Prisma SD-WAN MCP Server

Enables AI agents to securely access and query Prisma SD-WAN operational data for inventory, health checks, topology analysis, and policy verification through natural language.

Disclaimer: This project is a personal work developed independently for educational and open-source purposes. It is not an official product of Palo Alto Networks, Inc. or any of its affiliates. All trademarks, service marks, and company names are the property of their respective owners.


A robust Model Context Protocol (MCP) server for Palo Alto Networks Prisma SD-WAN.

This server bridges the gap between AI agents (like Claude, Gemini, or custom LLMs) and your Prisma SD-WAN fabric. It enables secure, read-only access to operational data, allowing agents to perform tasks like inventory audits, health checks, topology analysis, and policy verification through natural language.

About

The Prisma SD-WAN MCP Server abstracts the complexity of the Prisma SASE API into clean, semantic tools that AI models can understand and call autonomously. Instead of navigating REST endpoints, pagination, and token management, your AI agent simply asks for what it needs.

Core Design Principles:

  • Safety First: Designed as a read-only interface. The only write operation is generate_site_config, which produces a local YAML file. No changes are pushed to your Prisma SD-WAN tenant.
  • Simplified Context: Raw API responses are parsed and trimmed to the fields that matter, keeping LLM context windows lean and focused.
  • Multi-Transport: Supports Stdio (for Claude Desktop and local clients), SSE (for remote/web agents), and Streamable HTTP.
  • Container Ready: Ships with a production-ready Dockerfile for consistent deployments.
  • Auto-Reauthentication: Handles OAuth2 token refresh transparently. Tokens last 15 minutes; the server re-authenticates before they expire.

Features

| Category | Capabilities |
| --- | --- |
| Site Management | List all SD-WAN sites, retrieve individual site details and configurations |
| Element Inventory | View ION devices, their status, hardware details, and software versions |
| Network Topology | Retrieve the full SD-WAN topology graph showing site-to-site connectivity |
| Interfaces | Inspect LAN and WAN interfaces per site and element |
| Routing | Query BGP peer configurations and static routes per element |
| Policy & Security | View policy set definitions and security zone assignments |
| Events & Alarms | Query recent events and retrieve active alarms filtered by severity |
| Applications | Browse application definitions used across the fabric |
| Config Generation | Generate validated site configuration YAML files from template data |

Prerequisites

  • Python 3.10+
  • A Prisma SASE tenant with API access enabled
  • A Service Account with at least read-only privileges
  • Service Account credentials:
    • Client ID
    • Client Secret
    • TSG ID (Tenant Service Group)

Creating a Service Account

  1. Log in to the Prisma SASE Portal
  2. Navigate to Settings > Identity & Access > Service Accounts
  3. Create a new service account with the Prisma SD-WAN app and a read-only role
  4. Note down the Client ID, Client Secret, and your TSG ID

Installation

From Source

git clone <repo-url>
cd prisma-sdwan
pip install fastmcp prisma-sase python-dotenv pyyaml jsonschema

Using Docker

docker build -t prisma-sdwan-mcp .

Configuration

Environment Variables

| Variable | Description | Required |
| --- | --- | --- |
| PAN_CLIENT_ID | Service Account Client ID (e.g., name@tsg.iam.panserviceaccount.com) | Yes |
| PAN_CLIENT_SECRET | Service Account Client Secret | Yes |
| PAN_TSG_ID | Tenant Service Group ID | Yes |
| PAN_REGION | API region: americas or europe (default: americas) | No |

.env File

Create a .env file in the prisma-sdwan/ directory:

PAN_CLIENT_ID=myaccount@1234567890.iam.panserviceaccount.com
PAN_CLIENT_SECRET=abc123-your-secret-here
PAN_TSG_ID=1234567890
PAN_REGION=americas

Security Note: Never commit your .env file to version control. It's already included in .gitignore.

Usage

The server supports three transport modes depending on how your AI client connects.

Stdio Mode (Default)

Best for local integrations like Claude Desktop or CLI-based MCP clients.

python prisma_sdwan_mcp_server.py --transport stdio

SSE Mode

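Best for remote or web-based AI agents. With --host 0.0.0.0 the server listens on every network interface of the host, so limit who can reach the port (for example with a firewall rule or a reverse proxy) or bind to a specific address instead.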

python prisma_sdwan_mcp_server.py --transport sse --host 0.0.0.0 --port 8000

Streamable HTTP Mode

python prisma_sdwan_mcp_server.py --transport streamable-http --host 0.0.0.0 --port 8000

Docker

# Stdio mode (default)
docker run -i --rm \
  -e PAN_CLIENT_ID=myaccount@tsg.iam.panserviceaccount.com \
  -e PAN_CLIENT_SECRET=your-secret \
  -e PAN_TSG_ID=1234567890 \
  prisma-sdwan-mcp --transport stdio

# SSE mode with port mapping
docker run -d --rm \
  -p 8000:8000 \
  -e PAN_CLIENT_ID=myaccount@tsg.iam.panserviceaccount.com \
  -e PAN_CLIENT_SECRET=your-secret \
  -e PAN_TSG_ID=1234567890 \
  prisma-sdwan-mcp --transport sse --host 0.0.0.0 --port 8000

Client Integration

Claude Desktop

Add the following to your Claude Desktop MCP configuration file:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "prisma-sdwan": {
      "command": "python",
      "args": [
        "/absolute/path/to/prisma_sdwan_mcp_server.py",
        "--transport",
        "stdio"
      ],
      "env": {
        "PAN_CLIENT_ID": "myaccount@tsg.iam.panserviceaccount.com",
        "PAN_CLIENT_SECRET": "your-secret",
        "PAN_TSG_ID": "1234567890"
      }
    }
  }
}

With Docker:

{
  "mcpServers": {
    "prisma-sdwan": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-e", "PAN_CLIENT_ID",
        "-e", "PAN_CLIENT_SECRET",
        "-e", "PAN_TSG_ID",
        "prisma-sdwan-mcp",
        "--transport", "stdio"
      ],
      "env": {
        "PAN_CLIENT_ID": "myaccount@tsg.iam.panserviceaccount.com",
        "PAN_CLIENT_SECRET": "your-secret",
        "PAN_TSG_ID": "1234567890"
      }
    }
  }
}

Gemini CLI

Add to your settings.json:

{
  "mcpServers": {
    "prisma-sdwan": {
      "command": "python",
      "args": [
        "/absolute/path/to/prisma_sdwan_mcp_server.py",
        "--transport",
        "stdio"
      ],
      "env": {
        "PAN_CLIENT_ID": "myaccount@tsg.iam.panserviceaccount.com",
        "PAN_CLIENT_SECRET": "your-secret",
        "PAN_TSG_ID": "1234567890"
      }
    }
  }
}

OpenCode / Other MCP Clients

Any MCP-compatible client can connect using the stdio transport. Point it at prisma_sdwan_mcp_server.py with the --transport stdio argument and supply the required environment variables.

Available Tools

All tools return JSON-formatted data optimized for LLM consumption.

| Tool Name | Description | Parameters |
| --- | --- | --- |
| get_sites | List all SD-WAN sites or retrieve a specific site by ID | site_id (optional) |
| get_elements | List all ION device elements or a specific element | element_id (optional) |
| get_machines | Hardware inventory: chassis serial numbers, models, and machine details | machine_id (optional) |
| get_interfaces | LAN and WAN interfaces for a given element at a site | site_id, element_id |
| get_wan_interfaces | WAN interface configurations for a site | site_id |
| get_policy_sets | SD-WAN policy set definitions (path, QoS, NAT rules) | None |
| get_security_zones | Security zone definitions across the fabric | None |
| get_bgp_peers | BGP peer configurations for a specific element at a site | site_id, element_id |
| get_static_routes | Static route table for an element | site_id, element_id |
| get_element_status | Operational status and health of an ION element | element_id |
| get_software_status | Software version, upgrade state, and image details | element_id |
| get_app_defs | Application definitions used in policy and reporting | None |
| get_topology | Full SD-WAN anynet topology graph (nodes, links, and status) | None |
| get_events | Recent events across all severity levels (critical, major, minor) | limit (optional, default: 20) |
| get_alarms | Active major and critical alarms | limit (optional, default: 20) |
| generate_site_config | Generate a validated site configuration YAML file | site_id, elements, filename (optional), overwrite (optional) |
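
generate_site_config is the one tool that writes to disk, and its filename and overwrite arguments are chosen by the agent. The sketch below is an added example, not code from this project: it shows one way to confine such a write to a fixed output directory and to honour overwrite atomically. The function names, the default file name, and the output directory argument are assumptions.

```python
import os
import re
from pathlib import Path

# Bare file name only: no separators, no leading dot, .yaml or .yml suffix.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.ya?ml")


def resolve_output_path(out_dir, site_id, filename=None):
    """Return a path directly inside out_dir, or raise ValueError."""
    name = filename or f"site_{site_id}.yaml"  # hypothetical default name
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected filename: {name!r}")
    base = Path(out_dir).resolve()
    target = (base / name).resolve()           # resolves symlinks too
    if target.parent != base:
        raise ValueError(f"path escapes output directory: {name!r}")
    return target


def write_site_config(out_dir, site_id, yaml_text, filename=None, overwrite=False):
    """Write the YAML; an existing file is replaced only if overwrite=True."""
    target = resolve_output_path(out_dir, site_id, filename)
    # O_EXCL makes "create only if absent" atomic, so there is no window
    # between an existence check and the write.
    flags = os.O_WRONLY | os.O_CREAT | (os.O_TRUNC if overwrite else os.O_EXCL)
    flags |= getattr(os, "O_NOFOLLOW", 0)      # never write through a symlink
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(yaml_text)
    return target


def is_rejected(out_dir, filename):
    """True if the requested filename would be refused."""
    try:
        resolve_output_path(out_dir, "12345", filename)
    except ValueError:
        return True
    return False
```

A second write to the same name without overwrite=True raises FileExistsError, which a tool can return to the agent as a normal error result.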

Example Prompts

Once connected, try asking your AI agent:

  • "Show me all sites in the SD-WAN fabric."
  • "What ION devices are deployed and what software versions are they running?"
  • "Pull the BGP peers for the element at site DC-West."
  • "Are there any critical alarms right now?"
  • "Show me the full network topology."
  • "Generate a site config YAML for site ID 12345."
  • "List all WAN interfaces at the headquarters site."

Architecture

┌──────────────────┐         ┌──────────────────────┐         ┌─────────────────────┐
│   AI Agent       │  MCP    │  Prisma SD-WAN MCP   │  REST   │  Prisma SASE API    │
│  (Claude, etc.)  │◄──────►│  Server               │◄──────►│  api.sase.palo...   │
│                  │  stdio/ │  prisma_sdwan_mcp_    │  HTTPS  │                     │
│                  │  SSE    │  server.py            │         │                     │
└──────────────────┘         └──────────────────────┘         └─────────────────────┘

The server acts as a translation layer:

  1. The AI agent calls an MCP tool (e.g., get_sites)
  2. The server maps that call to the appropriate Prisma SASE REST API endpoint
  3. It handles authentication, pagination, and error recovery automatically
  4. The response is parsed, simplified, and returned as clean JSON

Key Implementation Details:

  • Single-file architecture: all logic lives in prisma_sdwan_mcp_server.py
  • OAuth2 authentication via prisma_sase SDK with automatic token refresh
  • Auto-reauth on 401/403 responses or token expiry
  • Config validation using JSON Schema (schema.json) for generated YAML files
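
The re-authentication behaviour described here and under Auto-Reauthentication (15-minute tokens, refresh before expiry, re-login on 401/403) can be sketched as follows. This is an added example, not the project's code and not the prisma_sase SDK: ReauthSession, the login callable, and the 60-second margin are assumptions, and the clock and API replies in demo() are constructed.

```python
import time

TOKEN_LIFETIME_S = 15 * 60  # README: tokens last 15 minutes
REFRESH_MARGIN_S = 60       # assumed safety margin, not a project value


class ReauthSession:
    """Renews the token before expiry and retries once after a 401/403."""

    def __init__(self, login, clock=time.monotonic):
        self._login = login      # hypothetical callable doing the OAuth2 login
        self._clock = clock
        self._issued_at = None
        self.logins = 0

    def _ensure_token(self, force=False):
        stale = (self._issued_at is None or
                 self._clock() - self._issued_at >= TOKEN_LIFETIME_S - REFRESH_MARGIN_S)
        if force or stale:
            self._login()
            self._issued_at = self._clock()
            self.logins += 1

    def call(self, request):
        """request() returns (status, body); it is retried at most once."""
        self._ensure_token()
        status, body = request()
        if status in (401, 403):
            self._ensure_token(force=True)
            status, body = request()
            if status in (401, 403):
                # Still denied with a fresh token: a credential or role
                # problem, so surface it instead of looping on logins.
                raise PermissionError(f"HTTP {status} after re-authentication")
        return status, body


def demo():
    """Constructed scenario: fake clock and fake API replies, no network."""
    now = [0.0]
    session = ReauthSession(login=lambda: None, clock=lambda: now[0])
    replies = iter([(200, "sites"), (200, "sites"), (401, ""), (200, "alarms")])
    session.call(lambda: next(replies))    # first use logs in
    now[0] = 14 * 60 + 30                  # inside the refresh margin
    session.call(lambda: next(replies))    # proactive re-login
    now[0] += 10
    status, body = session.call(lambda: next(replies))  # 401, re-login, retry
    return session.logins, status, body
```

Capping the retry at one keeps a persistent 403 from an under-privileged service account from turning into a login loop against the identity endpoint.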

Troubleshooting

| Problem | Likely Cause | Fix |
| --- | --- | --- |
| Connection refused or timeout | No internet connectivity to Prisma SASE API | Verify you can reach api.sase.paloaltonetworks.com from your host |
| Authentication failed | Incorrect credentials | Double-check PAN_CLIENT_ID, PAN_CLIENT_SECRET, and PAN_TSG_ID |
| 403 Forbidden | Insufficient permissions | Ensure the service account role includes SD-WAN read access |
| Token expired errors | Shouldn't happen (auto-refresh) | If persistent, restart the server. Tokens are refreshed every 15 minutes automatically |
| ModuleNotFoundError: prisma_sase | Missing dependency | Run pip install prisma-sase |
| Empty responses | Tenant has no data | Verify your TSG ID matches a tenant with active SD-WAN sites |
| Region mismatch | Wrong API region | Set PAN_REGION=europe if your tenant is in the EU region |

Debug Logging

Server logs are written to stderr. To capture them:

python prisma_sdwan_mcp_server.py --transport stdio 2>debug.log

Contributing

Contributions are welcome! Here's how to get started:

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/my-new-tool)
  3. Follow existing code conventions (single-file architecture, @mcp.tool() pattern)
  4. Test against a live or mock Prisma SASE tenant
  5. Submit a Pull Request with a clear description of your changes

When adding new tools:

  • Place them in prisma_sdwan_mcp_server.py following the @mcp.tool() decorator pattern
  • Return json.dumps(data, indent=2) from every tool
  • Keep responses trimmed to essential fields for LLM context efficiency

License

This project is licensed under the MIT License.
