Provides comprehensive management of Palo Alto Networks firewalls through specialized servers for security policy and rule management, system configuration, network objects and address management, and device operations including monitoring, commits, and backups.
Palo Alto Networks MCP Server Suite
A comprehensive suite of Model Context Protocol (MCP) servers for managing Palo Alto Networks firewalls and services through a unified API interface.
Table of Contents
Overview
The Palo Alto Networks MCP Server Suite provides a modular approach to firewall management through specialized servers:
Core Server: Base firewall operations and shared functionality
Policy Server: Security policy and rule management
Config Server: System configuration and settings
Objects Server: Network objects and address management
Device Server: Device operations and monitoring
Architecture
┌─────────────────┐ ┌──────────────────┐
│ Core Server │◄────┤ Policy Server │
│ │ └──────────────────┘
│ (Base Services)│ ┌──────────────────┐
│ │◄────┤ Config Server │
│ │ └──────────────────┘
│ │ ┌──────────────────┐
│ │◄────┤ Objects Server │
│ │ └──────────────────┘
│ │ ┌──────────────────┐
│ │◄────┤ Device Server │
└────────┬────────┘ └──────────────────┘
│
▼
┌─────────────────┐
│ Palo Alto API │
└─────────────────┘
Installation
Installing via Smithery
To install Palo Alto Networks MCP Server Suite for Claude Desktop automatically via Smithery:
npx -y @smithery/cli install @DynamicEndpoints/paloalto-mcp-server --client claude
Manual Installation
Clone the repository:
git clone https://github.com/your-org/paloalto-mcp-servers.git
cd paloalto-mcp-servers
Install dependencies for each server:
# Install core server
cd paloalto-server
npm install
# Install policy server
cd ../paloalto-policy-server
npm install
# Install config server
cd ../paloalto-config-server
npm install
# Install objects server
cd ../paloalto-objects-server
npm install
# Install device server
cd ../paloalto-device-server
npm install
Configure environment variables:
# Create .env files in each server directory
PANOS_API_KEY=your-api-key
PANOS_API_BASE_URL=https://your-firewall.example.com/api
# Optional configurations
PANOS_VERIFY_SSL=true
PANOS_TIMEOUT=30000
PANOS_DEBUG=false
Server Details
Core Server (paloalto-server)
Base server providing shared functionality and core operations.
Key Features
Authentication and session management
API rate limiting and retry logic
Shared utility functions
Error handling framework
Example: Basic Authentication
const result = await useMcpTool("paloalto-server", "verify_credentials", {
api_key: process.env.PANOS_API_KEY
});
console.log(result.content[0].text); // Authentication status
Policy Server (paloalto-policy-server)
Comprehensive policy and rule management.
Available Tools
get_security_rules
// Get all security rules
const rules = await useMcpTool("paloalto-policy", "get_security_rules", {});
// Get rules with filtering
const webRules = await useMcpTool("paloalto-policy", "get_security_rules", {
filter: {
service: ["http", "https"],
action: "allow"
}
});
create_security_rule
// Create a basic security rule
await useMcpTool("paloalto-policy", "create_rule", {
rule_type: "security",
rule_data: {
name: "allow-internal-web",
source: ["internal-network"],
destination: ["web-servers"],
service: ["http", "https"],
action: "allow",
log_setting: "default",
profile_setting: {
group: ["default-protection"]
}
}
});
// Create a more complex rule with zones and applications
await useMcpTool("paloalto-policy", "create_rule", {
rule_type: "security",
rule_data: {
name: "restrict-social-media",
source_zone: ["trust"],
destination_zone: ["untrust"],
source: ["internal-users"],
destination: ["any"],
application: ["facebook-base", "twitter-base"],
service: ["application-default"],
action: "deny",
log_setting: "detailed-logging",
description: "Block social media access"
}
});
update_security_rule
// Update an existing rule
await useMcpTool("paloalto-policy", "update_rule", {
rule_type: "security",
rule_name: "allow-internal-web",
rule_data: {
service: ["http", "https", "ssh"],
description: "Updated to allow SSH access"
}
});
Config Server (paloalto-config-server)
System configuration and settings management.
Example: Network Configuration
// Update DNS settings
await useMcpTool("paloalto-config", "update_network_settings", {
dns_primary: "8.8.8.8",
dns_secondary: "8.8.4.4",
dns_search_domain: "example.com"
});
// Configure interfaces
await useMcpTool("paloalto-config", "configure_interface", {
name: "ethernet1/1",
config: {
mode: "layer3",
ip: ["10.0.1.1/24"],
zone: "trust",
enable: true
}
});
Objects Server (paloalto-objects-server)
Network object and address management.
Example: Address Object Management
// Create address objects
await useMcpTool("paloalto-objects", "create_address_object", {
name: "web-server-1",
type: "ip-netmask",
value: "10.0.1.100/32",
description: "Primary web server",
tags: ["production", "web"]
});
// Create address group
await useMcpTool("paloalto-objects", "create_address_group", {
name: "web-servers",
description: "All web servers",
members: ["web-server-1", "web-server-2"],
tags: ["production", "web"]
});
// Create dynamic address group
await useMcpTool("paloalto-objects", "create_dynamic_address_group", {
name: "active-web-servers",
description: "Web servers currently in use",
filter: "tag.production and tag.web and state.up"
});
Device Server (paloalto-device-server)
Device operations and monitoring.
Example: Device Management
// Get device status
const status = await useMcpTool("paloalto-device", "get_device_status", {});
// Commit changes
await useMcpTool("paloalto-device", "commit_changes", {
description: "Updated security policies",
admins: ["admin1"], // Optional: Specify which admin's changes to commit
});
// Backup configuration
await useMcpTool("paloalto-device", "backup_config", {
filename: "backup-2024-01-20.xml",
include_shared: true
});
Integration Patterns
1. Security Policy Deployment
async function deploySecurityPolicy() {
// 1. Create address objects
await useMcpTool("paloalto-objects", "create_address_object", {
name: "internal-subnet",
type: "ip-netmask",
value: "192.168.1.0/24"
});
// 2. Create security rules
await useMcpTool("paloalto-policy", "create_rule", {
rule_type: "security",
rule_data: {
name: "allow-outbound",
source: ["internal-subnet"],
destination: ["any"],
service: ["web-browsing"],
action: "allow"
}
});
// 3. Verify configuration
const rules = await useMcpTool("paloalto-policy", "get_security_rules", {});
// 4. Commit changes
await useMcpTool("paloalto-device", "commit_changes", {
description: "Deployed new security policy"
});
}
2. High Availability Configuration
async function configureHA() {
// 1. Configure HA interfaces
await useMcpTool("paloalto-config", "configure_ha", {
mode: "active-passive",
group: {
id: 1,
description: "Primary HA Group"
},
interfaces: {
ha1: {
port: "ethernet1/3",
ip: "10.0.0.1/24"
},
ha2: {
port: "ethernet1/4",
ip: "10.0.1.1/24"
}
}
});
// 2. Configure HA policy
await useMcpTool("paloalto-config", "configure_ha_policy", {
preemptive: true,
heartbeat_interval: 2000,
heartbeat_threshold: 3
});
// 3. Commit changes
await useMcpTool("paloalto-device", "commit_changes", {
description: "Configured HA settings"
});
}
Advanced Usage
1. Custom Rule Templates
const ruleTemplate = {
base: {
log_setting: "default",
profile_setting: {
group: ["default-protection"]
}
},
web: {
service: ["web-browsing"],
application: ["web-browsing"],
profile_setting: {
group: ["strict-web-protection"]
}
}
};
async function createRuleFromTemplate(type, customData) {
const template = {...ruleTemplate.base, ...ruleTemplate[type]};
await useMcpTool("paloalto-policy", "create_rule", {
rule_type: "security",
rule_data: {...template, ...customData}
});
}
2. Batch Operations
async function batchCreateObjects(objects) {
const results = [];
for (const obj of objects) {
try {
const result = await useMcpTool("paloalto-objects", "create_address_object", obj);
results.push({status: "success", name: obj.name});
} catch (error) {
results.push({status: "error", name: obj.name, error: error.message});
}
}
return results;
}
Troubleshooting
Common Issues
API Connection Issues
// Test API connectivity
const status = await useMcpTool("paloalto-server", "test_connection", {
timeout: 5000,
verify_ssl: true
});
if (!status.success) {
console.error(`Connection failed: ${status.error}`);
// Check firewall accessibility
// Verify API key permissions
// Validate SSL certificates
}
Rule Conflicts
// Analyze rule conflicts
const analysis = await useMcpTool("paloalto-policy", "analyze_rules", {
rule_type: "security",
checks: ["shadowing", "redundancy", "conflicts"]
});
if (analysis.issues.length > 0) {
console.log("Found rule issues:", analysis.issues);
}
Commit Failures
try {
await useMcpTool("paloalto-device", "commit_changes", {
description: "Policy update"
});
} catch (error) {
if (error.code === "ConfigurationLocked") {
// Handle locked configuration
await useMcpTool("paloalto-device", "release_config_lock", {});
} else if (error.code === "ValidationError") {
// Handle validation errors
console.error("Configuration validation failed:", error.details);
}
}
Contributing
Fork the repository
Create a feature branch
git checkout -b feature/new-feature
Commit your changes
git commit -m "Add new feature"
Push to the branch
git push origin feature/new-feature
Create a Pull Request
License
MIT License - see LICENSE file for details
remote-capable server
The server can be hosted and run remotely because it primarily relies on remote services or has no dependency on the local environment.
Enables comprehensive management of Palo Alto Networks firewalls through a modular suite of servers for security policies, network objects, device operations, and system configuration.