Using Model Context Protocol (MCP) Server with SASE

Model Context Protocol (MCP) is an open-source standard that enables AI assistants to securely connect with external data sources and tools. By integrating MCP with Check Point SASE, you can query your infrastructure through natural conversation with AI.

Features

• Query SASE networks and their configurations.

• Retrieve and analyze gateway deployments across regions.

• List and inspect Zero Trust Architecture (ZTA) applications.

• Get all available Network regions.

• Get all the deployed Gateways, regions, and tunnels in the Network.

Supported Actions

MCP server provides to run these actions through your AI assistant:

• Network Management:

  • list_networks - Lists all Harmony SASE networks.

  • get_network / find_network - Fetches details for a specific network by ID.

• Gateway Management:

  • get_gateway - Provides gateway details for a specified network and gateway identifier.

• Region Management:

  • list_network_regions - Lists all available regions.

  • get_region - Retrieves detailed information for a specific region.

• Application Management:

  • list_applications - Lists all applications.

  • get_application - Retrieves detailed information for a specified application.

  • get_application_status - Provides the deployment status of a specified application.

  Note - Administrators can perform supported actions using free-text queries, not just predefined commands.

Security Guidelines

• API keys and credentials are never shared with the model.

• Only use client implementations you trust.

• Make sure that you only use models and providers that comply with your organization's policies for handling sensitive infrastructure data and Personally Identifiable Information.

SASE MCP Server Configuration

Prerequisites

• Administrator access to the SASE Administrator Portal.

• API key generated from the SASE Administrator Portall.

• Node.js version 18 or higher.

• npm version 10 or higher.

• MCP compatible AI client. For example, Claude, Cursor, GitHub Copilot, and Windsurf.

High-Level Procedure

• Step 1 - Generate API Credentials

• Step 2 - Configure Bypass Rule for AI Tool Access

• Step 3 - Configure the AI Client

• Step 4 - Install and Access the SASE MCP Server

Step 1 - Generate API Credentials

1. Access the SASE Administrator Portal.

2. Go to Settings > API Support.

3. Click Generate New Key.

   

   The Generate New API Key window appears.

   

4. In the Key Name field, enter a name for the token.

5. From the Expiration Date list, select one of these:

   • Never (Default)

   • 1 Month

   • 3 Month

   • 6 Month

   • 1 Year

6. From the Key Permissions list, select the required permission(s).

7. Click Generate.

   The system generates the API Token.

   

8. To copy the API key, go to the Active Tokens tab, hover over the generated token, and click .

9. To copy your Management Host and Origin domain, click Dashboard, and in the Workspace field, click .

   The workspace name is your Management Host and Origin domain.

   

   Note - Make a note of the API key, Management Host, and Origin domain. These values are required during Client configuration.

Step 2 - Configure Bypass Rule for the AI Client

1. Click Internet Access and go to HTTPS Inspection Policy.

2. Click Add New Rule.

   

   A new rule appears in the table.

3. Specify these:

   1. Name

   2. Source

   3. Destination - For example, enter these:

      1. *.claude.ai

      2. *.anthropic.com

      3. *.api.anthropic.com

         For more information on adding a new rule, see Bypass Rules

4. Turn on the Status toggle button.

5. Click Apply at the bottom of the page.

   

6. Click Apply.

Step 3 - Configure the AI Client

Supported Client

• Claude Desktop

• GitHub Copilot

• Cursor

• Windsurf

• Any MCP compatible AI Client

Note - Due to the nature of SASE API calls and the variety of server tools, using this server may require a paid subscription to the AI client provider to support token limits and context window sizes. For smaller models, you can reduce token usage by limiting the number of enabled tools in the client.

Management Host and Origin

Use these values according to your regions:

• For US regions:

  • MANAGEMENT_HOST: https://api.perimeter81.com/api

  • ORIGIN: https://tenant.perimeter81.com

• For Other Regions:

  • MANAGEMENT_HOST: https://api.<region>.sase.checkpoint.com/api

  • ORIGIN: https://tenant.<region>.sase.checkpoint.com

Replace, <region> with your Harmony SASE region (for example: eu, in, au, etc.).

Note - Using incorrect region values will result in authentication or connection failures.

Configuring Claude Desktop

1. For macOS:

   1. Open Terminal.

   2. Run this command to check if the claude_desktop_config.json file is available:

      Copy

      ls"$HOME/Library/Application Support/Claude/claude_desktop_config.json"

   3. If the file is not available, create the file using this command:

      Copy

      touch "$HOME/Library/Application Support/Claude/claude_desktop_config.json"

   4. To open the file in TextEdit, run:

      Copy

      open -e "$HOME/Library/Application Support/Claude/claude_desktop_config.json"

   5. Add the below configuration to the JSON file:

      Copy

      {
        "mcpServers": {
          "harmony-sase": {
            "command": "npx",
      
            "args": ["@chkp/harmony-sase-mcp"],
      
            "env": {
              "API_KEY": "your-harmony-sase-api-key",
      
              "MANAGEMENT_HOST": "<MANAGEMENT_HOST>",
      
              "ORIGIN": "<ORIGIN>"
            }
          }
        }
      }

   Replace,

   • your-harmony-sase-api-key with your SASE API Key. See step 8 in Generating API Credentials.

   • <MANAGEMENT_HOST> and <ORIGIN>. See, Management Host and Origin.

2. For Windows:

   1. Press Win+R.

      The Run window appears.

   2. From the Open list, select cmd.

   3. To open the configuration file, run:

      Copy

      code %APPDATA%\Claude\claude_desktop_config.json

   4. Add the below configuration to the JSON file:

      Copy

      {
        "mcpServers": {
          "harmony-sase": {
            "command": "npx",
      
            "args": ["@chkp/harmony-sase-mcp"],
      
            "env": {
               "API_KEY": "your-harmony-sase-api-key",
      
              "MANAGEMENT_HOST": "<MANAGEMENT_HOST>",
      
              "ORIGIN": "<ORIGIN>"
            }
          }
        }
      }

   Replace,

   • your-harmony-sase-api-key with your SASE API Key. See step 8 in Generating API Credentials.

   • <MANAGEMENT_HOST> and <ORIGIN>. See, Management Host and Origin.

Configuring Visual Studio (VS) Code

1. Open Visual Studio (VS) Code.

2. Open the Command Palette (Ctrl+Shift+P).

3. Search for MCP: Open User Configuration.

4. Edit the mcp.json.

5. Add these configuration:

   Copy

       "servers": { 
           "harmony_sase": { 
               "command": "npx", 
               "args": [ 
                   "@chkp/harmony-sase-mcp" 
               ], 
               "env": { 
                   "API_KEY": "<API_KEY>", 
                   "MANAGEMENT_HOST": "<MANAGEMENT_HOST>", 
                   "ORIGIN": "<ORIGIN>" 
               }, 
               "type": "stdio" 
           } 
       } 

   Replace,

   • your-harmony-sase-api-key with your SASE API Key. See step 8 in Generating API Credentials.

   • <MANAGEMENT_HOST> and <ORIGIN>. See, Management Host and Origin.

6. Save the file and click Start to launch the server.

   

(Optional) To validate the configuration, open your AI assistant (for example, Copilot Chat in Visual Studio Code) and ask: List all SASE networks.

A successful response confirms the MCP server is configured correctly.

Configuring Windsurf

1. Open Windsurf.

2. Go to Windsurf Settings.

3. In the search bar, search for mcp.

4. Add the below configuration to the JSON file:

   Copy

   {
     "mcpServers": {
       "harmony-sase": {
         "command": "npx",
   
         "args": ["@chkp/harmony-sase-mcp"],
   
         "env": {
            "API_KEY": "your-harmony-sase-api-key",
   
           "MANAGEMENT_HOST": "<MANAGEMENT_HOST>",
   
           "ORIGIN": "<ORIGIN>"
         }
       }
     }
   }

Replace,

• your-harmony-sase-api-key with your SASE API Key. See step 8 in Generating API Credentials.

• <MANAGEMENT_HOST> and <ORIGIN>. See, Management Host and Origin.

Configuring Cursor

1. Open Cursor.

2. Go to Settings > Cursor Settings > MCP.

3. Click Add new MSP server.

4. Add the below configuration to the JSON file:

   Copy

   {
     "mcpServers": {
       "harmony-sase": {
         "command": "npx",
   
         "args": ["@chkp/harmony-sase-mcp"],
   
         "env": {
           "API_KEY": "your-harmony-sase-api-key",
   
           "MANAGEMENT_HOST": "<MANAGEMENT_HOST>",
   
           "ORIGIN": "<ORIGIN>"
         }
       }
     }
   }

Replace,

• your-harmony-sase-api-key with your SASE API Key. See step 8 in Generating API Credentials.

• <MANAGEMENT_HOST> and <ORIGIN>. See, Management Host and Origin.

Step 4 - Install and Access the SASE MCP Server

1. Install the MCP Server Tool Globally.

   1. Open Terminal or Command Prompt.

   2. Run:

      Copy

      npm install -g @chkp/harmony-sase-mcp

2. To clone the repository, run:

   Copy

   git clone <repository-url>
   cd mcp-servers/packages/harmony-sase

3. To install dependencies, run:

   Copy

   npm install

4. To build the project, run:

   Copy

   npm run build

5. Run the server locally:

   Copy

   node /path/to/packages/harmony-sase/dist/index.js 
   --api-key YOUR_API_KEY 
   --management-host <MANAGEMENT_HOST> 
   --origin <ORIGIN>

Replace,

• your-harmony-sase-api-key with your SASE API Key. See step 8 in Generating API Credentials.

• <MANAGEMENT_HOST> and <ORIGIN>. See, Management Host and Origin.

Note - You can also run the server locally for development using MCP Inspector or any compatible client.