Sophos XGS MCP Server
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Sophos XGS MCP ServerList all firewall rules"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Sophos XGS MCP Server
A read-only Model Context Protocol (MCP) server for the Sophos XGS Firewall XML API. Gives AI assistants like Claude visibility into your firewall configuration without any ability to modify it.
Features
60+ read-only tools covering firewall rules, NAT, VPN, web filtering, network config, routing, DHCP, DNS, IPS, SSL/TLS inspection, and admin settings
Read-only by design — only uses
<Get>API operations, no<Set>or<Remove>XML injection protection — entity name validation and XML escaping on all inputs
Credential isolation — credentials loaded from protected config files, never hardcoded
Error sanitization — passwords are stripped from error messages before reaching the MCP client
Scoped TLS handling — self-signed cert bypass is scoped per-request, not global
Related MCP server: Technitium MCP Secure
Tools
Category | Tools |
Firewall |
|
Network Objects |
|
Services |
|
Zones & Interfaces |
|
NAT |
|
VPN |
|
Web Filtering |
|
SSL/TLS Inspection |
|
IPS |
|
Routing & SD-WAN |
|
DHCP & DNS |
|
Users & Admin |
|
System |
|
| |
Access Control |
|
IPv6 |
|
Advanced |
|
Prerequisites
Node.js 18+
Sophos XGS Firewall with the XML API enabled (port 4444 by default)
An API admin account (a read-only profile is strongly recommended)
Enabling the Sophos XML API
Log into your Sophos XGS web admin
Go to Backup & firmware > API
Enable the API and allow access from the host running the MCP server
Setup
1. Install
git clone https://github.com/Leon69924/sophos-xgs-mcp.git
cd sophos-xgs-mcp
pnpm install
pnpm build2. Configure credentials
Create the config directory:
mkdir -p ~/.config/sophos-xgs
chmod 700 ~/.config/sophos-xgsCreate ~/.config/sophos-xgs/config.json:
{
"host": "your-sophos-hostname-or-ip",
"port": "4444",
"username": "your-api-user"
}Create ~/.config/sophos-xgs/credentials with just the password:
echo -n "your-password" > ~/.config/sophos-xgs/credentials
chmod 600 ~/.config/sophos-xgs/config.json ~/.config/sophos-xgs/credentialsAlternatively, use environment variables:
export SOPHOS_HOST=your-sophos-hostname-or-ip
export SOPHOS_PORT=4444
export SOPHOS_USERNAME=your-api-user
export SOPHOS_PASSWORD=your-password3. Add to your MCP client
For Claude Code, add to ~/.mcp.json:
{
"mcpServers": {
"sophos-xgs": {
"type": "stdio",
"command": "node",
"args": ["/path/to/sophos-xgs-mcp/dist/index.js"]
}
}
}Security
Read-only — the server only uses
<Get>XML API operationsNo hardcoded credentials — loaded from
~/.config/sophos-xgs/or environment variablesXML injection prevention — entity names are validated against
^[A-Za-z][A-Za-z0-9]*$, all interpolated values are XML-escapedError sanitization — credentials are stripped from error messages
TLS — all connections use HTTPS; self-signed cert bypass is scoped to the Sophos connection only
Best practice: Create a dedicated read-only admin profile on your Sophos for API access
License
AGPL-3.0-only — see LICENSE
This server cannot be installed
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Leon69924/sophos-xgs-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server