fortimanager-ops

$npx mdskill add automateyournetwork/netclaw/fortimanager-ops

Audits and manages FortiGate firewall policies via FortiManager operations

  • Solves tasks like policy package review, ADOM inventory, and install previews
  • Depends on FortiManager API and MCP tools for data retrieval
  • Uses predefined workflows for compliance checks and policy validation
  • Returns structured JSON output for audit or deployment planning

SKILL.md

.github/skills/fortimanager-ops
---
name: fortimanager-ops
description: "FortiManager operations — ADOM inventory, policy package review, object search, install preview, and compliance workflows. Use when auditing FortiGate firewall policies, reviewing ADOM policy packages, validating firewall path rules, or planning a FortiManager package install with rollback."
license: Apache-2.0
user-invocable: true
metadata:
  { "openclaw": { "requires": { "bins": ["python3"], "env": ["FORTIMANAGER_MCP_CMD", "FORTIMANAGER_HOST", "FORTIMANAGER_API_TOKEN"] } } }
---

# FortiManager Operations

## MCP Server

- **Source**: `jmpijll/fortimanager-mcp`
- **Command**: `$FORTIMANAGER_MCP_CMD`
- **Transport**: stdio
- **Requires**: `FORTIMANAGER_HOST`, `FORTIMANAGER_API_TOKEN`
- **Mode**: read-only by default; install or policy writes require approved ServiceNow change control

## How to Call the MCP Tools

```bash
python3 $MCP_CALL "$FORTIMANAGER_MCP_CMD" TOOL_NAME '{"param":"value"}'
```

## Typical Tool Coverage

- ADOM and managed-device inventory
- Policy package lookup and rule search
- Address objects, services, and groups
- Install preview and revision history
- Policy package assignment and status

## When to Use

- FortiGate policy audit and path validation
- Multi-site firewall governance through ADOMs
- Change-review support before package install
- Revision comparison and rollback planning

## Workflow: Policy Package Audit

1. Identify the ADOM and target device or policy package.
2. Search relevant firewall and NAT rules.
3. Review objects and groups referenced by the rules.
4. Check revision history and install status.
5. If changes are needed, require an approved ServiceNow CR before install.
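The steps above (and the `python3 $MCP_CALL …` wrapper in "How to Call the MCP Tools") can be carried out as a small audit script. The following is an added example, not code from the netclaw skill or from `jmpijll/fortimanager-mcp`: it wraps the documented wrapper invocation in `mcp_call`, then runs the validation logic of steps 2 to 5 (first-match path verdicts, shadowed rules, any/any/ALL accept rules, rollback context from revision history, and a ServiceNow CR gate on install) over constructed sample data. The rule and revision shapes, and the tool names in the commented live calls, are assumptions; the real MCP server's output may differ.

```python
"""Policy package audit helpers (added example, not part of the netclaw skill)."""
from __future__ import annotations

import json
import os
import subprocess
from typing import Any

# ASSUMPTION: rules are FortiOS-style dicts with list-valued srcaddr/dstaddr/service,
# "action" of accept/deny and "status" of enable/disable. FortiOS uses the object
# "all" (addresses) / "ALL" (services) as the wildcard, which _covers() honours.


def mcp_call(tool: str, params: dict[str, Any]) -> Any:
    """Run the skill's documented wrapper and parse its JSON output.

    Equivalent to: python3 $MCP_CALL "$FORTIMANAGER_MCP_CMD" TOOL_NAME '{...}'
    Only read-only tools are called here; installs stay behind the CR gate below.
    """
    cmd = ["python3", os.environ["MCP_CALL"], os.environ["FORTIMANAGER_MCP_CMD"],
           tool, json.dumps(params)]
    result = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def _covers(field: list[str], names: list[str]) -> bool:
    """True if a rule's object list covers every name; only a wildcard covers a wildcard."""
    lowered = {f.lower() for f in field}
    return "all" in lowered or all(n.lower() in lowered for n in names)


def _enabled(rules: list[dict]) -> list[dict]:
    return [r for r in rules if r.get("status", "enable") == "enable"]


def find_matching_rules(rules: list[dict], src: str, dst: str, service: str) -> list[dict]:
    """Enabled rules matching a path, in package order (FortiGate evaluates first match)."""
    return [r for r in _enabled(rules)
            if _covers(r["srcaddr"], [src]) and _covers(r["dstaddr"], [dst])
            and _covers(r["service"], [service])]


def validate_path(rules: list[dict], src: str, dst: str, service: str) -> dict:
    """Verdict for one path: the first matching rule decides; no match is the implicit deny."""
    path = f"{src}->{dst}:{service}"
    matches = find_matching_rules(rules, src, dst, service)
    if not matches:
        return {"path": path, "verdict": "implicit-deny", "policyid": None, "also_matches": []}
    first = matches[0]
    return {"path": path, "verdict": first["action"], "policyid": first["policyid"],
            "also_matches": [r["policyid"] for r in matches[1:]]}


def find_shadowed_rules(rules: list[dict]) -> list[dict]:
    """Rules that can never match because an earlier enabled rule covers all their objects."""
    enabled = _enabled(rules)
    shadowed = []
    for i, r in enumerate(enabled):
        for earlier in enabled[:i]:
            if (_covers(earlier["srcaddr"], r["srcaddr"]) and _covers(earlier["dstaddr"], r["dstaddr"])
                    and _covers(earlier["service"], r["service"])):
                shadowed.append({"policyid": r["policyid"], "shadowed_by": earlier["policyid"]})
                break
    return shadowed


def find_any_any_rules(rules: list[dict]) -> list[int]:
    """Enabled accept rules with wildcard source, destination and service."""
    return [r["policyid"] for r in _enabled(rules)
            if r["action"] == "accept" and _covers(r["srcaddr"], ["all"])
            and _covers(r["dstaddr"], ["all"]) and _covers(r["service"], ["all"])]


def rollback_context(revisions: list[dict]) -> dict:
    """Current revision plus the one to roll back to (step 4: revision history as rollback context)."""
    ordered = sorted(revisions, key=lambda v: v["version"])
    return {"current": ordered[-1]["version"] if ordered else None,
            "rollback_to": ordered[-2]["version"] if len(ordered) > 1 else None}


def audit_report(rules: list[dict], revisions: list[dict], paths: list[tuple],
                 approved_cr: str | None = None) -> dict:
    """Structured audit output; install is only 'approved' when a ServiceNow CR is supplied."""
    report = {
        "path_checks": [validate_path(rules, *p) for p in paths],
        "shadowed_rules": find_shadowed_rules(rules),
        "any_any_accept": find_any_any_rules(rules),
        "rollback": rollback_context(revisions),
    }
    report["change_required"] = bool(report["shadowed_rules"] or report["any_any_accept"])
    report["approved_cr"] = approved_cr
    report["install_gate"] = "approved" if approved_cr else "blocked: approved ServiceNow CR required"
    return report


# Constructed sample data standing in for the MCP tool output (not from a real ADOM).
SAMPLE_RULES = [
    {"policyid": 1, "name": "web-in", "srcaddr": ["Internet"], "dstaddr": ["DMZ-Web"],
     "service": ["HTTPS"], "action": "accept", "status": "enable"},
    {"policyid": 2, "name": "block-ssh", "srcaddr": ["all"], "dstaddr": ["DMZ-Web"],
     "service": ["SSH"], "action": "deny", "status": "enable"},
    {"policyid": 3, "name": "mgmt-ssh", "srcaddr": ["Mgmt-Net"], "dstaddr": ["DMZ-Web"],
     "service": ["SSH"], "action": "accept", "status": "enable"},   # shadowed by 2
    {"policyid": 4, "name": "temp-any", "srcaddr": ["all"], "dstaddr": ["all"],
     "service": ["ALL"], "action": "accept", "status": "enable"},   # any/any/ALL accept
    {"policyid": 5, "name": "old-rule", "srcaddr": ["all"], "dstaddr": ["all"],
     "service": ["ALL"], "action": "accept", "status": "disable"},  # disabled, ignored
]
SAMPLE_REVISIONS = [{"version": 11, "comment": "baseline"}, {"version": 12, "comment": "add temp-any"}]
SAMPLE_PATHS = [("Mgmt-Net", "DMZ-Web", "SSH"), ("Internet", "DMZ-Web", "HTTPS")]

if __name__ == "__main__":
    # Live use needs the env vars from the skill metadata; tool names are placeholders:
    # rules = mcp_call("get_policy_package_rules", {"adom": "root", "pkg": "default"})
    # revisions = mcp_call("get_adom_revisions", {"adom": "root"})
    print(json.dumps(audit_report(SAMPLE_RULES, SAMPLE_REVISIONS, SAMPLE_PATHS), indent=2))
```

On the sample package the report shows the management SSH path denied by rule 2 (rule 3 never matches, so it is listed as shadowed), rule 4 flagged as an any/any/ALL accept, revision 11 as the rollback target, and `install_gate` blocked until a CR number is passed in.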

## Integration with Other Skills

| Skill | Integration |
|-------|-------------|
| `servicenow-change-workflow` | Required before package installation or writes |
| `pyats-troubleshoot` | Correlate firewall policy results with device-side path and routing state |
| `slack-report-delivery` | Deliver policy audit summaries |

## Important Rules

- **Treat package install as production change execution**
- **Review ADOM and package scope carefully before acting**
- **Use revision history as rollback context**
