Cisco FMC Firewall Operations

Query and inspect Cisco Secure Firewall policies via the FMC MCP server — search access rules by IP/FQDN, resolve FTD device policies, perform firewall-wide rule searches with network and identity indicators, and manage multi-FMC environments.

MCP Server

Repository: CiscoDevNet/CiscoFMC-MCP-server-community
Transport: HTTP (http://<host>:8000/mcp) — requires HTTPS reverse proxy for production
Install: git clone + pip install -r requirements.txt + python -m sfw_mcp_fmc.server (or Docker)
Requires: FMC_BASE_URL, FMC_USERNAME, FMC_PASSWORD

Available Tools (4)

Tool	What It Does
`list_fmc_profiles`	Discover all configured FMC instances (single or multi-FMC mode). Returns profile IDs, display names, and aliases. Use this first to select which FMC to query.
`find_rules_by_ip_or_fqdn`	Search rules within a specific access policy by IP address or FQDN. Matches source/destination network objects against the given indicator.
`find_rules_for_target`	Resolve FTD devices or HA clusters to their assigned access policies, then search those policies. Use when you know the firewall device name but not the policy name.
`search_access_rules`	FMC-wide rule search with multiple filter types: network indicators (IP, FQDN), identity indicators (SGT tags, realm users/groups), and policy name filters. The most powerful search tool.

Key Concepts

Concept	What It Means
FMC	Firepower Management Center — centralized management for Cisco Secure Firewalls (FTD)
FTD	Firepower Threat Defense — the firewall appliance/virtual managed by FMC
Access Policy	Collection of access rules (ACLs) applied to FTD devices — permit/deny by source/dest/port/app
Access Rule	Individual rule within a policy — source zones, dest zones, source/dest networks, ports, action (allow/block/monitor)
SGT	Security Group Tag — TrustSec identity-based tag for micro-segmentation
HA Cluster	High Availability pair of FTD devices sharing the same policy
Profile	FMC connection configuration (URL, credentials) — supports multi-FMC environments

Workflow: Firewall Rule Audit

When a user asks "what firewall rules exist for 10.1.1.0/24?":

Discover FMCs: list_fmc_profiles — identify which FMCs manage this network
Search rules: search_access_rules with network indicator 10.1.1.0/24
For each match: Extract rule name, action (allow/block), source/dest zones, source/dest networks, ports, logging settings
Cross-reference: Check if rules are overly permissive (any/any), redundant, or shadowed
Report: Formatted rule table with security assessment

Workflow: "Can Host A Reach Host B?"

When investigating connectivity through the firewall:

Identify FTD: Which firewall sits between source and destination?
Resolve policy: find_rules_for_target with the FTD device name
Search source IP: find_rules_by_ip_or_fqdn for the source IP in the resolved policy
Search dest IP: Same for destination IP
Analyze: Do the matching rules permit the required port/protocol?
Report: "Traffic from 10.1.1.50 to 10.2.1.100:443 is ALLOWED by rule 'Web-Servers-Inbound' (line 47)" or "BLOCKED by implicit deny"

Workflow: Security Group Tag (SGT) Policy Review

When auditing TrustSec/SGT-based policies:

Search by SGT: search_access_rules with identity indicator for a specific SGT value
List matching rules: Which rules reference this SGT in source or destination?
Check actions: Are SGT-based rules enforcing proper segmentation?
Cross-reference: Use ise-posture-audit to verify SGT assignment policies in ISE
Report: SGT policy coverage analysis

Workflow: Multi-FMC Environment Audit

When managing multiple FMC instances:

List all FMCs: list_fmc_profiles — see all managed FMC instances
For each FMC: search_access_rules with common indicators
Compare policies: Are policies consistent across FMCs?
Identify drift: Rules present in one FMC but not another
Report: Cross-FMC policy consistency analysis

Integration with Other Skills

Skill	How They Work Together
`pyats-security`	FMC rule audit + device-level ACL verification via pyATS
`ise-posture-audit`	FMC SGT rules + ISE SGT assignment and TrustSec matrix
`ise-incident-response`	FMC rules for quarantine verification + ISE endpoint investigation
`aws-security-audit`	Cross-platform security: FMC on-prem + AWS cloud security posture
`gcp-cloud-logging`	FMC firewall logs vs GCP firewall logs for hybrid environments
`nso-device-ops`	FMC policies + NSO device config for end-to-end policy view
`servicenow-change-workflow`	ServiceNow CR gating before any FMC policy modifications
`github-ops`	Commit FMC rule snapshots to Git for config-as-code tracking

Multi-FMC Configuration

Single FMC mode (set in .env):

FMC_BASE_URL=https://fmc.example.com
FMC_USERNAME=api-user
FMC_PASSWORD=changeme
FMC_VERIFY_SSL=false

Multi-FMC mode (profile directory):

profiles/
  dc-east.env    # FMC for DC East
  dc-west.env    # FMC for DC West
  dmz.env        # FMC for DMZ firewalls

Each profile .env contains:

FMC_PROFILE_ID=dc-east
FMC_PROFILE_DISPLAY_NAME=DC East FMC
FMC_PROFILE_ALIASES=10.1.1.10,fmc-east
FMC_BASE_URL=https://fmc-east.example.com
FMC_USERNAME=api-user
FMC_PASSWORD=changeme
FMC_VERIFY_SSL=false

Important Rules

Read-only — all 4 tools are search/query operations; no rule modifications
HTTP transport — server runs on port 8000, front with HTTPS proxy for production
Multi-FMC — always call list_fmc_profiles first to select the right FMC instance
FMC API rate limits — FMC REST API has per-user rate limits; avoid rapid-fire queries
Record in GAIT — log all firewall policy investigations for audit trail

Environment Variables

FMC_BASE_URL — FMC URL (e.g., https://fmc.example.com)
FMC_USERNAME — FMC API username
FMC_PASSWORD — FMC API password
FMC_VERIFY_SSL — SSL verification (true/false)
FMC_PROFILES_DIR — path to multi-FMC profiles directory (optional)
FMC_PROFILE_DEFAULT — default profile name (optional)

fmc-firewall-ops