Provides CMDB asset queries, firewall object details, and policy audit capabilities via MCP clients.
Configuration

{
  "mcpServers": {
    "1182872360-firewall-mcp": {
      "command": "uv",
      "args": [
        "run",
        "mcp_server.py"
      ],
      "env": {
        "CMDB_APP_ID": "c9a37...",
        "CMDB_SERVER": "http://10.1.4.100",
        "FW_HOSTNAME": "10.1.2.150",
        "FW_PASSWORD": "your_password",
        "FW_USERNAME": "admin",
        "CMDB_VIEW_ID": "f0410...",
        "CMDB_APP_SECRET": "3d22e..."
      }
    }
  }
}

You can query firewall assets, inspect firewall objects, and audit firewall policies through an MCP client. This server combines CMDB asset lookup with Panorama/NGFW policy auditing, enabling you to drive policy governance from any MCP-compatible client in a secure, scalable way.
Connect your MCP client to the Firewall Governance MCP Server to perform three core actions: asset lookup, object details, and policy audits. Use the provided tools to search CMDB assets by keyword, fetch firewall object summaries by IP, and retrieve policies that match given source and optional destination IPs. The tools return structured results that you can feed into your governance workflows, reports, or automation routines.
# Enter the working directory
cd ai_agents/firewall_governance/firewall-mcp
# 1. Configure environment variables (example values; replace them with your real values)
export FW_HOSTNAME="10.1.2.150"
export FW_USERNAME="admin"
export FW_PASSWORD="your_password"
# Set the CMDB variables as needed
export CMDB_SERVER="http://10.1.4.100"
export CMDB_APP_ID="c9a37..."
export CMDB_APP_SECRET="3d22e..."
export CMDB_VIEW_ID="f0410..."
# 2. Start the server (local development/debug mode)
uv run mcp_server.py

# Method 2: intranet distribution without source code; build first, then run on the target machine
# Build stage (build artifacts are written to the dist/ directory)
uv pip install build
uv run -m build
# Run stage (execute on the target machine)
export FW_HOSTNAME="10.1.2.150"
export FW_PASSWORD="xxx"
export CMDB_SERVER="http://10.1.4.100"
export CMDB_APP_ID="YOUR_APP_ID"
export CMDB_APP_SECRET="YOUR_APP_SECRET"
export CMDB_VIEW_ID="YOUR_VIEW_ID"
uvx --from ./dist/firewall_governance_mcp-0.1.0-py3-none-any.whl firewall-mcp

{
  "mcpServers": {
    "firewall-governance": {
      "command": "uvx",
      "args": [
        "--from",
        "git+ssh://[email protected]/script/ae/mcp-server.git#subdirectory=firewall-mcp",
        "firewall-mcp"
      ],
      "env": {
        "FW_HOSTNAME": "10.1.2.150",
        "FW_USERNAME": "admin",
        "FW_PASSWORD": "your_password",
        "CMDB_SERVER": "http://10.1.4.100",
        "CMDB_APP_ID": "YOUR_APP_ID",
        "CMDB_APP_SECRET": "YOUR_APP_SECRET"
      }
    }
  }
}

Security and operational considerations: keep firewall credentials and CMDB secrets in protected environment variables. Use least privilege for the firewall administrator account and rotate credentials periodically. Monitor MCP logs for authentication attempts and audit results. Ensure network access between the MCP server, CMDB, and firewall management interfaces is restricted to trusted networks.
Notes on usage patterns: for asset lookups, combine keyword searches with filters like owner, data center, or description to narrow results. When auditing policies, provide source IPs and optionally destination IPs to retrieve matching rules along with their actions, services, and Shadow state.
Asset lookup by keyword (system name/IP/abbreviation) returning assets with IP, Owner, DC, and description.
Object perspective by target IP returning firewall object details (Name, Zone, Tags).
Policy audit by source IP and optional destination IP returning matching rules with Action, Service, and Shadow state.