MCP server that exposes high-level tooling for Cisco Secure Firewall Management Center (FMC). Core tools:
- `list_fmc_profiles` – discover configured FMC instances.
- `find_rules_by_ip_or_fqdn` – search a specific access policy.
- `find_rules_for_target` – resolve an FTD device/HA/cluster to its assigned policies and search them.
- `search_access_rules` – FMC-wide searches with indicator + policy filters, including identity indicators (SGT, realm user/group).
Copy `.env.example` to `.env` (or export env vars) and fill in at least:

```env
FMC_BASE_URL=https://<fmc-host>
FMC_USERNAME=<api-user>
FMC_PASSWORD=<password>
FMC_VERIFY_SSL=false
```
Define one env file per FMC under `profiles/`. Copy `profiles/.env.example` to a new filename (e.g., `profiles/fmc-north-south.env`) and fill it:

```env
FMC_PROFILE_ID=fmc-north-south
FMC_PROFILE_DISPLAY_NAME=FMC North-South
FMC_PROFILE_ALIASES=north,north-south,10.0.0.5
FMC_BASE_URL=https://10.0.0.5
FMC_USERNAME=adminapi
FMC_PASSWORD=***
FMC_VERIFY_SSL=false
```

Point the server at this directory:

```env
FMC_PROFILES_DIR=profiles
FMC_PROFILE_DEFAULT=fmc-north-south
```
When `FMC_PROFILES_DIR` is set, the server auto-loads every `*.env` file in that folder and exposes them via `list_fmc_profiles`. If it’s unset, the single-FMC env variables are used.
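Profile discovery as described above, as an added example and not the project's own loader: it assumes the `KEY=VALUE` file layout shown in this README, loads every `*.env` in a directory, resolves a profile by id or alias with an `FMC_PROFILE_DEFAULT`-style fallback, and returns a `list_fmc_profiles`-style listing that omits credentials and makes a profile's `FMC_VERIFY_SSL=false` posture visible. The second profile, its address and the passwords are constructed sample values.

```python
import tempfile
from pathlib import Path

def parse_env(text):  # KEY=VALUE lines; blank lines and # comments skipped, quotes stripped
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("'\"")
    return env

def load_profiles(profiles_dir):  # every *.env in the folder, keyed by FMC_PROFILE_ID
    profiles = {}
    for path in sorted(Path(profiles_dir).glob("*.env")):
        env = parse_env(path.read_text())
        pid = env.get("FMC_PROFILE_ID")
        if not pid or not env.get("FMC_BASE_URL"):
            raise ValueError(f"{path.name}: FMC_PROFILE_ID and FMC_BASE_URL are required")
        if pid in profiles:
            raise ValueError(f"{path.name}: duplicate FMC_PROFILE_ID {pid!r}")
        profiles[pid] = env
    return profiles

def resolve_profile(profiles, ref, default_id=None):  # id or alias, case-insensitive
    want = (ref or default_id or "").strip().lower()
    for pid, env in profiles.items():
        aliases = [a.strip().lower() for a in env.get("FMC_PROFILE_ALIASES", "").split(",") if a.strip()]
        if want == pid.lower() or want in aliases:
            return pid
    raise KeyError(f"no FMC profile matches {want!r}")

def list_profiles(profiles):  # listing safe to hand to a client: no credentials, TLS posture visible
    return [{"id": pid, "display_name": env.get("FMC_PROFILE_DISPLAY_NAME", pid), "base_url": env["FMC_BASE_URL"],
             "verify_ssl": env.get("FMC_VERIFY_SSL", "true").lower() != "false"} for pid, env in profiles.items()]

SAMPLE = {  # constructed profiles/*.env contents modelled on the README; east-west values and passwords are made up
    "fmc-north-south.env": "FMC_PROFILE_ID=fmc-north-south\nFMC_PROFILE_DISPLAY_NAME=FMC North-South\n"
        "FMC_PROFILE_ALIASES=north,north-south,10.0.0.5\nFMC_BASE_URL=https://10.0.0.5\n"
        "FMC_USERNAME=adminapi\nFMC_PASSWORD=example-only\nFMC_VERIFY_SSL=false\n",
    "fmc-east-west.env": "FMC_PROFILE_ID=fmc-east-west\nFMC_PROFILE_ALIASES=east\n"
        "FMC_BASE_URL=https://10.0.1.5\nFMC_USERNAME=adminapi\nFMC_PASSWORD=example-only\n",
}

def demo():  # write the samples to a temp dir, then exercise discovery and resolution
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE.items():
            (Path(d) / name).write_text(body)
        profiles = load_profiles(d)
        return (list_profiles(profiles), resolve_profile(profiles, "10.0.0.5"),
                resolve_profile(profiles, None, default_id="fmc-east-west"))
```

`demo()` returns the credential-free listing plus the ids resolved for the alias `10.0.0.5` and for an empty reference falling back to the default.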
Logging levels can be set in the active profile file (profile mode) or in the root `.env` (single-FMC mode or Docker env). The default profile’s logging values are applied at startup.

```env
LOG_LEVEL=DEBUG          # overall app logging
HTTPX_TRACE=1            # log FMC request URLs and status codes
HTTPX_LOG_LEVEL=WARNING  # httpx/httpcore verbosity (default WARNING)
```

Notes:
- In profile mode, put these in the default profile file (the one named by `FMC_PROFILE_DEFAULT`).
- In Docker, the root `.env` (or the `docker-compose.yml` `environment` section) must still provide server-level settings like `FMC_PROFILES_DIR`, `FMC_PROFILE_DEFAULT`, `MCP_HOST`, and `MCP_PORT`.
```bash
docker compose up -d --build
```

The compose file expects your `.env` in the repo root (or point `env_file` at a specific profile file). Rebuild after changing `requirements.txt` or profile files.
You can run the server directly without Docker:
```bash
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
python -m sfw_mcp_fmc.server
```

Configure the transport via `.env` (the default is HTTP on `http://0.0.0.0:8000/mcp` for local/dev). When exposing it publicly, front it with an HTTPS endpoint such as `https://<host>:8000/mcp`. The logs show which FMC profiles loaded.
Prior README versions described `MCP_AUTH_TOKEN`, but current FastMCP clients do not enforce it reliably, so the server runs without bearer auth. If you want to continue experimenting with a token-backed flow, you can keep the env var and wire up proxy-level auth or contribute a working implementation in this repo.
`client/test_client.py` is an interactive harness that:
- Calls `list_fmc_profiles` to display the available FMCs and lets you select one.
- Invokes the tools with your inputs (indicator, target, policy filters).
Run it from your host while the MCP server is up:
```bash
python client/test_client.py
```

Unit tests cover configuration parsing, profile discovery, and the rule-search engine (network + identity indicators). Execute locally or inside the container:

```bash
pip install -r requirements.txt   # once per environment
python -m pytest tests
```

Because the server follows the MCP protocol (via FastMCP), any MCP-aware agent platform can consume it:
- Register the MCP endpoint (stdio or HTTP). For HTTP, point to `https://<host>:8000/mcp` when exposed publicly (use `http://localhost:8000/mcp` for local/dev).
- From the agent, call `list_fmc_profiles` to pick an FMC (by `id` or alias).
- Call the other tools with `fmc_profile` plus your indicator/filters.
- Consume the structured JSON responses to drive subsequent steps (summaries, remediation, follow-up searches).
This enables a single MCP instance to front multiple FMCs for humans or automated agents alike.