Labsco
paoloamato2 logo

Fortinet MCP Server

β˜… 9

from paoloamato2

A complete Model Context Protocol (MCP) server for Fortinet FortiOS 7.6.6

πŸ”₯πŸ”₯πŸ”₯πŸ”₯βœ“ VerifiedAccount requiredNeeds API keys

FortiOS 7.6.x MCP Server

<p align="center"> <img src="https://img.shields.io/badge/FortiOS-7.6.x-EE3124?style=for-the-badge&logo=fortinet&logoColor=white" alt="FortiOS version"> <img src="https://img.shields.io/badge/MCP-Model_Context_Protocol-5A67D8?style=for-the-badge" alt="MCP"> <img src="https://img.shields.io/badge/Python-3.11%2B-3776AB?style=for-the-badge&logo=python&logoColor=white" alt="Python"> <img src="https://img.shields.io/github/license/paoloamato2/fortinet-mcp-server?style=for-the-badge" alt="License"> <img src="https://img.shields.io/github/stars/paoloamato2/fortinet-mcp-server?style=for-the-badge" alt="Stars"> </p> <p align="center"> <strong>A complete <a href="https://modelcontextprotocol.io">Model Context Protocol (MCP)</a> server for Fortinet FortiOS 7.6.x β€” exposing the entire REST API (1536 endpoints) as typed MCP tools usable from Claude Desktop, Cursor, or any MCP-compatible client.</strong> </p>

Table of Contents


Features

  • 204+ typed MCP tools organized by functional area (system, firewall, VPN, router, user, monitor, log, security, wireless)
  • 5 generic pass-through tools that cover all 1,536 FortiOS API endpoints
  • Async HTTP client with Bearer-token authentication via httpx
  • Full support for CMDB, Monitor, Log, and Service API sections
  • Configurable SSL verification (self-signed certificates supported)
  • Compatible with multi-VDOM environments
  • Runs as stdio (Claude Desktop) or HTTP server (remote/cloud use)

Tool Categories

Module# ToolsDescription
Generic5cmdb_list/get/create/update/delete, monitor_get/action, log_get, service_call β€” cover ALL endpoints
System27Interfaces, DNS, NTP, admins, DHCP, SNMP, certificates, VDOMs, syslog
Firewall32Policies (IPv4/IPv6), addresses, address groups, services, VIPs, IP pools, schedules, sessions
VPN22IPsec Phase 1/2, SSL VPN portals/settings, tunnel up/down, VPN certificates
Router17Static routes, OSPF, BGP, RIP, prefix lists, route maps, SD-WAN health
User18Local users, groups, RADIUS, LDAP, TACACS+, SAML, authenticated sessions
Monitor18ARP, FortiView top talkers, endpoint control, IPS stats, switch controller, config backup
Log18Traffic, event, VPN, user, virus, webfilter, IPS, app-ctrl, DNS logs + log config
Security29IPS, AV, webfilter, app control, DLP, email filter, DNS filter, WAF, ICAP, ssh-filter, ZTNA
Wireless18AP profiles, WTPs, SSIDs (VAPs), Hotspot 2.0, connected clients, rogue APs

Total: 204+ tools


HTTP Mode

To run as a remote HTTP server instead of stdio:

MCP_TRANSPORT=streamable-http MCP_PORT=8000 uv run server.py

Connect via http://localhost:8000/mcp.

This mode is useful for shared team setups or cloud-hosted deployments.


Project Structure

fortinet-mcp-server/
β”œβ”€β”€ server.py              # FastMCP entry point, lifespan, tool registration
β”œβ”€β”€ fortios_client.py      # Async HTTP client (CMDB/Monitor/Log/Service)
β”œβ”€β”€ pyproject.toml         # Project metadata and dependencies
β”œβ”€β”€ .env.example           # Environment variable template
β”œβ”€β”€ README.md              # This file
└── tools/
    β”œβ”€β”€ __init__.py
    β”œβ”€β”€ generic.py         # Generic pass-through tools (all 1536 endpoints)
    β”œβ”€β”€ system.py          # System config + monitoring
    β”œβ”€β”€ firewall.py        # Firewall policies, addresses, VIPs, sessions
    β”œβ”€β”€ vpn.py             # IPsec + SSL VPN config and monitoring
    β”œβ”€β”€ router.py          # Static routes, OSPF, BGP, SD-WAN
    β”œβ”€β”€ user.py            # Local users, groups, RADIUS, LDAP, sessions
    β”œβ”€β”€ monitor.py         # Network monitoring, FortiView, endpoint control
    β”œβ”€β”€ log.py             # Log retrieval and configuration
    β”œβ”€β”€ security.py        # IPS, AV, webfilter, DLP, WAF, ZTNA profiles
    └── wireless.py        # WiFi APs, SSIDs, clients, rogue APs

Security Notes

  • The API token grants the same access level as its associated admin profile. Follow the principle of least privilege β€” create a restricted profile if you only need read access.
  • Set FORTIOS_VERIFY_SSL=true in production and ensure your FortiGate has a valid TLS certificate.
  • The server runs locally over stdio by default β€” it is not exposed over the network unless HTTP mode is enabled.
  • Never commit your .env file or expose your API token in logs, issues, or code.
  • Rotate your API token regularly and revoke it immediately if compromised.