Using Model Context Protocol (MCP) Server with Harmony SASE

Model Context Protocol (MCP) is an open-source standard that enables AI assistants to securely connect with external data sources and tools. By integrating MCP with Check Point Harmony SASE, you can query your infrastructure through natural conversation with AI.

Features

  • Query Harmony SASE networks and their configurations.

  • Retrieve and analyze gateway deployments across regions.

  • List and inspect Zero Trust Architecture (ZTA) applications.

  • Get all available Network regions.

  • Get all the deployed Gateways, regions, and tunnels in the Network.

Supported Actions

MCP server provides to run these actions through your AI assistant:

  • Network Management:

    • list_networks - Lists all Harmony SASE networks.

    • get_network / find_network - Fetches details for a specific network by ID.

  • Gateway Management:

    • get_gateway - Provides gateway details for a specified network and gateway identifier.

  • Region Management:

    • list_network_regions - Lists all available regions.

    • get_region - Retrieves detailed information for a specific region.

  • Application Management:

    • list_applications - Lists all applications.

    • get_application - Retrieves detailed information for a specified application.

    • get_application_status - Provides the deployment status of a specified application.

    Note - Administrators can perform supported actions using free-text queries, not just predefined commands.

Security Guidelines

  • API keys and credentials are never shared with the model.

  • Only use client implementations you trust.

  • Make sure that you only use models and providers that comply with your organization's policies for handling sensitive infrastructure data and Personally Identifiable Information.

Harmony SASE MCP Server Configuration

Prerequisites

  • Administrator access to the Harmony SASE Administrator Portal.

  • API key generated from the Harmony SASE Administrator Portall.

  • Node.js version 18 or higher.

  • npm version 10 or higher.

  • MCP compatible AI client. For example, Claude, Cursor, GitHub Copilot, and Windsurf.

High-Level Procedure

Step 1 - Generate API Credentials

  1. Access the Harmony SASE Administrator Portal.

  2. Go to Settings > API Support.

  3. Click Generate New Key.

    The Generate New API Key window appears.

  4. In the Key Name field, enter a name for the token.

  5. From the Expiration Date list, select one of these:

    • Never (Default)

    • 1 Month

    • 3 Month

    • 6 Month

    • 1 Year

  6. From the Key Permissions list, select the required permission(s).

  7. Click Generate.

    The system generates the API Token.

  8. To copy the API key, go to the Active Tokens tab, hover over the generated token, and click .

  9. To copy your Management Host and Origin domain, click Dashboard, and in the Workspace field, click .

    The workspace name is your Management Host and Origin domain.

    Note - Make a note of the API key, Management Host, and Origin domain. These values are required during Client configuration.

Step 2 - Configure Bypass Rule for the AI Client

  1. Click Internet Access and go to HTTPS Inspection Policy.

  2. Click Add New Rule.

    A new rule appears in the table.

  3. Specify these:

    1. Name

    2. Source

    3. Destination - For example, enter these:

      1. *.claude.ai

      2. *.anthropic.com

      3. *.api.anthropic.com

        For more information on adding a new rule, see Creating a Bypass Rule

  4. Turn on the Status toggle button.

  5. Click Apply at the bottom of the page.

  6. Click Apply.

Step 3 - Configure the AI Client

Supported Client

  • Claude Desktop

  • GitHub Copilot

  • Cursor

  • Windsurf

  • Any MCP compatible AI Client

Note - Due to the nature of Harmony SASE API calls and the variety of server tools, using this server may require a paid subscription to the AI client provider to support token limits and context window sizes.

For smaller models, you can reduce token usage by limiting the number of enabled tools in the client.

Configuring Claude Desktop

  1. For macOS:

    1. Open Terminal.

    2. Run this command to check if the claude_desktop_config.json file is available:

      Copy 
      ls"$HOME/Library/Application Support/Claude/claude_desktop_config.json"

    3. If the file is not available, create the file using this command:

      Copy 
      touch "$HOME/Library/Application Support/Claude/claude_desktop_config.json"

    4. To open the file in TextEdit, run:

      Copy 
      open -e "$HOME/Library/Application Support/Claude/claude_desktop_config.json"

    5. Add the below configuration to the JSON file:

      Copy 
      {
        "mcpServers": {
          "harmony-sase": {
            "command": "npx",

            "args": ["@chkp/harmony-sase-mcp"],

            "env": {
              "API_KEY": "your-harmony-sase-api-key",

              "MANAGEMENT_HOST": "https://api.<your-workspace-url>/api",

              "ORIGIN": "https://<your-workspace-url>"
            }
          }
        }
      }

    Replace,

    your-harmony-sase-api-key with your Harmony SASE API Key. See step 8 in Generating API Credentials.

    <your-workspace-url> with your workspace name from step 9 in Generating API Credentials.

  2. For Windows:

    1. Press Win+R.

      The Run window appears.

    2. From the Open list, select cmd.

    3. To open the configuration file, run:

      Copy 
      code %APPDATA%\Claude\claude_desktop_config.json

    4. Add the below configuration to the JSON file:

      Copy 
      {
        "mcpServers": {
          "harmony-sase": {
            "command": "npx",

            "args": ["@chkp/harmony-sase-mcp"],

            "env": {
               "API_KEY": "your-harmony-sase-api-key",

              "MANAGEMENT_HOST": "https://api.<your-workspace-url>/api",

              "ORIGIN": "https://<your-workspace-url>"
            }
          }
        }
      }

    Replace,

    your-harmony-sase-api-key with your Harmony SASE API Key. See step 8 in Generating API Credentials.

    <your-workspace-url> with your workspace name from step 9 in Generating API Credentials.

Configuring Visual Studio (VS) Code

  1. Open Visual Studio (VS) Code.

  2. Click File.

  3. Go to Preferences > Settings.

  4. In the search bar, search for mcp.

  5. Click Edit in settings.json.

  6. In the settings.file, add the below configuration:

    Copy 
    {

      ...

      "mcp": {

        "inputs": [

          {

            "type": "promptString",

            "id": "harmony_sase_api_key",

            "description": "Harmony SASE API Key",

            "password": true

          }

        ],

        "servers": {

          "harmony-sase": {

            "command": "npx",

            "args": ["@chkp/harmony-sase-mcp"],

            "env": {

              "API_KEY": "${input:harmony_sase_api_key}",

              "MANAGEMENT_HOST": "https://api.<your-workspace-url>/api",

              "ORIGIN": "https://<your-workspace-url>"

            }

          }

        }

      },

      ...

    }

Replace,

your-harmony-sase-api-key with your Harmony SASE API Key. See step 8 in Generating API Credentials.

<your-workspace-url> with your workspace name from step 9 in Generating API Credentials.

Configuring Windsurf

  1. Open Windsurf.

  2. Go to Windsurf Settings.

  3. In the search bar, search for mcp.

  4. Add the below configuration to the JSON file:

    Copy 
    {
      "mcpServers": {
        "harmony-sase": {
          "command": "npx",

          "args": ["@chkp/harmony-sase-mcp"],

          "env": {
             "API_KEY": "your-harmony-sase-api-key",

            "MANAGEMENT_HOST": "https://api.<your-workspace-url>/api",

            "ORIGIN": "https://<your-workspace-url>"
          }
        }
      }
    }

Replace,

your-harmony-sase-api-key with your Harmony SASE API Key. See step 8 in Generating API Credentials.

<your-workspace-url> with your workspace name from step 9 in Generating API Credentials.

Configuring Cursor

  1. Open Cursor.

  2. Go to Settings > Cursor Settings > MCP.

  3. Click Add new MSP server.

  4. Add the below configuration to the JSON file:

    Copy 
    {
      "mcpServers": {
        "harmony-sase": {
          "command": "npx",

          "args": ["@chkp/harmony-sase-mcp"],

          "env": {
            "API_KEY": "your-harmony-sase-api-key",

            "MANAGEMENT_HOST": "https://api.<your-workspace-url>/api",

            "ORIGIN": "https://<your-workspace-url>"
          }
        }
      }
    }

Replace,

your-harmony-sase-api-key with your Harmony SASE API Key. See step 8 in Generating API Credentials.

<your-workspace-url> with your workspace name from step 9 in Generating API Credentials.

Step 4 - Install and Access the Harmony SASE MCP Server

  1. Install the MCP Server Tool Globally.

    1. Open Terminal or Command Prompt.

    2. Run:

      Copy 
      npm install -g @chkp/harmony-sase-mcp

  2. To clone the repository, run:

    Copy 
    git clone <repository-url>
    cd mcp-servers/packages/harmony-sase

  3. To install dependencies, run:

    Copy 
    npm install

  4. To build the project, run:

    Copy 
    npm run build

  5. Run the server locally:

    Copy 
    node /path/to/packages/harmony-sase/dist/index.js 
    --api-key YOUR_API_KEY 
    --management-host https://api.<your-workspace-url>.com/api> 
    --origin https://your.<your-workspace-url>

Replace,

your-harmony-sase-api-key with your Harmony SASE API Key. See step 8 in Generating API Credentials.

<your-workspace-url> with your workspace name from step 9 in Generating API Credentials.

Note - You can also run the server locally for development using MCP Inspector or any compatible client.