Fortinet MCP Server
A complete Model Context Protocol (MCP) server for Fortinet FortiOS 7.6.6
FortiOS 7.6.x MCP Server
A complete Model Context Protocol (MCP) server for Fortinet FortiOS 7.6.x — exposing the entire REST API (1536 endpoints) as typed MCP tools usable from Claude Desktop, Cursor, or any MCP-compatible client.
Table of Contents
- Features
- Tool Categories
- Requirements
- Quick Start
- HTTP Mode
- Usage Examples
- Project Structure
- Security Notes
- Contributing
- License
Features
- 204+ typed MCP tools organized by functional area (system, firewall, VPN, router, user, monitor, log, security, wireless)
- 5 generic pass-through tools that cover all 1,536 FortiOS API endpoints
- Async HTTP client with Bearer-token authentication via
httpx - Full support for CMDB, Monitor, Log, and Service API sections
- Configurable SSL verification (self-signed certificates supported)
- Compatible with multi-VDOM environments
- Runs as stdio (Claude Desktop) or HTTP server (remote/cloud use)
Tool Categories
| Module | # Tools | Description |
|---|---|---|
| Generic | 5 | cmdb_list/get/create/update/delete, monitor_get/action, log_get, service_call — cover ALL endpoints |
| System | 27 | Interfaces, DNS, NTP, admins, DHCP, SNMP, certificates, VDOMs, syslog |
| Firewall | 32 | Policies (IPv4/IPv6), addresses, address groups, services, VIPs, IP pools, schedules, sessions |
| VPN | 22 | IPsec Phase 1/2, SSL VPN portals/settings, tunnel up/down, VPN certificates |
| Router | 17 | Static routes, OSPF, BGP, RIP, prefix lists, route maps, SD-WAN health |
| User | 18 | Local users, groups, RADIUS, LDAP, TACACS+, SAML, authenticated sessions |
| Monitor | 18 | ARP, FortiView top talkers, endpoint control, IPS stats, switch controller, config backup |
| Log | 18 | Traffic, event, VPN, user, virus, webfilter, IPS, app-ctrl, DNS logs + log config |
| Security | 29 | IPS, AV, webfilter, app control, DLP, email filter, DNS filter, WAF, ICAP, ssh-filter, ZTNA |
| Wireless | 18 | AP profiles, WTPs, SSIDs (VAPs), Hotspot 2.0, connected clients, rogue APs |
Total: 204+ tools
Requirements
| Requirement | Version |
|---|---|
| Python | 3.11+ |
| Package manager | uv (recommended) or pip |
| FortiGate | FortiOS 7.6.x |
| Auth | REST API admin account with Bearer token |
Quick Start
1. Create API Token on FortiGate
- Log into your FortiGate Web UI
- Navigate to System > Administrators
- Click Create New > REST API Admin
- Assign an admin profile (
super_adminfor full access, or a restricted profile following least-privilege) - Copy the generated API token — it is shown only once
2. Install dependencies
git clone https://github.com/paoloamato2/fortinet-mcp-server.git
cd fortinet-mcp-server
# Using uv (recommended)
uv sync
# Or using pip
pip install -e .
3. Configure environment
cp .env.example .env
Edit .env:
FORTIOS_HOST=https://192.168.1.1
FORTIOS_API_TOKEN=your-token-here
FORTIOS_VDOM=root
FORTIOS_VERIFY_SSL=false
FORTIOS_TIMEOUT=30
4. Run with MCP Inspector
uv run mcp dev server.py
5. Install in Claude Desktop
uv run mcp install server.py --name "FortiOS"
Or manually add to claude_desktop_config.json:
{
"mcpServers": {
"fortios": {
"command": "uv",
"args": [
"run",
"--directory", "/absolute/path/to/fortinet-mcp-server",
"python", "server.py"
],
"env": {
"FORTIOS_HOST": "https://192.168.1.1",
"FORTIOS_API_TOKEN": "your-api-token",
"FORTIOS_VDOM": "root",
"FORTIOS_VERIFY_SSL": "false"
}
}
}
}
On macOS,
claude_desktop_config.jsonis at~/Library/Application Support/Claude/claude_desktop_config.json.
On Windows, it is at%APPDATA%\Claude\claude_desktop_config.json.
HTTP Mode
To run as a remote HTTP server instead of stdio:
MCP_TRANSPORT=streamable-http MCP_PORT=8000 uv run server.py
Connect via http://localhost:8000/mcp.
This mode is useful for shared team setups or cloud-hosted deployments.
Usage Examples
Via Claude Desktop
Once installed, you can ask Claude natural-language questions such as:
- "Show me all firewall policies that deny traffic"
- "Which IPsec tunnels are currently down?"
- "List all interfaces with their IP addresses"
- "Which route would be used to reach 8.8.8.8?"
- "Show the top 20 traffic sources in FortiView"
- "Are there any failed admin login attempts in the logs?"
Direct Tool Invocations
# List firewall policies filtered by action
firewall_policy_list(filter_action="deny")
# Get system status
system_status()
# Check IPsec VPN tunnels
monitor_vpn_ipsec()
# Query forward traffic logs for a specific source IP
log_traffic_forward(srcip="10.10.1.100", rows=50)
# Generic: list any CMDB resource (full API coverage)
cmdb_list("casb/profile")
cmdb_list("wireless-controller.hotspot20/hs-profile")
# Generic: get any monitor data
monitor_get("registration/forticloud")
Project Structure
fortinet-mcp-server/
├── server.py # FastMCP entry point, lifespan, tool registration
├── fortios_client.py # Async HTTP client (CMDB/Monitor/Log/Service)
├── pyproject.toml # Project metadata and dependencies
├── .env.example # Environment variable template
├── README.md # This file
└── tools/
├── __init__.py
├── generic.py # Generic pass-through tools (all 1536 endpoints)
├── system.py # System config + monitoring
├── firewall.py # Firewall policies, addresses, VIPs, sessions
├── vpn.py # IPsec + SSL VPN config and monitoring
├── router.py # Static routes, OSPF, BGP, SD-WAN
├── user.py # Local users, groups, RADIUS, LDAP, sessions
├── monitor.py # Network monitoring, FortiView, endpoint control
├── log.py # Log retrieval and configuration
├── security.py # IPS, AV, webfilter, DLP, WAF, ZTNA profiles
└── wireless.py # WiFi APs, SSIDs, clients, rogue APs
Security Notes
- The API token grants the same access level as its associated admin profile. Follow the principle of least privilege — create a restricted profile if you only need read access.
- Set
FORTIOS_VERIFY_SSL=truein production and ensure your FortiGate has a valid TLS certificate. - The server runs locally over stdio by default — it is not exposed over the network unless HTTP mode is enabled.
- Never commit your
.envfile or expose your API token in logs, issues, or code. - Rotate your API token regularly and revoke it immediately if compromised.
Contributing
Contributions are welcome! Please read CONTRIBUTING.md before submitting a pull request.
- Bug reports and feature requests → open an issue
- Security vulnerabilities → see SECURITY.md
- Code of conduct → CODE_OF_CONDUCT.md
License
This project is licensed under the MIT License — see LICENSE for details.
Disclaimer: This project is not affiliated with or endorsed by Fortinet, Inc. FortiOS and FortiGate are trademarks of Fortinet, Inc.
Related Servers
Rami Levy
An MCP server for interacting with the Rami Levy online grocery store API.
Funding Rate MCP
Hyperliquid perpetual funding rate scanner. Scans 229 markets for extreme hourly rates — a known, published-in-advance edge for collecting funding payments.
DORA-NIS2 Crosswalk MCP
Maps controls between EU DORA and NIS2 frameworks — identifies overlapping requirements, generates unified compliance matrices, and reduces duplicate audit effort for financial and critical infrastructure entities.
Servicialo
Open protocol for professional service delivery. AI agents can discover, schedule, verify and settle professional services.
Twitter (X) Ads MCP
Connect Twitter (X) Ads to Claude or ChatGPT via Two Minute Reports MCP to track engagements, retweets, CPC, CPM, etc across multiple campaigns.
Emailens Mcp
MCP server for email compatibility analysis. Analyze, preview, diff, and fix HTML emails across 15 email clients — plus capture real screenshots and create shareable links with an optional API key.
isleep
An MCP server that lets AI agents sleep for a specified duration.
WeGene Assistant
Analyze your WeGene genetic testing report using large language models.
SpeedOf.Me Speed Test MCP
Official SpeedOf.Me server for AI agents - accurate speed tests via 129 global edge servers with analytics dashboard.
Factory Insight Service
Analyzes manufacturing production capacity, including evaluations, equipment, processes, and factory distribution to assess enterprise strength.