Skip to main content
Glama

analyze_firewall_rule_overlap

Analyze a candidate firewall rule against an existing ruleset to detect overlaps including duplicates, shadowed rules, and conflicts. Supports vendor-native configs or pre-normalized JSON input.

Instructions

Analyze whether a candidate firewall rule overlaps with an existing ruleset. Detects exact duplicates, shadowed rules, action conflicts, and partial overlaps. Two input modes: (1) vendor-native configs via vendor + ruleset_payload + candidate_rule_payload, or (2) pre-normalized JSON via existing_rules + candidate_rule. Use parse_policy first to inspect parser output before analysis.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
vendorNoVendor identifier. One of: "panos", "asa", "ftd", "ios", "iosxr", "checkpoint", "juniper", "junos", "sros", "fortios". Required for Mode 1 (vendor-native).
os_versionNoOptional OS version string for parser selection.
candidate_ruleNoSingle normalized rule object (same schema as existing_rules elements). Example: {"id": "candidate", "position": 1, "action": "permit", "source_addresses": ["10.20.35.76/32"], "destination_addresses": ["172.16.20.0/24"], "services": [{"protocol": "tcp", "ports": "6379"}]}. Required for Mode 2.
existing_rulesNoArray of normalized rule objects from parse_policy output. Each object: {"id": "rule_1", "position": 1, "action": "permit"|"deny", "source_addresses": ["10.0.0.0/8"], "destination_addresses": ["any"], "services": [{"protocol": "tcp", "ports": "443"}], "source_zones": ["any"], "destination_zones": ["any"], "applications": ["any"]}. Required for Mode 2.
context_objectsNoOptional JSON string with supplemental object definitions (address groups, service objects).
ruleset_payloadNoComplete firewall config in vendor-native text format (e.g. full 'show access-lists' output for IOS). Required for Mode 1.
candidate_positionNoOptional 1-based intended insertion position of the candidate rule.
candidate_rule_payloadNoSingle candidate rule in vendor-native text format (e.g. one ACL line for IOS). Required for Mode 1.

Output Schema

TableJSON Schema
NameRequiredDescriptionDefault

No arguments

Behavior3/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations. Description conveys non-destructive analysis and detection capabilities, but does not explicitly state idempotency or side-effect absence. Output schema exists, reducing need for return value details.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

Three sentences: first states purpose, second lists detections, third explains modes and workflow. No wasted words, front-loaded with essential info.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Explains prerequisite (use parse_policy) and input modes adequately. Omits mention of optional parameters but schema handles that. Output schema present so return values are covered.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema coverage is 100%; description adds value by grouping parameters into two modes (vendor-native vs pre-normalized), which aids understanding beyond individual parameter descriptions.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the verb 'analyze' and the resource 'firewall rule overlap', enumerating detection types like duplicates and shadowed rules. It distinguishes from siblings: batch_analyze_overlap is batch, parse_policy is preprocessing.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

Explicitly recommends using parse_policy before analysis and describes two input modes. Lacks explicit when-not-to-use guidance, but the modes imply appropriate contexts.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/AutomateIP/fwrule-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server