npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2025 – Pkg Stats / Ryan Hefner

@mseep/paloalto-server

v0.1.0

Published

MCP server for Palo Alto firewall management

Downloads

6

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

skydeckaiskydeckai

Keywords

mseepmcp-server

Readme

Palo Alto Networks MCP Server Suite

smithery badge

A comprehensive suite of Model Context Protocol (MCP) servers for managing Palo Alto Networks firewalls and services through a unified API interface.

Table of Contents

Overview

The Palo Alto Networks MCP Server Suite provides a modular approach to firewall management through specialized servers:

  • Core Server: Base firewall operations and shared functionality
  • Policy Server: Security policy and rule management
  • Config Server: System configuration and settings
  • Objects Server: Network objects and address management
  • Device Server: Device operations and monitoring

Architecture

┌─────────────────┐     ┌──────────────────┐
│    Core Server  │◄────┤  Policy Server   │
│                 │     └──────────────────┘
│  (Base Services)│     ┌──────────────────┐
│                 │◄────┤  Config Server   │
│                 │     └──────────────────┘
│                 │     ┌──────────────────┐
│                 │◄────┤  Objects Server  │
│                 │     └──────────────────┘
│                 │     ┌──────────────────┐
│                 │◄────┤  Device Server   │
└────────┬────────┘     └──────────────────┘
         │
         ▼
┌─────────────────┐
│  Palo Alto API  │
└─────────────────┘

Installation

Installing via Smithery

To install Palo Alto Networks MCP Server Suite for Claude Desktop automatically via Smithery:

npx -y @smithery/cli install @DynamicEndpoints/paloalto-mcp-server --client claude

Manual Installation

  1. Clone the repository:
git clone https://github.com/your-org/paloalto-mcp-servers.git
cd paloalto-mcp-servers
  1. Install dependencies for each server:
# Install core server
cd paloalto-server
npm install

# Install policy server
cd ../paloalto-policy-server
npm install

# Install config server
cd ../paloalto-config-server
npm install

# Install objects server
cd ../paloalto-objects-server
npm install

# Install device server
cd ../paloalto-device-server
npm install
  1. Configure environment variables:
# Create .env files in each server directory
PANOS_API_KEY=your-api-key
PANOS_API_BASE_URL=https://your-firewall.example.com/api

# Optional configurations
PANOS_VERIFY_SSL=true
PANOS_TIMEOUT=30000
PANOS_DEBUG=false

Server Details

Core Server (paloalto-server)

Base server providing shared functionality and core operations.

Key Features

  • Authentication and session management
  • API rate limiting and retry logic
  • Shared utility functions
  • Error handling framework

Example: Basic Authentication

const result = await useMcpTool("paloalto-server", "verify_credentials", {
  api_key: process.env.PANOS_API_KEY
});

console.log(result.content[0].text); // Authentication status

Policy Server (paloalto-policy-server)

Comprehensive policy and rule management.

Available Tools

  1. get_security_rules
// Get all security rules
const rules = await useMcpTool("paloalto-policy", "get_security_rules", {});

// Get rules with filtering
const webRules = await useMcpTool("paloalto-policy", "get_security_rules", {
  filter: {
    service: ["http", "https"],
    action: "allow"
  }
});
  1. create_security_rule
// Create a basic security rule
await useMcpTool("paloalto-policy", "create_rule", {
  rule_type: "security",
  rule_data: {
    name: "allow-internal-web",
    source: ["internal-network"],
    destination: ["web-servers"],
    service: ["http", "https"],
    action: "allow",
    log_setting: "default",
    profile_setting: {
      group: ["default-protection"]
    }
  }
});

// Create a more complex rule with zones and applications
await useMcpTool("paloalto-policy", "create_rule", {
  rule_type: "security",
  rule_data: {
    name: "restrict-social-media",
    source_zone: ["trust"],
    destination_zone: ["untrust"],
    source: ["internal-users"],
    destination: ["any"],
    application: ["facebook-base", "twitter-base"],
    service: ["application-default"],
    action: "deny",
    log_setting: "detailed-logging",
    description: "Block social media access"
  }
});
  1. update_security_rule
// Update an existing rule
await useMcpTool("paloalto-policy", "update_rule", {
  rule_type: "security",
  rule_name: "allow-internal-web",
  rule_data: {
    service: ["http", "https", "ssh"],
    description: "Updated to allow SSH access"
  }
});

Config Server (paloalto-config-server)

System configuration and settings management.

Example: Network Configuration

// Update DNS settings
await useMcpTool("paloalto-config", "update_network_settings", {
  dns_primary: "8.8.8.8",
  dns_secondary: "8.8.4.4",
  dns_search_domain: "example.com"
});

// Configure interfaces
await useMcpTool("paloalto-config", "configure_interface", {
  name: "ethernet1/1",
  config: {
    mode: "layer3",
    ip: ["10.0.1.1/24"],
    zone: "trust",
    enable: true
  }
});

Objects Server (paloalto-objects-server)

Network object and address management.

Example: Address Object Management

// Create address objects
await useMcpTool("paloalto-objects", "create_address_object", {
  name: "web-server-1",
  type: "ip-netmask",
  value: "10.0.1.100/32",
  description: "Primary web server",
  tags: ["production", "web"]
});

// Create address group
await useMcpTool("paloalto-objects", "create_address_group", {
  name: "web-servers",
  description: "All web servers",
  members: ["web-server-1", "web-server-2"],
  tags: ["production", "web"]
});

// Create dynamic address group
await useMcpTool("paloalto-objects", "create_dynamic_address_group", {
  name: "active-web-servers",
  description: "Web servers currently in use",
  filter: "tag.production and tag.web and state.up"
});

Device Server (paloalto-device-server)

Device operations and monitoring.

Example: Device Management

// Get device status
const status = await useMcpTool("paloalto-device", "get_device_status", {});

// Commit changes
await useMcpTool("paloalto-device", "commit_changes", {
  description: "Updated security policies",
  admins: ["admin1"], // Optional: Specify which admin's changes to commit
});

// Backup configuration
await useMcpTool("paloalto-device", "backup_config", {
  filename: "backup-2024-01-20.xml",
  include_shared: true
});

Integration Patterns

1. Security Policy Deployment

async function deploySecurityPolicy() {
  // 1. Create address objects
  await useMcpTool("paloalto-objects", "create_address_object", {
    name: "internal-subnet",
    type: "ip-netmask",
    value: "192.168.1.0/24"
  });

  // 2. Create security rules
  await useMcpTool("paloalto-policy", "create_rule", {
    rule_type: "security",
    rule_data: {
      name: "allow-outbound",
      source: ["internal-subnet"],
      destination: ["any"],
      service: ["web-browsing"],
      action: "allow"
    }
  });

  // 3. Verify configuration
  const rules = await useMcpTool("paloalto-policy", "get_security_rules", {});
  
  // 4. Commit changes
  await useMcpTool("paloalto-device", "commit_changes", {
    description: "Deployed new security policy"
  });
}

2. High Availability Configuration

async function configureHA() {
  // 1. Configure HA interfaces
  await useMcpTool("paloalto-config", "configure_ha", {
    mode: "active-passive",
    group: {
      id: 1,
      description: "Primary HA Group"
    },
    interfaces: {
      ha1: {
        port: "ethernet1/3",
        ip: "10.0.0.1/24"
      },
      ha2: {
        port: "ethernet1/4",
        ip: "10.0.1.1/24"
      }
    }
  });

  // 2. Configure HA policy
  await useMcpTool("paloalto-config", "configure_ha_policy", {
    preemptive: true,
    heartbeat_interval: 2000,
    heartbeat_threshold: 3
  });

  // 3. Commit changes
  await useMcpTool("paloalto-device", "commit_changes", {
    description: "Configured HA settings"
  });
}

Advanced Usage

1. Custom Rule Templates

const ruleTemplate = {
  base: {
    log_setting: "default",
    profile_setting: {
      group: ["default-protection"]
    }
  },
  web: {
    service: ["web-browsing"],
    application: ["web-browsing"],
    profile_setting: {
      group: ["strict-web-protection"]
    }
  }
};

async function createRuleFromTemplate(type, customData) {
  const template = {...ruleTemplate.base, ...ruleTemplate[type]};
  await useMcpTool("paloalto-policy", "create_rule", {
    rule_type: "security",
    rule_data: {...template, ...customData}
  });
}

2. Batch Operations

async function batchCreateObjects(objects) {
  const results = [];
  for (const obj of objects) {
    try {
      const result = await useMcpTool("paloalto-objects", "create_address_object", obj);
      results.push({status: "success", name: obj.name});
    } catch (error) {
      results.push({status: "error", name: obj.name, error: error.message});
    }
  }
  return results;
}

Troubleshooting

Common Issues

  1. API Connection Issues
// Test API connectivity
const status = await useMcpTool("paloalto-server", "test_connection", {
  timeout: 5000,
  verify_ssl: true
});

if (!status.success) {
  console.error(`Connection failed: ${status.error}`);
  // Check firewall accessibility
  // Verify API key permissions
  // Validate SSL certificates
}
  1. Rule Conflicts
// Analyze rule conflicts
const analysis = await useMcpTool("paloalto-policy", "analyze_rules", {
  rule_type: "security",
  checks: ["shadowing", "redundancy", "conflicts"]
});

if (analysis.issues.length > 0) {
  console.log("Found rule issues:", analysis.issues);
}
  1. Commit Failures
try {
  await useMcpTool("paloalto-device", "commit_changes", {
    description: "Policy update"
  });
} catch (error) {
  if (error.code === "ConfigurationLocked") {
    // Handle locked configuration
    await useMcpTool("paloalto-device", "release_config_lock", {});
  } else if (error.code === "ValidationError") {
    // Handle validation errors
    console.error("Configuration validation failed:", error.details);
  }
}

Contributing

  1. Fork the repository
  2. Create a feature branch
git checkout -b feature/new-feature
  1. Commit your changes
git commit -m "Add new feature"
  1. Push to the branch
git push origin feature/new-feature
  1. Create a Pull Request

License

MIT License - see LICENSE file for details