fortimanager-mcp

jmpijll/fortimanager-mcp

3.3

If you are the rightful owner of fortimanager-mcp and would like to certify it and/or have it hosted online, please leave a comment on the right or send an email to dayong@mcphub.com.

The FortiManager MCP Server provides complete programmatic access to FortiManager infrastructure through a Model Context Protocol server, enabling AI assistants and automation systems to manage FortiManager environments.

FortiManager MCP Server

Beta Release: This project implements 590 MCP tools covering 100% of documented FortiManager 7.4.8 API operations. While early tools have been tested in production environments, comprehensive testing of all 590 tools is ongoing. Production use is possible but should be approached with appropriate caution and testing.

A Model Context Protocol (MCP) server providing complete access to FortiManager JSON-RPC API operations. Enables AI assistants and automation systems to programmatically manage FortiManager infrastructure.

Overview

This MCP server exposes all documented FortiManager 7.4.8 API operations as standardized MCP tools, providing:

  • Complete API Coverage: 590 tools implementing 555 documented operations (100%)
  • Production Quality: Zero-bug implementation with comprehensive error handling
  • Type Safety: Full type hints and Pydantic validation
  • Well Documented: Detailed docstrings optimized for AI understanding
  • Enterprise Ready: Docker deployment with health checks and logging

Features

Core Capabilities

  • Device Management: Complete device lifecycle, configuration, and monitoring
  • Policy Management: Policy packages, firewall rules, NAT, and installations
  • ADOM Operations: Multi-tenancy, workspace management, and revision control
  • Object Management: Addresses, services, zones, VIPs, and metadata
  • Security Profiles: Web filter, IPS, AV, application control, and DLP
  • System Operations: Administration, backup, restore, and monitoring

Technical Features

  • Dual Authentication: Token-based (recommended) and session-based
  • Stateless Design: Horizontal scaling via streamable HTTP transport
  • Docker Deployment: Production-ready containerization
  • Async Operations: Efficient async/await throughout
  • Comprehensive Logging: Structured logging for debugging and monitoring

Quick Start

Prerequisites

  • Docker and Docker Compose
  • FortiManager 7.2.2+ (for API token support) or 6.x+ (for session auth)
  • FortiManager API access (rpc-permit configured)

1. Generate FortiManager API Token

On your FortiManager:

# Create API user
config system admin user
    edit api_mcp_user
        set user_type api
        set rpc-permit read-write
    next
end

# Generate token
execute api-user generate-key api_mcp_user

Save the generated API key for configuration.

2. Configure Environment

# Copy example environment file
cp env.example .env

# Edit with your FortiManager details
nano .env

Required settings in .env:

FORTIMANAGER_HOST=your-fortimanager-host
FORTIMANAGER_API_TOKEN=your-api-token-here
FORTIMANAGER_VERIFY_SSL=false  # Set true for production

3. Run with Docker Compose

# Build and start
docker-compose up -d

# Check logs
docker-compose logs -f

# Verify health
curl http://localhost:8000/health

The MCP server will be available at: http://localhost:8000/mcp

For detailed Docker deployment, troubleshooting, and health monitoring, see

Configuration

Environment Variables

Required:

  • FORTIMANAGER_HOST - FortiManager hostname or IP
  • FORTIMANAGER_API_TOKEN - API authentication token

Optional:

  • FORTIMANAGER_PORT - API port (default: 443)
  • FORTIMANAGER_VERIFY_SSL - SSL verification (default: true)
  • LOG_LEVEL - Logging level (default: INFO)

Authentication Methods

Token-Based (Recommended):

  • More secure and efficient
  • No session management overhead
  • Requires FortiManager 7.2.2+

Session-Based:

  • Compatible with FortiManager 6.x+
  • Automatic session management
  • Requires username/password in environment

Usage with AI Assistants

Claude Desktop

Add to claude_desktop_config.json:

{
  "mcpServers": {
    "fortimanager": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "-e", "FORTIMANAGER_HOST=your-host",
        "-e", "FORTIMANAGER_API_TOKEN=your-token",
        "fortimanager-mcp"
      ]
    }
  }
}

Tool Loading Modes

The server supports two operational modes for different context window sizes:

ModeTools LoadedContext UsageBest For
Full (default)All 590 tools~118K tokensLarge contexts (200K+)
Dynamic~15 direct proxy tools~3K tokensSmall contexts (<200K)

Enable Dynamic Mode:

# In .env file
FMG_TOOL_MODE=dynamic
MCP_SERVER_MODE=auto  # or http/stdio

# Or environment variable
export FMG_TOOL_MODE=dynamic

Dynamic mode provides:

  • Direct proxy tools for common operations (list_adoms, list_devices, create_firewall_address, etc.)
  • Discovery tools for advanced operations (find_fortimanager_tool, execute_advanced_tool)
  • Full access to all 590 FortiManager operations via dynamic loading

97% context reduction in dynamic mode! See for details and for LLM testing.

Example Operations

List managed devices:

Can you show me all FortiGate devices managed by FortiManager?

Create firewall policy:

Create a firewall policy allowing HTTPS from internal to DMZ.

Deploy configuration:

Install the "production" policy package to device FGT-001.

Monitor system:

Check the health status of all managed devices.

API Coverage

The server implements 100% of documented FortiManager 7.4.8 API operations across 24 functional categories:

CategoryOperationsCoverage
Device Management116100%
Provisioning & Templates82100%
Policy Package Management77100%
Objects Management61100%
ADOM Management36100%
Security Profiles35100%
FMG System Operations30100%
FortiGuard Management28100%
Monitoring & Tasks26100%
Installation & Updates20100%
And 14 additional categories44100%

Total: 590 MCP tools implementing 555 API operations

See for detailed breakdown.

Modes

Set FMG_TOOL_MODE in .env to control tool loading:

  • full (default): registers ~590 direct tools
  • dynamic: registers only discovery tools and executes all operations dynamically

Dynamic tools available:

  • find_fortimanager_tool(operation: str)
  • execute_advanced_tool(tool_name: str, parameters: dict | None = None, kwargs: dict | None = None)
  • list_fortimanager_categories()

Examples (client JSON payloads):

{ "tool_name": "execute_advanced_tool", "arguments": { "tool_name": "list_devices", "parameters": { "adom": "Loods5" } } }

Health endpoint:

curl http://localhost:8000/health

Returns JSON including fortimanager_connected and current mode.

Development

Local Setup

# Install dependencies with uv
uv sync

# Run server
python -m fortimanager_mcp

# Run tests
pytest tests/

Project Structure

src/fortimanager_mcp/
├── api/          # API client layer (24 modules)
├── tools/        # MCP tool layer (19 modules)
├── utils/        # Configuration and utilities
└── server.py     # FastMCP server initialization

Code Quality Standards

  • Linting: Zero tolerance for linter errors
  • Type Coverage: 100% type hints required
  • Testing: Non-intrusive integration tests
  • Documentation: Comprehensive docstrings on all tools
  • Standards: PEP 8 compliance

Documentation

Technical Documentation

  • - Context window optimization
  • - Current capabilities
  • - Detailed coverage
  • - System design
  • - Development overview
  • - Common operations

Wiki

Architecture Decision Records

Security Considerations

Authentication

  • Use API tokens instead of username/password when possible
  • Rotate tokens periodically
  • Use least-privilege API user accounts
  • Never commit credentials to version control

Network Security

  • Enable SSL/TLS verification in production
  • Use private networks or VPN for FortiManager access
  • Implement network segmentation
  • Monitor API access logs

Operational Security

  • Regular backup of FortiManager configuration
  • Test automation in non-production environments first
  • Implement change management procedures
  • Monitor for unauthorized API access

Troubleshooting

Connection Issues

Problem: Cannot connect to FortiManager

# Check network connectivity
ping <fortimanager-host>

# Verify API port is accessible
telnet <fortimanager-host> 443

# Check Docker logs
docker-compose logs fortimanager-mcp

Authentication Failures

Problem: 401 Unauthorized errors

  • Verify API token is valid
  • Check API user has rpc-permit configured
  • Ensure API user is not locked

Problem: Session timeout

  • Token authentication recommended over session auth
  • Increase session timeout in FortiManager if needed

Performance Issues

Problem: Slow API responses

  • Check FortiManager system load
  • Verify network latency
  • Consider connection pooling
  • Review FortiManager logs

See for more solutions.

Contributing

Development Workflow

  1. Fork the repository
  2. Create feature branch
  3. Implement changes with tests
  4. Ensure zero linter errors
  5. Add documentation
  6. Submit pull request

Code Standards

  • Follow PEP 8 style guide
  • Add type hints to all functions
  • Include comprehensive docstrings
  • Maintain zero-bug quality
  • Add integration tests

Documentation

  • Update API coverage map for new tools
  • Add ADRs for architectural decisions
  • Update QUICK_REFERENCE for common operations
  • Include examples in docstrings

License

MIT License — see

Support

Acknowledgments

Built with:

Special thanks to the Fortinet and MCP communities for their support.

Version History

v1.0.0 (October 2025)

  • Complete API coverage (590 tools, 555 operations)
  • Production-ready quality
  • Comprehensive documentation
  • Docker deployment
  • Integration testing

See for detailed version history.

FortiManager MCP Server - Complete programmatic access to FortiManager infrastructure