# PAN-OS MCP

> PAN-OS MCP Server connects any AI agent directly to your firewall policies. It lets you audit rules, check active sessions, and validate changes across the entire network stack using natural language commands. You can run complex security checks, such as listing NAT rules or checking for pending commits, without touching a CLI.

## Overview
- **Category:** other
- **Price:** Free

## Description

The PAN-OS MCP Server hooks your AI agent right into the core operational data of the firewall. You no longer need to run cryptic `show` commands in a CLI; you just tell your agent what you need to know or what change needs making. This setup gives your client deep visibility, letting you audit policies and manage changes across the whole network stack using plain language.

### Auditing Network Rules
To get a full picture of your access controls, use `get_security_rules` to list every defined firewall policy on the device. You'll see all the rules governing what traffic gets through. If you need to check how addresses are translated, run `get_nat_rules`; this pulls back every active Network Address Translation (NAT) rule so you can audit it. For a quick system health check or just basic versioning info, use `get_system_info`. These three tools let you audit the foundational policies and rules without touching any console.

### Monitoring Live Traffic
Monitoring traffic is straightforward. If you need to know what's moving right now, run `get_active_sessions` to get a real-time list of every network session on the firewall. For analyzing general flow patterns or troubleshooting connectivity issues, use `get_traffic_logs`, which gives you a stream of raw network traffic data. If a threat is detected, pull the detailed records with `get_threat_logs`. These logs show source/destination IPs and exactly what action the firewall took during the security incident.

### Validating and Enforcing Changes
Before deploying anything, check whether any configuration changes are sitting in the candidate config waiting to be applied. The `get_pending_changes` tool tells you that; it lets you spot config drift before you commit. If everything looks good (the rules pass the audit and no unexpected pending changes exist), run `commit`. This tool validates the candidate configuration and activates those new policies on the firewall, making them live. Use these tools together to keep policy consistent across the board.

## Tools

### commit
Validates a candidate configuration set and activates it on the firewall after changes are made.

### get_active_sessions
Lists all current network sessions running on the firewall for real-time monitoring.

### get_nat_rules
Retrieves every configured Network Address Translation (NAT) rule for auditing purposes.

### get_pending_changes
Checks if there are any configuration changes waiting to be applied or committed.

### get_security_rules
Lists all defined firewall policies and access control rules on the device.

### get_system_info
Gathers basic system health data, including software versions and general status checks for the PAN-OS firewall.

### get_threat_logs
Retrieves detailed records of recent security threats, including source/dest IPs and severity.

### get_traffic_logs
Gets a stream of general network traffic logs to analyze flow patterns or troubleshoot connectivity issues.

## Capabilities

### Audit Network Rules
List and review all configured firewall policies, including security rules and NAT mappings.

### Monitor Live Traffic Sessions
Retrieve a list of all active network sessions to identify current user load or debug connections.

### Investigate Security Incidents
Pull detailed threat logs, including source/destination IPs and actions taken, for security incident review.

### Validate Configuration State
Check the firewall for uncommitted changes or gather system health data to ensure policy consistency before deployment.

### Enforce Policy Changes
Commit candidate configuration changes, validating and activating new network policies across the device.

## Use Cases

### Compliance Audit Check
A compliance officer needs to prove that no unauthorized ports are open. They ask their agent: 'List all security rules and check for any exceptions.' The agent runs `get_security_rules` and cross-references the results with known baseline policies, generating a report without manual CLI work.

### Troubleshooting Intermittent Connectivity
A user reports connection drops. The engineer asks their agent to check two things: first, 'What are the active sessions for that user?' (`get_active_sessions`). Second, 'Are there any general traffic logs showing failure patterns?' (`get_traffic_logs`). This pinpoints whether it's a session limit or a flow block.

### Handling an Active Breach
The SOC analyst sees an alert for suspicious IPs. They immediately ask the agent to run `get_threat_logs` and identify all associated IP ranges. Then, they use this data to update rules and execute a controlled `commit`.

### Pre-Deployment Validation
A network team is ready to implement new geo-IP blocking. Before applying the changes, they ask the agent to run `get_pending_changes` to confirm that no unrelated changes are already waiting in the candidate config, preventing accidental rollback or unexpected side effects.

## Benefits

- Stop manually checking the CLI. Use `get_security_rules` and `get_nat_rules` to audit thousands of policies instantly via your agent.
- Catch configuration drift immediately. Run `get_pending_changes` before you commit anything; it tells you whether the candidate config differs from the running config.
- Respond faster to attacks. Instead of digging through massive logs, run `get_threat_logs` and get structured data on recent security incidents.
- Monitor live connections without logging in. Use `get_active_sessions` to see who's connected right now or identify a heavy user causing issues.
- Safe policy deployment: the agent validates the candidate config and only then uses the `commit` tool, the one tool here that changes the running firewall, to apply changes and automate enforcement.

## How It Works

The bottom line: it moves complex, multi-step CLI operations into simple chat commands.

1. Tell your AI agent exactly what you need to check or change (e.g., 'Check for uncommitted rules' or 'Show traffic logs for 1 hour ago').
2. The agent selects the appropriate tool (`get_pending_changes` or `get_traffic_logs`, respectively) and executes it against the PAN-OS server.
3. You get a structured JSON payload containing the specific data, whether a list of rules, active sessions, or threat entries, that you can then read and act on.

## Frequently Asked Questions

**How do I use `get_active_sessions` to check who is connected?**
You instruct the agent to run `get_active_sessions`. The resulting data lists every current session, allowing you to see which users or IPs are currently using network resources.

**Do I need to run `commit` after using `get_security_rules`?**
No. `get_security_rules` only reads the existing configuration; it doesn't make changes. You only use `commit` when you have made and validated new policy edits you want to enforce.

**What is the difference between `get_traffic_logs` and `get_threat_logs`?**
`get_traffic_logs` shows raw flow data (who talked to whom). `get_threat_logs` only returns records flagged as security threats, making it better for incident investigation.

**When I run `get_pending_changes`, how do I know if there are no configuration changes waiting?**
It returns a clear status indicating consistency. If the tool reports zero pending changes, your running config matches your candidate config; you can safely commit.

**If my `commit` job fails, how do I check for specific error messages or rollbacks?**
The returned status object contains detailed failure codes. Reviewing this status tells you if the system rolled back changes or gives a specific reason for rejection.

**Does `get_system_info` provide details about the PAN-OS software version and build?**
Yes, it retrieves the current operating system's full version string. This is crucial data for confirming compatibility between your AI client and the firewall.

**Can I use `get_nat_rules` to filter out rules based on specific IP ranges or zones?**
You can pass parameters to scope the search. Specifying source or destination IP addresses lets you audit only the NAT rules relevant to a particular network segment.

**How do I control the volume of logs returned when using `get_traffic_logs`?**
The tool accepts an optional limit parameter. Passing this number allows you to manage the data size, ensuring your AI agent processes only the necessary log entries.