Fortinet MCP Server
A complete Model Context Protocol (MCP) server for Fortinet FortiOS 7.6.6
FortiOS 7.6.x MCP Server
A complete Model Context Protocol (MCP) server for Fortinet FortiOS 7.6.x — exposing the entire REST API (1536 endpoints) as typed MCP tools usable from Claude Desktop, Cursor, or any MCP-compatible client.
Table of Contents
- Features
- Tool Categories
- Requirements
- Quick Start
- HTTP Mode
- Usage Examples
- Project Structure
- Security Notes
- Contributing
- License
Features
- 204+ typed MCP tools organized by functional area (system, firewall, VPN, router, user, monitor, log, security, wireless)
- 5 generic pass-through tools that cover all 1,536 FortiOS API endpoints
- Async HTTP client with Bearer-token authentication via
httpx - Full support for CMDB, Monitor, Log, and Service API sections
- Configurable SSL verification (self-signed certificates supported)
- Compatible with multi-VDOM environments
- Runs as stdio (Claude Desktop) or HTTP server (remote/cloud use)
Tool Categories
| Module | # Tools | Description |
|---|---|---|
| Generic | 5 | cmdb_list/get/create/update/delete, monitor_get/action, log_get, service_call — cover ALL endpoints |
| System | 27 | Interfaces, DNS, NTP, admins, DHCP, SNMP, certificates, VDOMs, syslog |
| Firewall | 32 | Policies (IPv4/IPv6), addresses, address groups, services, VIPs, IP pools, schedules, sessions |
| VPN | 22 | IPsec Phase 1/2, SSL VPN portals/settings, tunnel up/down, VPN certificates |
| Router | 17 | Static routes, OSPF, BGP, RIP, prefix lists, route maps, SD-WAN health |
| User | 18 | Local users, groups, RADIUS, LDAP, TACACS+, SAML, authenticated sessions |
| Monitor | 18 | ARP, FortiView top talkers, endpoint control, IPS stats, switch controller, config backup |
| Log | 18 | Traffic, event, VPN, user, virus, webfilter, IPS, app-ctrl, DNS logs + log config |
| Security | 29 | IPS, AV, webfilter, app control, DLP, email filter, DNS filter, WAF, ICAP, ssh-filter, ZTNA |
| Wireless | 18 | AP profiles, WTPs, SSIDs (VAPs), Hotspot 2.0, connected clients, rogue APs |
Total: 204+ tools
Requirements
| Requirement | Version |
|---|---|
| Python | 3.11+ |
| Package manager | uv (recommended) or pip |
| FortiGate | FortiOS 7.6.x |
| Auth | REST API admin account with Bearer token |
Quick Start
1. Create API Token on FortiGate
- Log into your FortiGate Web UI
- Navigate to System > Administrators
- Click Create New > REST API Admin
- Assign an admin profile (
super_adminfor full access, or a restricted profile following least-privilege) - Copy the generated API token — it is shown only once
2. Install dependencies
git clone https://github.com/paoloamato2/fortinet-mcp-server.git
cd fortinet-mcp-server
# Using uv (recommended)
uv sync
# Or using pip
pip install -e .
3. Configure environment
cp .env.example .env
Edit .env:
FORTIOS_HOST=https://192.168.1.1
FORTIOS_API_TOKEN=your-token-here
FORTIOS_VDOM=root
FORTIOS_VERIFY_SSL=false
FORTIOS_TIMEOUT=30
4. Run with MCP Inspector
uv run mcp dev server.py
5. Install in Claude Desktop
uv run mcp install server.py --name "FortiOS"
Or manually add to claude_desktop_config.json:
{
"mcpServers": {
"fortios": {
"command": "uv",
"args": [
"run",
"--directory", "/absolute/path/to/fortinet-mcp-server",
"python", "server.py"
],
"env": {
"FORTIOS_HOST": "https://192.168.1.1",
"FORTIOS_API_TOKEN": "your-api-token",
"FORTIOS_VDOM": "root",
"FORTIOS_VERIFY_SSL": "false"
}
}
}
}
On macOS,
claude_desktop_config.jsonis at~/Library/Application Support/Claude/claude_desktop_config.json.
On Windows, it is at%APPDATA%\Claude\claude_desktop_config.json.
HTTP Mode
To run as a remote HTTP server instead of stdio:
MCP_TRANSPORT=streamable-http MCP_PORT=8000 uv run server.py
Connect via http://localhost:8000/mcp.
This mode is useful for shared team setups or cloud-hosted deployments.
Usage Examples
Via Claude Desktop
Once installed, you can ask Claude natural-language questions such as:
- "Show me all firewall policies that deny traffic"
- "Which IPsec tunnels are currently down?"
- "List all interfaces with their IP addresses"
- "Which route would be used to reach 8.8.8.8?"
- "Show the top 20 traffic sources in FortiView"
- "Are there any failed admin login attempts in the logs?"
Direct Tool Invocations
# List firewall policies filtered by action
firewall_policy_list(filter_action="deny")
# Get system status
system_status()
# Check IPsec VPN tunnels
monitor_vpn_ipsec()
# Query forward traffic logs for a specific source IP
log_traffic_forward(srcip="10.10.1.100", rows=50)
# Generic: list any CMDB resource (full API coverage)
cmdb_list("casb/profile")
cmdb_list("wireless-controller.hotspot20/hs-profile")
# Generic: get any monitor data
monitor_get("registration/forticloud")
Project Structure
fortinet-mcp-server/
├── server.py # FastMCP entry point, lifespan, tool registration
├── fortios_client.py # Async HTTP client (CMDB/Monitor/Log/Service)
├── pyproject.toml # Project metadata and dependencies
├── .env.example # Environment variable template
├── README.md # This file
└── tools/
├── __init__.py
├── generic.py # Generic pass-through tools (all 1536 endpoints)
├── system.py # System config + monitoring
├── firewall.py # Firewall policies, addresses, VIPs, sessions
├── vpn.py # IPsec + SSL VPN config and monitoring
├── router.py # Static routes, OSPF, BGP, SD-WAN
├── user.py # Local users, groups, RADIUS, LDAP, sessions
├── monitor.py # Network monitoring, FortiView, endpoint control
├── log.py # Log retrieval and configuration
├── security.py # IPS, AV, webfilter, DLP, WAF, ZTNA profiles
└── wireless.py # WiFi APs, SSIDs, clients, rogue APs
Security Notes
- The API token grants the same access level as its associated admin profile. Follow the principle of least privilege — create a restricted profile if you only need read access.
- Set
FORTIOS_VERIFY_SSL=truein production and ensure your FortiGate has a valid TLS certificate. - The server runs locally over stdio by default — it is not exposed over the network unless HTTP mode is enabled.
- Never commit your
.envfile or expose your API token in logs, issues, or code. - Rotate your API token regularly and revoke it immediately if compromised.
Contributing
Contributions are welcome! Please read CONTRIBUTING.md before submitting a pull request.
- Bug reports and feature requests → open an issue
- Security vulnerabilities → see SECURITY.md
- Code of conduct → CODE_OF_CONDUCT.md
License
This project is licensed under the MIT License — see LICENSE for details.
Disclaimer: This project is not affiliated with or endorsed by Fortinet, Inc. FortiOS and FortiGate are trademarks of Fortinet, Inc.
Máy chủ liên quan
Bitcoin MCP Server
MCP server dedicated to the Bitcoin ecosystem for traders, analysts, developers, and more.
News MCP
Provides access to news articles from a PostgreSQL database and offers a tool to summarize them using the OpenAI API.
Meridian Edge
Real-time prediction market consensus data aggregated from multiple regulated prediction markets. 5 MCP tools for consensus probabilities, divergence opportunities, market signals, active markets, and settlements. Free tier: 100 calls/day, no credit card.
Cotrader
AI-powered stock screener for 11,000+ US stocks. Screen using natural language and detect chart patterns via MCP.
Aegis-SSH-MCP
Secure Zero-Trust SSH Gateway for AI Agents. A Go-based Model Context Protocol (MCP) server featuring runtime Regex Command Firewalls and multi-host isolation.
CSRD Sustainability Reporting MCP
EU Corporate Sustainability Reporting Directive compliance — ESRS data points, double materiality assessments, audit trails, and XBRL-ready outputs for ESG reporting.
AI Incident Reporting MCP
AI incident detection, classification, and regulatory reporting — covers EU AI Act Article 62, NIST AI RMF, and OECD frameworks
BlazeMeter MCP Server
MCP Server for AI-driven BlazeMeter performance testing
GiveReady
Search 41,000+ verified nonprofits across 29 cause areas, submit enrichments back to thin profiles, and donate via x402 USDC with zero platform fees.
DORA-NIS2 Crosswalk MCP
Maps controls between EU DORA and NIS2 frameworks — identifies overlapping requirements, generates unified compliance matrices, and reduces duplicate audit effort for financial and critical infrastructure entities.