org_id/stats/tunnels/search?type=wan
{
"total": 1,
"start": 1531776183.0,
"limit": 10,
"end": 1531862583.0,
"results": [
{
"tunnel_name" : "Device-ipsec-1",
"mac" : "020001ae9dd5",
"uptime" : 10,
"up": true,
"node" : "node0",
"protocol" : "ipsec",
"When" : "2022-10-27T10:53:20.973Z",
"peer_ip" : "10.224.8.16",
"priority" : "primary",
"org_id" : "78c11da8-f984-4425-bedb-a7ddd7d0f6da",
"site_id" : "e83e7928-eda1-4e93-82db-df3dd42ab726",
"rx_bytes" : 150,
"tx_bytes" : 100,
"tx_pkts" : 50,
"rx_pkts" : 75,
"peer_host" : "sunnyvale1-vpn.zscalerbeta.net",
"last_event": "down reason",
"ip" : "192.168.233.0",
"auth_algo" : "hmac-md5-96",
"encrypt_algo" : "aes-256-cbc",
"ike_version" : "2",
"wan_name" : "wan"
}
]
}
| Name | Type | Description |
|---|---|---|
tunnel_name |
string |
Mist Tunnel Name |
mac |
string |
router mac address |
uptime |
int |
duration from first (or last) SA was established |
up |
boolean |
true/false |
node |
string |
node0/node1 |
protocol |
string |
ipsec/gre |
peer_ip |
string |
peer ip address |
peer_host |
string |
peer host |
priority |
string |
primary/secondary |
org_id |
string |
org ID |
site_id |
string |
site ID |
rx_bytes |
int |
received bytes |
tx_bytes |
int |
sent bytes |
tx_pkts |
int |
count of data packets sent |
rx_pkts |
int |
count of data packets received |
last_event |
string |
reason of why the tunnel is down |
ip |
string |
ip address |
auth_algo |
string |
authentication algorithm |
encrypt_algo |
string |
encryption algorithm |
ike_version |
string |
ike version |
wan_name |
string |
wan interface name |
GET /api/v1/orgs/:org_id/stats/tunnels/count?type=wan
GET /api/v1/orgs/:org_id/stats/tunnels/count?type=wan&distinct=mac
| Name | Type | Description |
|---|---|---|
distinct |
string |
mac / site_id / node / peer_ip / peer_host/ ip / tunnel_name / protocol / auth_algo / encrypt_algo / ike_version / last_event / up |
| ### Response |
{
"results": [
{
"mac": "020001c04668",
"count": 2
},
{
"mac": "02000111d2dc",
"count": 1
},
{
"mac": "d420b080516d",
"count": 1
}
],
"start": 1660159907.3540995,
"end": 1660160207.3541,
"limit": 10,
"distinct": "mac",
"total": 3
}
## Subscribe to devices Stream
WS /api-ws/v1/stream
### Request
{
"subscribe": "/orgs/:org_id/mxedges"
}
### Response
{
"event": "data",
"channel": "/orgs/67970e46-4e12-11e6-9188-0242ac110007/mxedges",
"data": {
"device_id": "00000000-0000-0000-1000-5c5b3524500b",
"event_type": "fwupdate",
"detail": {
"timestamp": 1485381027,
"status": "inprogress",
"progress": 45
}
}
}
### Definition
| Name | Type | Description |
|---|---|---|
device_id |
string |
device_id of the device corresponding to the event |
event_type |
string |
type of the event that occurred. currently, on device updates are reported on the stream. |
detail |
object |
detail will be specific to the event_type. |
For packet captures of org level Mist Edges only. Use site API for site level Mist Edges.
POST /api/v1/orgs/:org_id/pcaps/capture
{
"type": "mxedge",
"num_packets": 100,
"duration": 600,
"max_pkt_len": 1500,
"mxedges": {
"00000000-0000-0000-1000-001122334455": {
"interfaces": {"port1": {"tcpdump_expression": "udp port 67 or udp port 68"},
}
},
},
"tcpdump_expression": "vlan 999",
"format": "tzsp",
"tzsp_host": "192.168.1.2",
"tzsp_port": 37008
}
| Name | Type | Description |
|---|---|---|
num_packets |
int |
number of packets to capture, default is 1024, maximum of 10000 |
duration |
int |
duration of the capture, in seconds, default is 600, maximum is 86400 |
max_pkt_len |
int |
max_len of each packet to capture, default is 128, maximum is 2048 |
mxedges |
dict |
dict of mxedges which uses mxedge_id as the key, currently limited to one mxedge per org capture session |
interfaces |
dict |
dict of interfaces to capture for, for given mxedge (examples: port1, kni0, lacp0, ipsec, drop, oobm), currently limited to specifying one interface per mxedge |
tcpdump_expression |
string |
tcpdump expression, interface specific if specified under interfaces dict, otherwise applicable across interfaces if specified at top level of payload. Interface specific value overrides top level value when both exist. |
format |
string |
pcap format: stream (default, to Mist cloud), tzsp (stream packets (over UDP as TZSP packets) to a remote host (typically running Wireshark) instead of Mist cloud) |
tzsp_host |
string |
remote host accessible to mxedges over the network for receiving the captured packets. Required when format is tzsp. |
tzsp_port |
int |
optional port on remote host for receiving the captured packets, default (if not provided) 37008 (TZSP). |
DELETE /api/v1/orgs/:org_id/pcaps/capture
GET /api/v1/orgs/:org_id/pcaps?start=1461099816&end=1461089816&limit=100
| Name | Type | Description |
|---|---|---|
start |
int |
start time |
end |
int |
end time |
{
"start": 1461099816,
"end": 1461089816,
"limit": 100,
"next": "/api/v1/orgs/78c11da8-f984-4425-bedb-a7ddd7d0f6da/pcaps?end=1695836987&limit=10&search_after=%5B1693259163006%5D&start=1693244987"
"results": [
{
"duration": 9999.0,
"timestamp": 1693525333.234066,
"last_seen": 1693482149.417,
"org_id": "78c11da8-f984-4425-bedb-a7ddd7d0f6da",
"format": "stream",
"mxedges": [
"00000000-0000-0000-1000-001122334455"
],
"termination_reason": "default",
"site_id": null,
"id": "80cec4c9-322c-4712-95ce-6ba47fb54fc0",
"pcap_url": "https://...",
"type": "mxedge"
}
]
}
GET /api/v1/orgs/:org_id/pcaps/capture
{
// from the initiation of the packet capture
"timestamp": 1695837460.309526,
"id": "c5bd6c89-fa52-486f-9fd0-801cfc613328",
"org_id": "78c11da8-f984-4425-bedb-a7ddd7d0f6da",
"site_id": null,
"type": "mxedge",
"max_num_packets": 1024,
"max_pkt_len": 512,
"duration": 600,
"enabled": true,
"expiry": 1695838060.309526,
"mxedge_count": 1,
"invalid_mxedges": {},
"format": "stream",
"raw": true,
// what's actually being done
"mxedges": {
"00000000-0000-0000-1000-001122334455": {
"interfaces": {
"port1": {
"tcpdump_expression": "udp port 67 or udp port 68"
}
}
}
}
}
| Name | Type | Description |
|---|---|---|
max_num_packets |
int |
number of packets to capture |
duration |
int |
duration of the capture, in seconds |
max_pkt_len |
int |
max_len of each packet to capture |
mxedges |
dict |
dict of mxedges which uses mxedge_id as the key |
interfaces |
dict |
dict of interfaces to capture for, for given mxedge |
tcpdump_expression |
string |
tcpdump expression, interface specific if specified under interfaces dict, otherwise applicable across interfaces if specified at top level of payload. Interface specific value overrides top level value when both exist. |
format |
string |
pcap format: stream (default), tzsp |
tzsp_host |
string |
remote host receiving the captured packets, when format is tzsp |
tzsp_port |
int |
port on remote host for receiving the captured packets, when format is tzsp |
WS /api-ws/v1/stream
{
{subscribe: "/orgs/:org_id/pcaps"}
}
{
"event": "data"
"channel": "/orgs/67970e46-4e12-11e6-9188-0242ac110007/pcaps"
"data": {
"capture_id": "f039b1b4-a23e-48b2-906a-0da40524de73",
"pcap_dict": {
"dst_mac": "68:ec:c5:09:2e:87",
"src_mac": "8c:3b:ad:e0:47:40",
"vlan": 1,
"src_ip": "34.224.147.117",
"dst_ip": "192.168.1.55",
"dst_port": 51635,
"src_port": 443,
"protocol": "TCP",
"mxedge_id": "00000000-0000-0000-1000-001122334455",
"direction": "tx",
"timestamp": 1652247615,
"length": 159.0,
"interface": "port0",
"info": "1652247616.007409 IP ec2-34-224-147-117.compute-1.amazonaws.com.https > ip-192-168-1-55.ec2.internal.51635: Flags [P.], seq
2192123968:2192124057, ack 4035166782, win 12, options [nop,nop,TS val 597467050 ecr 740580660], length 89\\n",
},
"pcap_raw": "1MOyoQIABAAAAAAAAAAAAP//AAABAAAAQEx7YhMzAACfAAAAnwAAAGjsxQkuh4w7reBHQIEAAAEIAEUAAI1bLEAAKAZ/CiLgk3XAqAE3AbvJs4KpKEDwg8I+gBgADFf9AAABAQgKI5yfqiwkXTQXAwMAVKY5JopoKQrVEn0/3ld4YntctGEH/rTZuwtCvzSncFw71QJveJi9uxHs57KC8w9Apph3YvXJrmWg7M37+o+YV0KH/xmr626s5Bkhb3QhKOu+NoNEmA==\"
}
}
{
"event": "data"
"channel": "/orgs/67970e46-4e12-11e6-9188-0242ac110007/pcaps"
"data": {
"capture_id": "a2f7374d-6a70-41fd-8a3f-71e42573baaf",
"pcap_dict": null
}
}
| Name | Type | Description |
|---|---|---|
event |
string |
what type of event is received. |
channel |
string |
from which channel the data is received |
capture_id |
string |
Capture id for the current PCAP. |
pcap_dict |
json |
contains json data for PCAP content. If null, capture has been stopped. |
dst_mac |
string |
destination mac address |
src_mac |
string |
source mac address |
vlan |
int |
vlan id |
src_ip |
string |
source ip address |
dst_ip |
string |
destination ip address |
dst_port |
string |
destination port |
src_port |
string |
source port |
protocol |
string |
Application / Transport layer protocol associated with the packet |
mxedge_id |
string |
Packet belongs to which Mist Edge |
direction |
string |
tx/rx based on Mist Edge |
timestamp |
float |
precision upto milliseconds. i.e (1652247616.740) |
length |
int |
length of the packet |
lost_messages |
int |
number of messages lost before sending this packets |
info |
string |
PCAP content recieved after running tcpdump. |
interface |
string |
Used to identify what interface on the Mist Edge the packet belongs |
Juniper devices can be managed/adopted by Mist. Currently outbound-ssh + netconf is used.
A few lines of CLI commands are generated per-Org, allowing the Juniper devices to phone home to Mist.
GET /api/v1/orgs/:org_id/ocdevices/outbound_ssh_cmd
GET /api/v1/orgs/:org_id/ocdevices/outbound_ssh_cmd?site_id=02ce013c-7f98-4afb-a937-463d0046a4e7
| Name | Type | Description |
|---|---|---|
site_id |
string |
UUID of the site |
Note: site_id would be used for proxy config check of the site and automatic site assignment
{
"cmd": "set system services ssh...\n...\nset system services outbound-ssh client mist ..."
}
If there is already a blacklist, this API will replace it with the new one. Max number of blacklist clients is 1000.
Retrieve the current blacklisted clients from ‘blacklist_url’ under Org:Setting
POST /api/v1/orgs/:org_id/setting/blacklist
{
"macs": ["5c5b35000001", "5c5b35000002"]
}
This endpoint is to remove the client blacklist
DELETE /api/v1/orgs/:org_id/setting/blacklist
128T devices can be managed/adopted by Mist.
GET /api/v1/orgs/:org_id/128routers/register_cmd
| Name | Type | Description |
|---|---|---|
ttl |
int |
duration for the token to stay valid, in seconds. Defaults to 1 year (31536000 seconds) if not specified. |
asset_ids |
list |
Asset IDs. Optional. When specified, only specified assets are allowed for registration. This parameter can and is preferred to be set in HTTP body, especially when the list is long, so that HTTP header size will never exceed limit. |
{
"registration_code": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJvcmdfaWQiOiIyODE4ZTM4Ni04ZGVjLTI1NjItOWVkZS01YjhhMGZiYmRjNzEiLCJzdmMiOiIxMjhyb3V0ZXIiLCJwcm92aWRlciI6ImF3cyIsImVudiI6ImxvY2FsIiwiZXB0ZXJtX3VybCI6IndzczovL2xvY2FsL3dzIiwiaWF0IjoxNjEzODQ3NDg0LCJleHAiOjE2NDUzODM0ODR9.YnhgThKYAj1uaooi6j-zY8dMipp5YqJxnn79B9TB5XQ",
"conductor_cmd": "register mist eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJvcmdfaWQiOiIyODE4ZTM4Ni04ZGVjLTI1NjItOWVkZS01YjhhMGZiYmRjNzEiLCJzdmMiOiIxMjhyb3V0ZXIiLCJwcm92aWRlciI6ImF3cyIsImVudiI6ImxvY2FsIiwiZXB0ZXJtX3VybCI6IndzczovL2xvY2FsL3dzIiwiaWF0IjoxNjEzODQ3NDg0LCJleHAiOjE2NDUzODM0ODR9.YnhgThKYAj1uaooi6j-zY8dMipp5YqJxnn79B9TB5XQ",
"router_shell_cmd": "128agent register --registration-code eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJvcmdfaWQiOiIyODE4ZTM4Ni04ZGVjLTI1NjItOWVkZS01YjhhMGZiYmRjNzEiLCJzdmMiOiIxMjhyb3V0ZXIiLCJwcm92aWRlciI6ImF3cyIsImVudiI6ImxvY2FsIiwiZXB0ZXJtX3VybCI6IndzczovL2xvY2FsL3dzIiwiaWF0IjoxNjEzODQ3NDg0LCJleHAiOjE2NDUzODM0ODR9.YnhgThKYAj1uaooi6j-zY8dMipp5YqJxnn79B9TB5XQ"
}
| Name | Type | Description |
|---|---|---|
registration_code |
string |
Mist org-level registration code (JWT) |
conductor_cmd |
string |
128T conductor registration command |
router_shell_cmd |
string |
128T router registration command used by the 128-agent (which connects to the Mist cloud) |
GET /api/v1/orgs/:org_id/ssr/versions
| Name | Type | Description |
|---|---|---|
channel |
string |
One of stable (default), beta, alpha |
mac |
string |
Optional. MAC address, or comma separated MAC address list. |
[
{
"package": "SSR",
"version": "5.3.1-17",
"_version": "SSR-5.3.1-17.el7.x86_64",
"default": true,
"tags": [ "mist_suggested" ]
}
]
POST /api/v1/orgs/:org_id/ssr/upgrade
{
"strategy": "big_bang",
"channel": "stable",
"version": "5.3.0-93",
"start_time": 1624405840,
"device_ids": [
"00000000-0000-0000-1000-5c5b35000020"
]
}
| Name | Type | Description |
|---|---|---|
device_ids |
list |
list of 128T device IDs to upgrade, currently only one 128T device allowed |
channel |
string |
upgrade channel to follow, stable (default) / beta / alpha |
version |
string |
128T firmware version to upgrade (e.g. 5.3.0-93) |
strategy |
string |
big_bang(upgrade all at once) or serial(one at a time), default is big_bang |
start_time |
long |
128T firmware download start time in epoch seconds, default is now, -1 disables download |
reboot_at |
long |
reboot start time in epoch seconds, default is start_time, -1 disables reboot |
GET /api/v1/orgs/:org_id/ssr/upgrade
[{
"status": "upgrading",
"strategy": "serial",
"versions": {},
"channel": "stable",
"device_type": "gateway",
"_id": "ceef2c8a-e2e6-447a-8b27-cb4f3ec1adae",
"counts": {
"queued": 1,
"upgrading": 1,
"success": 0,
"failed": 0
}
}]
GET /api/v1/orgs/:org_id/ssr/upgrade/:upgrade_id
{
"status": "upgrading",
"strategy": "serial",
"versions": {},
"channel": "stable",
"device_type": "gateway",
"_id": "5cbcee0a-c620-4bb4-a25e-15000934e9d8",
"targets": {
"queued": ["387804a7-3474-85ce-15a2-f9a9684c9c90"],
"upgrading": ["8e525f1d-4178-4ae1-a988-2b0176855e55"],
"success": [],
"failed": []
}
}
Best effort to cancel an upgrade. Devices which are already upgraded wont be touched
POST /api/v1/orgs/:org_id/ssr/upgrade/:upgrade_id/cancel
GET /api/v1/orgs/:org_id/stats/vpn_peers/search
{
"results": [
{
"org_id": "0c160b7f-1027-4cd1-923b-744534c4b070",
"site_id": "725a8d34-a126-4f2c-b990-d1219421cb75",
"mac": "020001c04668",
"port_id": "Lte",
"peer_mac": "020001367edd",
"peer_site_id": "725a8d34-a126-4f2c-b990-d1219421cb75",
"peer_port_id": "DC_Internet",
"type": "svr", // ipsec for SRX, svr for 128T
"up": true,
"is_active": true,
"uptime": 1527128046,
"last_seen": 1619518709.222,
# for svr
"router_name": "RIST01544AP1",
"peer_router_name": "RIDCBBP1",
"latency": 91.0,
"mtu": 1500,
"mos": 436.0
# for ipsec
"auth_algo": "hmac-sha1-96",
"enc_algo": "aes-cbc-128",
"ike_version": "1",
},
],
"start": 1619518689.4989705,
"end": 1619518989.4989712,
"limit": 10,
"total": 1
}
| Name | Type | Description |
|---|---|---|
org_id |
string |
router org ID |
site_id |
string |
router site ID |
peer_site_id |
string |
peer router site ID |
mac |
string |
router mac address |
peer_mac |
string |
peer router mac address |
port_id |
string |
router device interface |
peer_port_id |
string |
peer router device interface |
timestamp |
long |
sampling time (in epoch) |
router_name |
string |
router name |
peer_router_name |
string |
peer router name |
mtu |
int |
Maximum Transmission Unit of peer path |
latency |
long |
Network latency in a peer path |
mos |
float |
Mean opinion score in a peer path |
uptime |
int |
uptime |
is_active |
boolean |
Redundancy status of the associated interface |
GET /api/v1/orgs/:org_id/stats/vpn_peers/count
{
"results": [
{
"mac": "02000111d2dc",
"count": 2
}
],
"start": 1619518707.800029,
"end": 1619519007.8000295,
"limit": 10,
"distinct": "mac",
"total": 1,
}
GET /api/v1/orgs/:org_id/stats/bgp_peers/search
{
"results": [
{
"org_id": "0c160b7f-1027-4cd1-923b-744534c4b070",
"site_id": "725a8d34-a126-4f2c-b990-d1219421cb75",
"mac": "020001c04668",
"node" : "node0",
"timestamp": 1666251056.07,
"local_as": 65000,
"neighbor_as": 65000,
"vrf_name": "default", // default (default) / or VRF name
"neighbor": "15.8.3.5",
"neighbor_mac": "020001e53153", // if it's another device in the same org
"uptime": 31355,
"up": true,
"for_overlay": true, // if this is created for overlay
"state": "established", // idle, connect, active, open_sent, open_confirm and established
"tx_pkts": 1735,
"rx_pkts": 63366,
"rx_routes": 60,
"tx_routes": 60,
"evpn_overlay": true // if this is created for evpn overlay
},
],
"start": 1619518689.4989705,
"end": 1619518989.4989712,
"limit": 10,
"total": 1
}
| Name | Type | Description |
|---|---|---|
org_id |
string |
router org ID |
site_id |
string |
router site ID |
mac |
string |
router mac address |
node |
string |
node0/node1 |
timestamp |
long |
sampling time (in epoch) |
local_as |
string |
local AS |
neighbor_as |
string |
neighbor AS |
vrf_name |
string |
VRF name |
neighbor |
string |
IP of neighbor |
neighbor_mac |
string |
Mac of neighbor |
state |
string |
idle, connect, active, open_sent, open_confirm and established |
up |
boolean |
true/false |
tx_pkts |
int |
tx pkts |
rx_pkts |
int |
rx pkts |
rx_routes |
int |
number of received routes |
tx_routes |
int |
number of sent routes |
uptime |
int |
uptime |
for_overlay |
boolean |
true/false, if this is created for overlay |
evpn_overlay |
boolean |
true/false, if this is created for evpn overlay |
GET /api/v1/orgs/:org_id/stats/bgp_peers/count?state=disconnected&distinct=mac
{
"results": [
{
"mac": "02000111d2dc",
"count": 2
}
],
"start": 1619518707.800029,
"end": 1619519007.8000295,
"limit": 10,
"distinct": "mac",
"total": 1,
}
POST /api/v1/orgs/:org_id/devices/upgrade
{
"device_type": "ap",
"versions": [
// ap upgrade
{
"firmware_type": "ap",
"version": "0.12.27139",
"force": true
},
// switch upgrade
{
"firmware_type": "junos"
"model_version": {
"EX4400-24P": "23.4R1.9" // used to select different versions for different models
}
],
"rules": [
{
// all AP63's in this site will be selected for upgrade
"match_model": "AP63"
},
{
// AP43's whose name has the word 'access' from character 2 to 7 will be selected for upgrade
"match_model": "AP43",
"match_name[2:8]": "access"
}
],
"all_sites": false // true will upgrade all sites in this org
"site_ids": ["4ac1dcf4-9d8b-7211-65c4-057819f0862b"], // only devices belonging to these sites will be selected for upgrade. Will be ignored if "all_sites": true
"models": ["AP41"], // only devices of these model types will be selected for upgrade
"download_strategy": "canary",
"reboot_strategy": "serial",
"canary_phases": [5,25,50,100],
"max_failures": [1,1,5,5], // will be used if provided, else max_failure_percentage will be used
"max_failure_percentage": 5
"start_datetime": "2024-06-13T15:00:00-07:00", // ISO 8601
"reboot_datetime": "2024-06-13T15:00:00", // ISO 8601 - exclude timezone component if site local timezone needs to be used
}
| Name | Type | Description |
|---|---|---|
device_type |
string |
ap, switch |
versions |
array |
array of version objects |
version |
string |
(deprecated, use versions instead) specific version / stable, default is to use the latest |
all_sites |
boolean |
set to true if all sites belonging to this org need to be selected for upgrade. Overrides site_ids. Default false |
site_ids |
array |
only devices belonging to these sites will be selected for upgrade |
models |
array |
only devices of these model types will be selected for upgrade |
rules |
array of objects |
rules used to identify devices which will be selected for upgrade. Device will be selected as long as it satisfies any one rule |
download_strategy |
string |
big_bang(download all at once - no orchestration), serial(one at a time), canary(download in phases), default is big_bang |
reboot_strategy |
string |
big_bang(upgrade all at once - no orchestration), serial(one at a time), canary(upgrade in phases) or rrm(AP only), default is serial |
strategy |
string |
(deprecated, use download_strategy/reboot_strategy instead) big_bang(upgrade all at once - no orchestration), serial(one at a time), canary or rrm(AP only), default is big_bang |
canary_phases |
array of ints |
phases for canary deployment. Each phase represents percentage of devices that need to be upgraded in that phase. default is [1, 10, 50, 100] |
max_failures |
array of ints |
number of failures allowed within each phase. Only applicable for canary. Array length should be same as canary_phases. Will be used if provided, else max_failure_percentage will be used |
max_failure_percentage |
int |
percentage of failures allowed across the entire upgrade(not applicable for big_bang), default is 5 |
start_datetime |
string |
firmare download start time in ISO 8601 format. Default is now. |
start_time |
long |
(deprecated, use start_datetime instead) firmware download start time in epoch seconds, default is now |
reboot_datetime |
string |
reboot start time in ISO 8601 format. Default is start_datetime |
reboot_at |
long |
(deprecated, use reboot_datetime instead) reboot start time in epoch seconds, default is start_time |
enable_p2p |
boolean |
(AP only) whether to allow local AP-to-AP FW upgrade |
p2p_parallelism |
int |
(AP only) number of parallel p2p download batches to create, default is 1 |
p2p_cluster_size |
int |
(AP only) size to split the devices for p2p, default 10 |
rrm_node_order |
string |
(AP only) fringe_to_center or center_to_fringe (default fringe_to_center). Used in rrm to determine whether to start upgrade from fringe or center AP’s |
rrm_slow_ramp |
boolean |
(AP only) true will make rrm batch sizes slowly ramp up |
rrm_max_batch_percentage |
int |
(AP only) max percentage of AP’s that need to be present in each rrm batch |
rrm_first_batch_percentage |
int |
(AP only) percentage of AP’s that need to be present in the first rrm batch |
rrm_mesh_upgrade |
string |
(AP only) sequential or parallel (default parallel). Whether to upgrade mesh AP’s parallelly or sequentially at the end of the upgrade |
snapshot |
boolean |
Perform recovery snapshot after device is rebooted. default is false (Available on Junos OS devices) |
| Name | Type | Description |
|---|---|---|
firmware_type |
string |
ap, junos |
version |
string |
version to upgrade to |
force |
boolean |
set to true if upgrade is needed when target version <= running version, default false. Supported for device_type ap |
model_version |
dict |
map of device model to firmware version used to select different versions for different models. Overrides version for the specified models |
| Name | Type | Description |
|---|---|---|
match_model |
string |
match devices of this model. Can optionally use offsets to select a substring. For eg: match_model[1:3] |
match_name |
string |
match devices with this name. Can optionally use offsets to select a substring. For eg: match_name[1:3] |
{
"id": "f57096b9-0c2f-4df6-c77b-ae6ae87a3d43"
}
GET /api/v1/orgs/:org_id/devices/upgrade/:id
{
"id": "510faff9-0c55-4112-8796-f7589da0f7bc",
"target_version": "apfw-0.7.20216-gilly-d4fc",
"strategy": "big_bang",
"enable_p2p": false,
"force": false
"upgrades": [{
"site_id": "1916d52a-4a90-11e5-8b45-1258369c38a9",
"upgrade": {
"id": "9b5fde1d-bda4-486f-8eb6-4368aa30cf30",
"status": "created",
"start_time": 1626892546,
"targets": {
"scheduled": [],
"downloaded": [],
"download_requested": [],
"reboot_in_progress": [],
"rebooted": [],
"skipped": [],
"failed": [],
"total": 1
}
}
}, {
"site_id": "65c2095a-e049-4267-88a5-5019e4b69a4d",
"upgrade": {
"id": "510faff9-0c55-4112-8796-f7589da0f7bc",
"status": "created",
"start_time": 1626892546,
"targets": {
"scheduled": [],
"downloaded": [],
"download_requested": [],
"reboot_in_progress": [],
"rebooted": [],
"skipped": [],
"failed": [],
"total": 1
}
}
}]
}
Same as one defined in Site API
Best effort to cancel an upgrade. Devices which are already upgraded won’t be touched
POST /api/v1/orgs/:org_id/devices/upgrade/:upgrade_id/cancel
GET /api/v1/orgs/:org_id/devices/upgrade
[{
"id": "c4a69d92-46b9-44a8-ae90-7de44be58a4b",
"upgrades": [{
"site_id": "1916d52a-4a90-11e5-8b45-1258369c38a9",
"upgrade_id": "f9d03e9a-28ae-4b09-8cef-f682801b46c3"
}, {
"site_id": "495363c9-be25-4fde-8bef-65b28a1a6eaa",
"upgrade_id": "6de92826-a348-4bae-9005-2d1d8041d327"
}]
}]
| Name | Type | Description |
|---|---|---|
id |
uuid |
unique id for the org upgrade |
upgrades |
array of upgrades |
site upgrades part of this upgrade |
upgrades.upgrade_id |
uuid |
id of the site upgrade |
upgrades.site_id |
uuid |
site the upgrade belongs to |
For some scenarios like E911 or security systems, the BSSIDs are required to identify which AP the client is connecting to. Then the location of the AP can be used as the approximate location of the client.
Each radio MAC can have 16 BSSIDs (enumerate the last octet from 0-F)
GET /api/v1/orgs/:org_id/devices/radio_macs
[
{
"mac": "5c5b35000001",
"radio_macs": ["5c5b35000040", "5c5b35000050", "5c5b35000060"]
},
{
"mac": "5c5b45000001",
"radio_macs": ["5c5b45000040", "5c5b45000050", "5c5b45000060"]
}
]
| Name | Type | Description |
|---|---|---|
mac |
string |
device(AP) MAC address |
radio_macs |
array of mac addresses |
array of radio MAC addresses for each AP |
GET /api/v1/orgs/:org_id/devices/versions
see Site:Get Available Device Versions for API request & response details.
GET /api/v1/const/ap_esl_versions
| Name | Type | Description |
|---|---|---|
model |
string |
filter versions by model |
[
{
'esl_version': '2.5.1',
'model': 'AP34'
},
{
'esl_version': '2.5.0',
'model': 'AP43'
}
]
/api/v1/orgs/:org_id/nactags
nactags are the building blocks to compose nacrules.
They can either appear in the "matching" / "not_matching" sections of a nacrule,
in which case they play the role of classifiers, or they could appear in the "apply_tags"
section of the of a nacrule, in which case they influence the result.
When the "type" field of nactag is "match", it can be used as the classfier of a nacrule.
- "match" field specifies the attribute name and "values" field specifies the list of
attribute values to match on.
- When multiple values are specified, its treated as an OR condition
between those values. This behavior can be changed by setting "match_all" field to "true",
in which case it is treated as an AND condition between those values.
- By default exact match is performed. This behavior can be changed as follows:
- Adding '*' at the beginning will perform suffix match
(ex: *-staff will match foo-staff and bar-staff)
- Adding '*' at the end will perform prefix match
(ex: foo-* will match foo-staff and foo-interns)
- Adding '*' at both ends will perform substring match
(ex: *printer* will match hp-printer-bldg1, brother-printer-lab)
- Adding '!' at the beginning will perform negation of the match
(ex: !ssid-guest will match any string that is not ssid-guest)
- Note: when negation should be used along with suffix/substring operation,
! should always precede *
(ex: !*guest will match any string that is not ending with guest)
When the "type" field of nactag is NOT "match", it can be used as the result of a nacrule.
"type" field identifies the action to take and the corresponding field would provide any associated
parameters to that action.
When the "type" field of nactag is NOT "match" and is any of the result type also supported by usermac table('vlan'),
"allow_usermac_override" field can be set to true to allow the override by usermac result
// when type = match
// matches vendor
// NOTE: match on 'vendor' is now obsoleted. DO NOT use it anymore.
// You can now add vendor based match directly as part of nacrule object
{
"type": "match",
"name": "guest-wlan",
"match": "vendor",
"values": [ "cisco" ]
}
// matches ssid
{
"type": "match",
"name": "corp-wlan",
"match": "ssid",
"values": [ "corp-ssid" ]
}
// matches cert_cn
{
"type": "match",
"name": "staff",
"match": "cert_cn",
"values": [ "john", "staff*" ]
}
// matches cert_sub
{
"type": "match",
"name": "subject1",
"match": "cert_sub",
"values": [ "/C=CN/ST=defy/O=defy/OU=defy/CN=steve" ]
}
// matches cert_serial
{
"type": "match",
"name": "serial1",
"match": "cert_serial",
"values": [ "6a524ab782fb468c00c59f51cff00268d95533b8"]
}
// matches cert_issuer
{
"type": "match",
"name": "issuer1",
"match": "cert_issuer",
"values": ["/C=CN/ST=defy/L=defy/O=defy/OU=defy/CN=defy"]
}
// matches cert_san
{
"type": "match",
"name": "san1",
"match": "cert_san",
"values": ["henry1@defy.com"]
}
// matches cert_eku
{
"type": "match",
"name": "EKU-Match",
"match": "cert_eku",
"values": ["1.3.6.1.4.1.54321.10.1","1.3.6.1.4.1.54321.20.2"]
}
// matches cert_template
{
"type": "match",
"name": "templ1",
"match": "cert_template",
"values": ["1.3.6.1.4.1.311.21.8.4200806.605933.871088.11229391.9863893.29.13545645.4807979",
"1.3.6.1.4.1.311.21.8.3285427.4093958.2707341.9961608.11572555.6.4903431.2258457"]
}
// matches hostname
{
"type": "match",
"name": "hostname1",
"match": "hostname", // list of strings(hostnames)
"values": [ "CP*", "CP*"]
}
// matches idp_role
{
"type": "match",
"name": "finance",
"match": "idp_role",
"values": ["finance"]
}
// matches realm
{
"type": "match",
"name": "defy",
"match": "realm",
"values": ["defy.com"]
}
// matches user_name
{
"type": "match",
"name": "admins",
"match": "user_name",
"values": ["bob", "steve"]
}
// matches client_mac
// either complete mac can be specified OR wildcards can be used to match OUI etc.
{
"type": "match",
"name": "cameras",
"match": "client_mac",
"values": ["010203040506", "abcdef*"]
}
// matches mdm_status
{
"type": "match",
"name": "mdm_compliance",
"match": "mdm_status",
"values": ["compliant", "non-compliant", "unknown"]
}
// matches edr_status
{
"type": "match",
"name": "edr_health",
"match": "edr_status",
"match_all": false, // false (default) or true
"values": ["sentinelone_healthy", "sentinelone_infected", "crowdstrike_low", "crowdstrike_medium", "crowdstrike_high", "crowdstrike_critical", "crowdstrike_informational", "unknown"]
}
// matches usermac_label
{
"type": "match",
"name": "my_label_tag",
"match": "usermac_label",
"values": ["bldg3", "bldg5", "camera", "printer"]
}
// matches nas_ip
// either complete nas ip can be specified OR subnet
{
"type": "match",
"name": "switches_floor1",
"match": "nas_ip",
"values": ["194.168.0.0/16", "193.167.4.1"]
}
// matches ingress_vlan
// ingress_vlan appears in radius requests
{
"type": "match",
"name": "radius_request_vlan",
"match": "ingress_vlan",
"values": ["999", "10"]
}
// when type = radius_group
{
"type": "radius_group",
"radius_group": "VIP",
"allow_usermac_override": true
}
// when type = vlan
{
"type": "vlan",
"vlan": "30"
"allow_usermac_override": true
}
// when type = gbp_tag (Group Based Policy Tag)
{
"type": "gbp_tag",
"gbp_tag": "100"
}
// when type = session_timeout
{
"type": "session_timeout",
"session_timeout": 86400 // integer - in seconds
}
// when type = egress_vlan_names
{
"type": "egress_vlan_names",
"egress_vlan_names": [ "1vlan-30", "1vlan-20", "2-vlan10"] // list of strings(vlan names)
}
{
"type": "username_attr",
"username_attr": "automatic", // automatic / cn / upn / email / dns
// if true, use the usermac->name instead, if present
"allow_usermac_override": false
}
// when type = radius_attrs, user can specify a list of one or more standard attributes
// in the field "radius_attsr" . It is the responsibility of the user to provide a
// syntactically correct string, otherwise it may not work as expected.
// note that it is allowed to have more than one radius_vendor_attr in the result of a given rule.
// examples:
{
"type": "radius_attrs",
"radius_attrs": ["Idle-Timeout=600", "Termination-Action=RADIUS-Request"]
}
// when type = radius_vendor_attrs, user can specify a list of one or more vendor-specific attributes
// in the field "radius_vendor_attrs". It is the responsibility of the user to provide a
// syntactically correct string, otherwise it may not work as expected.
// note that it is allowed to have more than one radius_vendor_attr in the result of a given rule.
// examples:
{
"type": "radius_vendor_attrs",
"radius_vendor_attrs": ["PaloAlto-Admin-Role=superuser", "PaloAlto-Panorama-Admin-Role=administrator"]
}
{
"type": "radius_vendor_attrs",
"radius_vendor_attrs": ["Cisco-Av-pair=shell:priv-lvl=15"]
}
// when type = redirect_nacportal_id
{
"type": "redirect_nacportal_id",
"redirect_nacportal_id": "9954cfed-6235-f6c1-d5cf-f357b12b2aa7"
}
| Name | Type | Description |
|---|---|---|
name |
string |
the name |
type |
string |
match / radius_group / vlan |
match |
string |
type of match, vendor / ssid / cert_cn / cert_sub / cert_serial / cert_issuer / cert_san / idp_role / realm / user_name / client_mac / mdm_status / usermac_label / nas_ip / hostname / edr_status |
match_all |
boolean |
false’: means it is sufficient to match any of the values (i.e., match-any behavior), ‘true’: means all values should be matched (i.e., match-all behavior), default is ‘false This field is applicalbe only when ‘type’ field is set to ‘match’ Currently it makes sense to set this field to ‘true’ only if the ‘match’ is set to ‘idp_role’, ‘usermac_label’ and ‘edr_status’. |
values |
list |
list of values to match |
vlan |
string |
vlan id or name to return |
radius_group |
string |
filter_id to return |
gbp_tag |
string |
gbp tag to return |
session_timeout |
int |
session timeout value to return in seconds |
egress_vlan_names |
list |
list of egress vlans to return |
radius_attrs |
list |
list of one or more standard radius attributes in “\ |
radius_vendor_attrs |
list |
list of one or more vendor specific radius attribute in “\ |
redirect_nacportal_id |
string |
UUID of nac portal |
/api/v1/orgs/:org_id/nactags?type=gbp_tag
| Name | Type | Description |
|---|---|---|
type |
string |
Type of NAC Tag |
name |
string |
Name of NAC Tag |
match |
string |
Type of match of NAC Tag |
[
{
"gbp_tag": "300",
"id": "700e6dca-3a77-4dda-af86-e299d5df72a3",
"name": "Printer",
"org_id": "2818e386-8dec-2562-9ede-5b8a0fbbdc71",
"created_time": 1706662152,
"modified_time": 1706662152,
"type": "gbp_tag",
"match": "gbp_tag"
},
{
"gbp_tag": "500",
"id": "700e6dca-3a77-4dda-af86-e299d5df72a3b2250cbf-baaf-47a9-b68a-3a8a1382f4d8",
"name": "Cameras",
"org_id": "2818e386-8dec-2562-9ede-5b8a0fbbdc71",
"created_time": 1706662152,
"modified_time": 1706662152,
"type": "gbp_tag",
"match": "gbp_tag"
},
...
]
/api/v1/orgs/:org_id/nacrules
{
"name": "name1",
"id": "7e700e85-6080-69b9-729e-ee9e012d7408",
"order": 1,
// enable dry_run knob if you want the rule to be evaluated, but not acted upon.
// clients/events, wired_clients/events, nac_clients/events endpoints
// reports dryrun_nacrule_matched, dryrun_nacrule_id attributes
// hit-counts against the nac_rules are obtained using es query on the endpoints
"dry_run": false
// match conditions
"matching": {
"auth_type": "eap-tls", // eap-tls (default) / eap-peap / eap-ttls / eap-teap / mab / device-auth
// based on NAS-Port-Type
"port_types": ["wired"], // wireless (18), wired (15),
// refer to const/fingerprint_types API for allowed family, mfg, model, os_types
"family": ["Access Point""],
"mfg": ["Apple, Inc.", "Amazon Technologies Inc."],
"model": ["1535 IP Phone", "AP41E-US"],
"os": ["Android 11", "Windows"],
// refer to "mist_nac" subsection under "Mist Edge Cluster" configuration
// for the list of allowed vendors and the naming convention of vendor names
"vendors": ["cisco-ios", "cisco-meraki"] // list of vendors to match
// guest portal
"guest_auth_state": "authorized", // unknown / authorized
"site_ids": [
"bb19fc3e-4124-4b57-80d9-c3f6edce47c4",
"bb19fc3e-6564-4b57-80d9-c3f6edce47c1"
],
"sitegroup_ids": [
"bb19fc3e-4124-4b57-80d9-c3f6edce47c4",
"bb19fc3e-6564-4b57-80d9-c3f6edce47c1"
],
"nactags": [ "041d5d36-716c-4cfb-4988-3857c6aa14a2", "a809a97f-d599-f812-eb8c-c3f84aabf6ba" ]
},
"not_matching": {
// same as `matching`
},
// all optional, this goes into Access-Accept
"apply_tags": [ "c049dfcd-0c73-5014-1c64-062e9903f1e5" ],
"action": "allow", // "allow" / "block"
}
| Name | Type | Description |
|---|---|---|
name |
string |
the name |
enabled |
boolean |
enabled or not, default is true |
order |
int |
the order of the rule, lower value implies higher priority |
auth_type |
string |
eap-tls / peap-tls / eap-ttls / eap-teap / mab / device-auth |
port_types |
list |
list of port_types (wired / wireless) to match |
family |
list |
list of client device families to match |
model |
list |
list of client device models to match |
mfg |
list |
list of client device manufacturers to match |
os_type |
list |
list of client device os types to match |
site_ids |
list |
list of site ids to match |
sitegroup_ids |
list |
list of sitegroup ids to match |
action |
string |
allow / block |
guest_auth_state |
string |
unknown or authorized |
Juniper Support Insight is a free service provided to all Mist customers. You can adopt your devices via a few lines CLI comands. Allowing you to - get some basic information about the adopted devices - web shell into device (write privilege required) - upgrade (write privilege required)
GET /api/v1/orgs/:org_id/jsi/devices?limit=100&model=EX2300&serial=DGCOO0015&mac=c15353123096
[
{
"mac": "c15353123096",
"model": "EX2300-C-12P",
"serial": "DGCOO0015",
// when it's available
"last_seen": 1654636867,
"uptime": 1654550467,
"version": "19.2R1.8"
},
...
]
GET /api/v1/orgs/:org_id/jsi/devices/outbound_ssh_cmd
{
"cmd": "set system services ssh...\n...\nset system services outbound-ssh client mist ..."
}
POST /api/v1/orgs/:org_id/jsi/devices/:mac/shell
{
"session': "19e73828-937f-05e6-f709-e29efdb0a82b",
"url": "wss://api-ws.mist.com/ssh?jwt=xxxx"
}
POST /api/v1/orgs/:org_id/jsi/devices/:mac/upgrade
{
"version": "3.1.5"
}
This gets all devices purchased from the accounts associated with the Org - Fetch Install base devices for all linked accounts and associated account of the linked accounts. - The primary and the associated account ids will be queries from SFDC by passing the linked account - Retruns only the device centeric details of the Install base device. No customer specific information will be returned.
GET /api/v1/orgs/:org_id/jsi/inventory?limit=100&model=EX2300&serial=DGCOO0015
see Get Juniper Linked Accounts
Status 400
{
"detail": "no juniper account linked"
}
[
{
'model': 'EX4300-48T',
'type': 'switch',
'serial': 'PE3721050223',
'sku': 'EX4300-48T-AFI',
'warranty_type': 'Enhanced Hardware Warranty',
'eol_time': 1671062400,
'eos_time': 1828828800
}
]
| Name | Type | Description |
|---|---|---|
model |
string |
model of the install base inventory |
type |
string |
device type, ap / switch / gateway |
serial |
string |
serial Number of the inventory |
sku |
string |
serviceable device stock |
warranty_type |
string |
type of warranty |
eol_time |
timestamp |
end of life time |
eos_time |
timestamp |
end of support time |
This gets all devices purchased from the accounts associated with the Org - Fetch Assets & Contracts for all linked accounts and associated account of the linked accounts. - The primary and the associated account ids will be queries from SFDC by passing the linked account - Retruns only the device centeric details of the Install base device. No customer specific information will be returned.
GET /api/v1/orgs/:org_id/jsi/inventory/search?limit=100&page=1&sort=serial
The following fields are available for searching.
| Name | Type | Description |
|---|---|---|
model |
string |
device model |
sku |
string |
sku name of the device |
serial |
string |
device serial number |
status |
string |
status whether connected , disconnected |
warranty_type |
string |
Type of warranty |
eol_duration |
string |
duration in format 30d , 4w , 5M , 2Y |
eos_duration |
string |
duration in format 30d , 4w , 5M , 2Y |
text |
string |
wildcards for serial , model,accountid |
| ### Warranty Types | ||
| ‘WTY00001’: ‘Standard Hardware Warranty’, | ||
| ‘WTY00002’: ‘Enhanced Hardware Warranty’, | ||
| ‘WTY00003’: ‘Dead On Arrival Warranty’, | ||
| ‘WTY00004’: ‘Limited Lifetime Warranty’, | ||
| ‘WTY00005’: ‘Software Warranty’, | ||
| ‘WTY00006’: ‘Limited Lifetime Warranty for WLA’, | ||
| ‘WTY00007’: ‘Warranty–JCPO EOL (DOA Not Included)’, | ||
| ‘WTY00008’: ‘MIST Enhanced Hardware Warranty’, | ||
| ‘WTY00009’: ‘MIST Standard Warranty’, | ||
| ‘WTY00099’: ‘Determine Lifetime warranty’ |
GET /api/v1/orgs/:org_id/jsi/inventory/search?model=QFX5200-32C-AFO2&limit=1000&page=1&sort=serial
GET /api/v1/orgs/:org_id//jsi/inventory/search?text=WH3623020574&limit=1000&page=1&sort=serial
Text search can be done on the following fields [‘model’,’serial’,’account_id’, ‘status’,’warranty_type’]
see Get Juniper Linked Accounts
Status 400
{
"detail": "no juniper account linked"
}
{
"results": [
{
"serial": "XN3123300095",
"type": "switch",
"sku": "EX2300",
"model": "EX2300-24MP",
"eol_time": 1561507200,
"eos_time": 1672012800,
"warranty_type": "WTY00002",
"warranty": "Enhanced Hardware Warranty",
"warranty_time": 1672012800,
"org_id": "6e843b41-f953-4af9-80e5-e1a70f65754a",
"device_name": "name1",
"status": "connected",
"master": true,
"version": "23.4R2-S4.11",
"suggested_version": "Latest 21.4R3-Sx",
"version_time": 1561507200,
"version_eos_time": 1672012800
}
],
"limit": 1000,
"start": 1748019708,
"end": 1748023308,
"total": 1
}
| Name | Type | Description |
|---|---|---|
serial|string| serial Number of the inventory
type|string| device type, ap / switch / gateway
sku|string| serviceable device stock
model|string| model of the install base inventory
eol_time|timestamp | end of life time
eos_time|timestamp | end of support time
warranty_type|string | type of warranty
warranty |string | warranty description
warranty_time |timestamp | Time when warranty needs to be renewed
org_id|string | ORG ID where the device belongs to
device_name|string | Name of the device
status|string | Status of the connected device
master|boolean | Indicates whether it is Master
version|string | SW version running
suggested_version|string | Suggested SW version
version_time|timestamp | FRS date of the version
version_eos_time|timestamp | End of Service of version
GET /api/v1/orgs/:org_id/jsi/inventory/count?distinct=model
| Name | Type | Description |
|---|---|---|
distinct |
string |
‘model’, ‘sku’ , ‘account_id’,’type’,’version’,’warranty_type’,’status’ , ‘eol_time’,’eos_time’ , ‘version_time’ |
{
"results": [
{
"model": "QFX5200-32C-FANAFI",
"count": 297
},
{
"model": "JPSU-850W-AC-AFI",
"count": 123
},
{
"model": "QFX5200-32C-AFI2",
"count": 114
},
{
"model": "EX3400-FAN-AFO",
"count": 67
},
{
"model": "JPSU-150-AC-AFI",
"count": 55
},
{
"model": "JPSU-150-AC-AFO",
"count": 55
},
{
"model": "EX3400-FAN-AFI",
"count": 51
},
{
"model": "EX3400-48T-AFI",
"count": 46
},
{
"model": "EX3400-48T-RD-PSU",
"count": 42
},
{
"model": "QFX5200-32C-FANAFO",
"count": 26
}
],
"limit": 10,
"start": 1747926245,
"end": 1747929845,
"distinct": "model",
"total": 48
}
PUT /api/v1/orgs/:org_id/inventory
{
"op": "upgrade_to_mist",
"macs": [
"c15353123096",
"5c5b350e0001"
]
}
{
"op": "upgrade_to_mist",
"success": [ "c15353123096" ],
"error": [ "5c5b350e0001" ],
"reason": [ "already upgraded to mist" ]
}
When downgrading a VC member to jsi, we will move the cloud connection of the VC to jsi-terminator and keep all VC device/inventories intact for pain-free upgrading back to mist.
{
"op": "downgrade_to_jsi",
"macs": [
"c15353123096",
"5c5b350e0001"
]
}
{
"op": "downgrade_to_jsi",
"success": [ "5c5b350e0001" ],
"error": [ "c15353123096" ],
"reason": [ "already downgraded to jsi" ]
}
Troubleshoot sites, devices, clients, and wired clients for maximum of last 7 days from current time. See search APIs for device information.
GET /api/v1/orgs/:org_id/troubleshoot?mac=:mac&site_id=4ac1dcf4-9d8b-7211-65c4-057819f0862b&start=1655065456&end=1655151856
| Name | Type | Description |
|---|---|---|
mac |
string |
mac |
site_id |
string |
site_id |
type |
string |
type of network to troubleshoot in a site, wireless / wired / wan, default type is wireless, each type should be queried separately |
{
"results": [
{
"category": "client",
"reason": "slow association",
"text": "Clients of the AP had slow association 8% of the time on Bhavabhi and 5 GHz. ...",
"recommendation": "Ensure the IP helper-address is configured on the VLAN interface.",
"site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b"
},
...
],
"start": 1655065456,
"end": 1655151856
}
NOTE: requires Marvis subscription license
This all the premium analytics dashboards for this Org
GET /api/v1/orgs/:org_id/pma/dashboards?limit=100
[
{
'name': 'dashboard_1',
'url': 'https://api.mist.com/api/v1/forward/looker?jwt=...',
'label': 'Wireless',
'description': 'Dashboard 1 description.'
}
]
| Name | Type | Description |
|---|---|---|
name |
string |
name of the dashboard |
url |
string |
url to access dashboard. Url will redirect the user to the dashboard. |
label |
string |
group label name |
description |
string |
description of the dashboard |
GET /api/v1/orgs/:org_id/otherdevices/events/search?mac=4c9614a78e00
| Name | Type | Description |
|---|---|---|
org_id |
string |
org id |
site_id |
string |
site id |
mac |
string |
mac |
device_mac |
string |
mac of attached device |
vendor |
string |
vendor name |
type |
string |
event type |
model |
string |
device model |
GET /api/v1/const/otherdevice_events
| Name |
|---|
CELLULAR_EDGE_CONNECTED_TO_NCM |
CELLULAR_EDGE_DISCONNECTED_FROM_NCM |
CELLULAR_EDGE_ETHERNET_WAN_CONNECTED |
CELLULAR_EDGE_ETHERNET_WAN_DISCONNECTED |
CELLULAR_EDGE_ETHERNET_WAN_PLUGGED |
CELLULAR_EDGE_ETHERNET_WAN_UNPLUGGED |
CELLULAR_EDGE_FIRMWARE_UPGRADED |
CELLULAR_EDGE_LOGIN_FAILED |
CELLULAR_EDGE_LOGIN_SUCCEEDED |
... |
{
"results": [
{
"org_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862a",
"site_id": "4ac1dcf4-9d8b-7211-65c4-057819f0862b",
"vendor": "cradlepoint",
"mac": "5c5b351e13b5",
"device_mac": "5c5b351e13b5",
"text": "Plugged: The Internal 5GB (SIM1) has been inserted into Internal 1.",
"timestamp": 1547235620.89,
"type": "CELLULAR_EDGE_MODEM_WAN_PLUGGED",
"model": "W1850"
},
...
]
}
GET /api/v1/const/otherdevice_models
{
"model": "W1850",
"id": "65",
"vendor": "cradlepoint",
"device_type": "router",
"display": "W1850",
},
...
GET /api/v1/orgs/:org_id/otherdevices/events/count?distinct=mac
{
"end": 1545874660.211871,
"distinct": "mac",
"results": [
{
"count": 22,
"mac": "0030448c6e40"
}
],
"start": 1545788260.21184,
"limit": 10,
"total": 1
}
GET /api/v1/orgs/:org_id/wan_clients/search
| Name | Type | Description |
|---|---|---|
mac |
string |
partial / full MAC address |
hostname |
string |
partial / full hostname |
ip |
string |
client IP |
mfg |
string |
Manufacture |
network |
string |
network |
ip_src |
string |
IP source |
{
"results": [
{
"wcid": "8bbe7389-212b-c65d-2208-00fab2017936",
"hostname": [
"sonoszp"
],
"ip": [
"192.168.1.139",
"192.168.1.122"
],
"mfg": "Sonos",
"last_hostname": "sonoszp",
"timestamp": 1718791390,
"org_id": "b4e16c72-d50e-4c03-a952-a3217e231e2c",
"site_id": "f688779c-e335-4f88-8d7c-9c5e9964528b",
"last_ip": "192.168.1.139",
"network": "lan",
"ip_src": "dhcp",
"dhcp_expire_time": 1718798190,
"dhcp_start_time": 1718788190
}
]
}
GET /api/v1/orgs/:org_id/wan_clients/count?distinct=mfg
| Name | Type | Description |
|---|---|---|
distinct |
string |
hostname, ip, mfg, network, default is mac |
{
"start": 1511967600,
"end": 1513177200,
"limit": 10,
"distinct": "device",
"total": 2,
"results": [
{
"mfg": "Apple",
"count": 61
},
{
"mfg": "Sonos",
"count": 44
}
]
}
GET /api/v1/orgs/:org_id/wan_clients/events/search
| Name | Type | Description |
|---|---|---|
type |
string |
Event type, e.g. CLIENT_IP_ASSIGNED, CLIENT_IP_RENEWED, CLIENT_IP_EXPIRED |
mac |
string |
Client mac |
mac |
string |
partial / full MAC address |
hostname |
string |
partial / full hostname |
ip |
string |
client IP |
mfg |
string |
Manufacture |
{
"start": 1512572151,
"end": 1513176951,
"limit": 10,
"total": 1,
'results': [
{
"When": "2022-12-31T23:59:59.293Z",
"org_id": "b0b9f142-aaba-11e6-aafc-0242ac110002",
"site_id": "fc656275-b157-43fd-b922-5f4f341c19bf",
"wcid": "62bbfb75-10d8-49d1-dec7-d2df91624287",
"random_mac": False,
"ev_type": "CLIENT_IP_ASSIGNED",
"text": "DHCP Ack IP 192.168.88.216",
"metadata": {
"client_ip": "192.168.88.216",
"expiration": 1672823632.127
}
}
]
}
GET /api/v1/orgs/:org_id/wan_client/events/count?distinct=type
| Name | Type | Description |
|---|---|---|
distinct |
string |
type, hostname, ip, mfg, mac |
{
"start": 1513276353,
"end": 1513362753,
"limit": 3,
"total": 3,
"results": [
{
"type": "CLIENT_IP_ASSIGNED",
"count": 4
},
{
"type": "CLIENT_IP_RENEWED",
"count": 2
},
{
"type": "CLIENT_IP_EXPIRED",
"count": 2
}
]
}
POST /api/v1/orgs/:org_id/mist_nac/test_idp
{
"username": "suriyas@juniper.net",
"password": "xxxxxx"
}
{
"session": "1587919a-bf51-4153-9a85-8855a9b5ba8a"
}
{
"subscribe": "/orgs/:org_id/mist_nac/test_idp"
}
{
"event": "data",
"channel": "/orgs/:org_id/mist_nac/test_idp",
"status":
"data": {
"status": "failure",
"error": "No matching IDP found"
}
}
{
"event": "data",
"channel": "/orgs/:org_id/mist_nac/test_idp",
"status":
"data": {
"status": "success",
"idp_id": "915793c0-1355-4e98-b1c0-23df2227b357",
"idp_type": "ldap",
// more attributes will be added later
}
}
{
"event": "data",
"channel": "/orgs/:org_id/mist_nac/test_idp",
"status":
"data": {
"status": "failure",
"error": "Invalid Credentials",
"idp_id": "915793c0-1355-4e98-b1c0-23df2227b357",
"idp_type": "ldap",
}
}
GET /api/v1/orgs/:org_id/nac_clients/events/search
| Name | Type | Description |
|---|---|---|
type |
string |
event type, e.g. NAC_CLIENT_PERMIT |
nacrule_id |
string |
NAC Policy Rule ID, if matched |
dryrun_nacrule_id |
string |
NAC Policy Dry Run Rule ID, if present and matched |
auth_type |
string |
authentication type, e.g. “eap-tls”, “peap-tls”, “eap-ttls”, “eap-teap”, “mab”, “psk”, “device-auth” |
vlan |
string |
Vlan ID |
nas_vendor |
string |
vendor of NAS device |
bssid |
string |
SSID |
ssid |
string |
SSID |
idp_username |
string |
Username presented to the Identity Provider |
username |
string |
Username presented by the client |
org_id |
string |
org id |
site_id |
string |
site id if assigned, null if not assigned |
ap |
string |
AP MAC |
mac |
string |
MAC address |
mxedge_id |
string |
Mist Edge ID used to connect to cloud |
port_type |
string |
Type of client i.e wired, wireless |
device_mac |
string |
Switch MAC Address |
ip |
string |
IP addressed assigned to client |
port_id |
string |
Port ID for the device |
usermac_label |
list |
labels derived from usermac entry |
text |
string |
partial / full MAC address, username, device_mac or ap |
nas_ip |
string |
IP address of NAS device |
sort |
string |
sort options, ‘-‘ prefix represents DESC order, default is wcid in ASC order |
ingress_vlan |
string |
vendor specific Vlan ID in radius requests |
{
"start": 1512572151,
"end": 1513176951,
"limit": 10,
"total": 1,
"results": [
{
"type": "NAC_CLIENT_PERMIT",
"nacrule_id": "32f27e7d-ff26-4a9b-b3d1-ff9bcb264c62",
"nacrule_matched": true,
"dryrun_nacrule_id": "32f27e7d-ff26-4a9b-b3d1-ff9bcb264012",
"dryrun_nacrule_matched": true,
"auth_type": "eap-ttls",
"vlan": "750",
"vlan_source": "nactag",
"nas_vendor": "juniper-mist",
"bssid": "5c5b355fafcc",
"idp_id": "912ef72e-2239-4996-b81e-469e87a27cd6",
"idp_role": [
"itsuperusers",
"vip"
],
"usermac_label": [
"bldg5",
"printer"
],
"resp_attrs": [
"Tunnel-Type=VLAN",
"Tunnel-Medium-Type=IEEE-802",
"Tunnel-Private-Group-Id=750",
"User-Name=anonymous"
],
"ssid": "##mist_nac",
"idp_username": "user@deaflyz.net",
"username": "user@deaflyz.net",
"timestamp": 1691512031.358188,
"org_id": "27547ac2-d114-4e04-beb1-f3f1e6e81ec6",
"site_id": "441a1214-6928-442a-8e92-e1d34b8ec6a6",
"random_mac": False,
"ap": "5c5b35513227",
"mac": "ac3eb179e535"
}
]
}
GET /api/v1/orgs/:org_id/nac_clients/events/count?distinct=type
| Name | Type | Description |
|---|---|---|
distinct |
string |
type / nacrule_id / dryrun_nacrule_id / auth_type / vlan / nas_vendor / username / ap / mac / ssid |
{
"start": 1513276353,
"end": 1513362753,
"limit": 3,
"total": 3,
"results": [
{
"count": 80,
"type": "NAC_CLIENT_PERMIT"
},
{
"count": 36,
"type": "NAC_CLIENT_CERT_CHECK_SUCCESS"
},
{
"count": 19,
"type": "NAC_CLIENT_DENY"
}
]
}
GET /api/v1/orgs/:org_id/nac_clients/search
| Name | Type | Description |
|---|---|---|
nacrule_id |
string |
NAC Policy Rule ID, if matched |
nacrule_matched |
bool |
If NAC Policy Rule Matched |
auth_type |
string |
authentication type, e.g. “eap-tls”, “peap-tls”, “eap-ttls”, “eap-teap”, “mab”, “device-auth” |
vlan |
string |
Vlan name or ID assigned to the client |
nas_vendor |
string |
vendor of NAS device |
nas_ip |
string |
IP address of NAS device |
idp_id |
string |
SSO ID, if present and used |
ssid |
string |
SSID |
username |
string |
Username presented by the client |
timestamp |
long |
start time, in epoch |
org_id |
string |
org id |
site_id |
string |
site id if assigned, null if not assigned |
ap |
string |
AP MAC connected to by client |
mac |
string |
MAC address |
device_mac |
string |
Switch MAC Address |
status |
string |
Connection status of client i.e “permitted”, “denied, “session_started”, “session_ended” |
type |
string |
Client type i.e. “wireless”, “wired” etc. |
mdm_compliance |
string |
MDM compliancy of client i.e “compliant”, “not compliant” |
mdm_managed |
bool |
Filters NAC clients that are managed by MDM providers |
mdm_provider |
string |
MDM provider of client’s organisation eg “intune”, “jamf” |
edr_status |
string |
EDR Status of client i.e “sentinelone_healthy”, “sentinelone_infected”, “crowdstrike_low”, “crowdstrike_medium”, “crowdstrike_high”, “crowdstrike_critical”, “crowdstrike_informational” |
edr_managed |
bool |
Filters NAC clients that are integrated with EDR providers |
edr_provider |
string |
EDR provider of client’s organisation eg “sentinelone”, “crowdstrike” |
mxedge_id |
string |
ID of Mist Edge that the client is connected through |
nacrule_name |
string |
NAC Policy Rule Name matched |
text |
string |
partial / full MAC address, last_username, device_mac, nas_ip or last_ap |
sort |
string |
sort options, ‘-‘ prefix represents DESC order, default is wcid in ASC order |
usermac_label |
string |
Labels derived from usermac entry |
mfg |
string |
Manufacturer of the client’s device |
family |
string |
Family of the client’s device |
model |
string |
Model of the client’s device |
os |
string |
Operating system of the client’s device |
hostname |
string |
Hostname of the client’s device |
{
"start": 1512572151,
"end": 1513176951,
"limit": 10,
"total": 2,
"results": [
{
"ap": ["5c5b35bf16bb", "d4dc090041b4"],
"auth_type": "eap-tls",
"cert_cn": ["werqwerty"],
"cert_issuer": ["/DC=com/DC=onmicrosoft/DC=Juniper461/CN=Juniper461-CA"],
"idp_id": "a13df686-dc39-4bdd-920f-89a412444c06",
"idp_role": ["Employee"],
"ip": ["10.7.51.74"],
"last_ap": "d4dc090041b4",
"last_cert_cn": "werqwerty",
"last_cert_expiry": 1725373986,
"last_cert_issuer": "/DC=com/DC=onmicrosoft/DC=Juniper461/CN=Juniper461-CA",
"last_ip": "10.7.51.74",
"last_nacrule_id": "558d6c97-d3c2-43e7-941d-244603ef5ce6",
"last_nacrule_name": "mdm_complaince",
"last_nas_vendor": "juniper-mist",
"last_ssid": "mdm_test",
"last_status": "permitted",
"nacrule_id": ["558d6c97-d3c2-43e7-941d-244603ef5ce6"],
"nacrule_matched": true,
"nacrule_name": ["mdm_complaince"],
"nas_vendor": ["juniper-mist"],
"nas_ip": "10.206.96.100",
"mac": "ac3eb179e535",
"org_id": "9301bff6-8992-49d6-b1ea-907ee81bb5fb",
"random_mac": true,
"site_id": "13d69fb2-5456-43a1-90c4-89513487dde2",
"ssid": ["mdm_test"],
"timestamp": 1694689718.612,
"type": "wireless",
"usermac_label": [
"non-compliant",
"building26",
"floor52"
],
"last_mfg": "Apple, Inc.",
"last_family": "Phone/Tablet/Wearable",
"last_model": "iPhone 16 Pro",
"last_os": "iOS 18.1",
"last_hostname": "Apple iPhone Work",
"edr_status": "sentinelone_healthy",
"edr_provider": "sentinelone",
"edr_managed": true
},
{
"auth_type": "mab",
"group": "employee",
"type": "wired",
"last_status": "session_started",
"device_mac": "0c599c646778",
"gbp_tag": "3005",
"last_nacrule_id": "85abd6a3-c4a4-497d-a568-2765046e0dba",
"last_nacrule_name": "Allowed Printers",
"last_nas_vendor": "juniper-mist",
"last_port_id": "ge-0/0/1.0",
"last_username": "CanonPrinter1",
"last_vlan": "750",
"nacrule_id": [
"85abd6a3-c4a4-497d-a568-2765046e0dba"
],
"nacrule_matched": true,
"nacrule_name": [
"Allowed Printers"
],
"nas_vendor": [
"juniper-mist"
],
"org_id": "9301bff6-8992-49d6-b1ea-907ee81bb5fb",
"port_id": [
"ge-0/0/1.0"
],
"random_mac": false,
"site_id": "441a1214-6928-442a-8e92-e1d34b8ec6a6",
"site_ids": [
"441a1214-6928-442a-8e92-e1d34b8ec6a6"
],
"username": [
"CanonPrinter1",
"6c3c7c7573e7"
],
"vlan": [
"750",
"751"
],
"vlan_source": "usermac",
"timestamp": 1721641794.344
}
]
}
GET /api/v1/orgs/:org_id/nac_clients/count?distinct=type
| Name | Type | Description |
|---|---|---|
distinct |
string |
type / auth_type / nacrule_matched / mxedge_id / ssid / status / username / nacrule_id / nas_vendor / vlan / mdm_compliance / mdm_provider / idp_id / nacrule_name / device_mac / ap / usermac_label / mdm_managed / mfg / model / os / family / hostname / nas_ip / edr_provider / edr_status / edr_managed |
{
"start": 1513276353,
"end": 1513362753,
"limit": 3,
"total": 2,
"results": [
{
"count": 10,
"type": "wired"
},
{
"count": 15,
"type": "wireless"
}
]
}
GET /api/v1/orgs/:org_id/vars/search?var=*
| Name | Type | Description |
|---|---|---|
site_id |
string |
site id |
deviceprofile_id |
string |
device profile id |
mac |
string |
device mac address |
var |
string |
var search |
src |
string |
var source: site/deviceprofile/device |
{
"results": [
{
"timestamp": 1695638195.57287,
"src": "site",
"org_id": "0c160b7f-1027-4cd1-923b-744534c4b070",
"var": "mvp",
"site_id": "1519f016-4e41-47c0-a396-cce4d04bac0b"
}
],
"start": 1693949379,
"end": 1693952979,
"limit": 10,
"total": 1
}
GET /api/v1/orgs/:org_id/vars/count?distinct=var
| Name | Type | Description |
|---|---|---|
distinct |
string |
site_id / deviceprofile_id / src / var / mac, default is site_id |
{
"results": [
{
"var": "hello",
"count": 2
},
{
"var": "dns_1",
"count": 1
},
{
"var": "dns_2",
"count": 1
},
{
"var": "mvp",
"count": 1
},
{
"var": "some_var",
"count": 1
},
{
"var": "wife5",
"count": 1
}
],
"start": 1695667663,
"end": 1695671263,
"limit": 10,
"distinct": "var",
"total": 12
}
The Import NAC Org CRL File endpoint allows users to manually upload a Certificate Revocation List (CRL) file in either PEM or DER format. This is a multipart POST request. We support one file upload per issuer, and re-uploads for the same issuer will overwrite the existing file.
POST /api/v1/orgs/:org_id/setting/mist_nac_crls
A multi-part POST
"file": a PEM or DER formatted CRL file
"json": a JSON string with "name" field for CRL file issuer (optional)
Response when the file upload is successful Status 200 OK
{
"id": "a1ca26f3-44dd-4833-9a7b-97bbb2ab5230",
"created_time": 1698099079,
"modified_time": 1698099079,
"name": "SampleCertificateSigner",
"url": "http://url/to/crl_file.crl"
}
Response when the file parameter is missing in the request. Status 400 Bad Request
{
"detail": "No file provided in the request"
}
Response when the file provided is not a valid PEM or DER formatted CRL. Status 400 Bad Request
{
"detail": "Invalid CRL file"
}
Response when the content type is not multipart/form-data. Status 400 Bad Request
{
"detail": "The request needs to be of multipart format"
}
| Name | Type | Description |
|---|---|---|
id |
string |
Unique ID for the uploaded CRL file, used to reference the file |
created_time |
long |
Epoch time when the file was first uploaded |
modified_time |
long |
Epoch time when the file was last modified (if re-uploaded) |
name |
string |
Issuer name for the CRL file |
url |
string |
URL to download the uploaded CRL file |
Returns all uploaded CRL file IDs with names for the orgI
GET /api/v1/orgs/:org_id/setting/mist_nac_crls
{
"results": [
{
"id": "a1ca26f3-44dd-4833-9a7b-97bbb2ab5230",
"created_time": 1698099079,
"modified_time": 1698099079,
"name": "SampleCertificateSigner",
"url": "http://url/to/crl_file"
},
{
"id": "b6cab019-1167-4377-b44d-ec86c28fcb84",
"created_time": 1698099179,
"modified_time": 1698099379,
"name": "TestCertificateSigner",
"url": "http://url/to/crl_file"
}
]
}
| Name | Type | Description |
|---|---|---|
id |
string |
ID for file upload, used to identify file even for deletion |
created_time |
long |
Time at which the file was first uploaded, in epoch |
modified_time |
long |
Time at which the file was last updated, in epoch |
name |
string |
Name for the CRL file issuer if set |
url |
string |
Download URL for the CRL file |
Delete NAC Org CRL file is a DELETE request to delete CRL file identified by its ID (ID assigned on file upload/creation)
DELETE /api/v1/orgs/:org_id/setting/mist_nac_crls/:id
Status: 200 Successful
Status: > 400 Unsuccessful
POST /api/v1/orgs/:org_id/usermacs
Status 200 OK
{
"mac": "921b638445cd",
"labels": ["byod", "flr1"],
"vlan": "30",
"notes": "mac address refers to Canon printers",
"name": "Printer2",
"radius_group": "VIP"
}
This API is always paginated. Search with mac and labels absent together returns all usermacs for the org.
GET /api/v1/orgs/:org_id/usermacs/search?limit=100&page=1
| Name | Type | Description |
|---|---|---|
mac |
string |
optional, partial/full MAC address |
labels |
list |
optional, array of strings of labels |
Status 200 OK
{
"limit": 100,
"page": 1,
"results": [
{
"id": "111cafd2-ba1b-5169-bfcb-9cdf1d473ddb",
"mac": "921b638445cd",
"labels": ["flor1", "bld4"],
"vlan": "30",
"notes": "mac address refers to Canon printers",
"name": "Printer2",
"radius_group": "VIP"
}
]
}
GET /api/v1/:org_id/usermacs/:usermac_id
Status 200 OK
{
"id": "111cafd2-ba1b-5169-bfcb-9cdf1d473ddb",
"mac": "921b638445cd",
"labels": ["flor1", "bld4"],
"vlan": "5",
"notes": "mac address refers to Canon printers",
"name": "Printer2",
"radius_group": "VIP"
}
DELETE /api/v1/orgs/:org_id/usermacs/:usermac_id
Status 200 OK
This API accepts a list of usermac_id
POST /api/v1/orgs/:org_id/usermacs/delete
{
"usermac_ids": ["1041c16c-ca87-4d3f-bb94-b97c5819fc09", "a016cc8e-5893-418a-acaa-4d7c1af6ac0f"]
}
Status 200 OK
PUT /api/v1/orgs/:org_id/usermacs
[
{
"id": "1041c16c-ca87-4d3f-bb94-b97c5819fc09", // id required
"mac": "921b638445cd",
"labels": ["label1"],
"vlan": "vlan-1"
},
{
"id": "a016cc8e-5893-418a-acaa-4d7c1af6ac0f",
"mac": "721b638445ef",
"labels": ["label2", "label3"],
"notes": "mac address refers to Canon printers"
},
{
"id": "2feacc8e-5893-418a-acaa-4d7c1afd01fe",
"mac": "1b600048345ef",
"labels": ["label4"],
}
]
Status 200 OK
{
"updated": ["1041c16c-ca87-4d3f-bb94-b97c5819fc09", "a016cc8e-5893-418a-acaa-4d7c1af6ac0f"],
"errors": ["2feacc8e-5893-418a-acaa-4d7c1afd01fe - invalid id"]
}
POST /api/v1/orgs/:org_id/usermacs/import
[
{
"mac": "921b638445cd",
"labels": ["label1"],
"vlan": "vlan-1"
},
{
"mac": "721b638445ef",
"labels": ["label2", "label3"],
"notes": "mac address refers to Canon printers"
},
{
"mac": "721b638445ee",
"labels": ["label4"],
"name": "Printer2",
"radius_group": "VIP"
},
{
"mac": "921b638445ce",
"labels": ["label5", "label6", "label7"]
},
{
"mac": "921b638445cf",
"vlan": "vlan-100"
}
]
"file": .csv file
mac,labels,vlan,notes,name,radius_group
921b638445cd,"bldg1,flor1",vlan-100
721b638445ef,"bldg2,flor2",vlan-101,Canon Printers
721b638445ee,"bldg3,flor3",vlan-102,Printer2,VIP
921b638445ce,"bldg4,flor4",vlan-103
921b638445cf,"bldg5,flor5",vlan-104
Status 200 OK
{
"added": ["921b638445cd"],
"updated": ["721b638445ef", "721b638445ee"],
"errors": ["921b638445ce - mac invalid", "921b638445cf - mac already provided"]
}
SDK Invites can be generated for (and belongs to) an Org. They can be generated by an Admin of an Org and can be revoked at anytime.
/api/v1/orgs/:org_id/marvisinvites
{
"name": "Handhelds",
// possible chicken-egg.
"proxy": ?
"telemetry": {
"enabled": true,
// NOTE: some stats are not collected when it's not connected to Mist infrastructure
}
// enable zebra integration, requires connection to Mist AP
"zebra": {
"enabled": true,
"port": 5060,
},
"critical_url_monitoring": {
"enabled": true,
// up to 5 monitors can be defined
"monitors: [
{
// currently only http and https are supported
"url": "http://50.1.3.5:8080",
"vlan_id": 3, // default is 1
},
...
]
},
"synthetic_test": {
"enabled": true
}
}
{
"id": "3a14098f-b995-7552-b0a4-b8ee39b337a6",
"name": "Handhelds",
# in MDM, add `--enrollment_url <enrollment_url>` to the install command
"enrollment_url": "marvisclient://api.mist.com/path/to/url"
}
GET /api/v1/orgs/:org_id/stats/marvisclients/search
GET /api/v1/orgs/:org_id/stats/marvisclients/count
GET /api/v1/orgs/:org_id/marvisclients/events/search
GET /api/v1/orgs/:org_id/marvisclients/events/count
POST /api/v1/orgs/:org_id/marvisclients/:marvisclient_id/:cmd
DELETE /api/v1/orgs/:org_id/marvisclients/:marvisclient_id
Marvis Dashboards UI settings
GET /api/v1/orgs/:org_id/uisettings?purpose=marvisdashboard
POST /api/v1/orgs/:org_id/uisettings
GET /api/v1/orgs/:org_id/uisettings/:dashboard_id
PUT /api/v1/orgs/:org_id/uisettings/:dashboard_id
DELETE /api/v1/orgs/:org_id/uisettings/:dashboard_id
POST /api/v1/orgs/:org_id/uisettings
{
"name": "AP Stats",
"isCustomDataboard": True,
"tiles": [
{
"position": {
"colSpan": 2,
"rowSpan": 1,
"col": 1,
"row": 1
},
"id": "3eef7c83-3d33-417a-a729-4772d4a1013a",
"isAutoTitle": True,
"nl_query": "List top 10 APs by bandwidth",
"name": "List top 10 APs by bandwidth",
"description": "User typed tile descr",
}
],
"description": "AP related stats",
"purpose": "marvisdashboard"
}
{
"name": "AP Stats",
"isCustomDataboard": true,
"tiles": [
{
"position": {
"colSpan": 2,
"rowSpan": 1,
"col": 1,
"row": 1
},
"id": "3eef7c83-3d33-417a-a729-4772d4a1013a",
"isAutoTitle": true,
"nl_query": "List top 10 APs by bandwidth",
"name": "List top 10 APs by bandwidth",
"description": "User typed tile descr"
}
],
"description": "AP related stats",
"id": "9a702097-0dd3-48af-909b-2be4ff94d139",
"for_site": false,
"site_id": "00000000-0000-0000-0000-000000000000",
"org_id": "2818e386-8dec-2562-9ede-5b8a0fbbdc71",
"created_time": 1749083436,
"modified_time": 1749083436,
"purpose": "marvisdashboard"
}
PSK Portal is used to onboard Wireless Clients with PSK (by QR Code or URL) NAC Portals are for onboard Wireless and Wired client with 802.1X
After a NAC portal is created, a URL is generated and can be given to the users (e.g. hosted on a web page “Get Access to Campus Wireless”) The user will use SSO to signin and download a Mist APP (via an App-Installation URL) that will get installed and used to provision certificates.
/api/v1/orgs/:org_id/nacportals
{
"name": "CorpWifi"
"type": "marvis_client", // marvis_client / guest_portal / guest_admin
"access_type": "wireless", // wireless (Default), wireless+wired
// for wireless
"eap_type": "wpa2", // wpa2 (Default), wpa3
"ssid": "Corp",
"sso": {
"issuer": "https://app.onelogin.com/saml/metadata/138130"
"idp_cert": "-----BEGIN CERTIFICATE-----\nMIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE\n-----END CERTIFICATE-----",
"idp_sign_algo": "sha256",
"idp_sso_url": "https://yourorg.onelogin.com/trust/saml2/http-post/sso/138130",
"nameid_format": "email",
// optional
// if it's desired to inject a role into Cert's Subject (so it can be used later on in policy)
"use_sso_role_for_cert": true,
// as an IDP usually associates multiple groups/roles to an user, how should the role to be determined
"sso_role_matching": [
{
"match": "Student",
"assigned": "user"
}
]
},
"cert_expire_time": 365, // days
// features to enable
// NOTE: should be very low volume
"enable_telemetry": true, // model, version, fingering, events (connecting, disconnect, roaming), which ap
"notify_expiry": true, // optional, phase 2,
"expiry_notification_time": 2, // optional, unit days
// UI customization
"bg_image_url": ...
"thumbnail_url": ...
"template_url": ...
"tos": ...
}
GET /api/v1/orgs/:org_id/nacportals/:nacportal_id/saml_metadata
GET /api/v1/orgs/:org_id/nacportals/:nacportal_id/saml_metadata.xml
GET /api/v1/orgs/:org_id/nacportals/:nacportal_id/saml_failures
{
"results": [
{
"timestamp": 1431382121,
"detail": "Role attribute missing",
"saml_assertion_xml": "<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:nam..."
}
]
}
{
// type = guest_portal
"type": "guest_portal",
"portal": {
"auth": "none", // none / multi / external
// auth = none
// the user is presented with a terms of servic and can click and continue
// auth = multi
// we're supporting any combinations of
// - social logins: facebook / google / amazon / microsoft / azure
// - sponsor
// - sms: supported provider: twi
// - email:
// - sso:
// - userpass: pre created guest list
// where each can be separatedly enabled via xxx_enabled, see [Guest Portal in WLAN](Site#guest-portal) for detailed definitions
// commmon to auth = none / multi
"forward": true,
"forward_url": "http://abc.com/promotions",
"expire": 1440,
"privacy": false,
// auth = external, will generate the following
"external_portal_url": "https://portal.mycompany.com"
// common to all auth type
"portal_allowed_subnets": [
"63.5.3.0/24"
],
"portal_allowed_hostnames": [
"snapchat.com",
"ibm.com"
],
"portal_denied_hostnames": [
"msg.snapchat.com"
],
// disconnect the client (to workaround client-side issues with reauth)
"force_reconnect": false
},
// when sso_enabled=true, the following will be generated (which needs to be configured in your IDP )
"portal_sso_url": "https://guest-mistnac.mist.com/callback/be22bba7-8e22-e1cf-5185-b880816fe2cf/acs",
// auth = external, the following will be generated (to authorize an user externally)
"portal_authorize_url": "https://guest-mistnac.mist.com/callback/be22bba7-8e22-e1cf-5185-b880816fe2cf/authorize",
"portal_authorize_jwt_secret": "EIfPMOykI3lMlDdNPub2WcbqT6dNOtWwmYHAd6bY"
}
{
"name": "Portal Admin"
"type": "guest_admin",
"sso": {
"issuer": "https://app.onelogin.com/saml/metadata/138130"
"idp_cert": "-----BEGIN CERTIFICATE-----\nMIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE\n-----END CERTIFICATE-----",
"idp_sign_algo": "sha256",
"idp_sso_url": "https://yourorg.onelogin.com/app/trial-4521682_captiveportal1_1/exkq77es12mURtlnd697/sso/saml",
"nameid_format": "email",
"idp_metadata_url": "https://yourorg.onelogin.com/app/exkq77es12mURtlnd697/sso/saml/metadata"
// optional
"forced_role": "desired", // ignore any Role attributes and use this instead
"default_role": "guest" // use this role if Role attribute not returned (when forced_role is not defined)
},
// when type=guest_admin, the following url will be generated (which needs to be configured in your IDP )
"portal_sso_url": "https://guest-mistnac.mist.com/admin/51908ea7-dea7-4581-a578-f7320c4d5216/saml/acs",
// UI customization
// this is generated and admin should use this to login
"ui_url": "https://guest-mistnac.mist.com/admin/51908ea7-dea7-4581-a578-f7320c4d5216/login"
}
In the guest portal flow, context such as SSID, guest MAC, AP MAC is required to unique identify the guest, if it’s already authorized (e.g. roam to another AP), and used to instruct the AP to stop redirecting/blocking the user traffic
Guest Device (or CNA in MacOS/iOS term) will be redirected to, e.g. “
| Name | Type | Description |
|---|---|---|
ap_mac |
string |
AP’s MAC address |
ap_name |
string |
AP’s Name (or MAC) |
site_name |
string |
Site Name |
device_mac |
string |
Device’s MAC Address (the device that blocks the traffic) |
ssid |
string |
for wireless |
wlan_id |
string |
for wireless |
port_name |
string |
for wired (e.g. eth0, ge-0/0/13) |
Once the guest has gone through your portal flow, autorize them by redirect the user to
GET https://url_generated_by_portal_authorize_url?jwt=<signature>
The
import jwt
secret = "EIfPMOykI3lMlDdNPub2WcbqT6dNOtWwmYHAd6bY" # from portal_authorize_jwt_secret above
payload = {
# for wireless
"ap_mac": "5c5b35001234",
"wlan_id": "be22bba7-8e22-e1cf-5185-b880816fe2cf", # only for _wireless_ captive portal
"client_mac": "d58f6bb4c9d8",
# for wired
"device_mac": "5c5b35001234",
"port_name": "eth0", # only for _wired_ captive portal"
"client_mac": "d58f6bb4c9d8",
# common
# how long should we authorize this session
"minutes": 480,
"expires": 1768587994, # alternatively
# instead of the original URL the user is trying to go to, redirect the user to this URL
"forward": "http://www.mist.com",
# for testing: if authorize_only=true and authorization is successful, 200 OK will be returned instead of 302 Redirect the user to the `forward` URL
"authorize_only": False
}
encoded_jwt = jwt.encode(payload, secret, algorithm='HS256')
GET /api/v1/orgs/:org_id/events/search
PUT /api/v1/orgs/:org_id/nacportals/:nacportal_id/portal_template
{
"poweredBy": false,
"color": "#1074bc",
"logo": null,
"alignment": "center"
}
| Name | Type | Description |
|---|---|---|
poweredBy |
boolean |
whether to hide “Powered by Juniper Mist” and email footers, default is false |
color |
string |
“#1074bc” |
logo |
string |
custom logo custom logo with “data:image/png;base64,” format. default null, uses Juniper Mist Logo. |
alignment |
string |
defines alignment on portal. “center” is default. |
Upload background image for NACPortal
POST /api/v1/orgs/:org_id/nacportals/:nacportal_id/portal_image
A multi-part POST
"json": a JSON string describing the upload
"file": a binary file
Delete background image for NACPortal
DELETE /api/v1/orgs/:org_id/nacportals/:nacportal_id/portal_image
If image is not uploaded or is deleted, NACPortal will use default image.
Mist SCEP can be enabled and be used when NAC Portal is enabled.
GET /api/v1/orgs/:org_id/setting/mist_scep
{
// if unconfigured
"enabled": false,
// if configured
"enabled": true,
"cert_providers": ["jamf"],
"jamf_scep_url": "https://scep.mistsys.com/api/v1/incoming/intune/:org_id/scep",
"jamf_webhook_url": "https://scep.mistsys.com/api/v1/webhook/jamf/:org_id/scep",
"jamf_access_token": "1Z4QqEnCt05Jjt3TV5LgPJ4V_WL_RWnJ7dqVMLYHj81="
// optionally, if suspended
"suspended": true
}
PUT /api/v1/orgs/:org_id/setting/mist_scep
{
"cert_providers": ["jamf", "intune", "byod"],
// optionally, to suspend/unsuspend
"suspended": true
}
{
// if unconfigured
"enabled": false,
// if configured
"enabled": true,
"cert_providers": ["jamf"],
"jamf_scep_url": "https://scep.mistsys.com/api/v1/incoming/intune/:org_id/scep",
"jamf_webhook_url": "https://scep.mistsys.com/api/v1/webhook/jamf/:org_id/scep",
"jamf_access_token": "1Z4QqEnCt05Jjt3TV5LgPJ4V_WL_RWnJ7dqVMLYHj81="
// optionally, if suspended
"suspended": true
}
DELETE /api/v1/orgs/:org_id/setting/mist_scep
GET /api/v1/orgs/:org_id/mist_scep/client_certs?common_name=john@corp.com
| Name | Type | Description |
|---|---|---|
common_name |
string |
common_name obtained from NAC Portal |
serial_number |
string |
serial number of the certificate |
device_id |
string |
device_id |
{
"results": [
{
"common_name": "john@corp.com",
"cert_provider": "jamf",
"serial_number": "13 00 13 03 23 EE D5 84 01",
"device_id": "b069b358-4c97-5319-1f8c-7c5ca64d6ab1",
"created_time": 1431382121,
"expire_time": 1718921115
}
]
}
POST /api/v1/orgs/:org_id/mist_scep/client_certs/revoke
{
"serial_numbers": [ "13 00 13 03 23 EE D5 84 01" ]
}
WS /api-ws/v1/stream
{
"subscribe": "/orgs/:org_id/insights/summary"
}
NOTE: stats are streamed out as they’re available - i.e. expect partial stats
{
"event": "data",
"channel": "/orgs/67970e46-4e12-11e6-9188-0242ac110007/insights/summary",
"data": {
"sle_summary_wireless": 0.90, // SLE score for wireless
"sle_summary_wired": 0.93, // SLE score for wired
"sle_summary_wan": 0.91, // SLE score for WAN
"timestamp": 1737004147, // epoch time
"num_sites": 2350, // total sites in the org
"num_degraded_sites": 31, // count of sites having SLE scores < expected
"num_aps": 2669, // APs claimed
"num_disconnected_aps": 75, // APs not considered connected
"num_switches": 2669, // switches claimed
"num_disconnected_switches": 75, // switches not considered connected
"num_gateways": 2669, // gateways claimed
"num_disconnected_gateways": 75, // gateways not considered connected
"num_mxedges": 2669, // mxedges claimed
"num_disconnected_mxedges": 75, // mxedges not considered connected
"num_active_wan_tunnels": 125, // total number of active wan tunnels
"num_inactive_wan_tunnels": 25, // total number of inactive wan tunnels
"num_mxtunnels": 5262, // total number of active mxtunnels
"num_inactive_mxtunnels": 35, // total number of inactive mxtunnels
// count of recent clients
"num_clients": 12616, // wireless clients count
"num_wired_clients": 3126, // wired clients count
"num_wan_clients": 16600, // WAN clients count
"num_nac_clients": 4347, // NAC clients count
// count of authentication
"num_client_auth": 6013, // authenticated wireless clients
"num_wired_client_auth": 1013, // authenticated wired clients
"num_nac_client_auth": 1355, // authenticated NAC clients
//Alerts
"num_marvis_alerts": 100, // Marvis alerts
"num_infra_alerts": 58, // Infrastructure alerts
"num_security_alerts": 10, // Security alerts
//Events
"num_device_events": 150, // org summary critical device events
"num_client_events": 200 // org summary client failure event
}
}
```
# Client Fingerprint
## Get Client Fingerprint Types
GET /api/v1/const/fingerprint_types
### Response
{ “family”: [“Access Point”, “Audio/Imaging/Video Equipment”, “Datacenter Appliance”,…], “mfg”: [“100fio Networks Technology llc”, “10NET COMMUNICATIONS/DCA”,…], “model”: [“AP12-US”, “iPhone 11”,”Playstation 3”,…], “os”: [“Android 14”, “Windows*”,…] }
## Search Client Fingerprints
GET /api/v1/orgs/:org_id/insights/fingerprints/search
### Request
Name|Type| Description
----|----|------------
`family` | `string` | Device Category of the client device
`model` | `string` | Model name of the client device
`mfg` | `string` | Manufacturer name of the client device
`os` | `string` | Operating System name and version of the client device
`os_type` | `string` | Operating system name of the client device
`client_type` | `string` | Whether client is wired or wireless
`mac`| `string` | MAC address of the client device
`sort`|`string`| sort options, '-' prefix represents DESC order, default is wcid in ASC order
### Response
{ “start”: 1735678650, “end”: 1735678700, “limit”: 10,
"total": 2,
"results": [
{
"random_mac": true,
"family": "Apple",
"mfg": "Apple, Inc.",
"model": "Unknown",
"os": "iOS 18.1.1",
"os_type": "iOS",
"mac": "d420b080516e",
"site_id": "441a1214-6928-442a-8e92-e1d34b8ec6a6",
"org_id": "bb2fb165-0931-49c7-a1b8-9b5814326b7d",
"timestamp": 1735678662.58
},
{
"random_mac": false,
"family": "EX Series Switch",
"mfg": "Juniper Networks, Inc.",
"model": "ex4100-f-12p",
"os": "JUNOS 22.3R1.12",
"os_type": "JUNOS",
"mac": "d420b080516d",
"site_id": "441a1214-6928-442a-8e92-e1d34b8ec6a6",
"org_id": "b6bc08f3-60a3-402b-8f0d-caf9132a1e9a",
"timestamp": 1735669092.932
}
]
}
## Count by Distinct Attributes of Client Fingerprints
GET /api/v1/orgs/:org_id/insights/fingerprints/count?distinct=family
### Request
Name|Type| Description
----|----|------------
`distinct`|`string`| family, model, mfg, os, os_type
### Response
{ “start”: 1735678650, “end”: 1735678700, “limit”: 10, “total”: 3, “results”: [ { “family”: “Access Point”, “count”: 25 }, { “family”: “Phone/Tablet/Wearable”, “count”: 25 }, { “family”: “Surveillance Camera”, “count”: 6 } ] }
## Get system level changes per org
GET /api/v1/orgs/:org_id/events/system/search?start=1431384000&end=1431298000&limit=1000
## Query
Name|Type| Description
----|----|------------
`start`|`long`| start time, in epoch,
`end`|`long`| start time, default is now()
`limit`|`long`| number of events
### Response
{ “end”: 1741312800, “start”: 1741309200, “total”: 3, “limit”: 1000, “results”: [ { “change_cat”: “admin_action”, “metadata”: “{"wlan_id":"None","admin_name":"API Automation api_automation@mistsys.com","desc":"Delete WLAN "Automation Test""}”, “org_id”: “268e599f-5379-473f-b18b-4384e9b3f244”, “scope”: “org”, “site_id”: “dc47920f-52d5-499c-af72-dcd646764f84”, “timestamp”: 1741309621, “type”: “delete-wlan” }, { “change_cat”: “admin_action”, “metadata”: “{"wlan_id":"3855dc19-63fb-4490-b113-0176dc1cc8f4","admin_name":"API Automation api_automation@mistsys.com","desc":"Add WLAN "Automation Test""}”, “org_id”: “268e599f-5379-473f-b18b-4384e9b3f244”, “scope”: “org”, “site_id”: “dc47920f-52d5-499c-af72-dcd646764f84”, “timestamp”: 1741309601, “type”: “add-wlan” }, { “change_cat”: “admin_action”, “metadata”: “{"template_id":"7e49acf4-6841-4e56-ad7d-68d0801cbba8","admin_name":"API Automation api_automation@mistsys.com","desc":"Add Template "Automation template""}”, “org_id”: “268e599f-5379-473f-b18b-4384e9b3f244”, “scope”: “org”, “timestamp”: 1741309280, “type”: “add-template” } ] }
## Get system change events count per org
GET /api/v1/orgs/:org_id/events/system/count?start=1431384000&end=1431298000&limit=1000&distinct=type
## Query
Name| Type | Description
----|----------|------------
`start`| `long` | start time, in epoch,
`end`| `long` | start time, default is now()
`limit`| `long` | number of events
`distinct`| `string` | field to group by the records
### Response
{
“distinct”: “type”,
“end”: 1741312800,
“limit”: 1000,
“start”: 1741309200,
“total”: 5,
“results”: [
{
“count”: 193,
“type”: “add-wlan”
},
{
“count”: 132,
“type”: “delete-wlan”
},
{
“count”: 64,
“type”: “update-template”
},
{
“count”: 62,
“type”: “add-template”
},
{
“count”: 61,
“type”: “delete-template”
}
]
}
## Update site setting
POST /api/v1/orgs/:org_id/sites/update_setting
### Request
{ “sites”: { “4ac1dcf4-9d8b-7211-65c4-057819f0862b”: { // site settings to be udpated } } }
### Response
{ ‘results’: [ { ‘1916d52a-4a90-11e5-8b45-1258369c38a9’: ‘updated’ }, { ‘4ac1dcf4-9d8b-7211-65c4-057819f0862b’: ‘not found’ } ] } ```