firewalla-msp-mcp-server by unknown-sh - MCP Server

Firewalla MSP MCP Server

A Model Context Protocol (MCP) server that provides access to the Firewalla Managed Service Provider (MSP) API. This server enables AI assistants and other MCP clients to interact with Firewalla MSP resources including boxes, devices, alarms, rules, flows, and target lists.

Features

Complete API Coverage: Full CRUD operations for all Firewalla MSP API endpoints
Advanced Search: Global search across devices, alarms, rules, flows, and boxes
Analytics & Insights: Network statistics, historical trends, and performance metrics
Security Management: Create, modify, and monitor security rules and alarms
Network Monitoring: Real-time flow analysis and device tracking
Target Lists: Manage IP/domain allow/block lists
Secure Authentication: API token-based authentication
Smart Pagination: Cursor-based pagination for large datasets
Comprehensive Testing: Extensive test suite with safe read-only validation
Type Safety: Full TypeScript support with complete type definitions
Error Handling: Robust error handling and recovery mechanisms

Installation

npm install -g @unknown-sh/firewalla-msp-mcp-server

Or install locally in your project:

npm install @unknown-sh/firewalla-msp-mcp-server

Configuration

Environment Variables

The server requires two environment variables to be set:

FIREWALLA_MSP_API_KEY: Your Firewalla MSP personal access token
FIREWALLA_MSP_DOMAIN: Your MSP domain (e.g., your-company.firewalla.net)

Getting Your API Credentials

Log in to your Firewalla MSP portal
Navigate to Account Settings
Create a new personal access token
Note your MSP domain from the URL

MCP Client Configuration

1. Claude Desktop

Add to your Claude Desktop configuration file:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "firewalla-msp": {
      "command": "npx",
      "args": ["@unknown-sh/firewalla-msp-mcp-server"],
      "env": {
        "FIREWALLA_MSP_API_KEY": "your-api-key-here",
        "FIREWALLA_MSP_DOMAIN": "your-domain.firewalla.net"
      }
    }
  }
}

2. Claude Code

Add the MCP server using the Claude Code CLI:

claude mcp add firewalla-msp -e FIREWALLA_MSP_API_KEY=your-api-key-here -e FIREWALLA_MSP_DOMAIN=your-domain.firewalla.net -- npx @unknown-sh/firewalla-msp-mcp-server

Or if you have the server installed globally:

claude mcp add firewalla-msp -e FIREWALLA_MSP_API_KEY=your-api-key-here -e FIREWALLA_MSP_DOMAIN=your-domain.firewalla.net -- firewalla-msp-mcp-server

3. Gemini-CLI

Add to ~/.config/gemini-cli/config.json:

{
  "mcpServers": {
    "firewalla-msp": {
      "command": "npx",
      "args": ["@unknown-sh/firewalla-msp-mcp-server"],
      "env": {
        "FIREWALLA_MSP_API_KEY": "your-api-key-here",
        "FIREWALLA_MSP_DOMAIN": "your-domain.firewalla.net"
      }
    }
  }
}

4. Cursor

Add to your Cursor settings file:

macOS: ~/Library/Application Support/Cursor/User/globalStorage/cursor-ai.cursor-chat/config/mcp.json
Windows: %APPDATA%\Cursor\User\globalStorage\cursor-ai.cursor-chat\config\mcp.json

{
  "mcpServers": {
    "firewalla-msp": {
      "command": "npx",
      "args": ["@unknown-sh/firewalla-msp-mcp-server"],
      "env": {
        "FIREWALLA_MSP_API_KEY": "your-api-key-here",
        "FIREWALLA_MSP_DOMAIN": "your-domain.firewalla.net"
      }
    }
  }
}

5. Windsurf (Codeium)

Add to Windsurf's MCP configuration:

macOS: ~/Library/Application Support/Windsurf/mcp.json
Windows: %APPDATA%\Windsurf\mcp.json

{
  "mcpServers": {
    "firewalla-msp": {
      "command": "npx",
      "args": ["@unknown-sh/firewalla-msp-mcp-server"],
      "env": {
        "FIREWALLA_MSP_API_KEY": "your-api-key-here",
        "FIREWALLA_MSP_DOMAIN": "your-domain.firewalla.net"
      }
    }
  }
}

6. VS Code (via Continue or other MCP extensions)

For Continue extension, add to ~/.continue/config.json:

{
  "models": [
    // Your existing models
  ],
  "mcpServers": {
    "firewalla-msp": {
      "command": "npx",
      "args": ["@unknown-sh/firewalla-msp-mcp-server"],
      "env": {
        "FIREWALLA_MSP_API_KEY": "your-api-key-here",
        "FIREWALLA_MSP_DOMAIN": "your-domain.firewalla.net"
      }
    }
  }
}

Local Installation Alternative

If you prefer to install the server locally instead of using npx:

npm install -g @unknown-sh/firewalla-msp-mcp-server

Then use this configuration (same for all clients):

{
  "mcpServers": {
    "firewalla-msp": {
      "command": "firewalla-msp-mcp-server",
      "args": [],
      "env": {
        "FIREWALLA_MSP_API_KEY": "your-api-key-here",
        "FIREWALLA_MSP_DOMAIN": "your-domain.firewalla.net"
      }
    }
  }
}

Development Installation

For development or local testing, use absolute paths:

{
  "mcpServers": {
    "firewalla-msp": {
      "command": "node",
      "args": ["/absolute/path/to/firewalla-msp-mcp-server/dist/index.js"],
      "env": {
        "FIREWALLA_MSP_API_KEY": "your-api-key-here",
        "FIREWALLA_MSP_DOMAIN": "your-domain.firewalla.net"
      }
    }
  }
}

Note: After adding the configuration, restart the respective application for changes to take effect.

Available Tools

The server provides 26 tools across 8 API categories for comprehensive Firewalla MSP management:

Boxes API

list_boxes - Get all Firewalla boxes in the MSP
- Optional: group - Filter by group ID

Devices API

list_devices - Get all devices across boxes
- Optional: box - Filter by specific box ID
- Optional: group - Filter by specific box group ID

Alarms API

list_alarms - Get alarms with optional filtering
- Optional: query - Search query (e.g., 'status:active box:boxId type:9')
- Optional: groupBy - Group results (comma-separated)
- Optional: sortBy - Sort results (e.g., 'ts:desc,total:asc')
- Optional: limit - Max results per page (≤500, default 200)
- Optional: cursor - Pagination cursor
get_alarm - Get a specific alarm
- Required: gid - Box GID
- Required: aid - Alarm ID
delete_alarm - Delete a specific alarm
- Required: gid - Box GID
- Required: aid - Alarm ID

Rules API

list_rules - Get all rules (requires MSP 2.7.0+)
- Optional: query - Search query (e.g., 'status:active box.id:boxId')
create_rule - Create a new security rule
- Required: action - Rule action: allow, block, time_limit
- Required: direction - Traffic direction: inbound, outbound, bidirection
- Required: protocol - Protocol type: tcp, udp, icmp, any
- Required: target - Rule target specification:
  - type - Target type: ip, domain, category, device, network
  - value - Target value (IP, domain, etc.)
- Optional: name - Rule name (auto-generated if not provided)
- Optional: scope - Rule scope specification
- Optional: schedule - Rule schedule (for time_limit rules)
update_rule - Update an existing rule
- Required: id - Rule ID
- Optional: All fields from create_rule
- Optional: status - Rule status: active, paused
delete_rule - Delete a security rule
- Required: id - Rule ID
pause_rule - Pause a specific rule
- Required: id - Rule ID
resume_rule - Resume a paused rule
- Required: id - Rule ID

Flows API

list_flows - Get network flows with filtering
- Optional: query - Search query (e.g., 'ts:1234567890-1234567899 box.id:boxId')
- Optional: groupBy - Group results
- Optional: sortBy - Sort results (default: 'ts:desc')
- Optional: limit - Max results per page (≤500, default 200)
- Optional: cursor - Pagination cursor

Target Lists API

list_target_lists - Get all target lists
get_target_list - Get a specific target list
- Required: id - Target list ID
create_target_list - Create a new target list
- Required: name - Name of the target list
- Required: targets - Array of IP addresses or domains
- Optional: owner - Owner of the target list
- Optional: category - Category of the target list
- Optional: notes - Notes about the target list
update_target_list - Update an existing target list
- Required: id - Target list ID
- Optional: name - Name of the target list
- Optional: targets - Array of IP addresses or domains
- Optional: owner - Owner of the target list
- Optional: category - Category of the target list
- Optional: notes - Notes about the target list
delete_target_list - Delete a target list
- Required: id - Target list ID

Statistics API

get_simple_statistics - Get overview statistics (boxes, alarms, rules counts)
- Optional: group - Filter by specific box group ID
get_statistics - Get detailed statistics by type
- Required: type - Statistics type:
  - topBoxesByBlockedFlows - Top boxes by blocked flows
  - topBoxesBySecurityAlarms - Top boxes by security alarms
  - topRegionsByBlockedFlows - Top regions by blocked flows
- Optional: group - Filter by specific box group ID
- Optional: limit - Maximum results (1-50, default: 5)

Trends API

get_trends - Get historical trend data over time
- Required: type - Trend data type:
  - flows - Daily blocked flows trends
  - alarms - Daily security alarms trends
  - rules - Daily rule creation trends
- Optional: group - Filter by specific box group ID

Search API

Based on comprehensive API testing, search is supported on 4 out of 8 data model types using Firewalla's advanced query syntax.

Supported Search Types

Devices - Full text search and device-specific qualifiers
Alarms - Advanced filtering with alarm-specific qualifiers
Flows - Comprehensive search with flow-specific qualifiers
Boxes - Basic query support

Search Tools

search_global - Search across all searchable entity types
- Required: query - Search query using Firewalla syntax
- Optional: types - Array of entity types: ["devices", "alarms", "flows", "boxes"]
- Optional: limit - Max results per type (1-500, default: 10)
- Optional: cursor - Pagination cursor for continuing results
search_devices - Search devices with device-specific qualifiers
- Required: query - Search query with qualifiers: device.name, device.id, box.id, box.name, box.group.id
- Optional: limit - Maximum results (1-500, default: 50)
- Optional: cursor - Pagination cursor
search_alarms - Search alarms with alarm-specific qualifiers
- Required: query - Search query with qualifiers: ts, type, status, box.id, box.name, box.group.id, device.id, device.name, remote.category, remote.domain, remote.region, transfer.download, transfer.upload, transfer.total
- Optional: limit - Maximum results (1-500, default: 50)
- Optional: cursor - Pagination cursor
search_flows - Search flows with flow-specific qualifiers
- Required: query - Search query with qualifiers: ts, status, direction, box.id, box.name, box.group.id, device.id, device.name, category, domain, region, sport, dport, download, upload, total
- Optional: limit - Maximum results (1-500, default: 50)
- Optional: cursor - Pagination cursor

Query Syntax

Firewalla search supports advanced query syntax:

Basic Text Search:

"iPhone"
"MacBook Pro"
apple

Qualified Search:

status:active
device.name:iPhone
box.name:"Gold Plus"

Wildcard Search:

device.name:*iphone*
domain:*.google.com

Numeric Comparisons:

ts:>1720000000
download:>1MB
total:>=500KB
transfer.total:<100MB

Range Search:

ts:1720000000-1720086400
download:100KB-1MB

Combined Queries:

status:active type:1
direction:outbound domain:*google*
device.name:*iphone* ts:>1720000000

Exclusion Search:

-status:resolved
-type:1

Supported Units

B (Byte)
KB (1000 B)
MB (1000 KB)
GB (1000 MB)
TB (1000 GB)

Timestamp Format

Use Unix timestamps (seconds since epoch):

ts:>1720000000          # After specific time
ts:1720000000-1720086400 # Time range

Non-Searchable Types

These endpoints do not support search queries:

Target Lists (list_target_lists)
Statistics (get_statistics, get_simple_statistics)
Trends (get_trends)

Query Syntax

Many endpoints support advanced querying using specific qualifiers:

Alarm Query Qualifiers

ts - Timestamp
type - Alarm type
status - Alarm status (active/archived)
box.id - Box ID
box.name - Box name
device.id - Device ID
device.name - Device name
remote.category - Remote category
remote.domain - Remote domain
transfer.download - Download amount
transfer.upload - Upload amount
transfer.total - Total transfer

Flow Query Qualifiers

ts - Timestamp
status - Flow status
direction - Traffic direction
box.id - Box ID
box.name - Box name
device.id - Device ID
device.name - Device name
category - Flow category
domain - Domain
region - Geographic region
sport - Source port
dport - Destination port
download - Download amount
upload - Upload amount
total - Total traffic

Rule Query Qualifiers

status - Rule status
action - Rule action
box.id - Box ID
box.group.id - Box group ID
device.id - Device ID

Examples

Using with Claude Desktop

Once configured, you can ask Claude to interact with your Firewalla MSP:

"List all active alarms from the last 24 hours"
"Show me all devices that are currently offline"
"Create a new target list with suspicious IP addresses"
"Pause all rules on box xyz123"

Programmatic Usage

import { Client } from "@modelcontextprotocol/sdk/client/index.js";
import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";

const transport = new StdioClientTransport({
  command: "npx",
  args: ["@unknown-sh/firewalla-msp-mcp-server"],
  env: {
    FIREWALLA_MSP_API_KEY: "your-api-key",
    FIREWALLA_MSP_DOMAIN: "your-domain.firewalla.net"
  }
});

const client = new Client({
  name: "firewalla-client",
  version: "1.0.0"
}, {
  capabilities: {}
});

await client.connect(transport);

// List all boxes
const result = await client.callTool({
  name: "list_boxes",
  arguments: {}
});

console.log(result);

Testing

The server includes comprehensive test scripts to validate all API functionality:

Available Test Scripts

All test scripts are located in the tests/ directory and can be run individually:

cd tests

# Safe read-only test (recommended first test)
node test-readonly.js

# Search API functionality 
node test-search.js

# Statistics API tests
node test-statistics.js

# Trends API tests  
node test-trends.js

# Rules CRUD operations (modifies your Firewalla)
node test-rules-crud.js

# Basic server connectivity
node test-server.js

Test Descriptions

test-readonly.js - Safe read-only operations across all APIs (boxes, devices, alarms, rules, target lists)
test-search.js - Global search functionality across all entity types with filtering
test-statistics.js - Network statistics including top boxes, regions, and overview data
test-trends.js - Historical trend analysis for flows, alarms, and rules
test-rules-crud.js - Complete CRUD operations for security rules (use with caution)
test-server.js - Basic MCP server connectivity and tool listing

Test Runner

For convenience, run all safe tests at once:

cd tests
./run-all-tests.sh

This runs all read-only tests in sequence and provides a comprehensive validation of the MCP server functionality.

Safety Notes

⚠️ Important:

Start with test-readonly.js to verify your setup safely
test-rules-crud.js modifies your Firewalla configuration - use carefully
All other tests are read-only and safe to run
The test runner (run-all-tests.sh) excludes write operations for safety

Development

To run the server in development mode:

# Clone the repository
git clone https://github.com/your-username/firewalla-msp-mcp-server.git
cd firewalla-msp-mcp-server

# Install dependencies
npm install

# Set environment variables
export FIREWALLA_MSP_API_KEY="your-api-key"
export FIREWALLA_MSP_DOMAIN="your-domain.firewalla.net"

# Run in development mode
npm run dev

# Build the project
npm run build

# Run tests
npm test

Security Considerations

Never commit your API key to version control
Use environment variables or secure credential management
The API key provides full access to your MSP account - keep it secure
Consider using read-only tokens if you only need to query data

Error Handling

The server provides detailed error messages for common issues:

401 Unauthorized - Check your API key
404 Not Found - Resource doesn't exist
400 Bad Request - Invalid parameters or query syntax

License

GNU General Public License v3.0

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

See the file for the full license text.

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

When contributing:

Ensure all tests pass (cd tests && ./run-all-tests.sh)
Add tests for new functionality
Update documentation
Follow existing code style

Support

For issues related to:

This MCP server: Open an issue on GitHub
Firewalla MSP API: Contact
MCP protocol: See the MCP documentation

Disclaimer

This is an independent, open-source MCP server implementation for the Firewalla MSP API.

Important: This project is:

✅ Independent: Created and maintained by the open-source community
✅ Unofficial: Not affiliated with, endorsed by, or developed by Firewalla Inc.
✅ Open Source: Licensed under GNU GPL v3.0
✅ Community-Driven: Contributions and feedback welcome

Firewalla® is a trademark of Firewalla Inc. The use of this trademark in this project is purely for descriptive purposes to indicate compatibility and does not imply any official relationship or endorsement.

unknown-sh/firewalla-msp-mcp-server

list_boxes

list_devices

list_alarms

create_rule

list_flows