The OneFirewall MCP Server exposes OneFirewall’s threat intelligence platform to AI agents — Claude, GPT-4, Copilot, and any MCP-compatible client — as callable tools. Agents can investigate IPs, pull live threat feeds, report malicious actors, and query firewall agent status without leaving the conversation.

What is MCP?

The Model Context Protocol (MCP) is an open standard that lets AI models call external tools over a secure, structured interface. Instead of copy-pasting IPs into a dashboard, an AI agent can call get_ip_intel("1.2.3.4") and receive structured threat intelligence directly in its context.

Connect Your AI Tool

The OneFirewall MCP server is hosted and managed for you. Your JWT token is available from the OneFirewall dashboard. Paste it into the configuration for your AI client below.
Edit claude_desktop_config.json:
macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "onefirewall": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://mcp.onefirewall.com/mcp",
        "--header", "Authorization: Bearer YOUR_JWT_TOKEN"
      ]
    }
  }
}
Restart Claude Desktop. The OneFirewall tools appear in the tools panel (hammer icon).

Available Tools

get_ip_intel

Full CTI profile for an IPv4 — crime score, MITRE ATT&CK mappings, STIX2 bundles, member reports, and attack observations.

get_live_ipv4_feeds

Paginated real-time feed of all malicious IPs above a configurable crime score threshold. Ready for firewall/IPS ingestion.

report_ip

Submit threat intelligence on a malicious IP to the OneFirewall Alliance, contributing to the collective crime score.

get_agent_status

Status, configuration, active blocklist, and last sync time for all WCF firewall agents in your organisation.

Tool Reference

get_ip_intel

Retrieve the complete intelligence profile for an IPv4 address.
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| ipv4 | string | Yes | The IPv4 address to investigate (e.g. "185.220.101.5") |
Example prompt:
“What does OneFirewall know about 185.220.101.5?”
Returns: crime score, MITRE ATT&CK techniques, STIX2 bundles, number of Alliance members who reported it, agent observations, geolocation, ASN, and historical notes.

get_live_ipv4_feeds

Pull a real-time blocklist of malicious IPs above a minimum crime score.
| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| min_score | integer | Yes | | Minimum WCF crime score (1–1000) |
| format | string | No | CSV | CSV or LIST (comma-separated) |
| show_score | string | No | | "yes" to include score alongside each IP |
| page | string | No | | Pagination cursor from next_page response header |
| agid | string | No | | Scope feed to a specific WCF Agent ID |
| plugin | string | No | | Filter by IPS/plugin name |
Example prompt:
“Give me all IPs with a crime score above 200 in CSV format.”
Responses are paginated. If the next_page header is present in the API response, pass that value as the page parameter to retrieve the next batch.

report_ip

Report an IP address as malicious to the OneFirewall Alliance.
| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| ip | string | Yes | | IPv4 address or CIDR network |
| confidence | float | Yes | | Confidence level: 0.0 (uncertain) → 1.0 (certain) |
| source | string | Yes | | Where the threat was observed (e.g. "sshlog", "ids") |
| notes | string | No | | Free-text description of the observed behaviour |
| decision | integer | No | -1 | -1 = score-based, 0 = whitelist, 1 = blacklist |
| ttl | integer | No | | Unix timestamp after which the decision override expires |
Example prompt:
“Report 10.0.0.1 as malicious — I observed repeated SSH brute-force attempts, confidence 0.95, source ‘sshlog’.”
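Because report_ip writes to a shared score, an integrator may want to check the arguments an agent proposes before the call is allowed. The following is an added example, not part of the OneFirewall documentation or code; it applies the constraints from the parameter table above. The name validate_report, the /24 limit and the refusal of private or reserved ranges are assumptions made for illustration, not documented OneFirewall behaviour.

```python
import ipaddress
import time

MIN_PREFIX = 24  # assumed local policy: refuse networks broader than /24
DECISIONS = {-1, 0, 1}  # from the table: score-based, whitelist, blacklist


def validate_report(args, now=None):
    """Return problems found in proposed report_ip arguments (empty list = OK)."""
    now = time.time() if now is None else now
    problems = []

    # ip: IPv4 address or CIDR; strict=True rejects host bits (1.2.3.4/24).
    try:
        net = ipaddress.ip_network(str(args.get("ip", "")), strict=True)
    except ValueError:
        problems.append("ip: not a valid IPv4 address or CIDR network")
    else:
        if net.version != 4:
            problems.append("ip: only IPv4 is accepted")
        elif net.is_private or net.is_multicast:
            # Assumed policy: internal or reserved space is never reported.
            problems.append("ip: private or reserved range")
        elif net.prefixlen < MIN_PREFIX:
            problems.append(f"ip: network broader than /{MIN_PREFIX}")

    conf = args.get("confidence")
    if type(conf) not in (int, float) or not 0.0 <= conf <= 1.0:
        problems.append("confidence: must be a number from 0.0 to 1.0")

    source = args.get("source")
    if not isinstance(source, str) or not source.strip():
        problems.append("source: required, non-empty string")

    decision = args.get("decision", -1)
    if type(decision) is not int or decision not in DECISIONS:
        problems.append("decision: must be -1, 0 or 1")

    ttl = args.get("ttl")
    if ttl is not None and (type(ttl) is not int or ttl <= now):
        problems.append("ttl: must be a future Unix timestamp")

    return problems
```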

get_agent_status

Retrieve the status of WCF firewall agents registered in your organisation.
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| agid | string | No | Agent ID to filter to a single agent. Omit to return all agents. |
Example prompt:
“Show me the status of all my firewall agents.”
Returns: per-agent configuration (score threshold, sync interval, max rules), last sync timestamp, active blocklist, plugin name, and error codes.