A Model Context Protocol (MCP) server that provides a conversational AI interface to interact with Illumio PCE (Policy Compute Engine). This server enables programmatic access to workload management, label operations, traffic flow analysis, and security policy management through natural language.
- Workload Management: Create, update, delete, and query workloads
- Label Operations: Manage labels for application segmentation
- Traffic Analysis: Analyze traffic flows with detailed filtering and summaries
- Policy Management: Create and manage rulesets and IP lists
- Security Analysis: Generate security assessments and remediation plans
- Event Monitoring: Track PCE events and system health
- Read-Only Mode: Safely explore PCE without risk of changes
- Comprehensive Error Handling: Detailed logging and error reporting
- Input Validation: Secure handling of all PCE operations
```bash
# Install directly from GitHub
uvx --from git+https://github.com/lukeburciu/illumio-mcp-server@main illumio-mcp
```

Add to your Claude Desktop config file:

- macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
- Windows: `%APPDATA%/Claude/claude_desktop_config.json`
- Claude Code: `$PROJECT_DIR/.mcp.json`
```json
{
  "mcpServers": {
    "illumio-mcp": {
      "command": "uvx",
      "args": [
        "--from",
        "git+https://github.com/lukeburciu/illumio-mcp-server@main",
        "illumio-mcp"
      ],
      "env": {
        "PCE_HOST": "your-pce-host.com",
        "PCE_PORT": "443",
        "PCE_ORG_ID": "1",
        "API_KEY": "your-api-key",
        "API_SECRET": "your-api-secret",
        "READ_ONLY": "false"
      }
    }
  }
}
```

| Variable | Description | Default | Required |
|---|---|---|---|
| `PCE_HOST` | PCE hostname | - | |
| `PCE_PORT` | PCE port | 443 | |
| `PCE_ORG_ID` | Organization ID | 1 | |
| `API_KEY` | API key for authentication | - | |
| `API_SECRET` | API secret | - | |
| `READ_ONLY` | Enable read-only mode | false | |
- `get-workloads`: Retrieve workloads with optional filtering
- `create-workload`: Create unmanaged workloads with labels
- `update-workload`: Modify existing workload properties
- `delete-workload`: Remove workloads from PCE

- `get-labels`: List all labels in PCE
- `create-label`: Create new key-value labels
- `delete-label`: Remove existing labels

- `get-traffic-flows`: Detailed traffic flow data with filtering:
  - Date range selection
  - Source/destination filtering
  - Service and port filtering
  - Policy decision analysis
- `get-traffic-flows-summary`: Aggregated traffic summaries

- `get-rulesets`: Query rulesets with name/status filtering
- `get-iplists`: Manage IP lists with range filtering

- `check-pce-connection`: Verify connectivity and credentials
- `get-events`: Monitor PCE events by type/severity/status
Creates comprehensive security policies to isolate applications:
Arguments:
- application_name: Target application
- application_environment: Target environment
Creates:
- Inter-tier communication rules
- Inbound/outbound restrictions
- External connection policies
Provides detailed traffic pattern analysis:
Arguments:
- application_name: Application to analyze
- application_environment: Environment to analyze
Returns:
- Traffic flow patterns
- Service identification
- Label categorization
- Internet exposure status
- Click "Attach from MCP" button
- Select "illumio-mcp" from available servers
- Choose your prompt (e.g., "analyze-application-traffic")
- Fill in required parameters
- Submit to generate analysis
Enable safe exploration without modifications:
```json
"env": {
  "READ_ONLY": "true"
}
```

When enabled, blocks:
- Workload creation/updates/deletion
- Label modifications
- Policy changes
- Any PCE state modifications
All read operations remain available.
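
A pre-flight check for the config entry shown above, as an added example that is not part of this project's code. The function name, the finding codes and the rule that only the string "true" enables read-only mode are assumptions; the sample config is constructed from the README's placeholders, and the permission check is only meaningful on POSIX systems.

```python
import json
import re
import stat

# Constructed sample mirroring the README's config; all values are placeholders.
SAMPLE_CONFIG = json.loads("""
{"mcpServers": {"illumio-mcp": {
  "command": "uvx",
  "args": ["--from", "git+https://github.com/lukeburciu/illumio-mcp-server@main",
           "illumio-mcp"],
  "env": {"PCE_HOST": "your-pce-host.com", "API_KEY": "your-api-key",
          "API_SECRET": "your-api-secret", "READ_ONLY": "false"}}}}
""")

FULL_SHA = re.compile(r"@[0-9a-f]{40}$")


def audit_mcp_config(config, file_mode=None, server="illumio-mcp"):
    """Return a list of finding codes for one MCP server entry.

    file_mode is the st_mode of the config file (os.stat(path).st_mode),
    or None to skip the permission check.
    """
    entry = config.get("mcpServers", {}).get(server)
    if entry is None:
        return ["server-not-configured"]
    findings = []
    env = entry.get("env", {})
    # Assumption: only the string "true" (as in the README) enables read-only mode.
    if env.get("READ_ONLY", "false").strip().lower() != "true":
        findings.append("write-tools-enabled")
    # A branch name such as @main can move; a full commit SHA cannot.
    for arg in entry.get("args", []):
        if arg.startswith("git+") and not FULL_SHA.search(arg):
            findings.append("unpinned-git-ref")
    # The file stores API_SECRET in clear text, so it should be owner-only.
    if file_mode is not None and "API_SECRET" in env:
        if file_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("secret-file-group-or-world-accessible")
    return findings


if __name__ == "__main__":
    print(audit_mcp_config(SAMPLE_CONFIG, file_mode=0o100644))
```

To audit a real file, load it with `json.load` and pass `os.stat(path).st_mode` as `file_mode`.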
```bash
# Clone repository
git clone https://github.com/lukeburciu/illumio-mcp-server
cd illumio-mcp-server
# Install with UV
uv pip install -e .
# Run locally
uv run illumio-mcp
```

```bash
uv run python test_server.py
```

```
src/illumio_mcp/
├── server.py           # Main FastMCP entry point
├── core/               # Core functionality
│   ├── config.py       # Environment configuration
│   ├── connection.py   # PCE connection management
│   └── logging.py      # Centralized logging
├── tools/              # MCP tool implementations
│   ├── workloads.py    # Workload operations
│   ├── labels.py       # Label management
│   ├── policies.py     # Policy operations
│   ├── traffic.py      # Traffic analysis
│   └── misc.py         # Utility tools
└── prompts/            # MCP prompt definitions
```

- Generate compliance reports (PCI, SWIFT, etc.)
- Identify high-risk vulnerabilities
- Create remediation plans
- Analyze application dependencies
- Monitor service communications
- Track workload metrics
- Manage segmentation policies
- Audit label usage
- Identify unknown services
- Map application flows
- Detect policy violations
- Optimize rule sets
The server enables creation of rich visualizations through Claude Desktop:
- Application Analysis: Communication patterns and dependencies
- Security Assessments: Compliance reports and risk findings
- Traffic Patterns: Service role inference and flow analysis
- Policy Management: Ruleset organization and IP list management
- Workload Insights: Detailed metrics and traffic identification
- Verify PCE_HOST is accessible
- Check API credentials are valid
- Confirm PCE_ORG_ID is correct
- Use the `check-pce-connection` tool to diagnose
- Ensure API key has required permissions
- Enable READ_ONLY mode for testing
- Check PCE role assignments
- "Resource not found": Verify resource names/IDs
- "Authentication failed": Check API_KEY and API_SECRET
- "Connection timeout": Verify network connectivity to PCE
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit changes (`git commit -m 'Add amazing feature'`)
- Push to branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
[License information to be added]
For issues and questions:
- Open an issue on GitHub
- Check existing documentation in `/docs`
- Review CLAUDE.md for development guidelines
Built with:
- FastMCP - MCP server framework
- Illumio SDK - Python SDK for PCE
- Model Context Protocol - AI integration protocol