Provides read-only access to Cisco Firepower Management Center (FMC), allowing users to query firewall configurations, search for network objects by IP, and monitor device deployment status.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type @ followed by the MCP server name and your instructions, e.g., "@Cisco FMC MCP Server Find the network object associated with IP 10.1.10.50"
That's it! The server will respond to your query, and you can continue using it as needed.
MCP Server for Cisco FMC
A read-only Model Context Protocol (MCP) server for Cisco Firepower Management Center (FMC) 7.4.x.
This server allows LLMs like Claude to query your firewall configuration, search for network objects, and check deployment status—all through natural language.
Features
Read-Only Access: Safe exploration of FMC configuration without modification risk
Rate Limiting: Built-in token bucket rate limiter (120 req/min, 10 concurrent connections)
Automatic Token Refresh: Handles FMC's 30-minute token expiration and 3-refresh limit
Transparent Pagination: Automatically fetches all pages from large datasets
MCP Resources
Resource | Description |
| FMC server version and system information |
| List of all managed firewall devices |
| All network objects (IPs, subnets) |
| Devices with pending changes |
MCP Tools
Tool | Description |
| Find network objects containing a specific IP |
| Check if devices are in sync |
Installation
Prerequisites
Python 3.10+
uv (recommended) or pip
Access to a Cisco FMC 7.4.x instance
Using uv (Recommended)
# Clone the repository
git clone https://github.com/your-org/fmc-mcp.git
cd fmc-mcp
# Install dependencies
uv sync
Using pip
pip install -e .
Configuration
Copy the example configuration:
cp .env.example .env
Edit .env with your FMC credentials:
FMC_HOST=fmc.example.com
FMC_USERNAME=api_user
FMC_PASSWORD=your_password_here
Configuration Options
Variable | Required | Default | Description |
| Yes | - | FMC hostname or IP |
| Yes | - | API username |
| Yes | - | API password |
| No | | SSL certificate verification |
| No | auto | Domain UUID (auto-discovered) |
| No | | Request timeout in seconds |
Usage
Running the Server
# Using uv
uv run python -m fmc_mcp
# Or using the CLI entry point
uv run mcp-server-fmc
Testing Connection
uv run python -c "from fmc_mcp.client import FMCClient; import asyncio; asyncio.run(FMCClient().test_connection())"
Claude Desktop Integration
Add to your Claude Desktop configuration (claude_desktop_config.json):
{
  "mcpServers": {
    "fmc": {
      "command": "uv",
      "args": ["run", "--directory", "/path/to/fmc-mcp", "python", "-m", "fmc_mcp"]
    }
  }
}
Then restart Claude Desktop and try:
"What version is my FMC running?"
"List all firewall devices"
"Find the network object for IP 10.10.10.5"
"Are there any pending deployments?"
MCP Inspector Testing
# Install MCP Inspector
npx @anthropic/mcp-inspector
# Run the server
uv run python -m fmc_mcp
Development
Running Tests
# Run all tests
uv run pytest -v
# Run with coverage
uv run pytest --cov=src/fmc_mcp --cov-report=term-missing
Code Quality
# Linting
uv run ruff check src/ tests/
# Type checking
uv run mypy src/
API Rate Limits
The FMC API has strict rate limits that this server respects:
Limit | Value | How We Handle It |
Requests per minute | 120 | Token bucket rate limiter |
Concurrent connections | 10 | Connection semaphore |
Token lifetime | 30 min | Auto-refresh on 401 |
Max token refreshes | 3 | Full re-authentication after 3 |
The server logs warnings when approaching rate limits:
WARNING when token bucket drops below 20%
ERROR on 429 (rate limited) responses
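A token bucket sized to the limits in the table above, with the low-budget warning at 20%, written here as an added example; it is not the project's own code. The class, function and logger names and the injectable clock are assumptions made for illustration.

```python
import logging
import time

log = logging.getLogger("fmc_rate_limit_example")  # hypothetical logger name


class TokenBucket:
    """Token bucket sized for the FMC limit quoted above: 120 requests/minute."""

    def __init__(self, capacity=120, per_seconds=60.0, warn_fraction=0.20,
                 clock=time.monotonic):
        self.capacity = capacity
        self.rate = capacity / per_seconds        # tokens restored per second
        self.warn_level = capacity * warn_fraction
        self.clock = clock                        # injectable so tests need no sleep
        self.tokens = float(capacity)
        self.last = clock()

    def _refill(self):
        # Credit tokens for the time elapsed, never exceeding capacity.
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def try_acquire(self):
        """Take one token if available; False means hold the request back."""
        self._refill()
        if self.tokens < 1:
            return False
        self.tokens -= 1
        if self.tokens < self.warn_level:
            log.warning("rate budget low: %.0f of %d tokens left",
                        self.tokens, self.capacity)
        return True

    def wait_time(self):
        """Seconds until the next token exists (0.0 if one is available now)."""
        self._refill()
        return 0.0 if self.tokens >= 1 else (1 - self.tokens) / self.rate


class FakeClock:
    """Constructed test clock: time only moves when .t is changed."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def burst(bucket, n):
    """Attempt n back-to-back requests; return how many were allowed."""
    return sum(bucket.try_acquire() for _ in range(n))
```

A caller that gets False from try_acquire() sleeps for wait_time() and retries, so a burst is delayed locally instead of being answered with 429 by the FMC.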
Security Notes
Read-Only: This server only performs GET requests
SSL: Certificate verification is disabled by default for lab environments; enable it in production
Credentials: Store in .env, never commit to version control
API User: Create a dedicated read-only API user in FMC
License
Apache 2.0