Fortinet MCP Server
A complete Model Context Protocol (MCP) server for Fortinet FortiOS 7.6.6
FortiOS 7.6.x MCP Server
A complete Model Context Protocol (MCP) server for Fortinet FortiOS 7.6.x — exposing the entire REST API (1536 endpoints) as typed MCP tools usable from Claude Desktop, Cursor, or any MCP-compatible client.
Table of Contents
- Features
- Tool Categories
- Requirements
- Quick Start
- HTTP Mode
- Usage Examples
- Project Structure
- Security Notes
- Contributing
- License
Features
- 204+ typed MCP tools organized by functional area (system, firewall, VPN, router, user, monitor, log, security, wireless)
- 5 generic pass-through tools that cover all 1,536 FortiOS API endpoints
- Async HTTP client with Bearer-token authentication via
httpx - Full support for CMDB, Monitor, Log, and Service API sections
- Configurable SSL verification (self-signed certificates supported)
- Compatible with multi-VDOM environments
- Runs as stdio (Claude Desktop) or HTTP server (remote/cloud use)
Tool Categories
| Module | # Tools | Description |
|---|---|---|
| Generic | 5 | cmdb_list/get/create/update/delete, monitor_get/action, log_get, service_call — cover ALL endpoints |
| System | 27 | Interfaces, DNS, NTP, admins, DHCP, SNMP, certificates, VDOMs, syslog |
| Firewall | 32 | Policies (IPv4/IPv6), addresses, address groups, services, VIPs, IP pools, schedules, sessions |
| VPN | 22 | IPsec Phase 1/2, SSL VPN portals/settings, tunnel up/down, VPN certificates |
| Router | 17 | Static routes, OSPF, BGP, RIP, prefix lists, route maps, SD-WAN health |
| User | 18 | Local users, groups, RADIUS, LDAP, TACACS+, SAML, authenticated sessions |
| Monitor | 18 | ARP, FortiView top talkers, endpoint control, IPS stats, switch controller, config backup |
| Log | 18 | Traffic, event, VPN, user, virus, webfilter, IPS, app-ctrl, DNS logs + log config |
| Security | 29 | IPS, AV, webfilter, app control, DLP, email filter, DNS filter, WAF, ICAP, ssh-filter, ZTNA |
| Wireless | 18 | AP profiles, WTPs, SSIDs (VAPs), Hotspot 2.0, connected clients, rogue APs |
Total: 204+ tools
Requirements
| Requirement | Version |
|---|---|
| Python | 3.11+ |
| Package manager | uv (recommended) or pip |
| FortiGate | FortiOS 7.6.x |
| Auth | REST API admin account with Bearer token |
Quick Start
1. Create API Token on FortiGate
- Log into your FortiGate Web UI
- Navigate to System > Administrators
- Click Create New > REST API Admin
- Assign an admin profile (
super_adminfor full access, or a restricted profile following least-privilege) - Copy the generated API token — it is shown only once
2. Install dependencies
git clone https://github.com/paoloamato2/fortinet-mcp-server.git
cd fortinet-mcp-server
# Using uv (recommended)
uv sync
# Or using pip
pip install -e .
3. Configure environment
cp .env.example .env
Edit .env:
FORTIOS_HOST=https://192.168.1.1
FORTIOS_API_TOKEN=your-token-here
FORTIOS_VDOM=root
FORTIOS_VERIFY_SSL=false
FORTIOS_TIMEOUT=30
4. Run with MCP Inspector
uv run mcp dev server.py
5. Install in Claude Desktop
uv run mcp install server.py --name "FortiOS"
Or manually add to claude_desktop_config.json:
{
"mcpServers": {
"fortios": {
"command": "uv",
"args": [
"run",
"--directory", "/absolute/path/to/fortinet-mcp-server",
"python", "server.py"
],
"env": {
"FORTIOS_HOST": "https://192.168.1.1",
"FORTIOS_API_TOKEN": "your-api-token",
"FORTIOS_VDOM": "root",
"FORTIOS_VERIFY_SSL": "false"
}
}
}
}
On macOS,
claude_desktop_config.jsonis at~/Library/Application Support/Claude/claude_desktop_config.json.
On Windows, it is at%APPDATA%\Claude\claude_desktop_config.json.
HTTP Mode
To run as a remote HTTP server instead of stdio:
MCP_TRANSPORT=streamable-http MCP_PORT=8000 uv run server.py
Connect via http://localhost:8000/mcp.
This mode is useful for shared team setups or cloud-hosted deployments.
Usage Examples
Via Claude Desktop
Once installed, you can ask Claude natural-language questions such as:
- "Show me all firewall policies that deny traffic"
- "Which IPsec tunnels are currently down?"
- "List all interfaces with their IP addresses"
- "Which route would be used to reach 8.8.8.8?"
- "Show the top 20 traffic sources in FortiView"
- "Are there any failed admin login attempts in the logs?"
Direct Tool Invocations
# List firewall policies filtered by action
firewall_policy_list(filter_action="deny")
# Get system status
system_status()
# Check IPsec VPN tunnels
monitor_vpn_ipsec()
# Query forward traffic logs for a specific source IP
log_traffic_forward(srcip="10.10.1.100", rows=50)
# Generic: list any CMDB resource (full API coverage)
cmdb_list("casb/profile")
cmdb_list("wireless-controller.hotspot20/hs-profile")
# Generic: get any monitor data
monitor_get("registration/forticloud")
Project Structure
fortinet-mcp-server/
├── server.py # FastMCP entry point, lifespan, tool registration
├── fortios_client.py # Async HTTP client (CMDB/Monitor/Log/Service)
├── pyproject.toml # Project metadata and dependencies
├── .env.example # Environment variable template
├── README.md # This file
└── tools/
├── __init__.py
├── generic.py # Generic pass-through tools (all 1536 endpoints)
├── system.py # System config + monitoring
├── firewall.py # Firewall policies, addresses, VIPs, sessions
├── vpn.py # IPsec + SSL VPN config and monitoring
├── router.py # Static routes, OSPF, BGP, SD-WAN
├── user.py # Local users, groups, RADIUS, LDAP, sessions
├── monitor.py # Network monitoring, FortiView, endpoint control
├── log.py # Log retrieval and configuration
├── security.py # IPS, AV, webfilter, DLP, WAF, ZTNA profiles
└── wireless.py # WiFi APs, SSIDs, clients, rogue APs
Security Notes
- The API token grants the same access level as its associated admin profile. Follow the principle of least privilege — create a restricted profile if you only need read access.
- Set
FORTIOS_VERIFY_SSL=truein production and ensure your FortiGate has a valid TLS certificate. - The server runs locally over stdio by default — it is not exposed over the network unless HTTP mode is enabled.
- Never commit your
.envfile or expose your API token in logs, issues, or code. - Rotate your API token regularly and revoke it immediately if compromised.
Contributing
Contributions are welcome! Please read CONTRIBUTING.md before submitting a pull request.
- Bug reports and feature requests → open an issue
- Security vulnerabilities → see SECURITY.md
- Code of conduct → CODE_OF_CONDUCT.md
License
This project is licensed under the MIT License — see LICENSE for details.
Disclaimer: This project is not affiliated with or endorsed by Fortinet, Inc. FortiOS and FortiGate are trademarks of Fortinet, Inc.
相关服务器
OWASP Agentic Security MCP
OWASP agentic AI security — prompt injection detection, tool poisoning prevention, agent trust boundaries by MEOK AI Labs
Sequential Ethical Thinking
A tool for structured, step-by-step ethical reasoning using multiple moral frameworks for transparent deliberation.
Fast Mobile MCP
High-performance mobile automation architecture with a thin MCP gateway and dedicated Go workers for Android and iOS.
OpenRegistry
Unmodified government company registry data — 27 national registries, live. Cross-border UBO / beneficial owner chain walker for KYC, AML, due diligence. 27 tools + 10 MCP prompt workflows.
GetHumanDesign
Calculate your human design chart and ask AI how you're designed to make decisions, build relationships, and find your path.
dd-agents
M&A due diligence with 14 MCP tools for interactive chat — citation verification, cross-contract search, entity resolution, and sandboxed Excel/Word document generation across 9 specialist agent domains.
reachy-mini-mcp
Control the Reachy Mini robot (or simulator) from Claude, ChatGPT, or any MCP-compatible client.
Texas Holdem MCP Server
A Texas Hold'em poker game server with an MCP API, built using Node.js and TypeScript.
ShareThis AI
Connect your ShareThis account to manage properties and configure tools.
Wordle MCP - Go
Fetches daily Wordle solutions using the official Wordle API.