Skip to main content
Glama
Leon69924

Sophos XGS MCP Server

by Leon69924

Sophos XGS MCP Server

A read-only Model Context Protocol (MCP) server for the Sophos XGS Firewall XML API. Gives AI assistants like Claude visibility into your firewall configuration without any ability to modify it.

Features

  • 60+ read-only tools covering firewall rules, NAT, VPN, web filtering, network config, routing, DHCP, DNS, IPS, SSL/TLS inspection, and admin settings

  • Read-only by design — only uses <Get> API operations, no <Set> or <Remove>

  • XML injection protection — entity name validation and XML escaping on all inputs

  • Credential isolation — credentials loaded from protected config files, never hardcoded

  • Error sanitization — passwords are stripped from error messages before reaching the MCP client

  • Scoped TLS handling — self-signed cert bypass is scoped per-request, not global

Related MCP server: Technitium MCP Secure

Tools

Category

Tools

Firewall

list_firewall_rules, list_firewall_rule_groups, get_firewall_rule, search_firewall_rules

Network Objects

list_ip_hosts, list_ip_host_groups, list_fqdn_hosts, list_fqdn_host_groups, list_mac_hosts, get_ip_host, search_ip_hosts

Services

list_services, list_service_groups, get_service

Zones & Interfaces

list_zones, list_interfaces, list_vlans, list_interface_aliases, list_lag_interfaces, get_zone, get_interface

NAT

list_nat_rules

VPN

list_sslvpn_policies, list_vpn_ipsec_connections

Web Filtering

list_web_filter_policies, list_url_groups, list_web_filter_exceptions

SSL/TLS Inspection

list_ssl_tls_inspection_rules, get_ssl_tls_inspection_settings, list_decryption_profiles

IPS

list_ips_policies

Routing & SD-WAN

list_static_routes, list_sdwan_policy_routes, list_sdwan_profiles, list_gateway_hosts, list_gateway_configurations

DHCP & DNS

list_dhcp_servers, list_dns_forwarders, list_dns_request_routes, list_dns_host_entries

Users & Admin

list_users, list_admin_profiles, get_admin_settings, get_admin_authen, get_user_activity

System

get_backup_config, get_backup_restore_settings, get_time_settings, get_reports_retention, list_syslog_servers, list_notifications, list_snmpv3_users, get_pim_settings, get_captive_portal

Email

list_smtp_policies

Access Control

list_acl_rules, list_local_service_acl, list_schedules, list_access_time_policies, list_surfing_quota_policies, list_data_transfer_policies

IPv6

list_router_advertisements

Advanced

raw_api_query — query any entity with optional filters

Prerequisites

  • Node.js 18+

  • Sophos XGS Firewall with the XML API enabled (port 4444 by default)

  • An API admin account (a read-only profile is strongly recommended)

Enabling the Sophos XML API

  1. Log into your Sophos XGS web admin

  2. Go to Backup & firmware > API

  3. Enable the API and allow access from the host running the MCP server

Setup

1. Install

git clone https://github.com/Leon69924/sophos-xgs-mcp.git
cd sophos-xgs-mcp
pnpm install
pnpm build

2. Configure credentials

Create the config directory:

mkdir -p ~/.config/sophos-xgs
chmod 700 ~/.config/sophos-xgs

Create ~/.config/sophos-xgs/config.json:

{
  "host": "your-sophos-hostname-or-ip",
  "port": "4444",
  "username": "your-api-user"
}

Create ~/.config/sophos-xgs/credentials with just the password:

echo -n "your-password" > ~/.config/sophos-xgs/credentials
chmod 600 ~/.config/sophos-xgs/config.json ~/.config/sophos-xgs/credentials

Alternatively, use environment variables:

export SOPHOS_HOST=your-sophos-hostname-or-ip
export SOPHOS_PORT=4444
export SOPHOS_USERNAME=your-api-user
export SOPHOS_PASSWORD=your-password

3. Add to your MCP client

For Claude Code, add to ~/.mcp.json:

{
  "mcpServers": {
    "sophos-xgs": {
      "type": "stdio",
      "command": "node",
      "args": ["/path/to/sophos-xgs-mcp/dist/index.js"]
    }
  }
}

Security

  • Read-only — the server only uses <Get> XML API operations

  • No hardcoded credentials — loaded from ~/.config/sophos-xgs/ or environment variables

  • XML injection prevention — entity names are validated against ^[A-Za-z][A-Za-z0-9]*$, all interpolated values are XML-escaped

  • Error sanitization — credentials are stripped from error messages

  • TLS — all connections use HTTPS; self-signed cert bypass is scoped to the Sophos connection only

  • Best practice: Create a dedicated read-only admin profile on your Sophos for API access

License

AGPL-3.0-only — see LICENSE

A
license - permissive license
-
quality - not tested
C
maintenance

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Leon69924/sophos-xgs-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server