Model Context Protocol (MCP) servers expose a structured, machine-readable API for your enterprise data—designed for AI-powered automation, copilots, and decision engines. By delivering a clear, contextual slice of your security environment, MCP lets you query, analyze, and optimize complex systems without building custom SDKs or parsing raw exports.
Troubleshooting connection issues on Check Point gateways can be challenging and time-consuming. Traditional debugging methods require extensive CLI knowledge, manual log analysis, and complex packet captures.
This MCP server simplifies connection debugging by providing structured, context-rich data about connections flowing through your gateway. It enables AI systems to help you troubleshoot connectivity issues by starting a connection analysis session, analyzing the results, and providing actionable insights about what's happening with your traffic.
- Real-time Connection Analysis: Start and stop live connection debugging sessions
- Source and Destination Tracking: Track connections between specific IP addresses
- Comprehensive Connection Data: View packet path, security policy decisions, NAT rules applied, and more
- Interactive Troubleshooting: Start a session, reproduce an issue, then analyze the results
- Start the analysis: Specify the source and destination IP addresses to monitor
- Reproduce the issue: Generate the traffic that's experiencing problems
- Stop the analysis: Capture the results and get a detailed report on what happened
"Why can't my client at 10.0.1.5 reach the server at 192.168.1.10? Let's debug the connection." → Starts a connection analysis session, guides you through reproducing the issue, then explains where the traffic is being blocked or dropped.
"Check if traffic from 10.1.1.100 to external server 203.0.113.50 is being properly NAT'ed." → Analyzes the connection to show which NAT rules are applied and how the addresses are translated.
"Trace the exact path of packets from 10.0.2.15 to database server 10.0.3.25." → Details each step of the packet journey through interfaces, security policies, and network functions.
The Connection Analysis tool starts a debug session on your gateway for specific connections. It may have performance repercussions. Make sure to stop the session when you no longer need it.
📊 Anonymous Usage Statistics: Check Point collects anonymous usage statistics to help improve this MCP server. To opt out, set
TELEMETRY_DISABLED=trueor use--no-telemetryflag.
This server supports two main modes of authentication:
Authenticate to Check Point Smart-1 Cloud using an API key.
- How to generate an API key:
In your Smart-1 Cloud dashboard, go to Settings → API & SmartConsole and generate an API key.
Copy the key and the server login URL (excluding the/loginsuffix) to your client settings.
Set the following environment variables:
API_KEY: Your Smart-1 Cloud API keyS1C_URL: Your Smart-1 Cloud tenant "Web-API" URL
-
Configure your management server to allow API access:
To use this server with an on-premises Check Point management server, you must first enable API access.
Follow the official instructions for Managing Security through API. -
Authenticate to the Security Management Server using either an API key or username/password:
- Follow the official instructions: Managing Administrator Accounts (Check Point R81+)
- When creating the administrator, assign appropriate permissions for API access and management operations.
- You can authenticate using an API key (recommended for automation) or username/password credentials.
Set the following environment variables:
MANAGEMENT_HOST: IP address or hostname of your management serverPORT: (Optional) Management server port (default: 443)API_KEY: Your management API key (if using API key authentication)USERNAME: Username for authentication (if using username/password authentication)PASSWORD: Password for authentication (if using username/password authentication)
Download and install the latest version of Node.js if you don't already have it installed.
You can check your installed version by running:
node -v # Should print "v20" or higher
nvm current # Should print "v20" or higherThis server has been tested with Claude Desktop, Cursor, GitHub Copilot, and Windsurf clients.
It is expected to work with any MCP client that supports the Model Context Protocol.
Note: Due to the nature of management API calls and the variety of server tools, using this server may require a paid subscription to the model provider to support token limits and context window sizes.
For smaller models, you can reduce token usage by limiting the number of enabled tools in the client.
{
"mcpServers": {
"quantum-gw-connection-analysis": {
"command": "npx",
"args": ["@chkp/quantum-gw-connection-analysis-mcp"],
"env": {
"API_KEY": "YOUR_API_KEY",
"S1C_URL": "YOUR_S1C_URL" // e.g., https://xxxxxxxx.maas.checkpoint.com/yyyyyyy/web_api
}
}
}
}{
"mcpServers": {
"quantum-gw-connection-analysis": {
"command": "npx",
"args": ["@chkp/quantum-gw-connection-analysis-mcp"],
"env": {
"MANAGEMENT_HOST": "YOUR_MANAGEMENT_IP_OR_HOST_NAME",
"MANAGEMENT_PORT": "443", // optional, default is 443
"API_KEY": "YOUR_API_KEY", // or use USERNAME and PASSWORD
"USERNAME": "YOUR_USERNAME", // optional
"PASSWORD": "YOUR_PASSWORD" // optional
}
}
}
}Set only the environment variables required for your authentication method.
- Download the MCPB file: 📥 gw-cli-connection-analysis.mcpb
- Open Claude Desktop App → Settings → Extensions
- Drag the MCPB file and configure per the instructions.
# Create the config file if it doesn't exist
touch "$HOME/Library/Application Support/Claude/claude_desktop_config.json"
# Open the config file in TextEdit
open -e "$HOME/Library/Application Support/Claude/claude_desktop_config.json"code %APPDATA%\Claude\claude_desktop_config.jsonAdd the server configuration:
{
"mcpServers": {
"quantum-gw-connection-analysis": {
"command": "npx",
"args": ["@chkp/quantum-gw-connection-analysis-mcp"],
"env": {
// Add the configuration from the above instructions
}
}
}
}Enter VSCode settings and type "mcp" in the search bar. You should see the option to edit the configuration file. Add this configuration:
{
...
"mcp": {
"inputs": [],
"servers": {
"quantum-gw-connection-analysis": {
"command": "npx",
"args": [
"@chkp/quantum-gw-connection-analysis-mcp"
],
"env": {
"MANAGEMENT_HOST": "YOUR_MANAGEMENT_IP_OR_HOST_NAME",
"MANAGEMENT_PORT": "443", // optional, default is 443
"API_KEY": "YOUR_API_KEY", // or use USERNAME and PASSWORD
"USERNAME": "YOUR_USERNAME", // optional
"PASSWORD": "YOUR_PASSWORD" // optional
}
}
}
},
...
}Enter Windsurf settings and type "mcp" in the search bar. You should see the option to edit the configuration file. Add the configuration as Claude Desktop App.
Enter Cursor settings and click on "MCP Servers" in the left menu. You should see the option to add a new MCP Server. Add the configuration as Claude Desktop App.
- Node.js 20+
- npm 10+
# Install all dependencies
npm install# Build all packages
npm run buildYou can run the server locally for development using MCP Inspector or any compatible MCP client.
node FULL_PATH_TO_SERVER/packages/management/dist/index.js --s1c-url|--management-host --api-key|--username|--password- Authentication keys and credentials are never shared with the model. They are used only by the MCP server to authenticate with your Check Point management system.
- Only use client implementations you trust. Malicious or untrusted clients could misuse your credentials or access data improperly.
- Management data is exposed to the model. Ensure that you only use models and providers that comply with your organization's policies for handling sensitive data and PII.
Anonymous Usage Statistics: Check Point collects anonymous usage statistics to improve this MCP server. Only tool usage patterns and anonymous identifiers are collected—no credentials, policies, or sensitive data.
Opt-Out: Set TELEMETRY_DISABLED=true environment variable or use the --no-telemetry flag to disable telemetry collection.