firewalla-mcp

firewalla-mcp

Enables natural language queries to Firewalla Gold for read-only network security monitoring, including alarms, devices, traffic flows, and system status via local API.

Category
访问服务器

README

Firewalla MCP Server

A read-only Model Context Protocol (MCP) server that connects to your Firewalla Gold via its local API — no MSP subscription required.

Built for AI-powered network security monitoring. Connect it to Claude Code, Claude Desktop, or any MCP-compatible client and query your firewall's alarms, devices, traffic flows, and network stats using natural language.

Features

  • Read-only by design — cannot modify rules, dismiss alarms, or change any settings
  • 100% local — talks directly to your Firewalla box on your LAN (port 8833), no cloud dependency
  • Free — uses the local API, no MSP subscription needed
  • MCP standard — works with any MCP client (Claude Code, Claude Desktop, etc.)

Tools

Devices & Traffic

Tool Description
get_devices List all network devices (name, IP, MAC, manufacturer, last active)
get_top_talkers Devices ranked by bandwidth usage (download, upload, total bytes)
get_clients_by_network Devices grouped by network segment/VLAN
get_offline_devices Devices that recently went offline (configurable lookback window)
get_device_flows Recent network flows for a specific device (by MAC address)
search_flows Search individual flow records with filters (domain, IP, port, category, time range)
get_dns_queries DNS query logs — every domain a device resolved (more complete than flow data)

Security & Rules

Tool Description
get_alarms Security alarms with filtering by severity, type, and device
get_audit_logs Blocked/allowed traffic decisions — see what your firewall rules caught
get_rules Firewall rules/policies with filtering by action/target, summary counts, disabled rule toggle
get_target_lists Block/allow target lists (custom domain lists, IP lists, and associated rules)
get_features Enabled/disabled features, global + per-network policy overrides, DoH status, vulnerability scan results

Network & System

Tool Description
get_network_status Ping/health check — is the Firewalla box alive?
get_network_stats Monthly bandwidth, speed test results, network monitor data
get_network_performance WAN latency, packet loss, DNS response times, connection quality
get_wan_usage Per-WAN bandwidth breakdown (download/upload per interface)
get_vlans Network segments, VLANs, WAN config, and network groups (sensitive data redacted)
get_system_info Firmware version, model, uptime, public IP, CPU/memory usage
get_vpn_status VPN connections — WireGuard, OpenVPN, mesh profiles and connected clients

Prerequisites

  • Firewalla Gold (other models may work but are untested)
  • Node.js 18+
  • Your Mac/PC must be on the same network as the Firewalla
  • An ETP keypair (generated during one-time pairing — see below)

Installation

git clone https://github.com/scott-pallas/firewalla-mcp.git
cd firewalla-mcp
npm install
npm run build

Pairing (One-Time Setup)

Before the MCP server can talk to your Firewalla, you need to generate an authentication keypair (ETP token). This is the same pairing mechanism the Firewalla mobile app uses — think of it as registering a new "device" with your Firewalla box.

This step uses a separate utility called firewalla-tools. It is not a dependency of this project — you only need it once to generate your .pem key files. After pairing is complete, you can delete it.

1. Clone firewalla-tools (temporary)

git clone https://github.com/lesleyxyz/firewalla-tools.git
cd firewalla-tools
npm install

2. Enable Additional Pairing

In the Firewalla app on your phone:

  1. Tap your Firewalla box
  2. Go to SettingsAdvancedAllow Additional Pairing
  3. Toggle it ON — a QR code will appear on screen

3. Get the QR Code JSON

The pairing tool needs the JSON data encoded in the QR code. To get it:

  1. Screenshot the QR code shown in the Firewalla app
  2. Scan the screenshot with a QR code reader app (or use your phone's built-in camera)
  3. The QR code decodes to a JSON string that looks like:
    {"gid":"...","seed":"...","license":"...","ek":"...","ipaddress":"..."}
    
  4. Copy that JSON string — you'll paste it in the next step

4. Generate the Keypair

From the firewalla-tools directory:

cd create-etp-token
node index.js

The tool will prompt you for:

  1. Email — just a label (e.g., you@example.com), used for display in the Firewalla app
  2. QR code JSON — paste the JSON string from step 3
  3. Firewalla IP — your box's IP address (e.g., 10.0.1.1 — this is usually your default gateway)
  4. Create new keypair? — choose Yes

This generates etp.public.pem and etp.private.pem in the current directory.

Tip: To find your Firewalla's IP, run netstat -rn | grep default — the gateway IP is your Firewalla.

5. Store the Keys

Move the .pem files somewhere secure:

mkdir -p ~/.firewalla
mv etp.public.pem etp.private.pem ~/.firewalla/
chmod 600 ~/.firewalla/*.pem

Keep these files safe — they are your authentication credentials.

6. Clean Up

You no longer need firewalla-tools — feel free to delete it:

cd ../..
rm -rf firewalla-tools

Usage

With Claude Code

Add the server to your global config (~/.claude.json) under mcpServers:

{
  "mcpServers": {
    "firewalla": {
      "type": "stdio",
      "command": "node",
      "args": ["/path/to/firewalla-mcp/dist/index.js"],
      "env": {
        "FIREWALLA_IP": "10.0.1.1",
        "FIREWALLA_PUBLIC_KEY_PATH": "/Users/yourname/.firewalla/etp.public.pem",
        "FIREWALLA_PRIVATE_KEY_PATH": "/Users/yourname/.firewalla/etp.private.pem"
      }
    }
  }
}

Then restart Claude Code. The Firewalla tools will be available in all sessions.

With Claude Desktop

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "firewalla": {
      "command": "node",
      "args": ["/path/to/firewalla-mcp/dist/index.js"],
      "env": {
        "FIREWALLA_IP": "10.0.1.1",
        "FIREWALLA_PUBLIC_KEY_PATH": "/Users/yourname/.firewalla/etp.public.pem",
        "FIREWALLA_PRIVATE_KEY_PATH": "/Users/yourname/.firewalla/etp.private.pem"
      }
    }
  }
}

With MCP Inspector (debugging)

FIREWALLA_IP=10.0.1.1 \
FIREWALLA_PUBLIC_KEY_PATH=~/.firewalla/etp.public.pem \
FIREWALLA_PRIVATE_KEY_PATH=~/.firewalla/etp.private.pem \
npx @modelcontextprotocol/inspector node dist/index.js

Environment Variables

Variable Required Default Description
FIREWALLA_PUBLIC_KEY_PATH Yes Path to etp.public.pem
FIREWALLA_PRIVATE_KEY_PATH Yes Path to etp.private.pem
FIREWALLA_IP No 10.0.1.1 Your Firewalla's IP address

Example Queries

Once connected to an MCP client, try:

  • "Show me all active security alarms"
  • "List every device on my network"
  • "Who are the top bandwidth consumers?"
  • "Show me devices grouped by VLAN"
  • "Which devices went offline in the last 12 hours?"
  • "Show me network flows for device AA:BB:CC:DD:EE:FF"
  • "Search for all connections to netflix.com in the last 24 hours"
  • "What DNS queries did my smart TV make today?"
  • "What traffic has been blocked by the firewall today?"
  • "Show me all my firewall rules"
  • "What block/allow target lists do I have?"
  • "What Firewalla features are enabled?"
  • "Is my Firewalla box healthy?"
  • "What firmware version is running?"
  • "How's my WAN latency and packet loss?"
  • "Show me per-WAN bandwidth usage"
  • "What's the status of my VPN connections?"
  • "Show me my network segments and VLANs"

Project Structure

firewalla-mcp/
├── src/
│   ├── index.ts              # MCP server entry (stdio transport)
│   ├── firewalla-client.ts   # Firewalla local API wrapper
│   └── tools/
│       ├── alarms.ts         # get_alarms
│       ├── devices.ts        # get_devices, get_top_talkers, get_clients_by_network, get_offline_devices
│       ├── dns.ts            # get_dns_queries
│       ├── flows.ts          # get_device_flows, search_flows, get_audit_logs
│       ├── network.ts        # get_network_status, get_network_stats, get_network_performance, get_wan_usage
│       ├── rules.ts          # get_rules, get_features, get_target_lists
│       ├── system.ts         # get_system_info
│       ├── vlans.ts          # get_vlans
│       └── vpn.ts            # get_vpn_status
├── dist/                     # Compiled JS (after build)
├── package.json
├── tsconfig.json
└── CLAUDE.md                 # AI agent project spec

Security

  • Read-only only — this server cannot modify your Firewalla configuration
  • Local network only — communicates directly with your Firewalla box, no cloud relay
  • Key-based auth — uses the same ETP token mechanism as the Firewalla mobile app
  • Sensitive data redacted — WiFi passwords, WireGuard private keys, tokens, credentials, API keys, passphrases, and pre-shared keys are automatically stripped from output
  • Input limits — all count parameters are clamped to a max of 5000 to prevent excessive data retrieval
  • Keep your .pem files secure — they grant read access to your network data

Credits

License

MIT — see LICENSE

推荐服务器

Baidu Map

Baidu Map

百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。

官方
精选
JavaScript
Playwright MCP Server

Playwright MCP Server

一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。

官方
精选
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。

官方
精选
本地
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。

官方
精选
本地
TypeScript
VeyraX

VeyraX

一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。

官方
精选
本地
graphlit-mcp-server

graphlit-mcp-server

模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。

官方
精选
TypeScript
Kagi MCP Server

Kagi MCP Server

一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。

官方
精选
Python
e2b-mcp-server

e2b-mcp-server

使用 MCP 通过 e2b 运行代码。

官方
精选
Neon MCP Server

Neon MCP Server

用于与 Neon 管理 API 和数据库交互的 MCP 服务器

官方
精选
Exa MCP Server

Exa MCP Server

模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。

官方
精选