
Fortinet MCP Server
β 9from paoloamato2
A complete Model Context Protocol (MCP) server for Fortinet FortiOS 7.6.6
FortiOS 7.6.x MCP Server
<p align="center"> <img src="https://img.shields.io/badge/FortiOS-7.6.x-EE3124?style=for-the-badge&logo=fortinet&logoColor=white" alt="FortiOS version"> <img src="https://img.shields.io/badge/MCP-Model_Context_Protocol-5A67D8?style=for-the-badge" alt="MCP"> <img src="https://img.shields.io/badge/Python-3.11%2B-3776AB?style=for-the-badge&logo=python&logoColor=white" alt="Python"> <img src="https://img.shields.io/github/license/paoloamato2/fortinet-mcp-server?style=for-the-badge" alt="License"> <img src="https://img.shields.io/github/stars/paoloamato2/fortinet-mcp-server?style=for-the-badge" alt="Stars"> </p> <p align="center"> <strong>A complete <a href="https://modelcontextprotocol.io">Model Context Protocol (MCP)</a> server for Fortinet FortiOS 7.6.x β exposing the entire REST API (1536 endpoints) as typed MCP tools usable from Claude Desktop, Cursor, or any MCP-compatible client.</strong> </p>Table of Contents
- Features
- Tool Categories
- Requirements
- Quick Start
- HTTP Mode
- Usage Examples
- Project Structure
- Security Notes
- Contributing
- License
Features
- 204+ typed MCP tools organized by functional area (system, firewall, VPN, router, user, monitor, log, security, wireless)
- 5 generic pass-through tools that cover all 1,536 FortiOS API endpoints
- Async HTTP client with Bearer-token authentication via
httpx - Full support for CMDB, Monitor, Log, and Service API sections
- Configurable SSL verification (self-signed certificates supported)
- Compatible with multi-VDOM environments
- Runs as stdio (Claude Desktop) or HTTP server (remote/cloud use)
Tool Categories
| Module | # Tools | Description |
|---|---|---|
| Generic | 5 | cmdb_list/get/create/update/delete, monitor_get/action, log_get, service_call β cover ALL endpoints |
| System | 27 | Interfaces, DNS, NTP, admins, DHCP, SNMP, certificates, VDOMs, syslog |
| Firewall | 32 | Policies (IPv4/IPv6), addresses, address groups, services, VIPs, IP pools, schedules, sessions |
| VPN | 22 | IPsec Phase 1/2, SSL VPN portals/settings, tunnel up/down, VPN certificates |
| Router | 17 | Static routes, OSPF, BGP, RIP, prefix lists, route maps, SD-WAN health |
| User | 18 | Local users, groups, RADIUS, LDAP, TACACS+, SAML, authenticated sessions |
| Monitor | 18 | ARP, FortiView top talkers, endpoint control, IPS stats, switch controller, config backup |
| Log | 18 | Traffic, event, VPN, user, virus, webfilter, IPS, app-ctrl, DNS logs + log config |
| Security | 29 | IPS, AV, webfilter, app control, DLP, email filter, DNS filter, WAF, ICAP, ssh-filter, ZTNA |
| Wireless | 18 | AP profiles, WTPs, SSIDs (VAPs), Hotspot 2.0, connected clients, rogue APs |
Total: 204+ tools
HTTP Mode
To run as a remote HTTP server instead of stdio:
MCP_TRANSPORT=streamable-http MCP_PORT=8000 uv run server.pyConnect via http://localhost:8000/mcp.
This mode is useful for shared team setups or cloud-hosted deployments.
Project Structure
fortinet-mcp-server/
βββ server.py # FastMCP entry point, lifespan, tool registration
βββ fortios_client.py # Async HTTP client (CMDB/Monitor/Log/Service)
βββ pyproject.toml # Project metadata and dependencies
βββ .env.example # Environment variable template
βββ README.md # This file
βββ tools/
βββ __init__.py
βββ generic.py # Generic pass-through tools (all 1536 endpoints)
βββ system.py # System config + monitoring
βββ firewall.py # Firewall policies, addresses, VIPs, sessions
βββ vpn.py # IPsec + SSL VPN config and monitoring
βββ router.py # Static routes, OSPF, BGP, SD-WAN
βββ user.py # Local users, groups, RADIUS, LDAP, sessions
βββ monitor.py # Network monitoring, FortiView, endpoint control
βββ log.py # Log retrieval and configuration
βββ security.py # IPS, AV, webfilter, DLP, WAF, ZTNA profiles
βββ wireless.py # WiFi APs, SSIDs, clients, rogue APsSecurity Notes
- The API token grants the same access level as its associated admin profile. Follow the principle of least privilege β create a restricted profile if you only need read access.
- Set
FORTIOS_VERIFY_SSL=truein production and ensure your FortiGate has a valid TLS certificate. - The server runs locally over stdio by default β it is not exposed over the network unless HTTP mode is enabled.
- Never commit your
.envfile or expose your API token in logs, issues, or code. - Rotate your API token regularly and revoke it immediately if compromised.
git clone https://github.com/paoloamato2/fortinet-mcp-server.git
cd fortinet-mcp-server
# Using uv (recommended)
uv sync
# Or using pip
pip install -e .Before it works, you'll need: FORTIOS_HOSTFORTIOS_API_TOKENFORTIOS_VDOMFORTIOS_VERIFY_SSL
Requirements
| Requirement | Version |
|---|---|
| Python | 3.11+ |
| Package manager | uv (recommended) or pip |
| FortiGate | FortiOS 7.6.x |
| Auth | REST API admin account with Bearer token |
Quick Start
1. Create API Token on FortiGate
- Log into your FortiGate Web UI
- Navigate to System > Administrators
- Click Create New > REST API Admin
- Assign an admin profile (
super_adminfor full access, or a restricted profile following least-privilege) - Copy the generated API token β it is shown only once
2. Install dependencies
git clone https://github.com/paoloamato2/fortinet-mcp-server.git
cd fortinet-mcp-server
# Using uv (recommended)
uv sync
# Or using pip
pip install -e .3. Configure environment
cp .env.example .envEdit .env:
FORTIOS_HOST=https://192.168.1.1
FORTIOS_API_TOKEN=your-token-here
FORTIOS_VDOM=root
FORTIOS_VERIFY_SSL=false
FORTIOS_TIMEOUT=304. Run with MCP Inspector
uv run mcp dev server.py5. Install in Claude Desktop
uv run mcp install server.py --name "FortiOS"Or manually add to claude_desktop_config.json:
{
"mcpServers": {
"fortios": {
"command": "uv",
"args": [
"run",
"--directory", "/absolute/path/to/fortinet-mcp-server",
"python", "server.py"
],
"env": {
"FORTIOS_HOST": "https://192.168.1.1",
"FORTIOS_API_TOKEN": "your-api-token",
"FORTIOS_VDOM": "root",
"FORTIOS_VERIFY_SSL": "false"
}
}
}
}On macOS,
claude_desktop_config.jsonis at~/Library/Application Support/Claude/claude_desktop_config.json.
On Windows, it is at%APPDATA%\Claude\claude_desktop_config.json.
Usage Examples
Via Claude Desktop
Once installed, you can ask Claude natural-language questions such as:
- "Show me all firewall policies that deny traffic"
- "Which IPsec tunnels are currently down?"
- "List all interfaces with their IP addresses"
- "Which route would be used to reach 8.8.8.8?"
- "Show the top 20 traffic sources in FortiView"
- "Are there any failed admin login attempts in the logs?"
Direct Tool Invocations
# List firewall policies filtered by action
firewall_policy_list(filter_action="deny")
# Get system status
system_status()
# Check IPsec VPN tunnels
monitor_vpn_ipsec()
# Query forward traffic logs for a specific source IP
log_traffic_forward(srcip="10.10.1.100", rows=50)
# Generic: list any CMDB resource (full API coverage)
cmdb_list("casb/profile")
cmdb_list("wireless-controller.hotspot20/hs-profile")
# Generic: get any monitor data
monitor_get("registration/forticloud")No common issues documented yet. If you hit a problem, the repository's GitHub Issues page is the best place to look.
Licensed under MITβ you can use, modify, and redistribute it under that license's terms.
License
This project is licensed under the MIT License β see LICENSE for details.
Disclaimer: This project is not affiliated with or endorsed by Fortinet, Inc. FortiOS and FortiGate are trademarks of Fortinet, Inc.