# Palo Alto Panorama (`paloalto-panorama`)

MCP Server
- Source: iflow-mcp-cdot65-palo-alto-mcp/palo-alto-mcp
- Command: `$PANOS_MCP_CMD`
- Transport: stdio
- Requires: `PANOS_HOSTNAME`, `PANOS_API_KEY`
- Preferred use: read-only audit and validation; gate policy writes behind ServiceNow CRs
## How to Call the MCP Tools

```sh
python3 $MCP_CALL "$PANOS_MCP_CMD" TOOL_NAME '{"param":"value"}'
```
## Typical Tool Coverage
- Device groups and managed firewalls
- Templates and template stacks
- Security policy rule search
- NAT policy review
- Address objects, services, tags, and zones
- Commit queues and recent job status
## When to Use
- “Can host A reach host B through Palo Alto?”
- Policy hygiene reviews and duplicate-rule cleanup
- Pre-change dependency analysis on Panorama-managed estates
- Commit validation after approved firewall changes
## Workflow: Rule Impact Analysis
- Resolve the relevant device group and target firewalls.
- Search security and NAT policies using source, destination, application, and service.
- Review address objects, dynamic tags, and zones tied to the traffic path.
- If a policy change is required, create and approve a ServiceNow CR before any write action.
- Verify commit status and post-change traffic behavior.
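The following is an added example, not code from the netclaw project or the palo-alto-mcp server: a POSIX shell wrapper around the `python3 $MCP_CALL` call shown above that applies the preferred-use rule from this page, calling read-only tools freely and refusing any write tool unless an approved ServiceNow CR is present. The tool-name prefixes used to classify tools, the `PANOS_CR_ID`/`PANOS_CR_STATE` variables, the `PANOS_MCP_DRY_RUN` switch and the sample CR number are assumptions made for illustration, not the server's real tool list or the servicenow-change-workflow skill's interface.

```shell
# Added example (not the project's own code): gate Panorama MCP writes
# behind an approved ServiceNow CR, keeping read-only audit calls unrestricted.
#
# Assumptions (hypothetical, not taken from the real palo-alto-mcp tool list):
#   - read-only tools are named list_*, get_*, search_* or show_*
#   - every other tool name (set_*, commit*, ...) is treated as a write
#   - the approved change is supplied as PANOS_CR_ID with PANOS_CR_STATE=approved
#     (in practice the servicenow-change-workflow skill would set these)

# Classify a tool name. Returns 0 for read-only, 1 for a write.
is_read_only_tool() {
    case "$1" in
        list_*|get_*|search_*|show_*) return 0 ;;
        *) return 1 ;;
    esac
}

# Decide whether a call may proceed.
#   $1 tool name, $2 CR id (may be empty), $3 CR state (may be empty)
# Returns 0 if allowed, 1 if the tool is a write not covered by an approved CR.
gate_tool_call() {
    tool=$1; cr_id=$2; cr_state=$3
    if is_read_only_tool "$tool"; then
        return 0
    fi
    if [ -n "$cr_id" ] && [ "$cr_state" = "approved" ]; then
        return 0
    fi
    return 1
}

# Wrapper to use instead of invoking $MCP_CALL directly.
#   $1 tool name, $2 JSON parameters (defaults to '{}')
# With PANOS_MCP_DRY_RUN=1 it prints the command it would run instead of
# executing it, so the gating logic can be exercised without a Panorama.
panos_mcp() {
    tool=$1; params=${2:-'{}'}
    if ! gate_tool_call "$tool" "${PANOS_CR_ID:-}" "${PANOS_CR_STATE:-}"; then
        echo "refused: $tool is a write and no approved ServiceNow CR is set" >&2
        return 1
    fi
    if [ "${PANOS_MCP_DRY_RUN:-0}" = "1" ]; then
        echo "python3 $MCP_CALL \"$PANOS_MCP_CMD\" $tool '$params'"
        return 0
    fi
    python3 "$MCP_CALL" "$PANOS_MCP_CMD" "$tool" "$params"
}

# Usage (dry run, constructed sample values): a rule search passes, a commit
# without a CR is refused, a commit under an approved CR is allowed.
# PANOS_MCP_DRY_RUN=1 panos_mcp search_security_rules '{"device_group":"DG-Edge","source":"10.1.1.10"}'
# PANOS_MCP_DRY_RUN=1 panos_mcp commit '{"device_group":"DG-Edge"}'
# PANOS_CR_ID=CHG0001 PANOS_CR_STATE=approved PANOS_MCP_DRY_RUN=1 panos_mcp commit '{"device_group":"DG-Edge"}'
```

Sourcing this file and calling `panos_mcp` instead of `python3 $MCP_CALL` turns the "never push firewall policy without approved change control" rule into a check the shell enforces rather than one the operator has to remember; the refusal message goes to stderr so it shows up in session transcripts.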
## Integration with Other Skills

| Skill | Integration |
|---|---|
| servicenow-change-workflow | Required for Panorama policy writes and commits |
| slack-network-alerts | Deliver firewall findings and blocked-path summaries |
| te-path-analysis | Correlate blocked or impaired paths with external reachability |
| netbox-reconcile | Map firewall objects to source-of-truth IP ownership |
## Important Rules
- Never push firewall policy without approved change control
- Always check Panorama commit status after a write
- Policy hit counts and logs should validate the outcome