Fastly NGWAF MCP Server

by purpleax

A comprehensive Model Context Protocol (MCP) server that provides seamless integration with the Fastly NGWAF (Next-Gen Web Application Firewall) API. This server enables AI assistants like Claude to manage web application security through natural language interactions.

Features

🛡️ Complete WAF Management

  • Create, read, update, and delete security rules
  • Manage IP allow/block lists
  • Configure rate limiting and alerts
  • Monitor security events and analytics

🏢 Multi-tenancy Support

  • Corporation and site-level management
  • Context-aware operations
  • Bulk operations across multiple sites

🤖 AI-Friendly Interface

  • Natural language rule creation
  • Intelligent threat pattern detection
  • Automated security policy suggestions

Installation

Prerequisites

  • Node.js 18+
  • Fastly NGWAF account with API access
  • MCP-compatible AI assistant (Claude Desktop, etc.)

Setup

  1. Clone the repository
     git clone https://github.com/yourusername/FastlyMCP.git
     cd FastlyMCP
  2. Install dependencies
     npm install
  3. Configure environment variables (optional)
     # Create .env file
     FASTLY_NGWAF_EMAIL=your-email@example.com
     FASTLY_NGWAF_TOKEN=your-api-token
     FASTLY_NGWAF_DEFAULT_CORP=your-corp-name
     FASTLY_NGWAF_DEFAULT_SITE=your-site-name
  4. Start the server
     npm start

Configuration

Claude Desktop Integration

Add this to your Claude Desktop configuration file:

  • Windows: %APPDATA%\Claude\claude_desktop_config.json
  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "fastly-ngwaf": {
      "command": "node",
      "args": ["path/to/FastlyMCP/server.js"],
      "env": {
        "FASTLY_NGWAF_EMAIL": "your-email@example.com",
        "FASTLY_NGWAF_TOKEN": "your-api-token"
      }
    }
  }
}

AI-Powered Interactions

Natural Language: "Create a rule to block SQL injection attacks on my website"

AI Response: The assistant will automatically:

  1. Detect the intent (create security rule)
  2. Identify the threat type (SQL injection)
  3. Generate appropriate rule conditions
  4. Apply the rule to your configured site

Available Tools

Authentication & Setup

  • set_credentials - Configure API credentials
  • test_connection - Validate API connectivity
  • set_context - Set default corp/site context
  • discover_environment - Explore available resources

Rule Management

  • list_corp_rules / list_site_rules - List security rules
  • create_corp_rule / create_site_rule - Create new rules
  • delete_corp_rule / delete_site_rule - Remove rules

Security Monitoring

  • list_events - View security events
  • search_requests - Search request logs
  • get_suspicious_ips - Identify threat sources
  • expire_event - Manually unblock IPs

IP List Management

  • manage_whitelist - Allow/block IP addresses
  • manage_blacklist - Block malicious IPs
  • manage_lists - Custom IP/country/string lists

Analytics & Reporting

  • get_analytics - Security metrics and trends
  • get_corp_overview - High-level attack summary
  • manage_alerts - Configure monitoring alerts

Advanced Features

  • manage_cloudwaf - CloudWAF instance management
  • manage_users - User access control

Common Use Cases

🚨 Incident Response

"An IP address 1.2.3.4 is attacking my site, block it immediately"

  • AI automatically identifies the threat
  • Adds IP to blacklist with appropriate duration
  • Confirms blocking is active

🛡️ Proactive Security

"Set up protection against the latest OWASP top 10 vulnerabilities"

  • Creates comprehensive rule sets
  • Configures appropriate thresholds
  • Sets up monitoring alerts

📊 Security Analytics

"Show me attack trends from the past month and suggest improvements"

  • Analyzes historical attack data
  • Identifies patterns and threat sources
  • Recommends rule optimizations

🔧 Bulk Management

"Apply the same security rules from site A to sites B, C, and D"

  • Exports existing rule configurations
  • Adapts rules for different sites
  • Bulk applies with verification

API Reference

The server exposes the complete Fastly NGWAF API through intuitive MCP tools. Each tool maps to specific API endpoints while handling authentication, context resolution, and error management automatically.

Rate Limiting

The server respects Fastly API rate limits and implements appropriate retry logic.

Development

Project Structure

FastlyMCP/
├── server.js       # Main MCP server implementation
├── package.json    # Dependencies and scripts
├── README.md       # This documentation
└── .env.example    # Environment variable template

Testing

# Test API connectivity
npm start
# In another terminal/AI session:
# test_connection()

Troubleshooting

Common Issues

Authentication Failed

  • Verify email and API token are correct
  • Ensure token has appropriate permissions
  • Check Fastly account status

Context Errors

  • Set default corporation: set_context({ corpName: "your-corp" })
  • Verify corp/site names exist: discover_environment()

Permission Denied

  • Check user role has necessary permissions
  • Verify site access in Fastly dashboard

Debug Mode

Enable verbose logging by setting the DEBUG environment variable:

DEBUG=fastly-ngwaf npm start

Security Considerations

  • Store API credentials securely (environment variables or secure credential managers)
  • Apply the principle of least privilege to API tokens
  • Regularly rotate API credentials
  • Monitor for unauthorized API usage
  • Keep dependencies updated
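
The Claude Desktop snippet on this page places FASTLY_NGWAF_TOKEN as a literal in the "env" block of claude_desktop_config.json. The following is an added example, not code from the FastlyMCP project: a small audit that flags inline secrets in an MCP client config and a config file readable by other local users. The function name, the key-name pattern and the placeholder pattern are assumptions made for this illustration.

```javascript
// Added example (not part of FastlyMCP): audit a Claude Desktop style
// MCP config for credentials stored as literals in a server's "env" block.
const SECRET_KEY = /(TOKEN|SECRET|PASSWORD|API_?KEY)/i;
// Values that are templates or references rather than live secrets.
const PLACEHOLDER = /^(your-|<.*>$|\$\{.*\}$|changeme$)/i;

// fileMode: optional POSIX st_mode of the config file (omit on Windows).
function auditMcpConfig(jsonText, fileMode) {
  const findings = [];
  let config;
  try {
    config = JSON.parse(jsonText);
  } catch (err) {
    return [{ server: null, issue: 'invalid-json', detail: err.message }];
  }
  // 0o077 covers every group/other permission bit.
  if (typeof fileMode === 'number' && (fileMode & 0o077) !== 0) {
    findings.push({ server: null, issue: 'config-readable-by-others',
      detail: 'mode ' + (fileMode & 0o777).toString(8) + ', expected 600' });
  }
  const servers = (config && config.mcpServers) || {};
  for (const [name, def] of Object.entries(servers)) {
    const env = (def && def.env) || {};
    for (const [key, value] of Object.entries(env)) {
      if (!SECRET_KEY.test(key) || typeof value !== 'string') continue;
      if (value === '' || PLACEHOLDER.test(value)) continue;
      // Report the key and length only; never echo the secret itself.
      findings.push({ server: name, issue: 'inline-secret',
        detail: key + ' has a literal value (' + value.length + ' chars)' });
    }
  }
  return findings;
}

// Constructed sample: same shape as the config on this page, made-up token.
const SAMPLE_CONFIG = JSON.stringify({
  mcpServers: {
    'fastly-ngwaf': {
      command: 'node', args: ['path/to/FastlyMCP/server.js'],
      env: {
        FASTLY_NGWAF_EMAIL: 'your-email@example.com',
        FASTLY_NGWAF_TOKEN: 'constructed-sample-token-0000'
      }
    }
  }
});

console.log(auditMcpConfig(SAMPLE_CONFIG, 0o100644));
```

To audit a real file, pass the output of fs.readFileSync(path, 'utf8') and fs.statSync(path).mode; on Windows omit the mode, since POSIX mode bits do not reflect ACLs there.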

License

MIT License - see LICENSE file for details.

Support

Changelog

v1.0.0

  • Initial release with complete NGWAF API coverage
  • MCP server implementation
  • Rule management (CRUD operations)
  • IP list management
  • Analytics and monitoring
  • CloudWAF support
  • User management features