Skip to main content
Glama
rstierli

FortiManager MCP Server

by rstierli
OverviewSchemaRelated ServersScoreDiscussions
Python
Hybrid

FortiManager MCP Server

CI Python Version License: MIT Version FortiManager

A Model Context Protocol (MCP) server for FortiManager JSON-RPC API. This server enables AI assistants like Claude to interact with FortiManager for centralized firewall policy management, device provisioning, and network configuration.

Note: This is an independent open-source project and is not affiliated with, endorsed by, or supported by Fortinet, Inc. FortiManager is a trademark of Fortinet, Inc.

Disclaimer: This MCP server can create, modify, and delete configurations on FortiManager. Misuse or misconfiguration can impact production networks. Use at your own risk. Always test in a non-production environment first and ensure appropriate ADOM permissions are configured.

Overview

This MCP server provides a comprehensive interface to FortiManager's capabilities, allowing AI assistants to:

  • Create and manage firewall policies and policy packages

  • Configure firewall objects (addresses, services, VIPs)

  • Add, provision, and manage FortiGate devices

  • Execute CLI scripts on managed devices

  • Configure provisioning and SD-WAN templates

  • Monitor tasks and installations

  • Manage ADOMs and workspace locking

Features

Category

Capabilities

Policy Management

Create/update/delete firewall policies, manage policy packages, clone packages

Object Management

Addresses, address groups, services, service groups, search objects

Device Management

Add/delete devices, bulk operations, device status, VDOM management

Script Execution

Create/run CLI scripts, execute on devices/groups, view execution logs

Templates

System templates, CLI template groups, template assignment and validation

SD-WAN

SD-WAN templates, rule configuration, template assignment

System

System status, ADOM management, task monitoring, workspace locking

Requirements

  • Python: 3.12 or higher

  • FortiManager: 7.x with JSON-RPC API access enabled

  • Authentication: API token (recommended) or username/password

  • Network: HTTPS access to FortiManager management interface

Installation

Using uv (Recommended)

# Clone the repository
git clone https://github.com/rstierli/fortimanager-mcp.git
cd fortimanager-mcp

# Create and activate virtual environment
uv venv
source .venv/bin/activate  # On Windows: .venv\Scripts\activate

# Install dependencies
uv sync

Using pip

# Clone the repository
git clone https://github.com/rstierli/fortimanager-mcp.git
cd fortimanager-mcp

# Create virtual environment
python -m venv .venv
source .venv/bin/activate

# Install package
pip install -e .

Using Docker

Pre-built images are available on GitHub Container Registry:

docker pull ghcr.io/rstierli/fortimanager-mcp:latest

Quick start with Docker Compose:

# docker-compose.yml
services:
  fortimanager-mcp:
    image: ghcr.io/rstierli/fortimanager-mcp:latest
    container_name: fortimanager-mcp
    restart: unless-stopped
    ports:
      - "8000:8000"
    env_file:
      - .env
    environment:
      - MCP_SERVER_MODE=http
      - MCP_SERVER_HOST=0.0.0.0
      - MCP_SERVER_PORT=8000
      - FORTIMANAGER_HOST=your-fmg-hostname
      # Keep TLS verification on; import the FortiManager CA for self-signed
      # certs. FORTIMANAGER_VERIFY_SSL=false disables MITM protection.
      - FORTIMANAGER_VERIFY_SSL=true
      - DEFAULT_ADOM=root
      - FMG_TOOL_MODE=full
      - LOG_LEVEL=INFO

Create a .env file for secrets (not tracked in git):

# .env
FORTIMANAGER_API_TOKEN=your-api-token
MCP_AUTH_TOKEN=your-secret-bearer-token  # optional, enables HTTP auth
chmod 600 .env
docker compose up -d

Verify the server is running:

curl http://localhost:8000/health
# {"status": "healthy", "service": "fortimanager-mcp", "fortimanager_connected": true}

Configuration

Environment Variables

Create a .env file from the example:

cp .env.example .env

Edit .env with your FortiManager settings:

# FortiManager Connection (Required)
FORTIMANAGER_HOST=192.168.1.100

# Authentication Option 1: API Token (Recommended)
FORTIMANAGER_API_TOKEN=your-api-token-here

# Authentication Option 2: Username/Password
# FORTIMANAGER_USERNAME=admin
# FORTIMANAGER_PASSWORD=your-password

# SSL Verification — keep this TRUE. For self-signed FortiManager certs,
# import the FortiManager CA into your trust store instead of disabling it
# (see docs/SETUP_GUIDE.md "Trusting the FortiManager CA"). Setting this to
# false disables TLS verification and exposes the connection to MITM attacks.
FORTIMANAGER_VERIFY_SSL=true

# Request Settings
FORTIMANAGER_TIMEOUT=30
FORTIMANAGER_MAX_RETRIES=3

# Logging
LOG_LEVEL=INFO  # DEBUG for troubleshooting

# Tool Loading Mode (important for context window optimization)
FMG_TOOL_MODE=full  # or "dynamic" for ~90% context reduction

# Default ADOM (optional - defaults to "root")
DEFAULT_ADOM=root

# HTTP Authentication (optional, recommended for Docker/HTTP deployments)
# MCP_AUTH_TOKEN=your-secret-token

# MCP Server Settings (for HTTP/Docker mode)
# MCP_SERVER_MODE=http     # "http" for Docker, "stdio" for Claude Desktop, "auto" to detect
# MCP_SERVER_HOST=0.0.0.0  # Bind address (0.0.0.0 for Docker)
# MCP_SERVER_PORT=8000      # Server port

# Allowed Host headers for HTTP/Docker deployments (optional)
# Set to the value clients use in their connection URL — NOT the client's IP.
# The MCP SDK rejects non-localhost Host headers by default for DNS rebinding protection.
# Examples: ["mcp.example.com"], ["10.1.5.62:8000"], or wildcard ["10.1.5.62:*"]
# MCP_ALLOWED_HOSTS=["mcp.example.com"]

# Safety Guardrails (optional - strict by default)
# FMG_SCRIPT_SAFETY=strict    # Block dangerous CLI commands in scripts (factory-reset, reboot, etc.)
# FMG_POLICY_SAFETY=strict    # Block overly permissive policies (srcaddr=all + dstaddr=all + accept)

Tool Loading Modes

FortiManager MCP supports two tool loading modes to optimize context window usage:

Mode

Tools Loaded

Context Usage

Best For

full (default)

All 102 tools

~100%

Large context windows, full functionality

dynamic

4 discovery tools

~10%

Smaller context windows, on-demand loading

Full Mode (default): All 102 tools are loaded at startup. Best when you have sufficient context window and need immediate access to all FortiManager operations.

Dynamic Mode: Only lightweight discovery tools are loaded:

  • find_fortimanager_tool(operation) - Search for tools by keyword

  • list_fortimanager_categories() - List tool categories

  • execute_fortimanager_tool(name, params) - Execute any tool by name

  • health_check() - Server health status

To enable dynamic mode:

FMG_TOOL_MODE=dynamic

Default ADOM

The DEFAULT_ADOM environment variable sets the default Administrative Domain (ADOM) for all FortiManager operations. When a tool is called without specifying an ADOM, this value is used.

DEFAULT_ADOM=root  # default value

This is particularly useful when:

  • Your FortiManager only uses a single ADOM

  • Most of your work is within one specific ADOM

  • You want to avoid repeatedly specifying the ADOM in each tool call

If not set, defaults to root (the global ADOM).

Generating an API Token

  1. Log into FortiManager web interface

  2. Go to System Settings > Admin > Administrators

  3. Edit your admin user or create a new one

  4. Under JSON API Access, click Regenerate or New API Key

  5. Copy the generated token

Running the Server

Standalone Mode

# Using the installed command
fortimanager-mcp

# Or using Python module
python -m fortimanager_mcp

Claude Desktop Integration

Add to your Claude Desktop configuration file:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "fortimanager": {
      "command": "/path/to/fortimanager-mcp/.venv/bin/fortimanager-mcp",
      "env": {
        "FORTIMANAGER_HOST": "your-fmg-hostname",
        "FORTIMANAGER_API_TOKEN": "your-api-token",
        "FORTIMANAGER_VERIFY_SSL": "true",
        "LOG_LEVEL": "INFO"
      }
    }
  }
}

Note: Use the full path to the fortimanager-mcp executable in your virtual environment.

Claude Code Integration

Add to ~/.claude/mcp_servers.json:

{
  "mcpServers": {
    "fortimanager": {
      "command": "/path/to/fortimanager-mcp/.venv/bin/fortimanager-mcp",
      "env": {
        "FORTIMANAGER_HOST": "your-fmg-hostname",
        "FORTIMANAGER_API_TOKEN": "your-api-token",
        "FORTIMANAGER_VERIFY_SSL": "true",
        "DEFAULT_ADOM": "root",
        "LOG_LEVEL": "INFO"
      }
    }
  }
}

Docker Mode

# Start the server
docker compose up -d

# View logs
docker compose logs -f

# Stop the server
docker compose down

HTTP Mode (Remote Access)

When running in HTTP mode (Docker or standalone with MCP_SERVER_MODE=http), MCP clients connect via the Streamable HTTP transport:

Claude Code (~/.claude/mcp_servers.json):

{
  "mcpServers": {
    "fortimanager": {
      "type": "streamable-http",
      "url": "https://your-mcp-host.example.com/mcp",
      "headers": {
        "Authorization": "Bearer your-mcp-auth-token"
      }
    }
  }
}

Claude Desktop (claude_desktop_config.json):

{
  "mcpServers": {
    "fortimanager": {
      "type": "streamable-http",
      "url": "https://your-mcp-host.example.com/mcp",
      "headers": {
        "Authorization": "Bearer your-mcp-auth-token"
      }
    }
  }
}

Production Deployment (Reverse Proxy)

For production deployments behind a TLS-terminating reverse proxy:

MCP Client → HTTPS → Reverse Proxy (Traefik/nginx) → HTTP → MCP Container → FortiManager

Key considerations:

  1. MCP_ALLOWED_HOSTS — The MCP SDK validates the Host header to prevent DNS rebinding attacks. By default only localhost and 127.0.0.1 are accepted. Set this to the value clients put in their connection URL (NOT the client's IP):

    # Reverse-proxy hostname (Traefik/nginx):
MCP_ALLOWED_HOSTS=["mcp.example.com"]
# Direct Docker exposure on IP+port:
MCP_ALLOWED_HOSTS=["10.1.5.62:8000"]
# Port wildcard (any port on the host):
MCP_ALLOWED_HOSTS=["10.1.5.62:*"]

  2. MCP_AUTH_TOKEN — Always set a Bearer token for HTTP deployments:

    MCP_AUTH_TOKEN=$(openssl rand -hex 32)

  3. Secrets management — Keep API tokens and auth tokens in an env_file (.env), not inline in docker-compose.yml.

Example with Traefik:

services:
  fortimanager-mcp:
    image: ghcr.io/rstierli/fortimanager-mcp:latest
    container_name: fortimanager-mcp
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    env_file:
      - .env
    environment:
      - MCP_SERVER_MODE=http
      - MCP_SERVER_HOST=0.0.0.0
      - MCP_SERVER_PORT=8000
      - FORTIMANAGER_HOST=your-fmg-hostname
      # Keep TLS verification on; import the FortiManager CA for self-signed
      # certs. FORTIMANAGER_VERIFY_SSL=false disables MITM protection.
      - FORTIMANAGER_VERIFY_SSL=true
      - MCP_ALLOWED_HOSTS=["mcp.example.com"]
      - DEFAULT_ADOM=root
      - FMG_TOOL_MODE=full
      - LOG_LEVEL=INFO
    networks:
      - frontend
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.fmg-mcp-secure.entrypoints=https"
      - "traefik.http.routers.fmg-mcp-secure.rule=Host(`mcp.example.com`)"
      - "traefik.http.routers.fmg-mcp-secure.tls=true"
      - "traefik.http.services.fmg-mcp.loadbalancer.server.port=8000"
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"

networks:
  frontend:
    external: true

Available Tools (102 tools)

System Tools (17 tools)

Tool

Description

get_system_status

Get FortiManager system status and version info

get_ha_status

Get High Availability cluster status

list_adoms

List all Administrative Domains

get_adom

Get specific ADOM details

list_devices

List devices in an ADOM

get_device

Get specific device information

list_device_groups

List device groups in an ADOM

list_tasks

List background tasks

get_task

Get task details by ID

wait_for_task

Wait for a task to complete

list_packages

List policy packages in an ADOM

get_package

Get policy package details

install_package

Install policy package to devices

install_device_settings

Install device settings only

lock_adom

Lock ADOM for editing (workspace mode)

unlock_adom

Unlock ADOM

commit_adom

Commit ADOM changes

Device Management Tools (12 tools)

Tool

Description

list_device_vdoms

List VDOMs for a device

get_device_status

Get device connection and sync status

search_devices

Search devices with filters

add_device

Add a new device to FortiManager

add_model_device

Add offline model device

delete_device

Remove a device from FortiManager

add_devices_bulk

Add multiple devices at once

delete_devices_bulk

Remove multiple devices at once

update_device

Update device metadata

reload_device_list

Refresh device list cache

get_device_realtime_status

Get live device status

get_device_interfaces

Get device interface information

Policy Tools (15 tools)

Tool

Description

create_package

Create a new policy package

delete_package

Delete a policy package

clone_package

Clone an existing package

assign_package

Assign package to devices

list_firewall_policies

List policies in a package

get_firewall_policy

Get policy details

create_firewall_policy

Create a new firewall policy

update_firewall_policy

Update an existing policy

delete_firewall_policy

Delete a firewall policy

delete_firewall_policies_bulk

Bulk delete policies

move_firewall_policy

Reorder policy position

search_firewall_policies

Search policies with filters

get_policy_services

Get policy services with optional group resolution

preview_install

Preview installation changes

get_preview_result

Get preview results

Object Tools (24 tools)

Tool

Description

list_addresses

List firewall address objects

get_address

Get address object details

create_address_subnet

Create subnet address

create_address_host

Create host address

create_address_fqdn

Create FQDN address

create_address_range

Create IP range address

update_address

Update address object

delete_address

Delete address object

list_address_groups

List address groups

get_address_group

Get address group details

create_address_group

Create address group

update_address_group

Update address group

delete_address_group

Delete address group

list_services

List service objects

get_service

Get service details

create_service_tcp_udp

Create TCP/UDP service

create_service_icmp

Create ICMP service

update_service

Update service object

delete_service

Delete service object

list_service_groups

List service groups

get_service_group

Get service group details

create_service_group

Create service group

delete_service_group

Delete service group

search_objects

Search all object types

Script Tools (12 tools)

Tool

Description

list_scripts

List CLI scripts in ADOM

get_script

Get script content and details

create_script

Create a new CLI script

update_script

Update existing script

delete_script

Delete a script

execute_script_on_device

Run script on single device

execute_script_on_devices

Run script on multiple devices

execute_script_on_device_group

Run script on device group

execute_script_on_package

Run script on package/ADOM DB

get_script_log_latest

Get latest execution log

get_script_log_summary

Get execution history

get_script_log_output

Get specific log output

Template Tools (15 tools)

Tool

Description

list_templates

List provisioning templates

get_template

Get template details

list_system_templates

List system templates (devprof)

get_system_template

Get system template details

assign_system_template

Assign template to device

assign_system_template_bulk

Bulk assign system template

unassign_system_template

Remove template assignment

list_cli_template_groups

List CLI template groups

get_cli_template_group

Get CLI template group

create_cli_template_group

Create CLI template group

delete_cli_template_group

Delete CLI template group

list_template_groups

List template groups

get_template_group

Get template group

assign_template_group

Assign template group

validate_template

Validate template against device

SD-WAN Tools (7 tools)

Tool

Description

list_sdwan_templates

List SD-WAN templates

get_sdwan_template

Get SD-WAN template details

create_sdwan_template

Create SD-WAN template

delete_sdwan_template

Delete SD-WAN template

assign_sdwan_template

Assign template to device

assign_sdwan_template_bulk

Bulk assign SD-WAN template

unassign_sdwan_template

Remove template assignment

Usage Examples

Policy Management

"List all firewall policies in the 'default' package"
"Create a new policy to allow HTTP traffic from internal to wan1"
"Move policy 10 before policy 5 in the default package"
"Install the branch-policy package to FGT-01"

Object Management

"Create an address object for the web server at 192.168.10.10"
"List all address groups in the root ADOM"
"Create a service for TCP port 8443"
"Search for all objects containing 'web' in the name"

Device Management

"List all devices in the root ADOM"
"Add a new FortiGate device at 10.0.0.1"
"Get the connection status for FGT-01"
"Show the VDOMs configured on FGT-01"

Script Execution

"List all CLI scripts in the root ADOM"
"Create a backup script that runs 'execute backup config ftp'"
"Execute the backup script on FGT-01"
"Show the latest script execution log for FGT-01"

Template Management

"List all system templates in the ADOM"
"Assign the 'Branch-Template' to FGT-01"
"Show available SD-WAN templates"
"Validate the template against device FGT-01"

System Operations

"What is the FortiManager system status?"
"Lock the root ADOM for editing"
"Show all running tasks"
"Wait for task 123 to complete"

Architecture

fortimanager-mcp/
├── src/fortimanager_mcp/
│   ├── api/
│   │   └── client.py          # FortiManager API client (JSON-RPC)
│   ├── tools/
│   │   ├── system_tools.py    # System, ADOM, task management
│   │   ├── dvm_tools.py       # Device management tools
│   │   ├── policy_tools.py    # Policy and package tools
│   │   ├── object_tools.py    # Address, service objects
│   │   ├── script_tools.py    # CLI script tools
│   │   ├── template_tools.py  # Provisioning templates
│   │   └── sdwan_tools.py     # SD-WAN templates
│   ├── utils/
│   │   ├── config.py          # Configuration management
│   │   └── errors.py          # Error handling
│   └── server.py              # MCP server implementation
├── tests/                     # Test suite (190+ tests)
├── docs/                      # API documentation
├── .env.example               # Example configuration
├── pyproject.toml             # Project configuration
├── Dockerfile                 # Container image definition
└── docker-compose.yml         # Container orchestration

API Reference

The server communicates with FortiManager using the JSON-RPC API over HTTPS. All requests are sent to the /jsonrpc endpoint.

Supported FortiManager Versions

  • FortiManager 7.0.x

  • FortiManager 7.2.x

  • FortiManager 7.4.x

  • FortiManager 7.6.x (primary development target)

Authentication Methods

  1. API Token (Recommended)

    • More secure, no session management

    • Tokens can be revoked without changing passwords

    • Works with FortiManager 7.0+

  2. Username/Password

    • Traditional session-based authentication

    • Session automatically managed by the client

Troubleshooting

Enable Debug Logging

Set LOG_LEVEL=DEBUG in your environment to see detailed API requests and responses:

LOG_LEVEL=DEBUG fortimanager-mcp

Common Issues

Connection Failed

  • Verify FortiManager hostname/IP is correct

  • Check network connectivity and firewall rules

  • Ensure HTTPS port (443) is accessible

Authentication Failed

  • Verify API token or credentials are correct

  • Check if the admin account has API access enabled

  • Ensure the account has sufficient permissions

SSL Certificate Errors

  • For self-signed FortiManager certs, import the FortiManager CA certificate into your trust store and keep FORTIMANAGER_VERIFY_SSL=true (see SETUP_GUIDE.md → "Trusting the FortiManager CA")

  • For production, use valid SSL certificates signed by a trusted CA

  • Last resort only: FORTIMANAGER_VERIFY_SSL=false disables TLS verification and exposes the connection to man-in-the-middle attacks — avoid in production

ADOM Locked

  • Another user may have the ADOM locked

  • Use unlock_adom to release the lock (requires permissions)

  • Check workspace mode settings in FortiManager

MCP Transport Issues

Invalid Host header (HTTP/Docker mode)

Symptom — server logs show:

mcp.server.transport_security - WARNING - Invalid Host header: 10.x.y.z:8000
INFO:     ... "POST /mcp HTTP/1.1" 421 Misdirected Request

Cause: the MCP SDK validates the Host header for DNS rebinding protection. By default only localhost and 127.0.0.1 are accepted. The header value is whatever the client puts in its connection URL — not the client's IP.

Fix: add the URL value (with port, if used) to MCP_ALLOWED_HOSTS:

# If the client connects to http://10.1.5.62:8000/mcp:
MCP_ALLOWED_HOSTS=["10.1.5.62:8000"]
# Or use a port wildcard to allow any port on that host:
MCP_ALLOWED_HOSTS=["10.1.5.62:*"]
# For a reverse-proxy hostname:
MCP_ALLOWED_HOSTS=["mcp.example.com"]

PermissionError: pyvenv.cfg (macOS stdio mode)

Symptom — Claude Desktop MCP logs show:

Fatal Python error: init_import_site: Failed to import the site module
PermissionError: [Errno 1] Operation not permitted: '.../.venv/pyvenv.cfg'

Cause: macOS TCC (Transparency, Consent, Control) blocks Claude Desktop from launching executables from inside ~/Documents, ~/Desktop, or ~/Downloads.

Fix (preferred): move the project out of those folders, recreate the venv, and update Claude Desktop's MCP config to the new path:

mv ~/Documents/mcp ~/mcp
cd ~/mcp/fortimanager-mcp
rm -rf .venv && uv sync
# Then update the "command" path in claude_desktop_config.json

Fix (alternative): grant Claude Desktop Full Disk Access — System Settings → Privacy & Security → Full Disk Access → add Claude. Broader permission; only use if relocation isn't feasible.

Viewing Logs

Claude Desktop MCP Server Logs:

  • macOS: ~/Library/Logs/Claude/mcp-server-fortimanager.log

  • Windows: %APPDATA%\Claude\logs\mcp-server-fortimanager.log

Development

Running Tests

The project includes 190+ tests covering all tool modules, error handling, and validation logic.

# Install dev dependencies
uv sync --all-extras

# Run all unit tests
pytest

# Run with coverage report
pytest --cov=src/fortimanager_mcp --cov-report=html

# Run specific test file
pytest tests/test_policy_tools.py -v

# Run tests with verbose output
pytest -v

Integration Tests

Integration tests require a real FortiManager instance and are not run in CI.

# Set up environment
export FORTIMANAGER_HOST=your-fmg-host
export FORTIMANAGER_API_TOKEN=your-token
# Keep verification on; import the FortiManager CA for self-signed certs.
export FORTIMANAGER_VERIFY_SSL=true

# Run integration tests (requires live FMG)
pytest tests/integration/ -v

Note: Integration tests are verified against FortiManager 7.6.2. Some features may behave differently on older versions.

CI Workflow

The project uses GitHub Actions for continuous integration:

  • Linting: ruff check on all source files

  • Type checking: mypy with strict mode

  • Unit tests: pytest with coverage reporting

  • Python versions: 3.12+

All CI checks must pass before merging pull requests.

Code Quality

# Linting
ruff check src/

# Type checking
mypy src/

# Formatting
ruff format src/

Security Considerations

HTTP Authentication

When running in HTTP mode (Docker), you can secure the MCP endpoint with Bearer token authentication:

# Set in .env or environment
MCP_AUTH_TOKEN=your-secret-token

When configured, all HTTP requests (except /health) must include the Authorization: Bearer <token> header. If not set, the server runs without authentication (backwards compatible).

Environment File Permissions

Protect your .env files containing API tokens:

chmod 600 .env .env.*

Dynamic Tool Dispatch Security

In dynamic mode, the tool dispatcher validates tool names:

  • Rejects private/internal functions (underscore-prefixed names)

  • Validates that resolved attributes are callable

  • Error responses never include request parameters (prevents credential leakage)

Safety Guardrails

The MCP server includes built-in safety checks to prevent accidental damage to managed infrastructure. Both are enabled by default.

Script Content Safety (FMG_SCRIPT_SAFETY)

Blocks dangerous CLI commands in create_script and update_script:

Blocked Command

Risk

execute factory-reset

Wipes device configuration

execute reboot

Causes device outage

execute shutdown

Powers off device

execute format

Formats device disk

execute erase-disk

Erases device disk

Handles FortiOS abbreviations (exec for execute) and case variations.

FMG_SCRIPT_SAFETY=strict    # Default: block dangerous commands
FMG_SCRIPT_SAFETY=disabled  # Allow all commands (use with extreme caution)

Policy Permissiveness Safety (FMG_POLICY_SAFETY)

Blocks overly permissive firewall policies in create_firewall_policy and update_firewall_policy. Detects policies where srcaddr=all + dstaddr=all + action=accept, which allows unrestricted traffic.

FMG_POLICY_SAFETY=strict    # Default: block overly permissive policies
FMG_POLICY_SAFETY=warn      # Allow but include warning in response
FMG_POLICY_SAFETY=disabled  # Allow all policies

General Security

  • API Tokens: Store tokens securely, never commit to version control

  • SSL Verification: Enable SSL verification in production environments

  • Least Privilege: Use FortiManager accounts with minimal required permissions

  • Network Security: Restrict access to FortiManager management interface

  • Workspace Locking: Use ADOM locking to prevent concurrent modifications

  • Credential Sanitization: Device credentials are automatically stripped from API responses

Contributing

Contributions are welcome! Please see CONTRIBUTING.md for guidelines on how to submit bug reports, feature requests, and pull requests.

License

MIT License - See LICENSE file for details.

Acknowledgments

Related Projects

  • fortianalyzer-mcp - MCP server for FortiAnalyzer with 70+ tools

  • pyfmg - FortiManager/FortiAnalyzer Python library

Author

Roland Stierli

This server cannot be installed

A
license - permissive license
-
quality - not tested
B
maintenance

How are these scores calculated?

Maintenance

Maintainers
9dResponse time
3wRelease cycle
7Releases (12mo)
Issues opened vs closed

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/rstierli/fortimanager-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server