npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

panw-scm-mcp

v0.1.8

Published

Unofficial MCP server for Palo Alto Networks Strata Cloud Manager operations.

Downloads

1,097

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

ethanzhiethanzhi

Keywords

mcpstrata-cloud-managerpalo-alto-networksscmnetwork-automation

Readme

panw-scm-mcp

Unofficial MCP server for Palo Alto Networks Strata Cloud Manager operations.

This server exposes Strata Cloud Manager configuration and operations workflows to MCP clients through structured tools. It is designed for npx usage and reads credentials from environment variables.

Status

This is an early operational foundation. It covers the baseline configuration and operations surface:

  • Resource catalog for objects, security, network, deployment, setup, identity, and mobile-agent domains
  • Generic list/get/apply/delete tools for supported SCM resources
  • YAML load and YAML backup tools
  • Commit and job monitoring tools
  • Device operations
  • Local configuration version listing and download
  • Incident search and detail lookup
  • Dry-run and explicit confirmation guards for destructive actions
  • Agent operations enhancements: reference search, security policy analysis, backup diffing, incident summarization, and safe change planning

Advanced agent workflows such as reference analysis, policy diffing, and remediation reasoning are intentionally left for later enhancement.

Install and Run

npx panw-scm-mcp

For local development:

npm install
npm run build
node dist/index.js

Environment Variables

Required:

export SCM_CLIENT_ID="your-client-id"
export SCM_CLIENT_SECRET="your-client-secret"
export SCM_TSG_ID="your-tsg-id"

Optional:

export SCM_REGION="americas"
export SCM_API_BASE_URL="https://api.strata.paloaltonetworks.com"
export SCM_INSIGHTS_BASE_URL="https://api.sase.paloaltonetworks.com"
export SCM_INSIGHTS_REGION="americas"
export SCM_ADEM_BASE_URL="https://api.sase.paloaltonetworks.com"
export SCM_ADEM_REGION="americas"
export SCM_ADEM_SUBTENANT=""
export SCM_TOKEN_URL="https://auth.apps.paloaltonetworks.com/oauth2/access_token"
export SCM_SEND_REGION_HEADER="false"
export SCM_DRY_RUN="false"
export SCM_REQUEST_TIMEOUT_MS="30000"
export SCM_LOG_LEVEL="info"

Most SCM configuration APIs must not include x-panw-region. Keep SCM_SEND_REGION_HEADER=false unless you are calling a service that explicitly requires the region header.

Insights and ADEM APIs require PANW SASE region codes: americas, au, ca, de, europe, in, jp, sg, or uk. Common aliases such as singapore, southeast-asia, japan, and united-kingdom are normalized automatically.

Legacy variable names SCM_SCM_CLIENT_ID, SCM_SCM_CLIENT_SECRET, and SCM_SCM_TSG_ID are also accepted.

The aliases PANW_SCM_CLIENT_ID, PANW_SCM_CLIENT_SECRET, PANW_SCM_TSG_ID, PANW_MGMT_CLIENT_ID, PANW_MGMT_CLIENT_SECRET, and PANW_MGMT_TSG_ID are accepted for environments that already use those naming conventions.

MCP Client Config

Example:

{
  "mcpServers": {
    "panw-scm": {
      "command": "npx",
      "args": ["panw-scm-mcp"],
      "env": {
        "SCM_CLIENT_ID": "your-client-id",
        "SCM_CLIENT_SECRET": "your-client-secret",
        "SCM_TSG_ID": "your-tsg-id",
        "SCM_REGION": "americas"
      }
    }
  }
}

Tools

Core:

  • scm_auth_test
  • scm_resource_catalog
  • scm_list_resource
  • scm_get_resource
  • scm_apply_resource
  • scm_delete_resource
  • scm_backup_resource
  • scm_load_yaml
  • scm_find_references
  • scm_analyze_security_policy
  • scm_compare_resource_backup
  • scm_build_change_plan
  • scm_summarize_incidents

Operations:

  • scm_commit
  • scm_list_insights_alerts
  • scm_list_insights_applications
  • scm_list_insights_mobile_users
  • scm_list_insights_locations
  • scm_list_insights_remote_networks
  • scm_list_insights_service_connections
  • scm_list_insights_tunnels
  • scm_get_adem_agent_score
  • scm_get_adem_agent_metrics
  • scm_get_adem_agent_properties
  • scm_get_adem_application_score
  • scm_adem_query
  • scm_list_jobs
  • scm_get_job
  • scm_device_operation
  • scm_list_local_config_versions
  • scm_download_local_config
  • scm_list_incidents
  • scm_show_incident

Examples

List address objects in a folder:

{
  "domain": "objects",
  "resource": "address",
  "folder": "Shared",
  "limit": 100
}

Create or update an address object with dry run:

{
  "domain": "objects",
  "resource": "address",
  "folder": "Shared",
  "dryRun": true,
  "data": {
    "name": "webserver-1",
    "ip_netmask": "10.1.1.10/32",
    "description": "Managed through MCP"
  }
}

Delete requires explicit confirmation unless dry-run is enabled:

{
  "domain": "objects",
  "resource": "address",
  "folder": "Shared",
  "name": "webserver-1",
  "confirm": true
}

Commit also requires explicit confirmation unless dry-run is enabled:

{
  "folders": ["Shared"],
  "description": "Commit changes from MCP",
  "confirm": true
}

Find where an object is referenced before deleting it:

{
  "target": "webserver-1",
  "scope": {
    "folder": "Shared"
  }
}

Analyze security policy hygiene:

{
  "folder": "Shared",
  "limit": 500
}

Compare current resources to a YAML backup:

{
  "domain": "objects",
  "resource": "address",
  "folder": "Shared",
  "baselineYaml": "data:\n  - name: webserver-1\n    ip_netmask: 10.1.1.10/32\n"
}

Build a preflight change plan:

{
  "intent": "Replace an obsolete address object and push the candidate config",
  "operations": [
    {
      "tool": "scm_find_references",
      "arguments": {
        "target": "old-webserver",
        "scope": {
          "folder": "Shared"
        }
      },
      "reason": "Confirm the object is not still used by policy"
    },
    {
      "tool": "scm_delete_resource",
      "arguments": {
        "domain": "objects",
        "resource": "address",
        "folder": "Shared",
        "name": "old-webserver",
        "dryRun": true
      },
      "risk": "Deleting shared objects can break rules that reference them"
    }
  ]
}

Notes

This project is not an official Palo Alto Networks product.

The SCM API surface changes over time. If a tenant uses a different path for a specific SCM service, update the resource catalog or set SCM_API_BASE_URL for the target API gateway.