CiscoFMC -community

Cisco Secure Firewall FMC MCP Connector exposes high-level tooling to interact with Cisco FMC instances. It provides commands to discover FMC instances, search and resolve policies, and perform FMC-wide queries with indicator and policy filters. The main tools include: list_fmc_profiles to enumerate configured FMCs, find_rules_by_ip_or_fqdn to locate rules matching an IP or FQDN, find_rules_for_target to map an FTD device/HA/cluster to its assigned policies, and search_access_rules for broad FMC searches with various filters such as identity indicators. You can run the MCP server locally or via Docker, then connect to it with MCP clients or automation agents that understand the MCP protocol. The server supports both single-FMC and multi-FMC (profile) configurations, auto-loading profile env files and exposing them through list_fmc_profiles.

Prerequisites:\n- Python 3.9+ (or a supported Python environment)\n- Git (optional, for cloning)\n\n1) Create and activate a Python virtual environment:\n\nbash\npython -m venv .venv\nsource .venv/bin/activate\n\n\n2) Install dependencies:\n\nbash\npip install -r requirements.txt\n\n\n3) Run the MCP server locally (single-FMC or profile-enabled):\n\nbash\n# From repo root (default root.env or profiles/* ENV)**\npip install -r requirements.txt\npython -m sfw_mcp_fmc.server\n\n\nNotes: The READMe describes two run modes. For profile mode, place per-FMC environment files under profiles/ and set FMC_PROFILES_DIR and FMC_PROFILE_DEFAULT accordingly. Docker users can rely on docker-compose; ensure .env is available in the repo root or point env_file to a specific profile. The server exposes HTTP at http://0.0.0.0:8000/mcp by default for local/dev. When exposing publicly, front with HTTPS.\n\n4) Optional: run tests (if you clone the repo with tests):\n\nbash\npip install -r requirements.txt\npython -m pytest tests\n

Environment variables to be aware of:\n- FMC_BASE_URL, FMC_USERNAME, FMC_PASSWORD, FMC_VERIFY_SSL control FMC access.\n- FMC_PROFILES_DIR and FMC_PROFILE_DEFAULT enable multi-FMC/profile mode.\n- LOG_LEVEL, HTTPX_TRACE, and HTTPX_LOG_LEVEL can adjust logging verbosity.\nIn profile mode, put logging settings inside the default profile file. In docker mode, the root .env should still provide server-level settings like FMC_PROFILES_DIR and FMC_PROFILE_DEFAULT. Bear in mind that current MCP authentication may not require a token, so bearer auth is typically not enforced. If you want token-backed flows, you may wire it at the proxy level or contribute an implementation.\nCommon issues: SSL verification failures when FMC_BASE_URL uses self-signed certificates; set FMC_VERIFY_SSL=false in development and ensure proper CA configuration in production. Ensure FMC profiles are correctly discovered when FMC_PROFILES_DIR is set.