Merge pull request #26 from CheckPointSW/chkp-nirm-patch-1

chkp-nirm · web-flow · commit 78afdd660386 · 2025-06-18T14:10:26.000+03:00
Update README.md
diff --git a/README.md b/README.md
@@ -1,73 +1,260 @@
-# MCP Servers Monorepo
+# Check Point Quantum Management MCP Server
 
-This repository contains a collection of Model Context Protocol (MCP) servers implemented in TypeScript. Each server is organized as a separate package within the monorepo structure.
+## What is MCP?
 
-## Getting Started
+Model Context Protocol (MCP) servers expose a structured, machine-readable API for your enterprise data—designed for AI-powered automation, copilots, and decision engines. By delivering a clear, contextual slice of your security environment, MCP lets you query, analyze, and optimize complex systems without building custom SDKs or parsing raw exports.
 
-To work with this repository:
+## Why MCP for Security?
+ 
+Security Policies often span hundreds of rules and thousands of objects across diverse enforcement points. Understanding, auditing, or optimizing these environments is slow and error-prone. 
+MCP changes this: exposing security management data in a modular, context-rich format, ready for AI systems to consume. Enabling the AI to use your data with precision. Ask real-world questions, and get structured, actionable answers—instantly.
+
+## Features
+
+- Query and visualize installed policies, rulebases, and network topology
+- Retrieve and analyze access, NAT and VPN rules
+- List and inspect objects such as hosts, networks, services, VPN communities, and more
+
+## Demo
+
+[![Watch the demo](https://img.youtube.com/vi/QKBcD_99W3s/0.jpg)](https://www.youtube.com/watch?v=QKBcD_99W3s)
+
+## Example Use Cases
+
+### Regulatory Compliance Checks
+“Do my current gateways meet PCI-DSS, HIPAA, or GDPR standards?”  
+*→ Returns a detailed gap analysis across your policy layers.*
+
+### Risky Rule Discovery
+“Show all rules that allow any-to-any traffic. Highlight unused or disabled rules.”  
+*→ Surfaces misconfigurations and expands your visibility.*
+
+### Path Analysis for Access
+“Can host 10.1.2.7 access the internet under current policy?”  
+*→ Traces real access flows across Access, NAT, and interfaces.*
+
+### Rulebase Optimization with AI
+“Review internet-facing rules and suggest which should be tightened or removed.”  
+*→ Actionable insights that improve your security posture.*
+
+### Visual Policy Mapping
+“Generate a report showing allowed and blocked services across my environment.”  
+*→ Delivers structured data for dashboards, reports, and audits.*
+  
+---
+
+## Configuration Options
+
+This server supports two main modes of authentication:
+
+### 1. Smart-1 Cloud (API Key)
+
+Authenticate to Check Point Smart-1 Cloud using an API key.
+
+- **How to generate an API key:**  
+  In your Smart-1 Cloud dashboard, go to **Settings → API & SmartConsole** and generate an API key.  
+  Copy the key and the server login URL (excluding the `/login` suffix) to your client settings.  
+  ![alt text](./resources/s1c_api_key.png)
+
+Set the following environment variables:
+
+- `API_KEY`: Your Smart-1 Cloud API key  
+- `S1C_URL`: Your Smart-1 Cloud tenant "Web-API" URL  
+  
+---
+
+### 2. On-Prem Management (API Key or Username/Password)
+
+- **Configure your management server to allow API access:**  
+  To use this server with an on-premises Check Point management server, you must first enable API access.  
+  Follow the official instructions for [Managing Security through API](https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SmartProvisioning_AdminGuide/Content/Topics-SPROVG/Managing-Security-through-API.htm).
+
+- **Authenticate to the Security Management Server** using either an API key or username/password:  
+  - Follow the official instructions: [Managing Administrator Accounts (Check Point R81+)](https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topics-SECMG/Managing_Administrator_Accounts.htm)  
+  - When creating the administrator, assign appropriate permissions for API access and management operations.  
+  - You can authenticate using an API key (recommended for automation) or username/password credentials.
+
+Set the following environment variables:
+
+- `MANAGEMENT_HOST`: IP address or hostname of your management server  
+- `PORT`: (Optional) Management server port (default: 443)  
+- `API_KEY`: Your management API key (if using API key authentication)  
+- `USERNAME`: Username for authentication (if using username/password authentication)  
+- `PASSWORD`: Password for authentication (if using username/password authentication)  
+  
+---
+
+## Client Configuration
+
+### Prerequisites
+
+Download and install the latest version of [Node.js](https://nodejs.org/en/download/) if you don't already have it installed.  
+You can check your installed version by running:
 
 ```bash
-# Clone the repository
-git clone [repository-url]
+node -v      # Should print "v22" or higher
+nvm current  # Should print "v22" or higher
+```
 
-# Install dependencies
-npm install
+### Supported Clients
 
-# Build all packages
-npm run build
+This server has been tested with Claude Desktop, Cursor, GitHub Copilot, and Windsurf clients.  
+It is expected to work with any MCP client that supports the Model Context Protocol.
+
+> **Note:** Due to the nature of management API calls and the variety of server tools, using this server may require a paid subscription to the model provider to support token limits and context window sizes.  
+> For smaller models, you can reduce token usage by limiting the number of enabled tools in the client.
+
+### Smart-1 Cloud Example
+
+```json
+{
+  "mcpServers": {
+    "quantum-management": {
+      "command": "npx",
+      "args": ["@chkp/quantum-management-mcp"],
+      "env": {
+        "API_KEY": "YOUR_API_KEY",
+        "S1C_URL": "YOUR_S1C_URL" // e.g., https://xxxxxxxx.maas.checkpoint.com/yyyyyyy/web_api
+      }
+    }
+  }
+}
 ```
 
-## Running MCP Servers
+### On-Prem Management Example
 
-To run any of the MCP servers in this repository:
+```json
+{
+  "mcpServers": {
+    "quantum-management": {
+      "command": "npx",
+      "args": ["@chkp/quantum-management-mcp"],
+      "env": {
+        "MANAGEMENT_HOST": "YOUR_MANAGEMENT_IP_OR_HOST_NAME",
+        "MANAGEMENT_PORT": "443", // optional, default is 443
+        "API_KEY": "YOUR_API_KEY", // or use USERNAME and PASSWORD
+        "USERNAME": "YOUR_USERNAME", // optional
+        "PASSWORD": "YOUR_PASSWORD"  // optional
+      }
+    }
+  }
+}
+```
+
+> Set only the environment variables required for your authentication method.
+
+### Configuring the Claude Desktop App
 
-1. Navigate to the specific server package directory
-2. Follow the instructions in that package's README.md
-3. When installing dependencies or running npm/npx commands, make sure to include the registry argument:
+#### For macOS:
 
 ```bash
---registry https://artifactory-product.checkpoint.com/artifactory/api/npm/npm/
+# Create the config file if it doesn't exist
+touch "$HOME/Library/Application Support/Claude/claude_desktop_config.json"
+
+# Open the config file in TextEdit
+open -e "$HOME/Library/Application Support/Claude/claude_desktop_config.json"
 ```
 
-### For example, to run the Management MCP server:
-``` json
-"quantum-management":
-    {
+#### For Windows:
+
+```cmd
+code %APPDATA%\Claude\claude_desktop_config.json
+```
+
+Add the server configuration:
+
+```json
+{
+  "mcpServers": {
+    "quantum-management": {
+      "command": "npx",
+      "args": ["@chkp/quantum-management-mcp"],
+      "env": {
+        // Add the configuration from the above instructions
+      }
+    }
+  }
+}
+```
+
+### VSCode 
+
+Enter VSCode settings and type "mcp" in the search bar.
+You should see the option to edit the configuration file.
+Add this configuration:
+
+```json
+{
+  ...
+  "mcp": {
+    "inputs": [],
+    "servers": {
+      "quantum-management": {
         "command": "npx",
-        "args":
-        [
-            "--registry",
-            "https://artifactory-product.checkpoint.com/artifactory/api/npm/npm/",
-            "-y",
-            "@chkp/genai-mcp-server-management@latest"
+        "args": [
+          "@chkp/quantum-management-mcp"
         ],
-        "env":
-        {
-            "S1C_URL": YOUR_S1C_URL, // (for smart1-cloud)
-            "MANAGEMENT_HOST": YOUR_MANAGEMENT_HOST, // (for on-prem)
-            "API_KEY": YOUR_API_KEY,            
-            "USERNAME": YOUR_USERNAME,
-            "PASSWORD": YOUR_PASSWORD,            
+        "env": {
+          "MANAGEMENT_HOST": "YOUR_MANAGEMENT_IP_OR_HOST_NAME",
+          "MANAGEMENT_PORT": "443",  // optional, default is 443
+          "API_KEY": "YOUR_API_KEY", // or use USERNAME and PASSWORD
+          "USERNAME": "YOUR_USERNAME", // optional
+          "PASSWORD": "YOUR_PASSWORD" // optional
         }
+      }
     }
+  },
+  ...
+}
 ```
-## Available MCP Servers
 
-The following table lists all available MCP servers in this repository:
+### Windsurf
 
-| Server | Internal Package | External Package |
-|--------|-----------------|-----------------|
-| Management | @chkp/genai-mcp-server-management@latest | @chkp/quantum_management_mcp |
+Enter Windsurf settings and type "mcp" in the search bar.
+You should see the option to edit the configuration file.
+Add the configuration as Claude Desktop App.
 
-## Repository Structure
+### Cursor
 
-This monorepo is organized as follows:
-
-- `/packages` - Contains all MCP server implementations and shared libraries
-  - `/infra` - Shared infrastructure components
-  - `/management` - Management MCP server
+Enter Cursor settings and click on "MCP Servers" in the left menu.
+You should see the option to add a new MCP Server.
+Add the configuration as Claude Desktop App.
+  
+---
 
 ## Development
 
-For development instructions, please refer to the README within each package directory.
+### Prerequisites
+
+- Node.js 22+  
+- npm 10+  
+
+### Setup
+
+```bash
+# Install all dependencies
+npm install
+```
+
+### Build
+
+```bash
+# Build all packages
+npm run build
+```
+
+### Running Locally
+
+You can run the server locally for development using [MCP Inspector](https://modelcontextprotocol.io/docs/tools/inspector) or any compatible MCP client.
+
+```bash
+node FULL_PATH_TO_SERVER/packages/management/dist/index.js --s1c-url|--management-host --api-key|--username|--password
+```
+
+---
+
+## ⚠️ Security Notice
 
+1. **Authentication keys and credentials are never shared with the model.** They are used only by the MCP server to authenticate with your Check Point management system.  
+2. **Only use client implementations you trust.** Malicious or untrusted clients could misuse your credentials or access data improperly.  
+3. **Management data is exposed to the model.** Ensure that you only use models and providers that comply with your organization’s policies for handling sensitive data and PII.
