How a request flows
Both wingmen fly the same profile. You never hold a device credential and you never touch the CLI — the agent plans against its /skills runbook, locks a single tool, and holds every strike at the consent gate.
Plain English
You radio in via the Solo UI, or a wingman tasks it over A2A.
gpt-5.5 + runbook
The model reads its /skills runbook and sets the play.
Target a tool
Selects one MCP tool and fills in the exact arguments.
Real REST
The wrapper calls the device API and reports back plainly.
Recon on sight — strike only on your call.
FortiGate agent
fortigate-mcp-server
Holds the perimeter: policies, NAT, address objects, routing — plus the soft edge most firewalls hide: DHCP leases, fingerprinted devices, and FortiAP wireless clients. It runs recon first, then proposes the narrowest strike that does the job.
Firewall & NAT
Audit policies, flag any accept rule that runs all→all, and isolate a host with a targeted deny rule.
Objects, interfaces & routing
The building blocks: addresses, groups, services, interfaces, and the static routing table.
list_addresses · list_address_groups · get_address_group · list_services · list_service_groups · list_interfaces · list_static_routesSystem & health
Firmware, serial, uptime, live resource load, and which HA node is primary before any strike.
system_status · system_resources · ha_statusWho's on the network
DHCP leases and fingerprinted devices — the “what is that on my Wi-Fi” picture, by IP, MAC, or hostname.
list_dhcp_leases · list_detected_devicesWireless / FortiAP
See connected clients and SSIDs; kick one client, or gate an SSID on/off (hits everyone on it).
list_wireless_clients · list_ssids · disconnect_wireless_client · disable_ssid · enable_ssidBehind the gate
Red tools above never fire on their own — the agent locks the target and waits for you.
6 write tools require consentF5 BIG-IP agent
f5-wrapper-bigip
Runs traffic: pools and members, virtual servers, nodes, health monitors, iRules, certificates, and HA. It checks dependencies and failover state before proposing a strike, and speaks the address:port member format precisely.
Pools & members
List and inspect pools, check member health, and drain a member for zero-impact maintenance.
list_pools · get_pool · create_pool · delete_pool · list_pool_members · add/remove_pool_member · set_pool_member_stateVirtual servers & nodes
The front doors and the backends behind them — created and removed only with your sign-off.
list_virtual_servers · get_virtual_server · create/delete_virtual_server · list_nodes · get_node · create/delete_node · set_node_stateMonitors, iRules & certs
Health-monitor configs, iRule definitions, and SSL certificates — including what's expiring soon.
list_monitors · list_http/https/tcp_monitors · list_irules · get_irule · list_certificates · get_certificateSystem & HA
Version and box info, active/standby failover state, config-sync status, and live performance.
system_info · failover_status · config_sync_status · system_performanceDependency-aware
Before a delete it checks who references the pool or node, and warns if the target is the standby.
recon runs first · then the gated strikeBehind the gate
Red tools above hold for consent — every create, delete, and state change.
10 write tools require consentArchitecture
Each wingman = an in-cluster MCP wrapper Deployment + a RemoteMCPServer (direct in-cluster service, not proxied) + an Agent on gpt-5-5. Device credentials live in Vault and are synced to the wrapper pods by External Secrets — the agent side holds nothing.
Solo UI / A2A ─► kagent controller (ns kagent)
│ plans on gpt-5.5 via agentgateway /openai · /skills runbook per wingman
┌────────────┴────────────┐
▼ ▼
RemoteMCPServer RemoteMCPServer
fortigate-mcp f5-bigip-mcp
│ │
▼ ▼
fortigate-mcp-server pod f5-wrapper-bigip pod creds: Vault ─► ESO ─► Secret (ns kagent)
FORTI_TOKEN ◄───────────── F5_USER/PASS ◄───────── agentgateway/fortigate · agentgateway/f5/bigip
│ HTTPS Bearer │ HTTPS iControl
▼ ▼
FortiGate 172.16.10.1 F5 BIG-IP 172.16.10.10
fw-maniak-hq · v7.4.11 BIG-IP · v17.5.1.3Migrated from the k8s-iceman OSS lab and adapted to goose: model gpt-5-5, the vault ClusterSecretStore on the agentgateway/ mount, and NetworkPolicies dropped. FortiGate authenticates with a REST API token (Bearer) — not a password.
What holds for consent
Human-in-the-loop is declared per tool on each agent (requireApproval). Recon never prompts; anything that mutates a device does. The agent shows the exact call and its arguments, and does nothing until you clear it hot.
| Operation | Wingman | Tool | Status |
|---|---|---|---|
| Enable / disable a firewall policy | SENTRY | enable/disable_firewall_policy | ✦ consent |
| Isolate a host | SENTRY | create_temporary_block_policy | ✦ consent |
| Kick / gate wireless | SENTRY | disconnect_wireless_client · disable/enable_ssid | ✦ consent |
| Create / delete pool or member state | VIPER | create/delete_pool · *_pool_member · set_pool_member_state | ✦ consent |
| Create / delete virtual server or node | VIPER | create/delete_virtual_server · create/delete_node · set_node_state | ✦ consent |
| List, get, audit, inventory, status | both | list_* · get_* · *_status · failover_status | ◇ weapons-free |
Built & proven
Deployed by ArgoCD and verified end-to-end — both wrappers reached the real devices and authenticated, not just started.