scm-mcp
A Model Context Protocol (MCP) server for Palo Alto Networks Strata Cloud Manager (SCM). Exposes 149 tools covering the full SCM configuration lifecycle — policy objects, security rules, NAT, profiles, decryption, QoS, and more — so you can manage firewall configuration through natural language in Claude Code or Claude Desktop.
Features
149 tools across 9 functional areas
Multi-tenant (multi-TSG) support — target different tenants per tool call with named aliases
Full CRUD for all supported resource types
Zero infrastructure — runs as a local stdio process, no server to maintain
Built on the pan-scm-sdk which handles OAuth2 token lifecycle, pagination, and Pydantic validation automatically
Tool Coverage
| Area | Tools | Resources |
|---|---|---|
| Setup | 12 | Folders, Snippets |
| Objects | 45 | Addresses, Address Groups, Services, Service Groups, Tags, Log Forwarding Profiles, HTTP Server Profiles, Syslog Server Profiles |
| Policy Objects | 24 | Applications, Application Groups, Application Filters, Schedules, External Dynamic Lists |
| Security | 26 | Security Rules, Security Zones, Decryption Rules, Authentication Rules |
| Network | 17 | NAT Rules, PBF Rules, QoS Rules |
| Profiles | 24 | Anti-Spyware, WildFire, Vulnerability, URL Access, URL Categories, DNS Security, Decryption, File Blocking, Zone Protection |
| Operations | 4 | Commit, Job Status, List Jobs, List TSG Profiles |
| Total | 149 | |
Requirements
Python 3.12+
A Palo Alto Networks SCM tenant with a service account
Installation
1. Clone and install
```bash
git clone https://github.com/your-username/scm-mcp.git
cd scm-mcp
python -m venv .venv
source .venv/bin/activate   # Windows: .venv\Scripts\activate
pip install -e .
```

2. Configure credentials

```bash
cp .env.example .env
```

Edit .env with your SCM service account credentials:
```dotenv
SCM_CLIENT_ID=your_client_id_here
SCM_CLIENT_SECRET=your_client_secret_here
SCM_TSG_ID=your_default_tsg_id_here
# Optional: named aliases for multi-tenant use
# SCM_TSG_PROD=prod_tsg_id_here
# SCM_TSG_LAB=lab_tsg_id_here
```

Where to find credentials: SCM portal → Settings → Service Accounts → Create. The TSG ID appears in the tenant URL:
https://stratacloudmanager.paloaltonetworks.com/tenants/<TSG_ID>/.
3. Register with Claude Code
```bash
claude mcp add scm -- /path/to/scm-mcp/.venv/bin/python -m src.server
```

Or add to .claude/settings.json manually:

```json
{
  "mcpServers": {
    "scm": {
      "command": "/path/to/scm-mcp/.venv/bin/python",
      "args": ["-m", "src.server"],
      "cwd": "/path/to/scm-mcp"
    }
  }
}
```

4. Register with Claude Desktop
Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):
```json
{
  "mcpServers": {
    "scm": {
      "command": "/path/to/scm-mcp/.venv/bin/python",
      "args": ["-m", "src.server"],
      "cwd": "/path/to/scm-mcp",
      "env": {
        "SCM_CLIENT_ID": "your_client_id",
        "SCM_CLIENT_SECRET": "your_client_secret",
        "SCM_TSG_ID": "your_tsg_id"
      }
    }
  }
}
```

Multi-Tenant Usage
Every tool accepts an optional tsg_id parameter. When omitted, the default SCM_TSG_ID is used.
Named aliases — define them in .env:
```dotenv
SCM_TSG_PROD=1234567890
SCM_TSG_LAB=9876543210
```

Then pass the alias name to any tool:

```python
# List which TSGs are configured
scm_list_tsg_profiles()

# Query the PROD tenant
scm_list_addresses(folder="All", tsg_id="PROD")

# Copy an object between tenants
scm_get_address(address_id="<uuid>", tsg_id="PROD")
scm_create_address(name="web-servers", folder="Texas", ip_netmask="10.0.1.0/24", tsg_id="LAB")
```

You can also pass a raw TSG ID string directly if no alias is configured.
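The alias lookup described above, written out as an added example (this is not the project's client.py and does not call pan-scm-sdk). It assumes the .env convention shown in this README (`SCM_TSG_ID` as the default, `SCM_TSG_<ALIAS>` for named tenants), that TSG IDs are numeric, and uses a placeholder `FakeScmClient` in place of the SDK's `Scm` client. The point worth seeing is that a `tsg_id` argument arrives from the model and is therefore validated before it is used in an environment lookup or forwarded as a tenant identifier; an unconfigured alias is rejected rather than silently falling back to the default tenant.

```python
"""Resolve a tool's tsg_id argument to a tenant and reuse one client per tenant.

Added illustration for this README; not the scm-mcp project's own client.py.
Assumptions: SCM_TSG_ID is the default tenant, SCM_TSG_<ALIAS> names other
tenants, TSG IDs are numeric, and FakeScmClient stands in for the SDK client.
"""
import re
from dataclasses import dataclass
from typing import Dict, Mapping, Optional

ALIAS_PREFIX = "SCM_TSG_"
DEFAULT_VAR = "SCM_TSG_ID"

# Alias names and raw TSG IDs come from an untrusted caller (the model), so both
# are validated before use. The character sets are assumptions for this example.
_ALIAS_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,31}$")
_TSG_ID_RE = re.compile(r"^\d{6,20}$")


class TenantConfigError(ValueError):
    """A tsg_id argument could not be mapped to a configured tenant."""


@dataclass(frozen=True)
class FakeScmClient:
    """Stand-in for the SDK client; carries only non-secret identity fields."""
    client_id: str
    tsg_id: str


def list_tsg_profiles(env: Mapping[str, str]) -> Dict[str, str]:
    """Return {alias: tsg_id} for every SCM_TSG_<ALIAS>, plus 'default' for SCM_TSG_ID."""
    profiles: Dict[str, str] = {}
    if env.get(DEFAULT_VAR):
        profiles["default"] = env[DEFAULT_VAR]
    for key, value in env.items():
        if key.startswith(ALIAS_PREFIX) and key != DEFAULT_VAR and value:
            profiles[key[len(ALIAS_PREFIX):]] = value
    return profiles


def resolve_tsg_id(tsg_id: Optional[str], env: Mapping[str, str]) -> str:
    """Map a tool's tsg_id argument to a concrete TSG ID.

    Omitted -> SCM_TSG_ID; a configured alias -> its ID; otherwise the value must
    itself be a well-formed raw TSG ID. Anything else is rejected, not forwarded.
    """
    if not tsg_id:
        default = env.get(DEFAULT_VAR)
        if not default:
            raise TenantConfigError("no tsg_id given and SCM_TSG_ID is not set")
        return default
    if _ALIAS_RE.match(tsg_id):
        aliased = env.get(ALIAS_PREFIX + tsg_id)
        if aliased:
            return aliased
    if _TSG_ID_RE.match(tsg_id):
        return tsg_id
    raise TenantConfigError(f"unknown tenant alias or malformed TSG ID: {tsg_id!r}")


class ClientFactory:
    """Build one client per resolved TSG ID and cache it across tool calls."""

    def __init__(self, env: Mapping[str, str]) -> None:
        self._env = env
        self._clients: Dict[str, FakeScmClient] = {}

    def get(self, tsg_id: Optional[str] = None) -> FakeScmClient:
        resolved = resolve_tsg_id(tsg_id, self._env)
        if resolved not in self._clients:
            # A real factory would construct the SDK client with the secret here.
            self._clients[resolved] = FakeScmClient(self._env["SCM_CLIENT_ID"], resolved)
        return self._clients[resolved]


# Constructed sample environment mirroring the .env example above.
SAMPLE_ENV = {
    "SCM_CLIENT_ID": "example-client-id",
    "SCM_CLIENT_SECRET": "example-secret",
    "SCM_TSG_ID": "1234567890",
    "SCM_TSG_PROD": "1234567890",
    "SCM_TSG_LAB": "9876543210",
}

if __name__ == "__main__":
    factory = ClientFactory(SAMPLE_ENV)
    print(list_tsg_profiles(SAMPLE_ENV))
    print(factory.get("LAB"), factory.get() is factory.get("PROD"))
```

Because the cache is keyed on the resolved ID rather than the alias, `PROD` and the default tenant share one client when they point at the same TSG, so only one token lifecycle runs for that tenant.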
Project Structure
```text
scm-mcp/
├── src/
│   ├── server.py              # MCP server entry point and tool registration
│   ├── client.py              # Per-TSG Scm client factory with alias resolution
│   ├── utils.py               # Serialization (Pydantic → dict) and error handling
│   └── tools/
│       ├── setup.py           # Folders, Snippets
│       ├── objects.py         # Addresses, Address Groups, Services, Service Groups,
│       │                      # Tags, Log/HTTP/Syslog Server Profiles
│       ├── policy_objects.py  # Applications, App Groups, App Filters,
│       │                      # Schedules, External Dynamic Lists
│       ├── security.py        # Security Rules, Security Zones,
│       │                      # Decryption Rules, Authentication Rules
│       ├── network.py         # NAT Rules, PBF Rules, QoS Rules
│       ├── profiles.py        # Anti-Spyware, WildFire, Vulnerability, URL Access,
│       │                      # URL Categories, DNS Security, Decryption,
│       │                      # File Blocking, Zone Protection Profiles
│       └── operations.py      # Commit, Job Status, List Jobs, List TSG Profiles
├── .env.example               # Credential template (commit this)
├── .env                       # Real credentials (gitignored)
├── pyproject.toml             # Project metadata and dependencies
└── README.md
```

Example Prompts
Once the MCP server is connected, you can use natural language in Claude Code:
Show me all security rules in the Texas folder.
Create an address object for our web server farm: 10.10.1.0/24 in the Texas folder, tagged "web-tier".
Copy all address objects from the PROD tenant into the LAB tenant under the same folder.
Create a security rule allowing HTTPS from the trust zone to the DMZ zone for the web-servers address group. Use the best-practice security profile group.
What external dynamic lists are configured and when do they refresh?
Commit the changes in the Texas and California folders with description "Q2 policy update".

Tool Reference
Operations
| Tool | Description |
|---|---|
| scm_list_tsg_profiles | List configured TSG profiles and their aliases |
| | Commit staged changes and push to devices |
| | Poll an async commit job for completion |
| | List recent SCM jobs |
Setup
| Tool | Description |
|---|---|
| | List all folders |
| | Get folder by UUID |
| | Create a folder |
| | Rename or redescribe a folder |
| | Delete a folder |
| | List all snippets |
| | Get snippet by UUID |
| | Create a snippet |
| | Update a snippet |
| | Delete a snippet |
| | Associate a snippet with a folder |
| | Remove snippet-folder association |
Objects
| Tool | Description |
|---|---|
| scm_list_addresses | List address objects |
| scm_get_address | Get address by UUID |
| scm_create_address | Create an address (IP/CIDR, range, wildcard, or FQDN) |
| | Update an address |
| | Delete an address |
| | List address groups |
| | Get address group by UUID |
| | Create a static or dynamic address group |
| | Update an address group |
| | Delete an address group |
| | List service objects |
| | Get service by UUID |
| | Create a TCP/UDP service |
| | Update a service |
| | Delete a service |
| | List service groups |
| | Get service group by UUID |
| | Create a service group |
| | Update a service group |
| | Delete a service group |
| | List tags |
| | Get tag by UUID |
| | Create a tag |
| | Update a tag |
| | Delete a tag |
| | List log forwarding profiles |
| | Get log forwarding profile by UUID |
| | Create a log forwarding profile |
| | Delete a log forwarding profile |
| | List HTTP server profiles |
| | Get HTTP server profile by UUID |
| | Create an HTTP server profile |
| | Delete an HTTP server profile |
| | List syslog server profiles |
| | Get syslog server profile by UUID |
| | Create a syslog server profile |
| | Delete a syslog server profile |
Policy Objects
| Tool | Description |
|---|---|
| | List application objects |
| | Get application by UUID |
| | Create a custom application |
| | Update a custom application |
| | Delete a custom application |
| | List application groups |
| | Get application group by UUID |
| | Create an application group |
| | Update an application group |
| | Delete an application group |
| | List application filters |
| | Get application filter by UUID |
| | Create a dynamic application filter |
| | Delete an application filter |
| | List schedule objects |
| | Get schedule by UUID |
| | Create a recurring or one-time schedule |
| | Update a schedule |
| | Delete a schedule |
| | List external dynamic lists (EDLs) |
| | Get EDL by UUID |
| | Create an IP/URL/domain EDL |
| | Update an EDL |
| | Delete an EDL |
Security
| Tool | Description |
|---|---|
| | List security policy rules |
| | Get security rule by UUID |
| | Create a security rule |
| | Update a security rule |
| | Delete a security rule |
| | Reorder a rule (top/bottom/before/after) |
| | List security zones |
| | Get security zone by UUID |
| | Create a security zone |
| | Update a security zone |
| | Delete a security zone |
| | List decryption policy rules |
| | Get decryption rule by UUID |
| | Create a decrypt/no-decrypt rule |
| | Update a decryption rule |
| | Delete a decryption rule |
| | List authentication policy rules |
| | Get authentication rule by UUID |
| | Create an authentication rule |
| | Update an authentication rule |
| | Delete an authentication rule |
Network
| Tool | Description |
|---|---|
| | List NAT rules |
| | Get NAT rule by UUID |
| | Create a NAT rule (IPv4, NAT64, NPTv6) |
| | Update a NAT rule |
| | Delete a NAT rule |
| | List policy-based forwarding rules |
| | Get PBF rule by UUID |
| | Create a PBF rule |
| | Update a PBF rule |
| | Delete a PBF rule |
| | List QoS policy rules |
| | Get QoS rule by UUID |
| | Create a QoS rule |
| | Update a QoS rule |
| | Delete a QoS rule |
Security Profiles
| Tool | Description |
|---|---|
| | List anti-spyware profiles |
| | Get anti-spyware profile by UUID |
| | Create an anti-spyware profile |
| | Delete an anti-spyware profile |
| | List WildFire antivirus profiles |
| | Get WildFire profile by UUID |
| | Create a WildFire profile |
| | Delete a WildFire profile |
| | List vulnerability protection profiles |
| | Get vulnerability profile by UUID |
| | Create a vulnerability protection profile |
| | Delete a vulnerability protection profile |
| | List URL access (filtering) profiles |
| | Get URL access profile by UUID |
| | Create a URL access profile |
| | Delete a URL access profile |
| | List custom URL categories |
| | Get URL category by UUID |
| | Create a custom URL category |
| | Delete a custom URL category |
| | List DNS security profiles |
| | Get DNS security profile by UUID |
| | Create a DNS security profile |
| | Delete a DNS security profile |
| | List SSL/TLS decryption profiles |
| | Get decryption profile by UUID |
| | Create a decryption profile |
| | Delete a decryption profile |
| | List file blocking profiles |
| | Get file blocking profile by UUID |
| | Create a file blocking profile |
| | Delete a file blocking profile |
| | List zone protection profiles |
| | Get zone protection profile by UUID |
| | Create a zone protection profile |
| | Delete a zone protection profile |
Environment Variables
| Variable | Required | Description |
|---|---|---|
| SCM_CLIENT_ID | Yes | OAuth2 client ID from the SCM service account |
| SCM_CLIENT_SECRET | Yes | OAuth2 client secret from the SCM service account |
| SCM_TSG_ID | Yes | Default Tenant Service Group ID |
| SCM_TSG_<ALIAS> | No | Named TSG alias — pass |
Authentication
SCM uses OAuth2 client credentials flow. Tokens have a 15-minute TTL and are automatically refreshed by the underlying pan-scm-sdk. No token management is required.
Service accounts are created in the SCM portal under Settings > Identity & Access > Service Accounts. The account needs appropriate role permissions for the resources you intend to manage.
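The token lifecycle the paragraph above describes, as an added example of what the underlying SDK does on the server's behalf (this is not pan-scm-sdk code and it does not contact SCM). The token endpoint is a constructed stub that returns the usual client-credentials response shape, the 60-second refresh margin is an assumption, and the injectable clock exists so the 15-minute expiry can be exercised without waiting. The secret is held only to be presented to the token endpoint and is kept out of `repr`, so it cannot leak through logs or tracebacks.

```python
"""Client-credentials access token with a 15-minute TTL, refreshed before expiry.

Added illustration for this README of what pan-scm-sdk handles automatically;
not SDK code. Assumptions: a stubbed token endpoint, a 60-second refresh
margin, and a manually advanced clock for demonstration.
"""
import itertools
import time
from typing import Any, Callable, Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60      # TTL stated in the README
REFRESH_MARGIN_SECONDS = 60      # assumed: renew early instead of failing mid-request

_issued = itertools.count(1)     # makes each stub token distinct


def fake_token_endpoint(client_id: str, client_secret: str, tsg_id: str) -> Dict[str, Any]:
    """Stand-in for the OAuth2 token endpoint (constructed for this example).

    Returns the usual token-response fields; a wrong client ID or secret is
    rejected the way the real endpoint rejects an invalid_client.
    """
    if client_id != "example-client-id" or client_secret != "example-secret":
        raise PermissionError("invalid_client")
    return {
        "access_token": f"tok-{tsg_id}-{next(_issued)}",
        "token_type": "Bearer",
        "expires_in": TOKEN_TTL_SECONDS,
    }


class FakeClock:
    """Manually advanced clock so expiry can be tested without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class TokenManager:
    """Cache one access token per (service account, tenant); refresh it when it
    is within REFRESH_MARGIN_SECONDS of expiry."""

    def __init__(
        self,
        client_id: str,
        client_secret: str,
        tsg_id: str,
        fetch: Callable[[str, str, str], Dict[str, Any]] = fake_token_endpoint,
        clock: Callable[[], float] = time.monotonic,
    ) -> None:
        self._client_id = client_id
        self._client_secret = client_secret
        self._tsg_id = tsg_id
        self._fetch = fetch
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.refresh_count = 0

    def _needs_refresh(self) -> bool:
        return self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN_SECONDS

    def bearer(self) -> str:
        """Return the Authorization header value, refreshing the token first if needed."""
        if self._needs_refresh():
            resp = self._fetch(self._client_id, self._client_secret, self._tsg_id)
            self._token = str(resp["access_token"])
            self._expires_at = self._clock() + float(resp["expires_in"])
            self.refresh_count += 1
        return f"Bearer {self._token}"

    def __repr__(self) -> str:
        # The secret never appears in logs or tracebacks.
        return (f"TokenManager(client_id={self._client_id!r}, "
                f"tsg_id={self._tsg_id!r}, client_secret='***')")


if __name__ == "__main__":
    clock = FakeClock()
    tm = TokenManager("example-client-id", "example-secret", "1234567890", clock=clock)
    first = tm.bearer()
    clock.now += 14 * 60 + 30    # inside the refresh margin, so the next call renews
    print(first, tm.bearer(), tm.refresh_count, tm, sep="\n")
```

Refreshing slightly before expiry rather than on a 401 matters for this server because a single natural-language request can fan out into many API calls; a token that expires mid-sequence would otherwise leave a partially applied change.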
Contributing
Issues and pull requests welcome. This project is built on pan-scm-sdk — if you need a resource type that isn't covered here, check whether the SDK supports it first.
License
MIT