Palo Alto Networks MCP Server Suite

Instructions

Implementation Reference

• src/index.ts:217-245 (handler)

  The main handler for the 'list_resources' tool. Validates input arguments using isListResourcesArgs, verifies the resource_type exists in the specified category's list, makes an API call to `/Objects/${resource_type}` on the Palo Alto firewall, and returns the JSON response as text content.

  case 'list_resources': {
      const rawArgs = request.params.arguments;
      if (!isListResourcesArgs(rawArgs)) {
          throw new McpError(
              ErrorCode.InvalidParams, 
              'Invalid arguments for list_resources'
          );
      }
  
      const { category, resource_type } = rawArgs;
  
      const categoryResources = RESOURCE_CATEGORIES[category];
      if (!categoryResources.includes(resource_type)) {
          throw new McpError(
              ErrorCode.InvalidParams, 
              `Invalid resource type for category ${category}: ${resource_type}`
          );
      }
  
      const response = await this.axiosInstance.get(`/Objects/${resource_type}`);
      return {
          content: [
              {
                  type: 'text',
                  text: JSON.stringify(response.data, null, 2),
              },
          ],
      };
  }

• src/index.ts:79-82 (schema)

  TypeScript interface defining the expected input shape for the list_resources tool arguments.

  interface ListResourcesArgs {
      category: keyof ResourceCategories;
      resource_type: string;
  }

• src/index.ts:141-158 (registration)

  Tool registration in the ListToolsRequestSchema handler, defining name, description, and inputSchema with validation for category (enum from RESOURCE_CATEGORIES keys) and resource_type.

      name: 'list_resources',
      description: 'List resources from a specific category',
      inputSchema: {
          type: 'object',
          properties: {
              category: {
                  type: 'string',
                  enum: Object.keys(RESOURCE_CATEGORIES),
                  description: 'Resource category to list'
              },
              resource_type: {
                  type: 'string',
                  description: 'Specific resource type within the category'
              }
          },
          required: ['category', 'resource_type']
      }
  },

• src/index.ts:84-92 (helper)

  Type guard helper function used to validate that arguments match ListResourcesArgs shape and category is a valid key in RESOURCE_CATEGORIES.

  function isListResourcesArgs(args: unknown): args is ListResourcesArgs {
      if (typeof args !== 'object' || args === null) return false;
      const typedArgs = args as Record<string, unknown>;
      return (
          typeof typedArgs.category === 'string' && 
          typeof typedArgs.resource_type === 'string' &&
          Object.keys(RESOURCE_CATEGORIES).includes(typedArgs.category as string)
      );
  }

• src/index.ts:26-77 (helper)

  Constant defining all available resource categories and their supported resource_types, used for validation in schema enum, arg validation, and handler checks.

  const RESOURCE_CATEGORIES: ResourceCategories = {
      OBJECTS: [
          'Addresses', 'AddressGroups', 'Regions', 'DynamicUserGroups', 
          'Applications', 'ApplicationGroups', 'ApplicationFilters', 
          'Services', 'ServiceGroups', 'Tags', 'GlobalProtectHIPObjects',
          'GlobalProtectHIPProfiles', 'ExternalDynamicLists', 
          'CustomDataPatterns', 'CustomSpywareSignatures', 
          'CustomVulnerabilitySignatures', 'CustomURLCategories',
          'AntivirusSecurityProfiles', 'AntiSpywareSecurityProfiles',
          'VulnerabilityProtectionSecurityProfiles', 
          'URLFilteringSecurityProfiles', 'FileBlockingSecurityProfiles',
          'WildFireAnalysisSecurityProfiles', 'DataFilteringSecurityProfiles',
          'DoSProtectionSecurityProfiles', 'SecurityProfileGroups',
          'LogForwardingProfiles', 'AuthenticationEnforcements', 
          'DecryptionProfiles', 'PacketBrokerProfiles', 
          'SDWANPathQualityProfiles', 'SDWANTrafficDistributionProfiles',
          'SDWANSaasQualityProfiles', 'SDWANErrorCorrection', 'Schedules'
      ],
      POLICIES: [
          'SecurityRules', 'NATRules', 'QoSRules', 
          'PolicyBasedForwardingRules', 'DecryptionRules', 
          'NetworkPacketBrokerRules', 'TunnelInspectionRules', 
          'ApplicationOverrideRules', 'AuthenticationRules', 
          'DoSRules', 'SDWANRules'
      ],
      NETWORK: [
          'EthernetInterfaces', 'AggregateEthernetInterfaces', 
          'VLANInterfaces', 'LoopbackInterfaces', 'TunnelIntefaces', 
          'SDWANInterfaces', 'Zones', 'VLANs', 'VirtualWires', 
          'VirtualRouters', 'IPSecTunnels', 'GRETunnels', 
          'DHCPServers', 'DHCPRelays', 'DNSProxies', 
          'GlobalProtectPortals', 'GlobalProtectGateways', 
          'GlobalProtectGatewayAgentTunnels', 
          'GlobalProtectGatewaySatelliteTunnels', 
          'GlobalProtectGatewayMDMServers', 
          'GlobalProtectClientlessApps', 
          'GlobalProtectClientlessAppGroups', 
          'QoSInterfaces', 'LLDP', 
          'GlobalProtectIPSecCryptoNetworkProfiles', 
          'IKEGatewayNetworkProfiles', 'IKECryptoNetworkProfiles', 
          'MonitorNetworkProfiles', 
          'InterfaceManagementNetworkProfiles', 
          'ZoneProtectionNetworkProfiles', 'QoSNetworkProfiles', 
          'LLDPNetworkProfiles', 'BFDNetworkProfiles', 
          'SDWANInterfaceProfiles'
      ],
      DEVICES: [
          'VirtualSystems', 'SNMPTrapServerProfiles', 
          'SyslogServerProfiles', 'EmailServerProfiles', 
          'HttpServerProfiles', 'LDAPServerProfiles'
      ]
  };