@teamnetwork-nz/sonicwall-api-mcp-server
v0.5.1
Published
MCP server for SonicWall NSA appliance API — logs, CRUD objects, rules, NAT, GeoIP
Maintainers
Readme
SonicWall NSA MCP Server
A Model Context Protocol server that provides full read/write access to SonicWall NSA series appliances via the SonicOS REST API.
Features
- Log analysis — retrieve, filter, and search event logs and threat/IPS events
- Address objects & groups — CRUD for IPv4, IPv6, FQDN, and MAC address objects and their groups
- Service objects & groups — CRUD for protocol/port service definitions
- Access rules — create, update, enable/disable, and delete firewall access rules (IPv4 & IPv6)
- NAT policies — full CRUD for inbound/outbound NAT rules
- Security policies — CRUD for zone-based security policies
- Network discovery — list zones, interfaces, schedules, and route policies (read-only)
- GeoIP lookup — identify the country/botnet classification of an IP address
- Config management — view and commit (or discard) staged changes
The SonicOS REST API is configuration-focused. Connection/flow ("traffic") logs and GeoIP policy objects are not exposed as REST endpoints and therefore have no tools.
Supports SonicOS 6.5.x, 7.x, and 8.x with automatic version detection.
Quick Start
Prerequisites
- A SonicWall NSA appliance running SonicOS 6.5, 7.x, or 8.x
- SonicOS API enabled: Device › Settings › Administration › SonicOS API — toggle SonicOS API on, and ensure RFC-2617 HTTP Basic Access authentication is also enabled (the MCP server uses Basic auth to obtain a session token, falling back to RFC-7616 Digest if Basic is disabled)
- For npm install: Node.js ≥ 18 and uv
- For Python install: Python ≥ 3.11
Install
Via npx (recommended — no Python setup required):
npx @teamnetwork-nz/sonicwall-api-mcp-serverThe npm package is a thin launcher that calls
uvx sonicwall-mcp-serverunder the hood. Only uv needs to be installed — no Python environment setup required.
Via pip / uv (Python):
pip install sonicwall-mcp-server
# or
uv pip install sonicwall-mcp-serverEnvironment variables
| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| SONICWALL_HOST | Yes | — | Appliance IP or hostname |
| SONICWALL_USERNAME | Yes | — | Admin username |
| SONICWALL_PASSWORD | Yes | — | Admin password |
| SONICWALL_PORT | No | 443 | HTTPS management port |
| SONICWALL_SSL_VERIFY | No | true | Set false for self-signed certificates |
| SONICWALL_READ_ONLY | No | true | Set false to allow write operations |
| SONICWALL_DEVICES_FILE | No | — | Path to JSON file for multi-device config |
| SONICWALL_REQUEST_TIMEOUT | No | 30.0 | Per-request timeout in seconds |
Copy .env.example to .env for local development.
Claude Desktop / Claude Code Integration
Add to your MCP config (claude_desktop_config.json or .claude/settings.json):
Using npx (easiest):
{
"mcpServers": {
"sonicwall": {
"command": "npx",
"args": ["-y", "@teamnetwork-nz/sonicwall-api-mcp-server"],
"env": {
"SONICWALL_HOST": "192.168.168.168",
"SONICWALL_USERNAME": "admin",
"SONICWALL_PASSWORD": "your_password",
"SONICWALL_SSL_VERIFY": "false",
"SONICWALL_READ_ONLY": "false"
}
}
}
}Using uvx directly:
{
"mcpServers": {
"sonicwall": {
"command": "uvx",
"args": ["sonicwall-mcp-server"],
"env": {
"SONICWALL_HOST": "192.168.168.168",
"SONICWALL_USERNAME": "admin",
"SONICWALL_PASSWORD": "your_password",
"SONICWALL_SSL_VERIFY": "false",
"SONICWALL_READ_ONLY": "false"
}
}
}
}Using the installed Python CLI:
{
"mcpServers": {
"sonicwall": {
"command": "sonicwall-mcp",
"env": {
"SONICWALL_HOST": "192.168.168.168",
"SONICWALL_USERNAME": "admin",
"SONICWALL_PASSWORD": "your_password",
"SONICWALL_SSL_VERIFY": "false",
"SONICWALL_READ_ONLY": "false"
}
}
}
}Multi-device setup
To manage multiple appliances, set SONICWALL_DEVICES_FILE to a JSON file:
[
{
"name": "site-a",
"host": "10.0.1.1",
"username": "admin",
"password": "secret",
"ssl_verify": false,
"read_only": false
},
{
"name": "site-b",
"host": "10.0.2.1",
"username": "admin",
"password": "secret",
"ssl_verify": false,
"read_only": true
}
]Pass device="site-b" to any tool to target a specific appliance; omit it to use the first device.
Development
uv venv && source .venv/bin/activate
uv pip install -e ".[dev]"
pytest tests/ -v # unit tests (no appliance needed)
mcp dev src/sonicwall_mcp/server.py # interactive MCP inspectorAgent guidance
The server supplies MCP instructions that are automatically delivered to the calling agent at session start. These cover:
- Staged configuration — always
commit_configafter a related set of changes, ordiscard_configto abandon - Datetime handling — log timestamps use the appliance's local timezone; no UTC conversion needed
- Log tool selection — when to use
get_event_logsvsget_traffic_logsvsget_threat_logsvssearch_logs - Object and rule management — recommended workflow for creating address objects and firewall rules
- Concurrent sessions — SonicOS limit of one active API session per appliance
No special prompting is required — the agent receives these guidelines automatically.
Important Notes
- SonicOS allows only one concurrent API session per appliance. Ensure no other admin sessions are active when using this server.
- All configuration changes (create/update/delete) are staged and do not take effect until you call
commit_config. Usediscard_configto abandon staged changes. - Enable the SonicOS API in the appliance web UI: DEVICE > Settings > Administration > SonicOS API.
