Cisco Secure Firewall FMC MCP Connector
MCP server that exposes high-level tooling for Cisco Secure Firewall Management Center (FMC), allowing discovery of FMC profiles and searching access rules by IP, FQDN, or identity indicators.
MCP server that exposes high-level tooling for Cisco Secure Firewall Management Center (FMC). Core tools:
- list_fmc_profiles – discover configured FMC instances.
- find_rules_by_ip_or_fqdn – search a specific access policy.
- find_rules_for_target – resolve an FTD device/HA/cluster to its assigned policies and search them.
- search_access_rules – FMC-wide searches with indicator + policy filters, including identity indicators (SGT, realm user/group).
1. Configure FMC access
Single FMC (env mode)
Copy .env.example to .env (or export env vars) and fill in at least:
FMC_BASE_URL=https://<fmc-host>
FMC_USERNAME=<api-user>
FMC_PASSWORD=<password>
FMC_VERIFY_SSL=false
Multiple FMCs (profile mode)
Define one env file per FMC under profiles/. Copy profiles/.env.example to a new filename (e.g., profiles/fmc-north-south.env) and fill it:
FMC_PROFILE_ID=fmc-north-south
FMC_PROFILE_DISPLAY_NAME=FMC North-South
FMC_PROFILE_ALIASES=north,north-south,10.0.0.5
FMC_BASE_URL=https://10.0.0.5
FMC_USERNAME=adminapi
FMC_PASSWORD=***
FMC_VERIFY_SSL=false
Point the server at this directory:
FMC_PROFILES_DIR=profiles
FMC_PROFILE_DEFAULT=fmc-north-south
When FMC_PROFILES_DIR is set, the server auto-loads every *.env file in that folder and exposes them via list_fmc_profiles. If it’s unset, the single-FMC env variables are used.
Logging and HTTP tracing
Logging levels can be set in the active profile file (profile mode) or in the root .env (single-FMC mode or Docker env). The default profile’s logging values are applied at startup.
LOG_LEVEL=DEBUG # overall app logging
HTTPX_TRACE=1 # log FMC request URLs and status codes
HTTPX_LOG_LEVEL=WARNING # httpx/httpcore verbosity (default WARNING)
Notes:
- In profile mode, put these in the default profile file (the one named by FMC_PROFILE_DEFAULT).
- In Docker, the root .env (or docker-compose.yml environment) must still provide server-level settings like FMC_PROFILES_DIR, FMC_PROFILE_DEFAULT, MCP_HOST, and MCP_PORT.
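A pre-flight check for the profile files described above, as an added example (not part of this project's code): it flags disabled certificate validation, a plain-HTTP FMC_BASE_URL, credential files readable by other local users, and IDs or aliases claimed by more than one profile. The env-file parsing and the set of values treated as "off" are assumptions about how the server reads these files; the sample profiles are constructed.

```python
import stat
import tempfile
from pathlib import Path

DISABLED = {"false", "0", "no", "off"}  # assumption: values the server treats as "off"

def parse_env(path):
    """Parse KEY=VALUE lines, skipping blanks and comments."""
    env = {}
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.split(" #", 1)[0].strip()
    return env

def audit_profiles_dir(directory):
    """Return {filename: [findings]} for every *.env file in the directory."""
    report, seen = {}, {}
    for path in sorted(Path(directory).glob("*.env")):
        env, findings = parse_env(path), []
        if env.get("FMC_VERIFY_SSL", "").lower() in DISABLED:
            findings.append("FMC_VERIFY_SSL is off: FMC certificate not validated")
        if env.get("FMC_BASE_URL", "").lower().startswith("http://"):
            findings.append("FMC_BASE_URL is plain HTTP")
        if env.get("FMC_PASSWORD") and stat.S_IMODE(path.stat().st_mode) & 0o077:
            findings.append("file with FMC_PASSWORD is readable by group/other")
        # An ID or alias claimed by two profiles makes FMC selection ambiguous.
        names = [env.get("FMC_PROFILE_ID", "")] + env.get("FMC_PROFILE_ALIASES", "").split(",")
        for name in sorted({n.strip().lower() for n in names if n.strip()}):
            owner = seen.setdefault(name, path.name)
            if owner != path.name:
                findings.append(f"name '{name}' also used by {owner}")
        report[path.name] = findings
    return report

def demo():
    """Audit two constructed profile files (all values are made up)."""
    base = "FMC_BASE_URL=https://fmc.example\nFMC_PASSWORD=x\n"
    with tempfile.TemporaryDirectory() as d:
        a, b = Path(d, "fmc-a.env"), Path(d, "fmc-b.env")
        a.write_text(base + "FMC_PROFILE_ID=fmc-a\nFMC_PROFILE_ALIASES=north,lab\nFMC_VERIFY_SSL=false\n")
        b.write_text(base + "FMC_PROFILE_ID=fmc-b\nFMC_PROFILE_ALIASES=lab\nFMC_VERIFY_SSL=true\n")
        a.chmod(0o644)
        b.chmod(0o600)
        return audit_profiles_dir(d)

if __name__ == "__main__":
    print(demo())
```

Run `audit_profiles_dir("profiles")` against the directory named by FMC_PROFILES_DIR before starting the server; an empty list for a file means none of these checks fired.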
2. Run the MCP server
Docker
docker compose up -d --build
The compose file expects your .env in the repo root (or point env_file at a specific profile file). Rebuild after changing requirements.txt or profile files.
Local Python
You can run the server directly without Docker:
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
python -m sfw_mcp_fmc.server
Configure transport via .env (default is HTTP on http://0.0.0.0:8000/mcp for local/dev). When exposing it publicly, front it with HTTPS such as https://<host>:8000/mcp. Logs show which FMC profiles loaded.
Note on HTTP bearer auth
Prior README versions described MCP_AUTH_TOKEN, but current FastMCP clients do not enforce it reliably, so the server runs without bearer auth. If you want to continue experimenting with a token-backed flow, you can keep the env var and wire up proxy-level auth or contribute a working implementation in this repo.
3. Manual testing
client/test_client.py is an interactive harness that:
- Calls list_fmc_profiles to display the available FMCs and lets you select one.
- Invokes the tools with your inputs (indicator, target, policy filters).
Run it from your host while the MCP server is up:
python client/test_client.py
4. Automated tests
Unit tests cover configuration parsing, profile discovery, and the rule-search engine (network + identity indicators). Execute locally or inside the container:
pip install -r requirements.txt # once per environment
python -m pytest tests
5. Integrating with LLM agents
Because the server follows the MCP protocol (via FastMCP), any MCP-aware agent platform can consume it:
- Register the MCP endpoint (stdio or HTTP). For HTTP, point to https://<host>:8000/mcp when exposed publicly (use http://localhost:8000/mcp for local/dev).
- From the agent, call list_fmc_profiles to pick an FMC (by id or alias).
- Call the other tools with fmc_profile plus your indicator/filters.
- Consume the structured JSON responses to drive subsequent steps (summaries, remediation, follow-up searches).
This enables a single MCP instance to front multiple FMCs for humans or automated agents alike.