Supports remote access to the MCP server via Cloudflare Tunnel, enabling secure connections to the Firewalla management interface
Provides network management tools for Firewalla devices including device monitoring, network traffic analysis, security alert management, and firewall rule administration
Firewalla MCP Server
A production-ready Model Context Protocol (MCP) server for Firewalla network management, designed to work seamlessly with Claude Desktop and other MCP-compatible clients.
✨ Features
🔒 Enterprise Security - Firewalla API keys never exposed to clients
🚀 Multi-Transport Support - stdio, SSE, and HTTP transports
📊 Comprehensive Monitoring - Device, network, and security analytics
🛡️ Built-in Protection - Rate limiting, input validation, audit logging
🐳 Docker-Ready - Production-grade containerized deployment
🔄 Resilient Architecture - Circuit breakers, retry logic, intelligent caching
🎯 14 Powerful Tools - Complete Firewalla management capabilities
🛠️ Available Tools
📱 Device Monitoring (3 tools)
get_devices
- List all network devices with status and basic infoget_device_details
- Detailed device information including bandwidth usagesearch_devices
- Search devices by name, IP, MAC, or vendor
🌐 Network Analysis (3 tools)
analyze_network_flows
- Analyze traffic flows with filtering and statisticsget_bandwidth_statistics
- Bandwidth usage stats for devices or entire networkget_network_statistics
- Comprehensive network health and top talkers
🔐 Security Monitoring (4 tools)
get_alarms
- Retrieve security alerts with severity and category filteringget_alarm_details
- Detailed information about specific security eventsarchive_alarm
- Mark security alerts as reviewedget_alarm_statistics
- Statistical analysis of security events
⚙️ Rule Management (4 tools)
list_firewall_rules
- List all firewall rules with status and conditionsget_rule_details
- Detailed rule information including hit statisticspause_rule
- Temporarily disable rules with duration and reasonresume_rule
- Re-enable paused firewall rules
🚀 Quick Start
Automated Setup (Recommended)
The setup script will:
✅ Check prerequisites
✅ Create and configure environment files
✅ Build Docker image
✅ Generate Claude Desktop configuration
✅ Start the server
Manual Setup
Prerequisites
Docker and Docker Compose
Firewalla MSP account with API token
Claude Desktop (or other MCP client)
(Optional) Cloudflare Tunnel for remote access
Installation Steps
Clone and Setup
Configure Environment Edit
.env
with your Firewalla credentials:
Deploy with Docker Compose
Verify Deployment
🔧 Claude Desktop Configuration
Local Docker (Recommended)
Remote Access via Cloudflare Tunnel
Local HTTP (Alternative)
🏗️ Architecture
Security Architecture
API Key Isolation - Firewalla credentials stored securely in Docker
Request Validation - Comprehensive input sanitization and validation
Rate Limiting - Per-client request throttling
Audit Logging - Complete request/response audit trail
Circuit Breakers - Automatic failover when Firewalla API is unavailable
Performance Features
Intelligent Caching - Multi-tier caching with TTL
Connection Pooling - Optimized HTTP client with retry logic
Resource Management - Memory-efficient data processing
Health Monitoring - Built-in health checks and metrics
📁 Configuration Reference
Environment Variables
Variable | Required | Default | Description |
| ✅ | - | Your Firewalla MSP API token |
| ✅ | - | Your MSP domain URL |
| ❌ | 3000 | Server port |
| ❌ | sse | Transport method (stdio/sse/http) |
| ❌ | info | Logging level (debug/info/warn/error) |
| ❌ | true | Enable response caching |
| ❌ | 100 | Max requests per window |
Docker Deployment Options
Production (docker-compose)
Development (with hot reload)
Standalone Docker
🔍 Monitoring & Troubleshooting
Health Checks
Common Issues
Authentication Errors
Verify
FIREWALLA_API_TOKEN
is correctCheck
FIREWALLA_MSP_DOMAIN
formatEnsure API token has proper permissions
Connection Issues
Check Docker container is running
Verify port 3000 is accessible
Check Cloudflare Tunnel configuration (if using)
Performance Issues
Monitor cache hit rates in logs
Check circuit breaker status
Verify adequate system resources
🔒 Security Considerations
API Key Management
Store Firewalla API tokens in environment variables only
Never commit API keys to version control
Rotate API keys regularly (recommended: 90 days)
Use separate tokens for different environments
Network Security
Deploy behind Cloudflare Tunnel for production
Use HTTPS/TLS for all communications
Implement IP allowlisting if required
Monitor audit logs regularly
Access Control
Enable API key authentication for non-Claude Desktop clients
Use role-based permissions where applicable
Monitor unusual usage patterns
Implement automatic lockouts for suspicious activity
🤝 Multi-Client Support
Works with various MCP clients:
Claude Desktop - Primary target with optimized integration
Continue IDE - VS Code extension support
Custom MCP Clients - HTTP/SSE API available
🧪 Testing
Test Categories
Unit Tests - Core utilities, middleware, and individual components
Integration Tests - API client, caching, and service integration
MCP Tool Tests - All 14 Firewalla management tools
Security Tests - Input validation, sanitization, and vulnerability checks
Performance Tests - Load testing and performance benchmarks
Running Tests
Test Coverage Targets
Unit Tests: 90% line coverage
Integration Tests: 80% path coverage
Critical Paths: 100% coverage (authentication, validation, security)
Quality Gates
All commits must pass:
✅ Linting (ESLint)
✅ Type checking (TypeScript)
✅ Unit tests (90%+ coverage)
✅ Security audit (npm audit)
✅ Code formatting (Prettier)
📝 Development
Local Development
Building
Testing Strategy
See TESTING_PLAN.md for comprehensive testing documentation.
Contributing
Fork the repository
Create a feature branch
Make your changes
Add tests (maintain coverage targets)
Run pre-commit checks
Submit a pull request
Code Quality Standards
TypeScript strict mode enabled
ESLint with strict configuration
Prettier for consistent formatting
Jest for testing with high coverage
Security-first development practices
📊 Performance Metrics
Response Time - Sub-100ms for cached requests
Throughput - 1000+ requests per minute
Uptime - 99.9% with automatic recovery
Cache Hit Rate - 70-90% for typical workloads
📜 License
MIT License - see LICENSE file for details
🆘 Support
Issues - GitHub Issues
Documentation - Built-in API documentation
Logs - Comprehensive audit trail and error logging
Built with ❤️ for the Firewalla community
This server cannot be installed
hybrid server
The server is able to function both locally and remotely, depending on the configuration or use case.
A production-ready server that connects Claude Desktop to Firewalla network management capabilities, allowing users to monitor devices, analyze network traffic, manage security alerts, and configure firewall rules through natural language.
Related MCP Servers
- AsecurityAlicenseAqualityLets you use Claude Desktop, or any MCP Client, to use natural language to accomplish things on your Cloudflare account.Last updated -21,2162,968Apache 2.0
- AsecurityAlicenseAqualityA server that integrates with Claude Desktop to enable real-time web research capabilities, allowing users to search Google, extract webpage content, and capture screenshots directly from conversations.Last updated -310,312MIT License
- AsecurityAlicenseAqualityA server that lets Claude desktop app execute terminal commands on your computer and edit files through Model Context Protocol, featuring command execution, process management, and advanced file operations.Last updated -1922,6015MIT License
- AsecurityAlicenseAqualityA server that enables managing OPNSense firewalls through natural language interactions with Claude Desktop, supporting VLAN management, firewall rules configuration, and network interface queries.Last updated -64621MIT License