Barracuda_CGF_MCP by LanceHardwoodXXX - MCP Server

Barracuda CloudGen Firewall MCP Server

A Model Context Protocol (MCP) server for managing Barracuda CloudGen Firewalls. This server provides tools to perform administrative tasks on Barracuda CloudGen Firewalls through their REST API.

⚠️ Important Security Notice

This tool is intended exclusively for educational purposes and managing your own firewall environments. Never use it for:

Unauthorized access to foreign systems
Penetration testing without explicit permission
Any illegal activities

🚀 Features

Available Tools

System Health (get_system_health)
- Retrieve general system status
- CPU, memory, and disk usage information
- No parameters required
List Firewall Rules (list_firewall_rules)
- List all configured firewall rules
- No parameters required
Get Firewall Rule Details (get_firewall_rule_details)
- Detailed configuration of a specific rule
- Parameters: rule_name (string) - Name of the firewall rule
List VPN Tunnels (list_vpn_tunnels)
- Status of all Site-to-Site VPN tunnels
- No parameters required
Create Firewall Rule (create_firewall_rule)
- Create a new firewall rule
- Parameters:
  - rule_name (string) - Name of the new rule
  - source (string) - Source IP or network (e.g., '192.168.1.0/24' or 'any')
  - destination (string) - Destination IP or network (e.g., '10.0.0.0/8' or 'any')
  - service (string) - Service/Port (e.g., 'HTTP', 'HTTPS', '80', 'any')
  - action (string) - Action ('allow' or 'deny')
Delete Firewall Rule (delete_firewall_rule)
- Delete an existing firewall rule
- Parameters: rule_name (string) - Name of the rule to delete

📦 Installation and Setup

Prerequisites

Docker and Docker Compose
Access to a Barracuda CloudGen Firewall with enabled REST API
Valid credentials for the firewall

Docker Secrets Setup

Create Docker Secrets for secure configuration:

# Firewall host (IP or FQDN)
echo "https://your-firewall-host" | docker secret create barracuda_host -

# Username
echo "your-username" | docker secret create barracuda_username -

# Password
echo "your-password" | docker secret create barracuda_password -

Docker Compose Configuration

Create a docker-compose.yml:

version: '3.8'

services:
  barracuda-cgf-mcp:
    build: .
    container_name: barracuda-cgf-mcp-server
    environment:
      - BARRACUDA_HOST_FILE=/run/secrets/barracuda_host
      - BARRACUDA_USERNAME_FILE=/run/secrets/barracuda_username  
      - BARRACUDA_PASSWORD_FILE=/run/secrets/barracuda_password
    secrets:
      - barracuda_host
      - barracuda_username
      - barracuda_password
    stdin_open: true
    tty: true
    restart: unless-stopped

secrets:
  barracuda_host:
    external: true
  barracuda_username:
    external: true
  barracuda_password:
    external: true

Build and Start

# Build the image
docker-compose build

# Start the container
docker-compose up -d

# View logs
docker-compose logs -f barracuda-cgf-mcp

🔧 Usage

Direct Docker Run (Alternative)

docker run -d \
  --name barracuda-cgf-mcp \
  -e BARRACUDA_HOST="https://your-firewall-host" \
  -e BARRACUDA_USERNAME="your-username" \
  -e BARRACUDA_PASSWORD="your-password" \
  barracuda-cgf-mcp:latest

MCP Client Integration

The server communicates via STDIO and can be used with any MCP-compatible client:

# Run directly
python barracuda_cgf_admin_server.py

# Or via MCP CLI
mcp run barracuda_cgf_admin_server

📊 Example Responses

System Health

{
  "cpu_usage": "15%",
  "memory_usage": "45%", 
  "disk_usage": "30%",
  "status": "healthy"
}

Firewall Rules List

[
  {
    "name": "Allow_HTTP",
    "source": "192.168.1.0/24",
    "destination": "any",
    "service": "HTTP",
    "action": "allow",
    "enabled": true
  }
]

🔐 Security Features

Non-Root Execution: Container runs as unprivileged user
Input Sanitization: All inputs are sanitized
Docker Secrets: Secure management of credentials
HTTPS Enforcement: Secure API communication
Token-based Auth: Automatic token management and renewal

🐛 Troubleshooting

Common Issues

Authentication Errors
```
Authentication failed: 401 - Unauthorized
```
- Check username and password
- Ensure API access is enabled
Connection Errors
```
Connection error: Connection refused
```
- Check the firewall host URL
- Ensure the firewall is reachable
- Verify network and firewall settings
API Endpoint Not Found
```
Failed to retrieve data. API endpoints may not be available
```
- API structure may vary by firmware version
- Check API documentation for your firewall version

Debugging

# View detailed logs
docker-compose logs -f barracuda-cgf-mcp

# Open container shell for debugging
docker exec -it barracuda-cgf-mcp bash

# Test network connectivity
docker exec -it barracuda-cgf-mcp curl -k https://your-firewall-host/rest/v1/login

📚 API Documentation

Complete Barracuda CloudGen Firewall API documentation can be found at: https://campus.barracuda.com/product/cloudgenfirewall/api/10.0

🤝 Development

Local Development

# Clone repository
git clone <repository-url>
cd barracuda-cgf-mcp

# Create virtual environment
python -m venv venv
source venv/bin/activate  # Linux/Mac
# venv\Scripts\activate   # Windows

# Install dependencies
pip install -r requirements.txt

# Run server locally
python barracuda_cgf_admin_server.py

Testing

# Run unit tests (if available)
pytest tests/

# Manual testing with curl
curl -X POST http://localhost:8000/tools/get_system_health

📝 License

This project is licensed under the MIT License - see LICENSE file for details.

⚖️ Legal Notice

Use this tool only for your own systems or with explicit permission
The author assumes no responsibility for misuse
Comply with local laws and regulations
This tool is intended for educational and administrative purposes only

🆘 Support

For issues or questions:

First check the logs
Consult the Barracuda API documentation
Create an issue in the repository (if available)

Disclaimer: This tool is exclusively intended for legitimate administrative purposes and education. Any misuse is the responsibility of the user.