Local read-only MCP server for Fortigate administration over SSH
Fortigate MCP
Local MCP server for querying a Fortigate over SSH in read-only mode.
Designed for FortiOS 7.4+ and for use from Codex and Claude Desktop over the stdio transport.
Security
This MCP does not run arbitrary commands. All tools are read-only, and the manual command fortigate_run_readonly_command validates its input against a strict allowlist.
It blocks tokens such as config, edit, set, unset, delete, purge, execute, reboot, shutdown, restore, factoryreset, format and debug.
Real security must also be enforced on the Fortigate itself by using a user with a read-only profile.
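A sketch of the kind of validation described above, as an added example and not the project's own code: the function name, the allowlisted prefixes, the length limit and the character policy are assumptions, and only the blocked tokens come from this README.

```python
import re

# Blocked tokens exactly as listed in the README above.
BLOCKED_TOKENS = {"config", "edit", "set", "unset", "delete", "purge", "execute",
                  "reboot", "shutdown", "restore", "factoryreset", "format", "debug"}

# Assumed allowlist of exact command prefixes (illustrative, not the project's list).
ALLOWED_PREFIXES = [
    ("get", "system", "status"),
    ("get", "system", "settings"),
    ("get", "system", "interface"),
    ("get", "router", "info", "routing-table"),
    ("get", "vpn", "ipsec", "tunnel", "summary"),
    ("show", "firewall", "policy"),
]

# Assumed policy: arguments may only use characters found in names, IPs and IDs.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9._:/-]+")


def validate_readonly_command(command: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one candidate CLI line (hypothetical helper)."""
    if len(command) > 200:
        return False, "too long"
    # A line break would let a second command ride along on the SSH channel.
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in command):
        return False, "control character"
    tokens = command.lower().split()
    if not tokens:
        return False, "empty"
    for tok in tokens:
        if not SAFE_TOKEN.fullmatch(tok):
            return False, f"unsafe token: {tok}"
        # Whole-token comparison: 'settings' must not trip on 'set'.
        if tok in BLOCKED_TOKENS:
            return False, f"blocked token: {tok}"
    # Exact-token prefix match: abbreviated or unlisted commands fail closed.
    if not any(tuple(tokens[:len(p)]) == p for p in ALLOWED_PREFIXES):
        return False, "not in allowlist"
    return True, "ok"
```

The denylist is defence in depth here; the exact-prefix allowlist is what decides whether a line reaches the device.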
Installation
C:\Users\Alberto\AppData\Local\Programs\Python\Python311\python.exe -m venv .venv
.\.venv\Scripts\python.exe -m pip install -r requirements.txt
Copy-Item fortigate.config.example.json fortigate.config.json
It can also be installed as a Python package once it is published:
python -m pip install fortigate-readonly-mcp
From TestPyPI:
python -m pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple/ fortigate-readonly-mcp
Edit fortigate.config.json:
{
  "fortigate": {
    "host": "192.168.1.1",
    "port": 22,
    "username": "admin",
    "password": "change-me",
    "timeout": 15,
    "banner_timeout": 15,
    "auth_timeout": 15,
    "look_for_keys": false,
    "allow_agent": false,
    "disabled_algorithms": {}
  }
}
fortigate.config.json is ignored by Git.
MCP tools
- fortigate_list_allowed_commands
- fortigate_get_system_status
- fortigate_get_interfaces
- fortigate_get_routes
- fortigate_get_firewall_policies
- fortigate_get_ipsec_vpns
- fortigate_get_ssl_vpn_users
- fortigate_get_ssl_vpn_lan_connections
- fortigate_get_auth_attack_summary
- fortigate_run_audit_readonly
- fortigate_get_public_exposure
- fortigate_find_policy_by_ip
- fortigate_get_interface_health
- fortigate_get_vpn_overview
- fortigate_export_readonly_snapshot
- fortigate_run_readonly_command
Configuration for Claude Desktop
Add this server to the Claude Desktop JSON, adjusting the path if it changes:
{
  "mcpServers": {
    "fortigate": {
      "command": "C:\\Users\\Alberto\\Documents\\CODEX\\MCP-Fortigate\\.venv\\Scripts\\python.exe",
      "args": [
        "C:\\Users\\Alberto\\Documents\\CODEX\\MCP-Fortigate\\server.py"
      ],
      "env": {
        "FORTIGATE_MCP_CONFIG": "C:\\Users\\Alberto\\Documents\\CODEX\\MCP-Fortigate\\fortigate.config.json"
      }
    }
  }
}
If you install it from PyPI instead of running the repo's server.py, you can use the fortigate-mcp command:
{
  "mcpServers": {
    "fortigate": {
      "command": "fortigate-mcp",
      "env": {
        "FORTIGATE_MCP_CONFIG": "C:\\ruta\\segura\\fortigate.config.json"
      }
    }
  }
}
Configuration for Codex
Add this block to C:\Users\Alberto\.codex\config.toml:
[mcp_servers.fortigate]
command = 'C:\Users\Alberto\Documents\CODEX\MCP-Fortigate\.venv\Scripts\python.exe'
args = ['C:\Users\Alberto\Documents\CODEX\MCP-Fortigate\server.py']
[mcp_servers.fortigate.env]
FORTIGATE_MCP_CONFIG = 'C:\Users\Alberto\Documents\CODEX\MCP-Fortigate\fortigate.config.json'
Quick test
Validate syntax:
.\.venv\Scripts\python.exe -m py_compile server.py
Verify with MCP Inspector:
npx @modelcontextprotocol/inspector .\.venv\Scripts\python.exe server.py
Publishing
Do not store PyPI/TestPyPI tokens in the repository. Use environment variables or interactive twine.
Local build:
.\.venv\Scripts\python.exe -m pip install build twine
.\.venv\Scripts\python.exe -m build
.\.venv\Scripts\python.exe -m twine check dist/*
Upload to TestPyPI:
$env:TWINE_USERNAME='__token__'
$env:TWINE_PASSWORD='<token-testpypi>'
.\.venv\Scripts\python.exe -m twine upload --repository-url https://test.pypi.org/legacy/ dist/*
Upload to PyPI:
$env:TWINE_USERNAME='__token__'
$env:TWINE_PASSWORD='<token-pypi>'
.\.venv\Scripts\python.exe -m twine upload dist/*
File details
Details for the file fortigate_readonly_mcp-0.1.0.tar.gz.
File metadata
- Download URL: fortigate_readonly_mcp-0.1.0.tar.gz
- Upload date:
- Size: 20.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 4cae469199ae22e3f12a74c4cf4c6cd9c40da82988b9f60ca5a93d70133e747e |
| MD5 | 6ce9ece08a44611c663ff0d92f0d07f7 |
| BLAKE2b-256 | 90c1e32d5ea4a16013e6abfc71047ebdb439c2cb6e40658a30e809069ef8fff6 |
File details
Details for the file fortigate_readonly_mcp-0.1.0-py3-none-any.whl.
File metadata
- Download URL: fortigate_readonly_mcp-0.1.0-py3-none-any.whl
- Upload date:
- Size: 20.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | cd7aba4271704c38e672711e18d259a50268f354a4e4ff3089c04c4abd9997c1 |
| MD5 | d6e4b328eccce3d4a706ba609cdfddc3 |
| BLAKE2b-256 | 8a9695b52c935a988cb65468c3db386943dc73c9ea2552b59475daf5d0cf6da9 |