Palo Alto Networks MCP Server Suite
DynamicEndpoints
README
Palo Alto Networks MCP Server Suite
A comprehensive suite of Model Context Protocol (MCP) servers for managing Palo Alto Networks firewalls and services through a unified API interface.
Table of Contents
- Overview
- Architecture
- Installation
- Server Details
- Integration Patterns
- Advanced Usage
- Troubleshooting
- Contributing
Overview
The Palo Alto Networks MCP Server Suite provides a modular approach to firewall management through specialized servers:
- Core Server: Base firewall operations and shared functionality
- Policy Server: Security policy and rule management
- Config Server: System configuration and settings
- Objects Server: Network objects and address management
- Device Server: Device operations and monitoring
Architecture
┌─────────────────┐ ┌──────────────────┐
│ Core Server │◄────┤ Policy Server │
│ │ └──────────────────┘
│ (Base Services)│ ┌──────────────────┐
│ │◄────┤ Config Server │
│ │ └──────────────────┘
│ │ ┌──────────────────┐
│ │◄────┤ Objects Server │
│ │ └──────────────────┘
│ │ ┌──────────────────┐
│ │◄────┤ Device Server │
└────────┬────────┘ └──────────────────┘
│
▼
┌─────────────────┐
│ Palo Alto API │
└─────────────────┘
Installation
Installing via Smithery
To install Palo Alto Networks MCP Server Suite for Claude Desktop automatically via Smithery:
npx -y @smithery/cli install @DynamicEndpoints/paloalto-mcp-server --client claude
Manual Installation
- Clone the repository:
git clone https://github.com/your-org/paloalto-mcp-servers.git
cd paloalto-mcp-servers
- Install dependencies for each server:
# Install core server
cd paloalto-server
npm install
# Install policy server
cd ../paloalto-policy-server
npm install
# Install config server
cd ../paloalto-config-server
npm install
# Install objects server
cd ../paloalto-objects-server
npm install
# Install device server
cd ../paloalto-device-server
npm install
- Configure environment variables:
# Create .env files in each server directory
PANOS_API_KEY=your-api-key
PANOS_API_BASE_URL=https://your-firewall.example.com/api
# Optional configurations
PANOS_VERIFY_SSL=true
PANOS_TIMEOUT=30000
PANOS_DEBUG=false
Server Details
Core Server (paloalto-server)
Base server providing shared functionality and core operations.
Key Features
- Authentication and session management
- API rate limiting and retry logic
- Shared utility functions
- Error handling framework
Example: Basic Authentication
const result = await useMcpTool("paloalto-server", "verify_credentials", {
api_key: process.env.PANOS_API_KEY
});
console.log(result.content[0].text); // Authentication status
Policy Server (paloalto-policy-server)
Comprehensive policy and rule management.
Available Tools
- get_security_rules
// Get all security rules
const rules = await useMcpTool("paloalto-policy", "get_security_rules", {});
// Get rules with filtering
const webRules = await useMcpTool("paloalto-policy", "get_security_rules", {
filter: {
service: ["http", "https"],
action: "allow"
}
});
- create_security_rule
// Create a basic security rule
await useMcpTool("paloalto-policy", "create_rule", {
rule_type: "security",
rule_data: {
name: "allow-internal-web",
source: ["internal-network"],
destination: ["web-servers"],
service: ["http", "https"],
action: "allow",
log_setting: "default",
profile_setting: {
group: ["default-protection"]
}
}
});
// Create a more complex rule with zones and applications
await useMcpTool("paloalto-policy", "create_rule", {
rule_type: "security",
rule_data: {
name: "restrict-social-media",
source_zone: ["trust"],
destination_zone: ["untrust"],
source: ["internal-users"],
destination: ["any"],
application: ["facebook-base", "twitter-base"],
service: ["application-default"],
action: "deny",
log_setting: "detailed-logging",
description: "Block social media access"
}
});
- update_security_rule
// Update an existing rule
await useMcpTool("paloalto-policy", "update_rule", {
rule_type: "security",
rule_name: "allow-internal-web",
rule_data: {
service: ["http", "https", "ssh"],
description: "Updated to allow SSH access"
}
});
Config Server (paloalto-config-server)
System configuration and settings management.
Example: Network Configuration
// Update DNS settings
await useMcpTool("paloalto-config", "update_network_settings", {
dns_primary: "8.8.8.8",
dns_secondary: "8.8.4.4",
dns_search_domain: "example.com"
});
// Configure interfaces
await useMcpTool("paloalto-config", "configure_interface", {
name: "ethernet1/1",
config: {
mode: "layer3",
ip: ["10.0.1.1/24"],
zone: "trust",
enable: true
}
});
Objects Server (paloalto-objects-server)
Network object and address management.
Example: Address Object Management
// Create address objects
await useMcpTool("paloalto-objects", "create_address_object", {
name: "web-server-1",
type: "ip-netmask",
value: "10.0.1.100/32",
description: "Primary web server",
tags: ["production", "web"]
});
// Create address group
await useMcpTool("paloalto-objects", "create_address_group", {
name: "web-servers",
description: "All web servers",
members: ["web-server-1", "web-server-2"],
tags: ["production", "web"]
});
// Create dynamic address group
await useMcpTool("paloalto-objects", "create_dynamic_address_group", {
name: "active-web-servers",
description: "Web servers currently in use",
filter: "tag.production and tag.web and state.up"
});
Device Server (paloalto-device-server)
Device operations and monitoring.
Example: Device Management
// Get device status
const status = await useMcpTool("paloalto-device", "get_device_status", {});
// Commit changes
await useMcpTool("paloalto-device", "commit_changes", {
description: "Updated security policies",
admins: ["admin1"], // Optional: Specify which admin's changes to commit
});
// Backup configuration
await useMcpTool("paloalto-device", "backup_config", {
filename: "backup-2024-01-20.xml",
include_shared: true
});
Integration Patterns
1. Security Policy Deployment
async function deploySecurityPolicy() {
// 1. Create address objects
await useMcpTool("paloalto-objects", "create_address_object", {
name: "internal-subnet",
type: "ip-netmask",
value: "192.168.1.0/24"
});
// 2. Create security rules
await useMcpTool("paloalto-policy", "create_rule", {
rule_type: "security",
rule_data: {
name: "allow-outbound",
source: ["internal-subnet"],
destination: ["any"],
service: ["web-browsing"],
action: "allow"
}
});
// 3. Verify configuration
const rules = await useMcpTool("paloalto-policy", "get_security_rules", {});
// 4. Commit changes
await useMcpTool("paloalto-device", "commit_changes", {
description: "Deployed new security policy"
});
}
2. High Availability Configuration
async function configureHA() {
// 1. Configure HA interfaces
await useMcpTool("paloalto-config", "configure_ha", {
mode: "active-passive",
group: {
id: 1,
description: "Primary HA Group"
},
interfaces: {
ha1: {
port: "ethernet1/3",
ip: "10.0.0.1/24"
},
ha2: {
port: "ethernet1/4",
ip: "10.0.1.1/24"
}
}
});
// 2. Configure HA policy
await useMcpTool("paloalto-config", "configure_ha_policy", {
preemptive: true,
heartbeat_interval: 2000,
heartbeat_threshold: 3
});
// 3. Commit changes
await useMcpTool("paloalto-device", "commit_changes", {
description: "Configured HA settings"
});
}
Advanced Usage
1. Custom Rule Templates
const ruleTemplate = {
base: {
log_setting: "default",
profile_setting: {
group: ["default-protection"]
}
},
web: {
service: ["web-browsing"],
application: ["web-browsing"],
profile_setting: {
group: ["strict-web-protection"]
}
}
};
async function createRuleFromTemplate(type, customData) {
const template = {...ruleTemplate.base, ...ruleTemplate[type]};
await useMcpTool("paloalto-policy", "create_rule", {
rule_type: "security",
rule_data: {...template, ...customData}
});
}
2. Batch Operations
async function batchCreateObjects(objects) {
const results = [];
for (const obj of objects) {
try {
const result = await useMcpTool("paloalto-objects", "create_address_object", obj);
results.push({status: "success", name: obj.name});
} catch (error) {
results.push({status: "error", name: obj.name, error: error.message});
}
}
return results;
}
Troubleshooting
Common Issues
- API Connection Issues
// Test API connectivity
const status = await useMcpTool("paloalto-server", "test_connection", {
timeout: 5000,
verify_ssl: true
});
if (!status.success) {
console.error(`Connection failed: ${status.error}`);
// Check firewall accessibility
// Verify API key permissions
// Validate SSL certificates
}
- Rule Conflicts
// Analyze rule conflicts
const analysis = await useMcpTool("paloalto-policy", "analyze_rules", {
rule_type: "security",
checks: ["shadowing", "redundancy", "conflicts"]
});
if (analysis.issues.length > 0) {
console.log("Found rule issues:", analysis.issues);
}
- Commit Failures
try {
await useMcpTool("paloalto-device", "commit_changes", {
description: "Policy update"
});
} catch (error) {
if (error.code === "ConfigurationLocked") {
// Handle locked configuration
await useMcpTool("paloalto-device", "release_config_lock", {});
} else if (error.code === "ValidationError") {
// Handle validation errors
console.error("Configuration validation failed:", error.details);
}
}
Contributing
- Fork the repository
- Create a feature branch
git checkout -b feature/new-feature
- Commit your changes
git commit -m "Add new feature"
- Push to the branch
git push origin feature/new-feature
- Create a Pull Request
License
MIT License - see LICENSE file for details
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
MCP Package Docs Server
Facilitates LLMs to efficiently access and fetch structured documentation for packages in Go, Python, and NPM, enhancing software development with multi-language support and performance optimization.
Claude Code MCP
An implementation of Claude Code as a Model Context Protocol server that enables using Claude's software engineering capabilities (code generation, editing, reviewing, and file operations) through the standardized MCP interface.
@kazuph/mcp-taskmanager
Model Context Protocol server for Task Management. This allows Claude Desktop (or any MCP client) to manage and execute tasks in a queue-based system.
Linear MCP Server
Enables interaction with Linear's API for managing issues, teams, and projects programmatically through the Model Context Protocol.
mermaid-mcp-server
A Model Context Protocol (MCP) server that converts Mermaid diagrams to PNG images.
Jira-Context-MCP
MCP server to provide Jira Tickets information to AI coding agents like Cursor
Linear MCP Server
A Model Context Protocol server that integrates with Linear's issue tracking system, allowing LLMs to create, update, search, and comment on Linear issues through natural language interactions.
Sequential Thinking MCP Server
This server facilitates structured problem-solving by breaking down complex issues into sequential steps, supporting revisions, and enabling multiple solution paths through full MCP integration.