naftiko: 1.0.0-alpha2
info:
  label: Tufin Network Security Policy Management
  description: >-
    Unified workflow capability combining Tufin SecureTrack and SecureChange for
    end-to-end network security policy lifecycle management. Enables network
    security engineers and SOC analysts to analyze topology, query firewall
    rules, assess risk, and automate policy change workflows from a single
    interface. Ideal for firewall change automation, compliance auditing, and
    network access troubleshooting.
  tags:
    - Change Management
    - Compliance
    - Firewall Management
    - Network Security
    - Policy Orchestration
    - Risk Management
    - Tufin
    - Workflow Automation
  created: '2026-05-03'
  modified: '2026-05-06'
binds:
  - namespace: env
    keys:
      SECURETRACK_USERNAME: SECURETRACK_USERNAME
      SECURETRACK_PASSWORD: SECURETRACK_PASSWORD
      SECURECHANGE_USERNAME: SECURECHANGE_USERNAME
      SECURECHANGE_PASSWORD: SECURECHANGE_PASSWORD
capability:
  consumes:
    - type: http
      namespace: securetrack
      baseUri: https://{tos_host}/securetrack/api
      description: Tufin SecureTrack REST API for network security policy management
      authentication:
        type: basic
        username: '{{SECURETRACK_USERNAME}}'
        password: '{{SECURETRACK_PASSWORD}}'
      resources:
        - name: devices
          path: /devices
          description: Network devices managed by SecureTrack
          operations:
            - name: get-devices
              method: GET
              description: Retrieve all network devices managed by SecureTrack
              inputParameters:
                - name: name
                  in: query
                  type: string
                  required: false
                  description: Filter by device name
                - name: vendor
                  in: query
                  type: string
                  required: false
                  description: Filter by vendor
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: device
          path: /devices/{deviceId}
          description: Single network device
          operations:
            - name: get-device-by-id
              method: GET
              description: Retrieve a specific network device by ID
              inputParameters:
                - name: deviceId
                  in: path
                  type: integer
                  required: true
                  description: Device identifier
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: device-revisions
          path: /devices/{deviceId}/revisions
          description: Policy revisions for a device
          operations:
            - name: get-device-revisions
              method: GET
              description: Retrieve policy revision history for a device
              inputParameters:
                - name: deviceId
                  in: path
                  type: integer
                  required: true
                  description: Device identifier
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: device-rules
          path: /devices/{deviceId}/rules
          description: Firewall rules for a device
          operations:
            - name: get-rules-by-device
              method: GET
              description: Retrieve all firewall rules for a specific device
              inputParameters:
                - name: deviceId
                  in: path
                  type: integer
                  required: true
                  description: Device identifier
                - name: policy
                  in: query
                  type: string
                  required: false
                  description: Filter by policy name
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: topology-path
          path: /topology/path
          description: Network path analysis
          operations:
            - name: get-topology-path
              method: GET
              description: Query network topology to determine if traffic is permitted between endpoints
              inputParameters:
                - name: src
                  in: query
                  type: string
                  required: true
                  description: Source IP address or CIDR
                - name: dst
                  in: query
                  type: string
                  required: true
                  description: Destination IP address or CIDR
                - name: service
                  in: query
                  type: string
                  required: false
                  description: Service (e.g., tcp/443)
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: topology-map
          path: /topology/map
          description: Full network topology map
          operations:
            - name: get-topology-map
              method: GET
              description: Retrieve the full network topology map
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: network-objects
          path: /network_objects
          description: Network objects across managed devices
          operations:
            - name: get-network-objects
              method: GET
              description: Search for network objects across all managed devices
              inputParameters:
                - name: name
                  in: query
                  type: string
                  required: false
                  description: Filter by object name
                - name: ip
                  in: query
                  type: string
                  required: false
                  description: Filter by IP address
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: services
          path: /services
          description: Service objects across managed devices
          operations:
            - name: get-services
              method: GET
              description: Search for service objects across all managed devices
              inputParameters:
                - name: name
                  in: query
                  type: string
                  required: false
                  description: Filter by service name
                - name: port
                  in: query
                  type: string
                  required: false
                  description: Filter by port number
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: zones
          path: /zones
          description: Security zones
          operations:
            - name: get-zones
              method: GET
              description: Retrieve all security zones
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: risk
          path: /risk
          description: Risk analysis findings
          operations:
            - name: get-risk-analysis
              method: GET
              description: Retrieve risk analysis findings including policy violations
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
    - type: http
      namespace: securechange
      baseUri: https://{tos_host}/securechangeworkflow/api/securechange
      description: Tufin SecureChange REST API for security policy change workflows
      authentication:
        type: basic
        username: '{{SECURECHANGE_USERNAME}}'
        password: '{{SECURECHANGE_PASSWORD}}'
      resources:
        - name: tickets
          path: /tickets
          description: Security change tickets
          operations:
            - name: get-tickets
              method: GET
              description: Retrieve security change tickets with optional status filtering
              inputParameters:
                - name: status
                  in: query
                  type: string
                  required: false
                  description: Filter by ticket status
                - name: count
                  in: query
                  type: integer
                  required: false
                  description: Number of tickets to return
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: create-ticket
              method: POST
              description: Submit a new security change ticket
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  subject: '{{tools.subject}}'
                  description: '{{tools.description}}'
                  priority: '{{tools.priority}}'
                  workflow: '{{tools.workflow}}'
        - name: ticket
          path: /tickets/{ticketId}
          description: Single change ticket
          operations:
            - name: get-ticket-by-id
              method: GET
              description: Retrieve a specific security change ticket
              inputParameters:
                - name: ticketId
                  in: path
                  type: integer
                  required: true
                  description: Ticket identifier
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: update-ticket
              method: PUT
              description: Update an existing change ticket
              inputParameters:
                - name: ticketId
                  in: path
                  type: integer
                  required: true
                  description: Ticket identifier
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  subject: '{{tools.subject}}'
                  description: '{{tools.description}}'
        - name: ticket-tasks
          path: /tickets/{ticketId}/tasks
          description: Workflow tasks for a ticket
          operations:
            - name: get-ticket-tasks
              method: GET
              description: Retrieve all workflow tasks for a ticket
              inputParameters:
                - name: ticketId
                  in: path
                  type: integer
                  required: true
                  description: Ticket identifier
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: ticket-task
          path: /tickets/{ticketId}/tasks/{taskId}
          description: Single workflow task
          operations:
            - name: get-task-by-id
              method: GET
              description: Retrieve a specific workflow task
              inputParameters:
                - name: ticketId
                  in: path
                  type: integer
                  required: true
                  description: Ticket identifier
                - name: taskId
                  in: path
                  type: integer
                  required: true
                  description: Task identifier
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: update-task
              method: PUT
              description: Update a workflow task (approve, reject, or provide implementation)
              inputParameters:
                - name: ticketId
                  in: path
                  type: integer
                  required: true
                  description: Ticket identifier
                - name: taskId
                  in: path
                  type: integer
                  required: true
                  description: Task identifier
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  status: '{{tools.status}}'
                  comment: '{{tools.comment}}'
        - name: workflow-definitions
          path: /workflow_definitions
          description: Workflow template definitions
          operations:
            - name: get-workflow-definitions
              method: GET
              description: Retrieve all workflow definitions configured in SecureChange
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
  exposes:
    - type: rest
      port: 8080
      namespace: network-policy-api
      description: Unified REST API for Tufin network security policy management.
      resources:
        - path: /v1/devices
          name: devices
          description: Network devices managed by SecureTrack
          operations:
            - method: GET
              name: get-devices
              description: List all network devices in SecureTrack
              call: securetrack.get-devices
              with:
                vendor: rest.vendor
                name: rest.name
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/devices/{deviceId}/rules
          name: device-rules
          description: Firewall rules for a network device
          operations:
            - method: GET
              name: get-device-rules
              description: Get firewall rules for a device
              call: securetrack.get-rules-by-device
              with:
                deviceId: rest.deviceId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/topology/path
          name: topology-path
          description: Network topology path analysis
          operations:
            - method: GET
              name: check-path
              description: Check if traffic is allowed between network endpoints
              call: securetrack.get-topology-path
              with:
                src: rest.src
                dst: rest.dst
                service: rest.service
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/network-objects
          name: network-objects
          description: Network objects across managed devices
          operations:
            - method: GET
              name: search-objects
              description: Search for network objects
              call: securetrack.get-network-objects
              with:
                name: rest.name
                ip: rest.ip
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/risk
          name: risk
          description: Risk analysis and policy compliance findings
          operations:
            - method: GET
              name: get-risk
              description: Get risk analysis findings
              call: securetrack.get-risk-analysis
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/change-tickets
          name: change-tickets
          description: Security policy change tickets
          operations:
            - method: GET
              name: get-tickets
              description: List security change tickets
              call: securechange.get-tickets
              with:
                status: rest.status
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: create-ticket
              description: Submit a security change request
              call: securechange.create-ticket
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/change-tickets/{ticketId}
          name: change-ticket
          description: Single security change ticket
          operations:
            - method: GET
              name: get-ticket
              description: Get a specific change ticket
              call: securechange.get-ticket-by-id
              with:
                ticketId: rest.ticketId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/change-tickets/{ticketId}/tasks/{taskId}
          name: change-ticket-task
          description: Workflow task in a change ticket
          operations:
            - method: GET
              name: get-task
              description: Get a workflow task
              call: securechange.get-task-by-id
              with:
                ticketId: rest.ticketId
                taskId: rest.taskId
              outputParameters:
                - type: object
                  mapping: $.
            - method: PUT
              name: update-task
              description: Update a workflow task
              call: securechange.update-task
              with:
                ticketId: rest.ticketId
                taskId: rest.taskId
              outputParameters:
                - type: object
                  mapping: $.
    - type: mcp
      port: 9080
      namespace: network-policy-mcp
      transport: http
      description: MCP server for AI-assisted Tufin network security policy management.
      tools:
        - name: list-devices
          description: List all network devices (firewalls) managed by Tufin SecureTrack
          hints:
            readOnly: true
            openWorld: true
          call: securetrack.get-devices
          with:
            vendor: tools.vendor
          outputParameters:
            - type: object
              mapping: $.
        - name: get-device-rules
          description: Get firewall rules for a specific network device
          hints:
            readOnly: true
            openWorld: false
          call: securetrack.get-rules-by-device
          with:
            deviceId: tools.deviceId
          outputParameters:
            - type: object
              mapping: $.
        - name: check-network-path
          description: Check if traffic is allowed between source and destination IP addresses
          hints:
            readOnly: true
            openWorld: false
          call: securetrack.get-topology-path
          with:
            src: tools.src
            dst: tools.dst
            service: tools.service
          outputParameters:
            - type: object
              mapping: $.
        - name: get-topology-map
          description: Retrieve the full network topology map from SecureTrack
          hints:
            readOnly: true
            openWorld: true
          call: securetrack.get-topology-map
          outputParameters:
            - type: object
              mapping: $.
        - name: search-network-objects
          description: Search for network objects (IPs, ranges, groups) across all managed devices
          hints:
            readOnly: true
            openWorld: true
          call: securetrack.get-network-objects
          with:
            name: tools.name
            ip: tools.ip
          outputParameters:
            - type: object
              mapping: $.
        - name: search-services
          description: Search for service definitions across managed devices
          hints:
            readOnly: true
            openWorld: true
          call: securetrack.get-services
          with:
            name: tools.name
            port: tools.port
          outputParameters:
            - type: object
              mapping: $.
        - name: get-risk-findings
          description: Get security risk analysis findings including policy violations and unused rules
          hints:
            readOnly: true
            openWorld: true
          call: securetrack.get-risk-analysis
          outputParameters:
            - type: object
              mapping: $.
        - name: list-change-tickets
          description: List security policy change tickets in SecureChange
          hints:
            readOnly: true
            openWorld: true
          call: securechange.get-tickets
          with:
            status: tools.status
          outputParameters:
            - type: object
              mapping: $.
        - name: create-change-ticket
          description: Submit a new firewall rule change request to SecureChange workflow
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: securechange.create-ticket
          with:
            subject: tools.subject
            description: tools.description
            priority: tools.priority
            workflow: tools.workflow
          outputParameters:
            - type: object
              mapping: $.
        - name: get-change-ticket
          description: Get details for a specific security change ticket
          hints:
            readOnly: true
            openWorld: false
          call: securechange.get-ticket-by-id
          with:
            ticketId: tools.ticketId
          outputParameters:
            - type: object
              mapping: $.
        - name: get-ticket-tasks
          description: Get workflow tasks for a change ticket
          hints:
            readOnly: true
            openWorld: false
          call: securechange.get-ticket-tasks
          with:
            ticketId: tools.ticketId
          outputParameters:
            - type: object
              mapping: $.
        - name: approve-change-task
          description: Approve or update a workflow task in a security change ticket
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: securechange.update-task
          with:
            ticketId: tools.ticketId
            taskId: tools.taskId
            status: tools.status
            comment: tools.comment
          outputParameters:
            - type: object
              mapping: $.
        - name: list-device-revisions
          description: Get policy revision history for a network device
          hints:
            readOnly: true
            openWorld: false
          call: securetrack.get-device-revisions
          with:
            deviceId: tools.deviceId
          outputParameters:
            - type: object
              mapping: $.
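# Added example: a static check over a definition like the one above. This is not
# part of the capability file and not naftiko's own tooling. It assumes that
# `call:` values have the form `namespace.operation`, that every key under
# `with:` must name one of the target operation's inputParameters or one of its
# JSON body `data` fields, and that an MCP tool whose hints do not say
# `readOnly: true` can change state. The spec below is a hand-copied, constructed
# subset of this page's definition (two SecureTrack and two SecureChange
# operations, one REST surface, one MCP surface) so the script runs offline
# without a YAML parser. Two things an operator would want from such a check:
# the list of write-capable MCP tools an agent could invoke (here
# create-change-ticket and approve-change-task), and a warning that the REST
# create-ticket operation maps none of the body fields its target declares,
# because the body templates reference `tools.*` rather than `rest.*`.

```python
"""Lint a naftiko-style capability definition: resolve calls, check inputs, list writers."""
import copy


def _op(name, params=(), body=()):
    """Build a consumes operation; body fields use the page's '{{tools.<field>}}' templates."""
    op = {"name": name, "inputParameters": [{"name": p} for p in params]}
    if body:
        op["body"] = {"type": "json", "data": {k: "{{tools.%s}}" % k for k in body}}
    return op


# Constructed subset of the capability definition from this page (not a full copy).
SPEC = {"capability": {
    "consumes": [
        {"namespace": "securetrack", "resources": [{"operations": [
            _op("get-topology-path", ["src", "dst", "service"]),
            _op("get-rules-by-device", ["deviceId", "policy"])]}]},
        {"namespace": "securechange", "resources": [{"operations": [
            _op("create-ticket", body=["subject", "description", "priority", "workflow"]),
            _op("update-task", ["ticketId", "taskId"], body=["status", "comment"])]}]},
    ],
    "exposes": [
        {"type": "rest", "resources": [{"operations": [
            {"name": "check-path", "call": "securetrack.get-topology-path",
             "with": {"src": "rest.src", "dst": "rest.dst", "service": "rest.service"}},
            {"name": "create-ticket", "call": "securechange.create-ticket"}]}]},
        {"type": "mcp", "tools": [
            {"name": "check-network-path", "hints": {"readOnly": True},
             "call": "securetrack.get-topology-path",
             "with": {"src": "tools.src", "dst": "tools.dst", "service": "tools.service"}},
            {"name": "create-change-ticket", "hints": {"readOnly": False},
             "call": "securechange.create-ticket",
             "with": {"subject": "tools.subject", "description": "tools.description",
                      "priority": "tools.priority", "workflow": "tools.workflow"}},
            {"name": "approve-change-task", "hints": {"readOnly": False},
             "call": "securechange.update-task",
             "with": {"ticketId": "tools.ticketId", "taskId": "tools.taskId",
                      "status": "tools.status", "comment": "tools.comment"}}]},
    ]}}


def index_operations(spec):
    """Map 'namespace.operation' -> (declared input parameter names, body field names)."""
    ops = {}
    for api in spec["capability"]["consumes"]:
        for res in api.get("resources", []):
            for op in res.get("operations", []):
                params = {p["name"] for p in op.get("inputParameters", [])}
                body = set(op.get("body", {}).get("data", {}))
                ops["%s.%s" % (api["namespace"], op["name"])] = (params, body)
    return ops


def exposed_operations(spec):
    """Yield (surface type, operation) for every exposed REST operation and MCP tool."""
    for surface in spec["capability"]["exposes"]:
        if surface["type"] == "mcp":
            for tool in surface.get("tools", []):
                yield "mcp", tool
        else:
            for res in surface.get("resources", []):
                for op in res.get("operations", []):
                    yield surface["type"], op


def lint(spec):
    """Return (errors, warnings, write_tools).

    errors: unresolved `call:` targets or `with:` keys the target never declares.
    warnings: exposures that map none of the target's body fields (the body template
              would then be sent with unresolved placeholders, assumption stated above).
    write_tools: MCP tool names not marked readOnly, in definition order.
    """
    ops = index_operations(spec)
    errors, warnings, write_tools = [], [], []
    for surface, op in exposed_operations(spec):
        label = "%s:%s" % (surface, op["name"])
        target = op.get("call")
        if target not in ops:
            errors.append("%s calls undeclared operation %r" % (label, target))
            continue
        params, body = ops[target]
        passed = set(op.get("with", {}))
        unknown = sorted(passed - params - body)
        if unknown:
            errors.append("%s passes inputs %s does not declare: %s" % (label, target, unknown))
        if body and not (body & passed):
            warnings.append("%s maps none of the body fields of %s: %s" % (label, target, sorted(body)))
        if surface == "mcp" and not op.get("hints", {}).get("readOnly", False):
            write_tools.append(op["name"])
    return errors, warnings, write_tools


def with_typo(spec):
    """Copy of spec whose first MCP tool calls a misspelled operation (demonstrates detection)."""
    bad = copy.deepcopy(spec)
    bad["capability"]["exposes"][1]["tools"][0]["call"] = "securetrack.get-topology-paths"
    return bad


if __name__ == "__main__":
    for title, s in (("page subset", SPEC), ("with typo", with_typo(SPEC))):
        errors, warnings, writers = lint(s)
        print(title, "| errors:", errors, "| warnings:", warnings, "| write tools:", writers)
```

Run it as a pre-merge check on the capability file once it is loaded with a YAML parser; the write-tool list is what to review against the MCP client's allow-list before an agent is pointed at port 9080, and an empty `with:` on a write operation is the signal that the exposure will never populate the SecureChange body.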