paloalto
MCP server from DynamicEndpoints/paloalto-mcp-server
claude mcp add --transport stdio dynamicendpoints-paloalto-mcp-server npx -y @DynamicEndpoints/paloalto-mcp-server
How to use
To get started, install the MCP server bundle using your preferred method (for example via Smithery or by pulling the npm package). Once running, each server exposes MCP tools you can call through the same MCP client interface:
- The Policy Server provides commands like get_security_rules, create_rule, and update_rule to manage firewall policies.
- The Objects Server enables creating and grouping address objects and dynamic address groups.
- The Config Server offers operations to update DNS, configure interfaces, and adjust system settings.
- The Device Server includes actions such as get_device_status, commit_changes, and backup_config to monitor and apply changes to Palo Alto devices.
- The Core Server handles authentication, API routing, and common utilities used by all other servers.
Use a single MCP client to target the specific server and tool you need, supplying the appropriate rule or object data payloads as shown in the examples in the README.
How to install
Prerequisites
- Node.js and npm installed on your machine
- Git installed
- Access to a terminal or shell
Installation options
Option A — Smithery (automatic installation)
- Install the MCP suite automatically via Smithery:
npx -y @smithery/cli install @DynamicEndpoints/paloalto-mcp-server --client claude
- When prompted, follow the Smithery flow to connect to your client environment.
Option B — Manual installation (npm package)
- Clone or install from npm:
# Install the MCP server package (as a local or global package depending on your setup)
npm install -g @DynamicEndpoints/paloalto-mcp-server
- Run the server (see mcp_config for the invocation provided by this repository):
# Example if the package provides a bin or script, or use npx as in this project
npx @DynamicEndpoints/paloalto-mcp-server
Environment configuration (required for all servers)
- PANOS_API_KEY: Your Palo Alto API key
- PANOS_API_BASE_URL: Base URL for the PAN-OS API (e.g., https://pan.example.com/api)
- Optional:
  - PANOS_VERIFY_SSL: true/false
  - PANOS_TIMEOUT: request timeout in milliseconds
  - PANOS_DEBUG: true/false
Configure per-server environment as needed (see README for example env blocks).
Additional notes
Tips and caveats:
- Ensure PAN-OS API access is enabled and your credentials have the necessary privileges.
- Use the Objects Server to group addresses before applying policy rules to simplify rule management.
- Dynamic address groups can help respond to changing environments (e.g., tags like production/staging).
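- If you run into SSL verification issues in development, you can disable SSL verification temporarily via PANOS_VERIFY_SSL=false, but keep it enabled in production: with verification off, the client cannot authenticate the firewall it is talking to, so the API key and configuration traffic can be intercepted.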
- The framework uses a consistent MCP tool invocation pattern (useMcpTool("<server>", "<tool>", { ...payload })) in the examples; adapt these snippets to your actual client implementation.
- When deploying changes, consider performing a dry run or a verification step that retrieves the resulting security rules before committing them to the device configuration.
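An added example (not code from the paloalto-mcp-server project): a preflight check, run before starting the server, that validates the PANOS_* variables from the environment configuration above and enforces the tip about keeping SSL verification enabled in production. The function name checkPanosEnv, its production flag, and the treatment of an unset PANOS_VERIFY_SSL as enabled are assumptions made for this illustration.

```javascript
// Added example: preflight check for the PANOS_* variables listed on this page.
// checkPanosEnv is a hypothetical helper, not part of the paloalto-mcp-server package.
function checkPanosEnv(env, { production = true } = {}) {
  const errors = [];
  const warnings = [];

  if (!env.PANOS_API_KEY || !env.PANOS_API_KEY.trim()) {
    errors.push("PANOS_API_KEY is not set");
  }

  let url = null;
  try {
    url = new URL(env.PANOS_API_BASE_URL);
  } catch {
    errors.push("PANOS_API_BASE_URL is missing or not a valid URL");
  }
  if (url && url.protocol !== "https:") {
    errors.push("PANOS_API_BASE_URL must use https so the API key is not sent in clear text");
  }
  if (url && (url.username || url.password)) {
    errors.push("PANOS_API_BASE_URL must not embed credentials");
  }

  // The page gives the values as true/false; anything else is rejected rather than guessed.
  // Assumption: an unset variable is treated here as verification enabled.
  const verify = (env.PANOS_VERIFY_SSL ?? "true").toLowerCase();
  if (verify !== "true" && verify !== "false") {
    errors.push("PANOS_VERIFY_SSL must be true or false");
  } else if (verify === "false") {
    // Tolerated as a warning in development, refused in production.
    (production ? errors : warnings).push("PANOS_VERIFY_SSL=false disables certificate checks");
  }

  if (env.PANOS_TIMEOUT !== undefined && !/^[1-9]\d*$/.test(env.PANOS_TIMEOUT)) {
    errors.push("PANOS_TIMEOUT must be a positive integer (milliseconds)");
  }

  return { ok: errors.length === 0, errors, warnings };
}

// Constructed sample environment (placeholder values, not real credentials).
const devEnv = {
  PANOS_API_KEY: "EXAMPLE-KEY",
  PANOS_API_BASE_URL: "https://pan.example.com/api",
  PANOS_VERIFY_SSL: "false",
  PANOS_TIMEOUT: "5000",
};
console.log(checkPanosEnv(devEnv, { production: false })); // passes with one warning
console.log(checkPanosEnv(devEnv, { production: true }));  // fails on PANOS_VERIFY_SSL
```

In a launcher script, call checkPanosEnv(process.env) and exit non-zero when ok is false, so the server never starts with a configuration that would expose the API key.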