Local read-only MCP server for Fortigate administration over SSH

Project description

Fortigate MCP

Local MCP server for querying a Fortigate over SSH in read-only mode.

Designed for FortiOS 7.4+ and for use from Codex and Claude Desktop over the stdio transport.

Security

This MCP does not run arbitrary commands. All tools are read-only, and the manual command fortigate_run_readonly_command validates its input against a strict allowlist.

It blocks tokens such as config, edit, set, unset, delete, purge, execute, reboot, shutdown, restore, factoryreset, format and debug.

Real security must also be enforced on the Fortigate itself by using a user with a read-only profile.
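
An added example, not the project's own code, of how a validator like the one described above can combine an allowlist with the blocked tokens listed in this section. The allowed prefixes, the permitted character set and the function name are assumptions; the package's actual allowlist is not shown on this page.

```python
import re

# Tokens this README says are blocked.
BLOCKED_TOKENS = frozenset({
    "config", "edit", "set", "unset", "delete", "purge", "execute",
    "reboot", "shutdown", "restore", "factoryreset", "format", "debug",
})

# Hypothetical allowlist (assumption): each entry is a whole-token prefix.
ALLOWED_PREFIXES = (
    ("get", "system", "status"),
    ("get", "system", "interface"),
    ("get", "router", "info", "routing-table"),
    ("show", "firewall", "policy"),
    ("diagnose", "vpn", "tunnel", "list"),
)

# Assumed conservative character set: no newlines, pipes, semicolons or quotes,
# so one validated string can never become two CLI lines on the SSH session.
SAFE_CHARS = re.compile(r"[A-Za-z0-9 ._:/-]+")


def validate_readonly_command(command: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one FortiOS CLI line."""
    if not command.strip():
        return False, "empty command"
    # fullmatch, not match with '$', so a trailing newline is rejected too.
    if not SAFE_CHARS.fullmatch(command):
        return False, "illegal character"
    tokens = tuple(command.lower().split())
    blocked = BLOCKED_TOKENS.intersection(tokens)
    if blocked:
        return False, f"blocked token: {sorted(blocked)[0]}"
    # Compare whole tokens so 'get systemx' cannot ride on 'get system'.
    for prefix in ALLOWED_PREFIXES:
        if tokens[:len(prefix)] == prefix:
            return True, "ok"
    return False, "not in allowlist"


if __name__ == "__main__":
    # Constructed sample inputs.
    for line in ("get system status", "diagnose debug enable",
                 "get system status\nconfig system admin"):
        print(repr(line), validate_readonly_command(line))
```

The deny list runs before the allowlist, so a blocked token is refused even when it follows an allowed prefix.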

Installation

C:\Users\Alberto\AppData\Local\Programs\Python\Python311\python.exe -m venv .venv
.\.venv\Scripts\python.exe -m pip install -r requirements.txt
Copy-Item fortigate.config.example.json fortigate.config.json

It can also be installed as a Python package once it is published:

python -m pip install fortigate-readonly-mcp

From TestPyPI:

python -m pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple/ fortigate-readonly-mcp

Edit fortigate.config.json:

{
  "fortigate": {
    "host": "192.168.1.1",
    "port": 22,
    "username": "admin",
    "password": "change-me",
    "timeout": 15,
    "banner_timeout": 15,
    "auth_timeout": 15,
    "look_for_keys": false,
    "allow_agent": false,
    "disabled_algorithms": {}
  }
}

fortigate.config.json is ignored by Git.

MCP tools

  • fortigate_list_allowed_commands
  • fortigate_get_system_status
  • fortigate_get_interfaces
  • fortigate_get_routes
  • fortigate_get_firewall_policies
  • fortigate_get_ipsec_vpns
  • fortigate_get_ssl_vpn_users
  • fortigate_get_ssl_vpn_lan_connections
  • fortigate_get_auth_attack_summary
  • fortigate_run_audit_readonly
  • fortigate_get_public_exposure
  • fortigate_find_policy_by_ip
  • fortigate_get_interface_health
  • fortigate_get_vpn_overview
  • fortigate_export_readonly_snapshot
  • fortigate_run_readonly_command

Configuration for Claude Desktop

Add this server to the Claude Desktop JSON, adjusting the path if it changes:

{
  "mcpServers": {
    "fortigate": {
      "command": "C:\\Users\\Alberto\\Documents\\CODEX\\MCP-Fortigate\\.venv\\Scripts\\python.exe",
      "args": [
        "C:\\Users\\Alberto\\Documents\\CODEX\\MCP-Fortigate\\server.py"
      ],
      "env": {
        "FORTIGATE_MCP_CONFIG": "C:\\Users\\Alberto\\Documents\\CODEX\\MCP-Fortigate\\fortigate.config.json"
      }
    }
  }
}

If you install it from PyPI instead of running the repo's server.py, you can use the fortigate-mcp command:

{
  "mcpServers": {
    "fortigate": {
      "command": "fortigate-mcp",
      "env": {
        "FORTIGATE_MCP_CONFIG": "C:\\ruta\\segura\\fortigate.config.json"
      }
    }
  }
}

Configuration for Codex

Add this block to C:\Users\Alberto\.codex\config.toml:

[mcp_servers.fortigate]
command = 'C:\Users\Alberto\Documents\CODEX\MCP-Fortigate\.venv\Scripts\python.exe'
args = ['C:\Users\Alberto\Documents\CODEX\MCP-Fortigate\server.py']

[mcp_servers.fortigate.env]
FORTIGATE_MCP_CONFIG = 'C:\Users\Alberto\Documents\CODEX\MCP-Fortigate\fortigate.config.json'

Quick test

Validate syntax:

.\.venv\Scripts\python.exe -m py_compile server.py

Verify with MCP Inspector:

npx @modelcontextprotocol/inspector .\.venv\Scripts\python.exe server.py

Publishing

Do not store PyPI/TestPyPI tokens in the repository. Use environment variables or interactive twine.

Local build:

.\.venv\Scripts\python.exe -m pip install build twine
.\.venv\Scripts\python.exe -m build
.\.venv\Scripts\python.exe -m twine check dist/*

Upload to TestPyPI:

$env:TWINE_USERNAME='__token__'
$env:TWINE_PASSWORD='<token-testpypi>'
.\.venv\Scripts\python.exe -m twine upload --repository-url https://test.pypi.org/legacy/ dist/*

Upload to PyPI:

$env:TWINE_USERNAME='__token__'
$env:TWINE_PASSWORD='<token-pypi>'
.\.venv\Scripts\python.exe -m twine upload dist/*

Download files

Source Distribution

fortigate_readonly_mcp-0.1.0.tar.gz (20.0 kB)

Uploaded Source

Built Distribution

fortigate_readonly_mcp-0.1.0-py3-none-any.whl (20.5 kB)

Uploaded Python 3

File details

Details for the file fortigate_readonly_mcp-0.1.0.tar.gz.

File metadata

  • Download URL: fortigate_readonly_mcp-0.1.0.tar.gz
  • Upload date:
  • Size: 20.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.7

File hashes

Hashes for fortigate_readonly_mcp-0.1.0.tar.gz
Algorithm Hash digest
SHA256 4cae469199ae22e3f12a74c4cf4c6cd9c40da82988b9f60ca5a93d70133e747e
MD5 6ce9ece08a44611c663ff0d92f0d07f7
BLAKE2b-256 90c1e32d5ea4a16013e6abfc71047ebdb439c2cb6e40658a30e809069ef8fff6

File details

Details for the file fortigate_readonly_mcp-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for fortigate_readonly_mcp-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 cd7aba4271704c38e672711e18d259a50268f354a4e4ff3089c04c4abd9997c1
MD5 d6e4b328eccce3d4a706ba609cdfddc3
BLAKE2b-256 8a9695b52c935a988cb65468c3db386943dc73c9ea2552b59475daf5d0cf6da9
