firewalla-mcp-server

Version:

Model Context Protocol (MCP) server for Firewalla MSP API - Provides real-time network monitoring, security analysis, and firewall management through 28 specialized tools compatible with any MCP client

github.com/amittell/firewalla-mcp-server

amittell/firewalla-mcp-server

676 lines (534 loc) • 20.7 kB

Markdown

# Firewalla MCP Server - Tool Descriptions Enhancement Guide This document provides comprehensive documentation on the tool description improvements, resolved limit discrepancies, and enhancement patterns implemented in the Firewalla MCP Server. ## Table of Contents - [Overview](#overview) - [Resolved Limit Discrepancies](#resolved-limit-discrepancies) - [Tool Description Enhancement Patterns](#tool-description-enhancement-patterns) - [Schema vs Implementation Alignment](#schema-vs-implementation-alignment) - [Advanced Query Syntax Integration](#advanced-query-syntax-integration) - [Error Context Enhancement](#error-context-enhancement) - [Performance Guidance Integration](#performance-guidance-integration) - [Best Practices](#best-practices) ## Overview The Firewalla MCP Server underwent significant tool description enhancements to address critical discrepancies between schema definitions, actual implementations, and user expectations. This guide documents what was fixed and the principles applied to ensure consistency and clarity. ### Key Issues Resolved 1. **Limit Discrepancies**: Schema limits vs actual performance-tested limits 2. **Inconsistent Descriptions**: Tool descriptions didn't reflect actual capabilities 3. **Missing Query Examples**: Advanced search syntax not documented in tools 4. **Error Context Gaps**: Insufficient error guidance in tool descriptions 5. **Performance Expectations**: No guidance on response times and resource usage ## Resolved Limit Discrepancies ### Critical Issues Found and Fixed #### 1. Search Tools Schema Mismatch **Problem**: Tool schemas showed maximum limits that caused performance issues **Before (Schema Definitions)**: ```typescript // Schema showed these limits search_alarms: { max: 5000 } // Caused 8-15s response times search_flows: { max: 10000 } // Caused memory exhaustion search_rules: { max: 3000 } // Inconsistent with other tools search_devices: { max: 2000 } // Performance degradation ``` **After (Performance-Optimized)**: ```typescript // All standardized for optimal performance search_alarms: { max: 1000 } // 1-3s response times search_flows: { max: 1000 } // Consistent memory usage search_rules: { max: 1000 } // Standardized performance search_devices: { max: 1000 } // Optimal device search ``` **Tool Description Enhancement**: ```typescript // Enhanced description now includes performance context { name: "search_alarms", description: `Search security alarms with advanced query syntax. Performance: Optimized for up to 1000 results with 1-3 second response times. Larger datasets should use pagination with cursor parameter. Query Examples: - severity:high AND source_ip:192.168.* - (severity:critical OR severity:high) AND protocol:tcp - blocked:true AND bytes:>10000000`, parameters: { limit: { type: "number", description: "Maximum results (1-1000). Limit optimized for performance. Use pagination for larger datasets.", minimum: 1, maximum: 1000 // Updated from previous 5000 } } } ``` #### 2. Geographic Search Tools Inconsistency **Problem**: Geographic tools had different limits for similar operations **Before**: ```typescript search_flows_by_geography: { max: 1000 } // Reasonable limit search_alarms_by_geography: { max: 5000 } // Caused timeout issues get_geographic_statistics: { max: 10000 } // Excessive for summary data ``` **After**: ```typescript search_flows_by_geography: { max: 1000 } // Consistent performance search_alarms_by_geography: { max: 1000 } // Standardized for reliability get_geographic_statistics: { max: 1000 } // Appropriate for statistical data ``` **Tool Description Enhancement**: ```typescript { name: "search_flows_by_geography", description: `Search network flows with geographic filtering and enrichment. Geographic Features: - Multi-country filtering: countries:["China","Russia","Iran"] - Continent-based search: continents:["Asia","Europe"] - ASN and hosting provider filtering - Risk scoring and threat intelligence Performance: Includes geographic data enrichment (800-2000ms response). Results include country, region, city, ASN, and risk scoring data.`, parameters: { geographic_filters: { type: "object", description: `Geographic filtering options with multi-value support: - countries: Array of country names (OR logic) - continents: Array of continent names (OR logic) - regions: Array of region names (OR logic) - min_risk_score: Minimum geographic risk score (0.0-1.0) - exclude_cloud: Boolean to exclude cloud provider traffic - exclude_vpn: Boolean to exclude VPN/proxy traffic` } } } ``` #### 3. Bandwidth Analysis Over-sizing **Problem**: Bandwidth tools allowed limits that caused memory exhaustion **Before**: ```typescript get_bandwidth_usage: { max: 2000 } // Caused 250-500MB memory usage ``` **After**: ```typescript get_bandwidth_usage: { max: 500 } // Optimized for 50-100MB memory usage ``` **Tool Description Enhancement**: ```typescript { name: "get_bandwidth_usage", description: `Get top bandwidth consuming devices with usage analytics. Performance Note: Bandwidth analysis is memory-intensive due to per-device aggregation. Limit restricted to 500 devices for optimal performance. Data Processing: - Aggregates upload/download statistics per device - Calculates total bandwidth usage over specified period - Sorts by total usage (download + upload) - Includes device identification and network information Memory Usage: ~100MB for 500 devices, scales significantly beyond this limit.`, parameters: { limit: { type: "number", description: "Number of top devices to return (1-500). Lower limit due to intensive bandwidth aggregation processing.", minimum: 1, maximum: 500 // Reduced from 2000 for performance } } } ``` #### 4. Rules Summary Excessive Limits **Problem**: Rules summary operations had impractical limits **Before**: ```typescript get_network_rules_summary: { max: 10000 } // 15-30 second response times get_most_active_rules: { max: 5000 } // Inconsistent with other rule tools ``` **After**: ```typescript get_network_rules_summary: { max: 2000 } // 3-5 second response times get_most_active_rules: { max: 1000 } // Consistent with standard tools ``` **Tool Description Enhancement**: ```typescript { name: "get_network_rules_summary", description: `Get comprehensive summary and analysis of network firewall rules. Analysis Features: - Rule effectiveness statistics (hit counts, last triggered) - Category-based grouping and analysis - Active vs inactive rule identification - Performance impact assessment Performance: Analyzes up to 2000 rules in 3-5 seconds. For networks with more rules, use filtering or multiple targeted queries. Typical Usage: - Security audit of firewall effectiveness - Rule optimization planning - Compliance reporting - Performance impact analysis`, parameters: { limit: { type: "number", description: "Maximum rules to analyze (1-2000). Reduced from 10000 for practical response times.", minimum: 1, maximum: 2000 // Reduced from 10000 } } } ``` #### 5. Cross-Reference Tools Optimization **Problem**: Cross-reference operations had inconsistent limits and unclear performance expectations **Before**: ```typescript search_cross_reference: { max: 5000 } // Often timed out search_enhanced_cross_reference: { max: 10000 } // Excessive processing time ``` **After**: ```typescript search_cross_reference: { max: 2000 } // Reliable 3-5 second responses search_enhanced_cross_reference: { max: 2000 } // Consistent high-quality correlation ``` **Tool Description Enhancement**: ```typescript { name: "search_enhanced_cross_reference", description: `Advanced multi-entity correlation with intelligent scoring and fuzzy matching. Correlation Features: - Multi-field correlation across flows, alarms, devices - Intelligent confidence scoring (0.0-1.0) - Fuzzy matching algorithms for IP subnets, strings - Temporal window filtering for time-based correlation - Network and device scope expansion Performance: Complex correlation analysis optimized for 2000 results. Processing time: 2-5 seconds with high-quality correlation scoring. Use Cases: - Security incident investigation - Threat hunting across multiple data sources - Network behavior analysis - Anomaly detection and root cause analysis`, parameters: { correlation_params: { type: "object", description: `Enhanced correlation configuration: - correlationFields: Array of fields to correlate (max 5 for performance) - correlationType: "AND" or "OR" logic for correlation - temporalWindow: Time-based correlation filtering - networkScope: Network-level correlation options - deviceScope: Device-level correlation options` }, limit: { type: "number", description: "Maximum results for correlation analysis (1-2000). Higher limits provide better correlation quality.", minimum: 1, maximum: 2000 // Optimized for correlation quality vs performance } } } ``` ## Tool Description Enhancement Patterns ### 1. Performance Context Integration **Pattern**: Every tool description now includes performance expectations **Template**: ```typescript { description: `[Tool functionality description] Performance: [Response time expectations, memory usage, processing characteristics] [Additional context about limits, optimization, or usage patterns]` } ``` **Example Implementation**: ```typescript { name: "search_flows", description: `Search network flows with advanced query syntax and filtering. Performance: Optimized for 1000 results with 500-1500ms response times. Memory usage: 20-100MB depending on result complexity and time range. Supports complex queries with logical operators, wildcards, and ranges. Use pagination with cursor parameter for datasets larger than 1000 flows.` } ``` ### 2. Query Syntax Documentation **Pattern**: Advanced search tools include comprehensive query examples **Template**: ```typescript { description: `[Tool description] Query Examples: - [Simple query example] - [Medium complexity example] - [Complex logical query example] - [Field-specific examples]` } ``` **Example Implementation**: ```typescript { name: "search_alarms", description: `Search security alarms with advanced filtering capabilities. Query Examples: - severity:high - severity:high AND source_ip:192.168.* - (severity:critical OR severity:high) AND protocol:tcp - blocked:true AND bytes:>10000000 AND country:China - timestamp:>NOW-24h AND NOT resolved:true` } ``` ### 3. Limit Justification **Pattern**: Parameter descriptions explain why limits exist **Template**: ```typescript { parameters: { limit: { description: "Maximum results (min-max). [Reason for limit] [Performance impact] [Alternative approaches]" } } } ``` **Example Implementation**: ```typescript { parameters: { limit: { type: "number", description: "Maximum results (1-500). Lower limit due to bandwidth aggregation requiring significant memory and processing. Use multiple queries with time-based filtering for larger datasets.", minimum: 1, maximum: 500 } } } ``` ### 4. Usage Context Guidance **Pattern**: Descriptions include when and how to use each tool **Template**: ```typescript { description: `[Tool description] Use Cases: - [Primary use case] - [Secondary use case] - [Advanced use case] Best Practices: - [Performance optimization tip] - [Query optimization tip] - [Result handling tip]` } ``` ### 5. Error Prevention Guidance **Pattern**: Descriptions help users avoid common errors **Template**: ```typescript { description: `[Tool description] Common Issues: - [Issue 1]: [Prevention strategy] - [Issue 2]: [Prevention strategy] Troubleshooting: - If [condition]: [Solution] - For [scenario]: [Alternative approach]` } ``` ## Schema vs Implementation Alignment ### Pre-Enhancement Problems 1. **Misleading Limits**: Schemas suggested capabilities that caused timeouts 2. **Missing Context**: No performance guidance in parameter descriptions 3. **Inconsistent Standards**: Different tools used different limit philosophies 4. **Unclear Errors**: Parameter validation errors lacked context ### Post-Enhancement Standards 1. **Accurate Limits**: All schema limits match performance-tested maximums 2. **Contextual Descriptions**: Every parameter explains its constraints 3. **Consistent Patterns**: All similar tools follow the same limit philosophy 4. **Helpful Validation**: Errors include suggestions for parameter adjustment ### Validation Enhancement Example **Before**: ```typescript // Generic error with no context "limit must be between 1 and 5000" ``` **After**: ```typescript // Contextual error with guidance "limit must be between 1 and 1000. Higher limits cause performance issues. Use pagination with cursor parameter for larger datasets. See docs/limits-and-performance-guide.md for details." ``` ## Advanced Query Syntax Integration ### Query Documentation in Tool Descriptions Every search tool now includes comprehensive query syntax examples: #### Basic Query Patterns ```typescript { description: ` Basic Query Syntax: - field:value # Exact match - field:value* # Wildcard match - field:[min TO max] # Range query - field:>value # Comparison operators - field:>=value # Greater than or equal Examples: - protocol:tcp - source_ip:192.168.* - bytes:[1000 TO 50000] - severity:>=medium - timestamp:>NOW-24h` } ``` #### Logical Operators ```typescript { description: ` Logical Operators: - query1 AND query2 # Both conditions must match - query1 OR query2 # Either condition can match - NOT query # Condition must not match - (query1 OR query2) AND query3 # Grouping with parentheses Examples: - severity:high AND protocol:tcp - (severity:high OR severity:critical) AND source_ip:192.168.* - blocked:true AND NOT source_ip:192.168.*` } ``` #### Field-Specific Examples ```typescript { description: ` Field-Specific Query Examples: Network Fields: - source_ip:192.168.1.1 OR destination_ip:10.0.0.* - protocol:tcp AND port:443 - asn:AS15169 AND country:United\ States Security Fields: - severity:high AND type:malware_detection - blocked:true AND threat_score:>0.8 - resolved:false AND priority:urgent Temporal Fields: - timestamp:>NOW-1h - last_seen:<NOW-24h - created:2024-01-01..2024-01-31` } ``` ### Geographic Query Integration Geographic search tools include specialized geographic query syntax: ```typescript { description: ` Geographic Query Enhancements: Country Filtering: - countries:["China", "Russia", "Iran"] # Multiple countries (OR logic) - continents:["Asia", "Europe"] # Continental filtering - regions:["Eastern Europe", "Middle East"] # Regional filtering Infrastructure Filtering: - asns:["AS4134", "AS8075"] # Autonomous System Numbers - hosting_providers:["cloudflare", "amazon"] # Cloud/hosting providers - exclude_cloud:true # Exclude cloud traffic - exclude_vpn:true # Exclude VPN/proxy traffic Risk-Based Filtering: - min_risk_score:0.7 # Minimum geographic risk score - high_risk_countries:true # Known high-risk locations - threat_analysis:true # Enhanced threat intelligence` } ``` ## Error Context Enhancement ### Enhanced Error Messages Tool descriptions now help users understand and prevent common errors: #### Parameter Validation Errors ```typescript { description: ` Common Parameter Errors: Limit Too High: - Error: "limit exceeds maximum of 1000" - Solution: Use pagination with cursor parameter - Alternative: Apply more specific query filters Invalid Query Syntax: - Error: "unmatched parentheses in query" - Solution: Balance all parentheses: (condition1 OR condition2) - Check: Ensure quotes are properly closed Field Validation: - Error: "invalid field name 'unknown_field'" - Solution: Use documented field names (see query syntax guide) - Reference: docs/query-syntax-guide.md` } ``` #### Timeout Prevention Guidance ```typescript { description: ` Timeout Prevention: If experiencing timeouts: 1. Reduce limit parameter (try 100-500 for complex queries) 2. Add more specific query filters to reduce dataset size 3. Use time-based filtering: timestamp:>NOW-1h 4. Avoid wildcard queries on large datasets Performance Tips: - Start with small limits and increase gradually - Use cursor pagination for large result sets - Apply filters before sorting when possible` } ``` ### Validation Message Enhancement **Before**: ```typescript "limit is required" "query must be a string" "invalid cursor format" ``` **After**: ```typescript "limit parameter is required (1-1000). Specifies maximum results to return. Use pagination for larger datasets." "query must be a valid search string. Examples: 'severity:high', 'protocol:tcp AND source_ip:192.168.*'. See docs/query-syntax-guide.md for complete syntax." "cursor parameter has invalid format. Use cursor from previous response pagination.next_cursor field. Omit cursor for first page of results." ``` ## Performance Guidance Integration ### Response Time Expectations Tool descriptions now include specific performance guidance: ```typescript { description: ` Performance Characteristics: Response Times: - Simple queries (10-100 results): 200-500ms - Standard queries (100-1000 results): 500-1500ms - Complex queries with correlation: 1500-5000ms Memory Usage: - Typical request: 20-100MB - Large datasets: 100-300MB - Geographic enrichment: +50% memory overhead Optimization Tips: - Use specific queries to reduce processing time - Apply time-based filters to limit dataset scope - Consider multiple smaller queries vs one large query` } ``` ### Concurrent Usage Guidance ```typescript { description: ` Concurrent Usage: Recommended Limits: - Interactive usage: 1-5 concurrent requests - Batch processing: 5-10 concurrent requests - High-volume automation: 10+ requests (monitor performance) Rate Limiting: - API rate limits: 100 requests per minute - Burst capacity: Up to 20 requests per 10 seconds - Automatic retry with exponential backoff on rate limit errors` } ``` ## Best Practices ### For Tool Description Writers 1. **Include Performance Context**: Always document response time and resource expectations 2. **Provide Query Examples**: Show realistic usage patterns with varying complexity 3. **Explain Limits**: Justify why limits exist and suggest alternatives 4. **Prevent Common Errors**: Include troubleshooting guidance for frequent issues 5. **Maintain Consistency**: Use the same patterns across similar tools ### For Tool Users 1. **Read Descriptions Carefully**: Tool descriptions contain important performance and usage guidance 2. **Start Small**: Begin with lower limits and simpler queries 3. **Use Examples**: Follow documented query patterns for best results 4. **Monitor Performance**: Be aware of response times and adjust usage accordingly 5. **Handle Errors Gracefully**: Use error messages to improve query construction ### For System Administrators 1. **Monitor Tool Usage**: Track which tools are used most frequently and their performance 2. **Validate Descriptions**: Ensure tool descriptions match actual system behavior 3. **Update Guidance**: Keep performance expectations current with system capabilities 4. **User Education**: Share best practices based on tool descriptions with users ## Conclusion The tool description enhancement initiative resolved critical discrepancies between schema definitions and actual performance characteristics. The improvements provide: - **Accurate Expectations**: Limits and performance guidance match real-world behavior - **Better User Experience**: Clear guidance prevents common errors and timeouts - **Consistent Standards**: All tools follow the same description and limit patterns - **Maintainable Documentation**: Centralized patterns make updates easier