NetClaw Adds Blender 3D Network Topology Visualization

Visualize Your Network in 3D with Blender

NetClaw now integrates with Blender via the community blender-mcp server, enabling 3D network topology visualization. Network engineers can now say "draw the network topology using CDP data" and watch their network come to life in stunning 3D.

What’s New

This integration brings NetClaw’s total to 156 skills backed by 69 MCP servers, adding a powerful visualization capability that transforms how you understand and document your network infrastructure.

Natural Language to 3D Visualization

Simply ask NetClaw to draw your network:

"Draw the network topology in Blender using CDP data"
"Visualize the CDP neighbors for core-rtr-01 in 3D"
"Create a 3D network diagram from the LLDP data"

NetClaw automatically:

  1. Queries CDP/LLDP neighbor data from your devices
  2. Identifies device types from hostnames
  3. Calculates optimal 3D layout positions
  4. Creates cubes for each device with appropriate colors
  5. Connects devices with visual links

Device Type Color Coding

Devices are automatically colored by type:

Device Type Color Visual
Router Blue Easy to identify core infrastructure
Switch Green Clear distinction from routers
Firewall Red Security devices stand out
Access Point Yellow Wireless infrastructure highlighted
Unknown Gray Catch-all for unidentified devices

Export and Customize

Beyond basic visualization, you can:

Export your diagrams:

"Export the Blender scene as topology.png"
"Save the network diagram as a PNG file"

Customize appearance:

"Color router-1 red"
"Add labels to all devices"
"Highlight the core switches"

Technical Architecture

The integration uses a clever cross-platform architecture:

NetClaw (WSL) → blender-mcp (MCP Server) → Blender (Windows)
                     ↓
              Socket:9876
  • NetClaw runs in WSL2, processing natural language requests
  • blender-mcp translates commands to Blender Python API calls
  • Blender runs on Windows with the BlenderMCP addon

This architecture supports the WSL-to-Windows connectivity pattern common in enterprise development environments.

Getting Started

Prerequisites

  1. Blender installed on Windows (winget install BlenderFoundation.Blender)
  2. BlenderMCP addon from GitHub
  3. NetClaw with the latest configuration

Quick Setup

  1. Install the BlenderMCP addon in Blender (Edit → Preferences → Add-ons → Install)
  2. Press ‘N’ in Blender to show the sidebar, find "BlenderMCP" tab
  3. Click "Connect to Claude" — should show "Server running on port 9876"
  4. Get your Windows IP from WSL: cat /etc/resolv.conf | grep nameserver
  5. Set BLENDER_HOST in your .env file

Test It

"Create a blue cube in Blender"

If a blue cube appears in Blender, you’re ready to visualize your network!

Design Decisions

Several thoughtful design decisions make this integration practical:

  • 25-device limit: Keeps visualizations readable and Blender responsive
  • Force-directed layout: Automatically positions devices for clarity
  • Hostname-based type inference: No manual device classification needed
  • Graceful error handling: Clear messages when Blender isn’t connected

What’s Next

This is just the beginning of 3D network visualization in NetClaw. Future possibilities include:

  • Traffic animation: Show packet flows between devices
  • Health overlays: Color devices by CPU/memory utilization
  • Timeline scrubbing: Visualize network changes over time
  • VR integration: Walk through your network in virtual reality

Conclusion

The Blender integration exemplifies NetClaw’s philosophy: powerful capabilities accessible through natural language. Whether you’re documenting your network, presenting to stakeholders, or troubleshooting connectivity issues, 3D visualization provides a new perspective on your infrastructure.

Try it today: "Draw the network topology in Blender"


NetClaw is the AI-powered network engineer that speaks fluent CLI. With 156 skills across 69 MCP integrations, it transforms how network teams operate, automate, and innovate.

NetClaw Adds Zscaler and Cloudflare: Zero Trust Security Through Natural Language

NetClaw Adds Zscaler and Cloudflare: Zero Trust Security Through Natural Language

Zero trust, conversational access. NetClaw now integrates with Zscaler and Cloudflare, bringing 10 new skills for managing zero trust security, DNS, edge networking, and web security. Query policies, inspect tunnels, analyze traffic, and investigate threats—all through natural language.


The Security Perimeter is Everywhere

Modern networks don’t have walls. Users work from anywhere, applications live in multiple clouds, and the "perimeter" is wherever a connection happens. Zscaler and Cloudflare are leaders in this zero trust world:

  • Zscaler: Secure access to applications and internet, wherever users are
  • Cloudflare: Edge security, DNS, and performance at global scale

Now NetClaw speaks both.


Zscaler Integration: 5 Skills

zscaler-zia

Zscaler Internet Access—secure web gateway:

List URL filtering policies in ZIA

Show web security rules for the engineering group

What categories are blocked for guest users?

Get details on the DLP policy for sensitive data

Tools included: list_url_policies, get_url_policy, list_firewall_rules, get_firewall_rule, list_dlp_policies, get_dlp_policy, list_url_categories, get_url_category

zscaler-zpa

Zscaler Private Access—zero trust application access:

List all application segments in ZPA

Show access policies for the internal-apps segment

What connectors are online for the datacenter group?

Get details on the SAP application segment

Tools included: list_application_segments, get_application_segment, list_access_policies, get_access_policy, list_connectors, get_connector, list_connector_groups

zscaler-zdx

Zscaler Digital Experience—endpoint and application performance:

Show ZDX scores for all devices

What's the application performance for Office 365?

List devices with poor network quality scores

Get the digital experience trend for the sales team

Tools included: get_zdx_scores, list_applications, get_application_metrics, list_devices, get_device_details, get_network_metrics

zscaler-identity

User and group management across Zscaler:

List all user groups in Zscaler

Show users in the engineering department

What groups does user john.doe belong to?

Get identity provider configuration

Tools included: list_users, get_user, list_groups, get_group, list_departments, get_idp_config

zscaler-insights

Analytics and reporting:

Show web traffic analytics for the last 24 hours

What are the top blocked categories today?

Get bandwidth usage by department

List security events for the network team

Tools included: get_traffic_analytics, get_security_analytics, get_bandwidth_report, list_audit_logs, get_threat_report


Cloudflare Integration: 5 Skills

cloudflare-dns

DNS management at the edge:

List all DNS zones in Cloudflare

Show DNS records for example.com

What's the TTL for the www A record?

List zones with DNSSEC enabled

Tools included: list_zones, get_zone, list_dns_records, get_dns_record, get_zone_settings, get_dnssec_status

cloudflare-security

Web application security:

List WAF rules for example.com

Show firewall events from the last hour

What custom rules are blocking traffic?

Get the security level for the API zone

Tools included: list_waf_rules, get_waf_rule, list_firewall_events, list_custom_rules, get_custom_rule, get_security_settings, list_rate_limits

cloudflare-zerotrust

Cloudflare Access and Tunnels:

List all Access applications

Show policies for the internal-dashboard app

What Cloudflare Tunnels are configured?

Get connection status for the datacenter tunnel

Tools included: list_access_applications, get_access_application, list_access_policies, get_access_policy, list_tunnels, get_tunnel, list_casb_findings, get_casb_finding

cloudflare-analytics

Traffic insights and Radar data:

Show traffic analytics for example.com today

What are the global Internet traffic trends?

Scan https://suspicious-site.com for threats

Get threat intelligence for IP 1.2.3.4

Tools included: get_zone_analytics, search_logs, get_traffic_insights, scan_url, get_threat_intel, get_internet_trends

cloudflare-workers

Edge compute monitoring:

List all deployed Workers

Show details for the api-gateway Worker

What bindings does my edge-proxy Worker have?

Get build history for auth-worker

Tools included: list_workers, get_worker, get_worker_bindings, list_builds, get_build, get_worker_analytics


Quick Setup

Zscaler

# ZIA (Internet Access)
export ZSCALER_ZIA_API_KEY="your-zia-api-key"
export ZSCALER_ZIA_CLOUD="zscaler.net"
export ZSCALER_ZIA_USERNAME="admin@example.com"
export ZSCALER_ZIA_PASSWORD="your-password"

# ZPA (Private Access)
export ZSCALER_ZPA_CLIENT_ID="your-client-id"
export ZSCALER_ZPA_CLIENT_SECRET="your-client-secret"
export ZSCALER_ZPA_CUSTOMER_ID="your-customer-id"

Cloudflare

export CLOUDFLARE_API_TOKEN="your-api-token"
export CLOUDFLARE_ACCOUNT_ID="your-account-id"

Generate tokens at dash.cloudflare.com → My Profile → API Tokens.


Real-World Security Investigation

Here’s how a security engineer investigates a potential threat:

1. Check Cloudflare for Anomalies

netclaw: Show firewall events for the api zone in the last hour

2. Analyze Traffic Patterns

netclaw: Get traffic analytics for api.example.com today

3. Investigate Suspicious Source

netclaw: Get threat intelligence for IP 203.0.113.42 from Cloudflare Radar

4. Check Zscaler for Internal Activity

netclaw: List security events in Zscaler for users accessing external APIs

5. Verify Access Policies

netclaw: Show ZPA access policies for the internal-api application segment

6. Check User Context

netclaw: What groups does user john.doe belong to in Zscaler?

Complete visibility across edge and access security—through conversation.


Integration Architecture

Both platforms connect through their official MCP interfaces:

{
  "zscaler-mcp": {
    "url": "mcp://zscaler.com/mcp",
    "env": {
      "ZSCALER_ZIA_API_KEY": "${ZSCALER_ZIA_API_KEY}",
      "ZSCALER_ZPA_CLIENT_ID": "${ZSCALER_ZPA_CLIENT_ID}",
      "ZSCALER_ZPA_CLIENT_SECRET": "${ZSCALER_ZPA_CLIENT_SECRET}"
    }
  },
  "cloudflare-observability": {
    "url": "mcp://observability.mcp.cloudflare.com",
    "env": {
      "CLOUDFLARE_API_TOKEN": "${CLOUDFLARE_API_TOKEN}",
      "CLOUDFLARE_ACCOUNT_ID": "${CLOUDFLARE_ACCOUNT_ID}"
    }
  }
}

Cloudflare uses multiple specialized MCP endpoints for different capabilities (DNS analytics, Radar, CASB, Workers builds).


The Complete Security Stack

With Zscaler and Cloudflare joining Palo Alto and Cisco FMC, NetClaw covers the major security platforms:

Platform Domain NetClaw Skills
Palo Alto Next-gen firewall Existing
Cisco FMC Firewall management Existing
Zscaler Zero trust access 5 skills
Cloudflare Edge security 5 skills

Network security engineers can now query across all platforms:

netclaw: Show blocked connections on the Palo Alto firewall,
         check if the source IP is in Zscaler block lists,
         and get threat intel from Cloudflare Radar

Zero Trust Through Conversation

Zero trust means verifying everything, everywhere. That’s a lot of queries across a lot of systems. NetClaw makes this manageable:

Before:

  • Log into Zscaler admin portal
  • Navigate to correct policy section
  • Log into Cloudflare dashboard
  • Check multiple tabs and filters
  • Cross-reference manually

After:

netclaw: Verify that user john.doe can access the SAP application 
         through ZPA and show any recent security events

The security perimeter might be everywhere, but your interface to it doesn’t have to be.


NetClaw now supports 68 MCP servers with 124 skills. Zero trust security just became conversational.


Get started at github.com/automateyournetwork/netclaw

NetClaw Adds HashiCorp Terraform and Vault: Infrastructure as Code Meets Natural Language

NetClaw Adds HashiCorp Terraform and Vault: Infrastructure as Code Meets Natural Language

Infrastructure automation through conversation. NetClaw now integrates with HashiCorp Terraform Cloud and Vault, bringing 6 new skills for managing infrastructure as code and secrets. Query workspace state, explore the Terraform Registry, retrieve certificates, and manage secrets—all through natural language.


The HashiCorp Stack

HashiCorp tools are foundational to modern infrastructure:

  • Terraform defines infrastructure as code, managing everything from cloud resources to network devices
  • Vault secures secrets, manages certificates, and provides encryption as a service

Network engineers increasingly rely on both. Now NetClaw speaks their language.


Terraform Cloud Integration: 3 Skills

terraform-registry

Explore the Terraform ecosystem:

Search the Terraform Registry for Cisco ACI providers

Show details for the hashicorp/aws provider

What modules exist for network automation?

List versions of the PAN-OS provider

Tools included: search_providers, get_provider, get_provider_versions, search_modules, get_module, get_module_versions

terraform-workspaces

Understand your infrastructure state:

List all Terraform workspaces in my organization

Show the current state of the production-network workspace

What resources are managed in the dmz-firewalls workspace?

Compare state between staging and production workspaces

Tools included: list_workspaces, get_workspace, get_workspace_state, list_state_versions, get_state_version, list_workspace_resources

terraform-operations

Monitor infrastructure changes:

Show recent runs for the network-core workspace

What's the status of the latest plan?

List runs that failed in the last 24 hours

Show the plan output for run-abc123

Tools included: list_runs, get_run, get_plan, list_applies, get_apply, get_run_logs


HashiCorp Vault Integration: 3 Skills

vault-secrets

Secure secrets management:

List secrets in the network-credentials path

Get the SNMP community strings from Vault

What secrets are stored under infrastructure/routers?

Show metadata for the admin-credentials secret

Tools included: list_secrets, get_secret, get_secret_metadata, list_secret_versions

vault-pki

Certificate lifecycle management:

List PKI roles in the network-ca mount

Generate a certificate for core-rtr-01.example.com

Show the CA certificate chain

What certificates are about to expire?

Tools included: list_pki_roles, get_pki_role, issue_certificate, get_ca_chain, list_certificates, get_certificate, revoke_certificate

vault-mounts

Understand your secrets architecture:

List all secrets engines in Vault

Show configuration for the network-kv mount

What auth methods are enabled?

Get details on the PKI secrets engine

Tools included: list_mounts, get_mount, list_auth_methods, get_auth_method


Quick Setup

Terraform Cloud

export TF_CLOUD_TOKEN="your-terraform-cloud-token"
export TF_CLOUD_ORGANIZATION="your-org-name"

Generate a token at app.terraform.io → User Settings → Tokens.

HashiCorp Vault

export VAULT_ADDR="https://vault.example.com:8200"
export VAULT_TOKEN="your-vault-token"
# Or use other auth methods:
export VAULT_ROLE_ID="your-role-id"
export VAULT_SECRET_ID="your-secret-id"

Real-World Workflow: Network Device Provisioning

Here’s how these integrations work together:

1. Find the Right Provider

netclaw: Search Terraform Registry for Juniper Junos providers

2. Check Workspace State

netclaw: Show resources in the juniper-spine-switches workspace

3. Get Credentials Securely

netclaw: Get the Juniper admin credentials from Vault

4. Generate Device Certificates

netclaw: Issue a certificate for spine-sw-01.dc1.example.com from the network-ca

5. Monitor the Deployment

netclaw: Show the status of the latest Terraform run for juniper-spine-switches

6. Verify State

netclaw: List all resources managed in the workspace after the apply

All secure. All audited. All conversational.


Integration Architecture

{
  "terraform-cloud-mcp": {
    "command": "npx",
    "args": ["-y", "@hashicorp/terraform-mcp-server"],
    "env": {
      "TF_CLOUD_TOKEN": "${TF_CLOUD_TOKEN}",
      "TF_CLOUD_ORGANIZATION": "${TF_CLOUD_ORGANIZATION}"
    }
  },
  "vault-mcp": {
    "command": "uvx",
    "args": ["mcp-vault"],
    "env": {
      "VAULT_ADDR": "${VAULT_ADDR}",
      "VAULT_TOKEN": "${VAULT_TOKEN}"
    }
  }
}

Why This Matters for Network Engineers

Modern network infrastructure is increasingly defined in code:

  • Cisco ACI fabrics managed through Terraform
  • Palo Alto firewalls configured via providers
  • Cloud networking (VPCs, subnets, security groups) in HCL
  • Device credentials secured in Vault
  • Certificates for mutual TLS between network devices

By integrating Terraform and Vault, NetClaw bridges the gap between network operations and infrastructure as code practices.

Before:

# Check workspace state
terraform login
cd workspace
terraform state list
terraform state show resource.name

# Get credentials
vault login
vault kv get secret/network/credentials

After:

netclaw: List resources in the aci-production workspace 
         and get the APIC credentials from Vault

Security First

These integrations respect the security models of both platforms:

  • Terraform Cloud: Token-based auth with organization scoping
  • Vault: Full support for token, AppRole, and other auth methods
  • Audit: All operations logged through Vault’s audit backend
  • RBAC: Permissions enforced by the respective platforms

NetClaw never bypasses security—it just makes it more accessible.


The Infrastructure Stack

With Terraform and Vault joining Ansible, NetClaw now covers the major infrastructure automation tools:

Platform Use Case NetClaw Skills
Ansible Configuration management Existing
Terraform Infrastructure as code 3 skills
Vault Secrets management 3 skills

Network engineers have a complete automation toolkit through natural language.


NetClaw now supports 68 MCP servers with 124 skills. Your infrastructure as code just became conversational.


Get started at github.com/automateyournetwork/netclaw

NetClaw Adds Splunk and Datadog: Enterprise Observability Through Natural Language

NetClaw Adds Splunk and Datadog: Enterprise Observability Through Natural Language

Your logs and metrics, accessible through conversation. NetClaw now integrates with both Splunk and Datadog, bringing enterprise-grade observability to network engineers through natural language. Query terabytes of logs, explore metrics, and investigate issues—all without writing SPL or navigating complex dashboards.


The Observability Gap

Network engineers live in a world of distributed systems. When something breaks, the evidence is scattered across:

  • Syslog servers
  • SNMP traps
  • Flow collectors
  • Application logs
  • Infrastructure metrics

Splunk and Datadog are where this data converges. Now NetClaw can query it directly.


Splunk Integration: 3 Skills, Full SPL Power

splunk-search

Run searches and analyze results through conversation:

Search Splunk for "connection refused" errors in the last hour

Find all syslog messages from 10.0.0.0/8 with severity error

Search for BGP state changes across all routers today

Run this SPL: index=network sourcetype=syslog | stats count by host

Capabilities:

  • Ad-hoc SPL queries
  • Time-bounded searches
  • Field extraction and filtering
  • Result summarization

splunk-indexes

Understand your data landscape:

List all Splunk indexes

Show details for the network-logs index

What's the data volume in the firewall index?

Which indexes contain Cisco syslog data?

splunk-saved

Leverage existing institutional knowledge:

List all saved searches related to network

Run the "Daily BGP Summary" saved search

Show the schedule for the "Firewall Denies Report"

What saved searches exist for security events?

Datadog Integration: Metrics, Monitors, and More

Datadog brings infrastructure metrics, APM traces, and intelligent alerting. NetClaw exposes this through intuitive queries:

Metrics and Dashboards

Show CPU metrics for all network devices

What's the interface utilization on core-rtr-01?

List dashboards tagged with "network"

Show the Network Health dashboard

Monitors and Alerts

List all critical monitors in alert state

Show monitors for the network team

What triggered the "High Latency" alert?

List monitors with "BGP" in the name

Infrastructure and Logs

Search Datadog logs for "authentication failed"

Show all hosts tagged environment:production

List infrastructure metrics for network devices

What events occurred in the last hour?

Quick Setup

Splunk Configuration

# Splunk Enterprise or Cloud
export SPLUNK_HOST="https://your-splunk-instance:8089"
export SPLUNK_TOKEN="your-api-token"

# For Splunk Cloud
export SPLUNK_CLOUD_HOST="your-instance.splunkcloud.com"

Datadog Configuration

export DD_API_KEY="your-api-key"
export DD_APP_KEY="your-app-key"
export DD_SITE="datadoghq.com"  # or datadoghq.eu, etc.

Real-World Investigation

Here’s how a network engineer might investigate an outage:

1. Initial Alert

netclaw: Show me all critical Datadog monitors in alert state

2. Gather Context

netclaw: Search Splunk for errors on core-rtr-01 in the last 30 minutes

3. Correlate Events

netclaw: What BGP state changes occurred in Splunk today?

4. Check Metrics

netclaw: Show interface utilization metrics for core-rtr-01 from Datadog

5. Historical Pattern

netclaw: Run the "Weekly Network Anomalies" saved search in Splunk

All without leaving the terminal. All in natural language.


Integration Architecture

Both integrations use the official MCP servers:

{
  "splunk-mcp": {
    "command": "uvx",
    "args": ["mcp-splunk"],
    "env": {
      "SPLUNK_HOST": "${SPLUNK_HOST}",
      "SPLUNK_TOKEN": "${SPLUNK_TOKEN}"
    }
  },
  "datadog-mcp": {
    "command": "npx",
    "args": ["-y", "@datadog/mcp-server"],
    "env": {
      "DD_API_KEY": "${DD_API_KEY}",
      "DD_APP_KEY": "${DD_APP_KEY}"
    }
  }
}

The Complete Observability Stack

With Splunk and Datadog joining Grafana and Prometheus, NetClaw now covers the major observability platforms:

Platform Strength NetClaw Skills
Grafana Visualization, dashboards 2 skills
Prometheus Metrics, alerting 2 skills
Datadog Full-stack observability 3 skills
Splunk Log analytics, SIEM 3 skills

Network engineers can now query across platforms:

netclaw: Check Prometheus for high CPU alerts, 
         then search Splunk for corresponding syslogs,
         and show me the Datadog dashboard for that device

What This Means

Observability tools are only as good as your ability to query them quickly. By bringing Splunk and Datadog into the NetClaw ecosystem, we’re eliminating the friction between "I need to know" and "I found the answer."

No more:

  • Learning SPL syntax for one-off queries
  • Navigating complex Datadog dashboards
  • Context-switching between tools
  • Losing investigation threads

Instead:

  • Ask questions in plain English
  • Get answers in seconds
  • Stay in your flow

NetClaw now supports 68 MCP servers with 124 skills. Your observability stack just became conversational.


Get started at github.com/automateyournetwork/netclaw

NetClaw Adds PagerDuty Integration: AI-Powered Incident Management for Network Engineers

NetClaw Adds PagerDuty Integration: AI-Powered Incident Management for Network Engineers

NetClaw now speaks incident management. We’re excited to announce full PagerDuty integration, bringing 4 new skills backed by 70 tools to the NetClaw ecosystem. Network engineers can now manage incidents, on-call schedules, services, and automation workflows through natural language.


Why PagerDuty?

When a network goes down at 3 AM, the last thing you want is to fumble through multiple dashboards. PagerDuty is the industry standard for incident response, and now NetClaw can:

  • Query active incidents across your infrastructure
  • Check who’s on-call for any service or escalation policy
  • Inspect service configurations and dependencies
  • Manage Event Orchestration rules and automations

The 4 New Skills

1. pagerduty-incidents

Manage the full incident lifecycle through conversation:

Show me all P1 incidents from the last 24 hours

What's the status of INC-12345?

List incidents affecting the core-network service

Who acknowledged the latest database incident?

Tools included: list_incidents, get_incident, create_incident, update_incident, merge_incidents, snooze_incident, list_incident_notes, create_incident_note, list_incident_alerts, manage_incident_alerts, list_responder_requests, list_notification_subscribers, list_incident_workflows

2. pagerduty-oncall

Never wonder who to contact during an outage:

Who's on-call for the network-operations team right now?

Show the on-call schedule for next week

List all escalation policies for infrastructure services

What's the rotation schedule for the NOC team?

Tools included: list_oncalls, list_schedules, get_schedule, list_schedule_users, list_escalation_policies, get_escalation_policy

3. pagerduty-services

Understand your service topology and health:

List all services in the network domain

Show dependencies for the edge-router service

What integrations does the firewall-alerts service have?

Get details on service SVC-ABC123

Tools included: list_services, get_service, list_service_integrations, list_service_dependencies, list_business_services, get_business_service, get_impacted_business_services, get_service_standards, get_standards_scores

4. pagerduty-orchestration

Automate incident response workflows:

List all Event Orchestration rules

Show the global orchestration configuration

What automation rules trigger for network alerts?

Get details on orchestration ORCH-12345

Tools included: list_event_orchestrations, get_event_orchestration, get_global_orchestration, list_automation_actions, get_automation_action, list_automation_runners


Quick Setup

1. Get Your API Key

Navigate to My Profile → User Settings → Create API User Token in PagerDuty.

2. Configure Environment

export PAGERDUTY_USER_API_KEY="your-api-key"
export PAGERDUTY_API_HOST="https://api.pagerduty.com"  # Optional

3. Start Using

netclaw: Show me all active P1 and P2 incidents

netclaw: Who's on-call for infrastructure right now?

netclaw: Create a P3 incident for "BGP session flapping on core-rtr-01"

Integration Architecture

NetClaw uses the official pagerduty-mcp package with write tools enabled:

{
  "pagerduty-mcp": {
    "command": "uvx",
    "args": ["pagerduty-mcp", "--enable-write-tools"],
    "env": {
      "PAGERDUTY_USER_API_KEY": "${PAGERDUTY_USER_API_KEY}"
    }
  }
}

The --enable-write-tools flag allows NetClaw to create incidents, add notes, and manage alerts—not just read data.


Real-World Workflow

Imagine this scenario:

  1. Detection: Your monitoring detects BGP session drops
  2. Query: "Show me active network incidents"
  3. Context: "Who’s on-call for network-operations?"
  4. Action: "Create a P2 incident for BGP instability on core-rtr-01 and assign to the on-call engineer"
  5. Update: "Add a note to INC-12345: Root cause identified as fiber cut on provider link"
  6. Resolution: "Resolve INC-12345 with resolution note: Provider restored connectivity"

All through natural language. No dashboard switching. No context loss.


What’s Next

This PagerDuty integration is part of a larger wave of observability and incident management capabilities coming to NetClaw. Combined with our existing integrations (Grafana, Prometheus, Datadog), network engineers now have a complete incident lifecycle toolkit at their fingertips.

NetClaw now supports 68 MCP servers with 124 skills. The network operations center is evolving, and natural language is the new CLI.


Ready to try it? Check out the NetClaw GitHub repository for installation instructions.

NetClaw Integrates Palo Alto Networks Prisma SD-WAN: Complete Fabric Visibility Through Natural Language

NetClaw Now Speaks Prisma SD-WAN

We’re excited to announce that NetClaw now integrates with Palo Alto Networks Prisma SD-WAN, bringing complete fabric visibility through natural language queries. This integration adds 4 new skills backed by 16 tools, enabling network engineers to discover topology, monitor health, inspect configurations, and view application definitions without leaving the CLI.

What’s New

The Prisma SD-WAN integration leverages the community MCP server from iamdheerajdubey/prisma-sdwan-mcp, providing read-only access to your SD-WAN fabric through 16 tools organized into 4 purpose-built skills:

prisma-sdwan-topology (4 tools)

Discover your entire SD-WAN fabric through natural language:

  • get_sites — List all sites with element counts and addresses
  • get_elements — View ION devices (routers) by site
  • get_machines — Audit hardware inventory with serial numbers
  • get_topology — Visualize site-to-site VPN connectivity

Example: "Show me all SD-WAN sites" returns a complete inventory with element counts.

prisma-sdwan-status (4 tools)

Monitor fabric health without clicking through dashboards:

  • get_element_status — CPU, memory, uptime, online/offline state
  • get_software_status — Current versions and upgrade availability
  • get_events — Recent operational events with severity
  • get_alarms — Active critical and major alarms

Example: "Are there any critical SD-WAN alarms?" instantly surfaces issues requiring attention.

prisma-sdwan-config (7 tools)

Inspect configurations across the fabric:

  • get_interfaces — LAN/WAN interface configurations per element
  • get_wan_interfaces — WAN circuit details with bandwidth and BFD
  • get_bgp_peers — BGP peering configurations and session states
  • get_static_routes — Static route tables per element
  • get_policy_sets — Policy set definitions
  • get_security_zones — Security zone configurations
  • generate_site_config — Export validated YAML for offline review

Example: "What BGP peers are configured on hq-router-1?" shows peering state instantly.

prisma-sdwan-apps (1 tool)

Understand application-aware policies:

  • get_app_defs — Application definitions with categories and risk levels

Example: "List high-risk applications" helps identify policy opportunities.

Why This Matters

SD-WAN operations typically require navigating through web consoles, clicking through multiple tabs, and mentally correlating information across screens. With NetClaw’s Prisma SD-WAN integration:

  1. One question, one answer: Ask "which elements are offline?" instead of navigating to device inventory, filtering by status, and scrolling through results.

  2. Cross-domain correlation: Combine SD-WAN queries with other NetClaw skills. Check NetBox for expected device counts, compare with actual Prisma inventory, and flag discrepancies—all in one conversation.

  3. Audit trail: Every query is logged to GAIT, providing a complete record of what was asked and what was found.

Getting Started

Prerequisites

  • Palo Alto Networks Prisma Access/SASE subscription with SD-WAN enabled
  • Service account with SD-WAN API permissions

Configuration

  1. Run ./scripts/install.sh to clone the MCP server
  2. Configure your .env file:
PAN_CLIENT_ID=name@tsg.iam.panserviceaccount.com
PAN_CLIENT_SECRET=your-secret-key
PAN_TSG_ID=your-tenant-service-group-id
PAN_REGION=americas  # or europe
  1. Start NetClaw and ask: "List all SD-WAN sites"

Read-Only by Design

This integration is intentionally read-only. All 16 tools query state without making changes, which means:

  • No ServiceNow Change Request gating required
  • No risk of accidental configuration changes
  • Safe for production environments

What’s Next

The Prisma SD-WAN integration is our 45th MCP server integration and brings NetClaw to 106 total skills. We continue to expand multi-vendor coverage while maintaining our core principle: network engineers should be able to ask questions in natural language and get precise, actionable answers.


NetClaw is an open-source CCIE-level digital coworker that brings network automation to the CLI through Model Context Protocol (MCP) integrations. Learn more at github.com/automateyournetwork/netclaw.

The Virtual Network Trifecta: NetClaw Now Supports GNS3, CML, and ContainerLab

The Virtual Network Trifecta: NetClaw Now Supports GNS3, CML, and ContainerLab

Network engineers love choice. Some swear by Cisco Modeling Labs (CML) for its polished Cisco device support. Others prefer ContainerLab’s lightweight, container-based approach. And many have years of experience with GNS3’s flexible, open-source platform.

With the addition of GNS3 MCP server support, NetClaw now speaks all three languages — giving you the freedom to build virtual network labs in whichever framework fits your workflow.

Why Three Platforms?

Each network virtualization platform has its strengths:

Cisco Modeling Labs (CML)

  • Official Cisco images with full feature parity
  • Integrated with Cisco DevNet and CML-Personal licenses
  • Best for Cisco-centric environments

ContainerLab

  • Lightning-fast container-based nodes
  • Declarative YAML topology definitions
  • Ideal for CI/CD pipelines and rapid prototyping

GNS3

  • Open-source with massive community
  • Supports QEMU, Docker, VirtualBox, and VMware
  • Flexible compute server architecture (local or remote)

Now NetClaw can orchestrate labs across all three — using natural language.

What We Built: GNS3 MCP Server

The GNS3 MCP server provides 23 tools organized into 5 skills:

gns3-project-lifecycle

Create, open, close, delete, clone, and export/import GNS3 projects (labs).

gns3-node-operations

Add devices from templates, start/stop/suspend/reload nodes, access consoles, isolate nodes for testing.

gns3-link-management

Connect devices together, list links, delete links, build complete topologies.

gns3-packet-capture

Start and stop packet captures on any link, retrieve PCAP files for analysis.

gns3-snapshot-ops

Save and restore lab state — perfect for training scenarios or risky config changes.

Natural Language Lab Management

With GNS3 skills loaded, you can tell NetClaw:

  • "Create a new GNS3 lab called bgp-testing"
  • "Add two Cisco IOSv routers to the lab"
  • "Connect router1 eth0 to router2 eth0"
  • "Start all nodes"
  • "Capture traffic on the link between router1 and router2"
  • "Create a snapshot called baseline before I break everything"

NetClaw handles the REST API calls, UUID resolution, and error handling — you focus on the network design.

Setting Up GNS3 with NetClaw

Option 1: Fresh Install via install.sh

If you’re setting up NetClaw from scratch, the install script handles everything:

git clone https://github.com/automateyournetwork/netclaw.git
cd netclaw
./install.sh

During setup, provide your GNS3 server details when prompted, or set them in your .env file:

GNS3_URL=http://your-gns3-server:3080
GNS3_USER=admin
GNS3_PASSWORD=your-password

Option 2: Adding to Existing NetClaw

Already running NetClaw? Add GNS3 support in three steps:

Step 1: Add environment variables

Edit your .env file (or export directly):

# GNS3 Configuration
GNS3_URL=http://your-gns3-server:3080
GNS3_USER=admin
GNS3_PASSWORD=your-password

Step 2: Register the MCP server

Add to your config/openclaw.json under the "mcpServers" section:

"gns3": {
  "command": "python",
  "args": ["-m", "mcp_servers.gns3_mcp_server"],
  "env": {
    "GNS3_URL": "${GNS3_URL}",
    "GNS3_USER": "${GNS3_USER}",
    "GNS3_PASSWORD": "${GNS3_PASSWORD}"
  }
}

Step 3: Restart NetClaw

The GNS3 MCP server will connect on startup and verify connectivity.

GNS3 Server Requirements

  • GNS3 version 2.2.0 or later (REST API v3)
  • REST API enabled and accessible over the network
  • Node templates pre-configured (Cisco IOSv, Arista vEOS, etc.)
  • Compute resources available (local QEMU or remote Docker/VirtualBox/VMware)

Lab-Only Operations

Like CML and ContainerLab skills, GNS3 operations are designated lab-only — no ServiceNow Change Request gating required. This is intentional: virtual labs are isolated environments for testing, training, and proof-of-concept work.

All operations are still recorded in NetClaw’s GAIT audit trail for session traceability.

The Complete Picture

With GNS3 joining CML and ContainerLab, NetClaw now offers:

Capability CML ContainerLab GNS3
Project/Lab Management Yes Yes Yes
Node Operations Yes Yes Yes
Link Management Yes Yes Yes
Packet Capture Yes Yes Yes
Snapshots Yes No Yes
Topology Export Yes Yes Yes

Mix and match based on your needs — or use all three in different scenarios.

What’s Next

The GNS3 MCP server is available now in the netclaw repository on the 012-gns3-mcp-server branch. Pull request incoming to main.

Future enhancements may include:

  • Cross-platform topology conversion (CML to GNS3 and back)
  • Unified lab inventory across all three platforms
  • Template synchronization between environments

This post documents the GNS3 MCP server milestone — completing NetClaw’s virtual network trifecta. Built collaboratively by John Capobianco and Claude.

Optimizing NetClaw’s SOUL: From 60k to 8k Characters with Modular Architecture

Optimizing NetClaw’s SOUL: From 60k to 8k Characters with Modular Architecture

When your AI agent’s personality file is three times larger than its allowed bootstrap limit, something has to change. That’s the challenge we faced with NetClaw’s SOUL.md — and the solution taught us valuable lessons about modular AI architecture.

The Problem: Growing Pains

NetClaw’s SOUL.md file had grown organically over months of development. What started as a simple identity document evolved into a comprehensive reference containing:

  • 97 skill procedures with step-by-step instructions
  • CCIE-level networking expertise (OSPF, BGP, IS-IS, EIGRP, ACI, F5, and more)
  • Operational workflows (GAIT audit logging, ServiceNow CR gating)
  • Personality traits and rules defining NetClaw’s behavior

The result? A 59,696-character file that exceeded OpenClaw’s 20,000-character bootstrap limit by nearly 3x. This caused truncation warnings and incomplete agent initialization.

The Solution: Modular SOUL Architecture

Rather than simply cutting content, we designed a modular architecture that preserves 100% of the original content while dramatically reducing bootstrap size:

1. SOUL.md — The Core Bootstrap (8,131 chars)

Contains only what’s needed at startup:

  • Identity: "I am NetClaw (CCIE #AI-001)…"
  • Condensed Skill Index: All 97 skills listed by category (60 chars each)
  • GAIT Workflow: Audit logging essentials
  • ServiceNow CR Workflow: Change management rules
  • Loading Instructions: How to fetch reference files on-demand
  • Personality & Rules: The 12 non-negotiable behaviors

2. SOUL-SKILLS.md — On-Demand Skill Reference (28,832 chars)

Detailed step-by-step procedures for all 97 skills, organized by category:

  • Device Automation (pyATS, Nornir)
  • Cloud Operations (AWS, GCP, Azure)
  • Cisco Platforms (CML, SD-WAN, Meraki, NSO)
  • Security Tools (nmap, ISE, firewall analysis)
  • And 12 more categories…

3. SOUL-EXPERTISE.md — On-Demand Technical Knowledge (13,445 chars)

CCIE-level networking expertise, loaded when explaining protocol behavior:

  • Routing & Switching (BGP path selection, OSPF areas, IS-IS levels)
  • Data Center/SDN (ACI fabric model)
  • Application Delivery (F5 virtual servers, pools, iRules)
  • Identity/Security (ISE, 802.1X, TrustSec)

How It Works

When NetClaw starts, only SOUL.md loads — under 20k chars, no truncation. When a user asks to "run a pyATS health check," NetClaw:

  1. Recognizes the skill from the condensed index
  2. Loads SOUL-SKILLS.md to get detailed procedures
  3. Executes with full context

When a user asks "explain BGP path selection," NetClaw:

  1. Loads SOUL-EXPERTISE.md for CCIE-level detail
  2. Provides the complete 11-step algorithm

Results

Metric Before After Improvement
Bootstrap size 59,696 chars 8,131 chars 86% reduction
Within limit? ❌ No (3x over) ✅ Yes Fixed
Content preserved 100% 100% No loss
Load time Truncated Clean Reliable

Lessons Learned

  1. Bootstrap ≠ Reference: Not everything needs to load at startup. Identify what’s essential vs. what can be fetched on-demand.

  2. Indexes Enable Discovery: A condensed skill index (60 chars per skill) lets the agent know what it CAN do without loading HOW to do it.

  3. Modular Files Scale: As NetClaw gains more skills, we add to SOUL-SKILLS.md without touching the bootstrap. The architecture scales.

  4. Preserve Everything: Optimization shouldn’t mean deletion. All 97 skills and all CCIE knowledge remain — just organized better.

Try It Yourself

The modular SOUL architecture is now live in NetClaw. Start a fresh session and notice:

  • No truncation warning
  • Clean identity response to "who are you?"
  • Full skill access when needed

The code is available in the netclaw repository under the 011-soul-optimization feature.


This post documents a milestone in NetClaw’s development — the modular SOUL optimization. Built collaboratively by John Capobianco and Claude.

NetClaw Gets Jenkins, GitLab, and Atlassian Superpowers: A Human-AI Collaboration Story

NetClaw Gets Jenkins, GitLab, and Atlassian Superpowers

A milestone in human-AI collaborative development


Today we’re excited to announce three major integrations for NetClaw: Jenkins CI/CD, GitLab DevOps, and Atlassian ITSM (Jira + Confluence). These additions bring NetClaw’s MCP integration count to 51 servers with over 180 new tools for network automation workflows.

What We Built

Jenkins MCP Server (16 tools)

NetClaw can now interact with Jenkins CI/CD pipelines through the official Jenkins MCP Server plugin. This isn’t just another API wrapper—it’s a native MCP implementation running inside Jenkins itself using Streamable HTTP transport.

Key capabilities:

  • Monitor job and build status across your Jenkins estate
  • Trigger parameterized builds with human-in-the-loop confirmation
  • Analyze build logs with regex search for troubleshooting
  • Track SCM changes and correlate commits with builds
  • Verify Jenkins health and authentication

The Jenkins integration uses remote HTTP transport, which is architecturally different from most of our MCP servers. This was a deliberate design decision to leverage Jenkins’ native MCP plugin rather than building a proxy.

GitLab MCP Server (98+ tools)

For teams using GitLab, we’ve integrated the community @zereight/mcp-gitlab server, which provides comprehensive coverage of GitLab’s functionality.

Key capabilities:

  • Query and manage issues and merge requests
  • Monitor CI/CD pipelines with control operations (trigger, retry, cancel)
  • Browse repositories, commits, and file contents
  • Manage labels, milestones, releases, and wiki pages
  • Support for both gitlab.com and self-hosted instances
  • Read-only mode for production safety

We chose the community server over GitLab’s official MCP server because the official version requires GitLab Premium/Ultimate, while the community server works with any GitLab tier.

Atlassian MCP Server (72 tools)

The Atlassian integration via mcp-atlassian brings Jira and Confluence into NetClaw’s toolkit—essential for teams practicing ITSM-gated change management.

Key capabilities:

  • Search and manage Jira issues with JQL
  • Transition issues through workflows
  • Create and update Confluence documentation
  • Link issues across projects
  • Bulk operations for efficiency
  • Support for both Atlassian Cloud and Server/Data Center

Why It Matters

These integrations complete a critical loop in network automation:

  1. Track changes in GitLab (merge requests, commits)
  2. Deploy changes through Jenkins pipelines
  3. Document changes in Jira tickets and Confluence pages
  4. Audit everything through NetClaw’s GAIT logging

For network engineers, this means you can now ask NetClaw questions like:

  • "Show me the Jenkins build that deployed the BGP config change"
  • "Create a Jira ticket for the router-01 BGP peer down incident"
  • "Find all GitLab merge requests related to firewall rules"
  • "Update the Confluence runbook with today’s incident postmortem"

Key Technical Decisions

Human-in-the-Loop for Write Operations

All three integrations enforce human confirmation before any write operation. This isn’t just a best practice—it’s mandated by NetClaw’s Constitution (Principle XIV). When you ask NetClaw to trigger a Jenkins build or create a Jira ticket, it will always present the action for your approval first.

Read-Only Mode Support

Both GitLab and Atlassian integrations support read-only mode, allowing safe observation in production environments. Set GITLAB_READ_ONLY_MODE=true or configure Atlassian with read-only API tokens to restrict operations to queries only.

No Custom Server Code

A deliberate architectural choice: we wrote zero server code for these integrations. All three use existing MCP servers (official Jenkins plugin, community GitLab and Atlassian packages). NetClaw’s contribution is configuration, documentation, and skill workflows that teach the AI how to use these tools effectively for network operations.

The Spec-Driven Development Process

These features were built following NetClaw’s SDD workflow:

  1. Specify — Define user stories, requirements, and acceptance criteria
  2. Clarify — Resolve ambiguities (none found—thorough upfront research paid off)
  3. Plan — Research technical decisions, design data models, document contracts
  4. Tasks — Generate dependency-ordered, parallelizable task lists
  5. Implement — Execute tasks with verification checkpoints
  6. Coherence — Update all artifact touchpoints (README, SOUL.md, TOOLS.md, HUD, etc.)

The entire process—from initial research to merged PR—was a collaboration between John and Claude, with Claude handling the implementation while John provided direction and review.

Constitution Update: v1.1.0

As part of this milestone, we updated NetClaw’s Constitution to add Principle XVII: Milestone Documentation via WordPress. This principle requires that significant development milestones be documented as blog posts—like this one—to create a public record of the project’s evolution.

This blog post is itself the first application of Principle XVII, written by Claude on behalf of the John-Claude collaboration and published via NetClaw’s WordPress MCP integration.

What’s Next

With Jenkins, GitLab, and Atlassian in place, NetClaw now has comprehensive coverage for DevOps and ITSM workflows. Future integrations on the roadmap include:

  • Azure DevOps for Microsoft-centric shops
  • PagerDuty for incident management
  • Terraform Cloud for infrastructure-as-code orchestration

Try It Out

The integrations are available now. Check the NetClaw repository for setup instructions:

# Jenkins (requires Jenkins 2.533+ with MCP Server plugin)
export JENKINS_URL="https://jenkins.example.com"
export JENKINS_USERNAME="your-username"
export JENKINS_API_TOKEN="your-api-token"

# GitLab (works with any GitLab tier)
export GITLAB_PERSONAL_ACCESS_TOKEN="your-pat"
export GITLAB_API_URL="https://gitlab.com"  # or your self-hosted URL

# Atlassian (Cloud or Server/DC)
export JIRA_URL="https://your-domain.atlassian.net"
export JIRA_USERNAME="your-email"
export JIRA_API_TOKEN="your-api-token"

This post was written by Claude on behalf of the John-Claude collaboration, demonstrating human-AI pair programming in action. NetClaw is an open-source project building CCIE-level AI agents for network automation.

Tags: netclaw, mcp, jenkins, gitlab, atlassian, jira, confluence, network-automation, ai-collaboration

# NetClaw Goes Spec-Driven: 5 New Capabilities, 42 New Tools, and a Constitution

*How we adopted Spec-Driven Development and built SuzieQ, Batfish, gNMI, Azure Networking, and Canvas visualizations in a single session.*

## Part 1: The Shift to Spec-Driven Development

NetClaw has always been ambitious. A CCIE-level AI network engineering coworker with 97 skills and 43 MCP integrations doesn’t get built by accident. But as the project grew, we hit a familiar problem: every new MCP server, every new skill, every new integration had a growing list of touchpoints that needed to stay in sync. The README. The install script. The SOUL.md identity file. The Three.js HUD. The .env.example. The TOOLS.md reference. The openclaw.json config. The SKILL.md documentation.

Miss one and you have a capability that exists in code but is invisible to the agent, or documented but not installable, or installable but not wired into the gateway.

So we adopted **Spec-Driven Development (SDD)** using [Speckit](https://github.com/nicholasgriffintn/speckit) and wrote a **project constitution** before writing a single line of new code.

### The NetClaw Constitution

The constitution is a living document with 16 non-negotiable principles. Two are marked **NON-NEGOTIABLE** in the strongest terms:

**Principle I: Safety-First Operations** — Every device interaction begins with observation. No destructive commands without explicit human approval. Device state is never assumed or guessed.

**Principle XI: Full-Stack Artifact Coherence** — When adding ANY new capability, ALL of the following must be updated before the feature is considered complete:

– `README.md`

– `scripts/install.sh`

– `ui/netclaw-visual/` (Three.js HUD)

– `SOUL.md` (agent identity and skills)

– `workspace/skills/<name>/SKILL.md`

– `.env.example`

– `TOOLS.md`

– `config/openclaw.json`

A pull request that adds a capability without updating all required artifacts **must not be merged**.

The remaining 14 principles cover everything from ITSM-gated changes (ServiceNow CR required for production) to immutable GAIT audit trails, MCP-native integration, multi-vendor neutrality, credential safety, and the SDD workflow itself.

### The SDD Workflow

Every new capability now follows a rigorous pipeline:

1. **Specify** — Define the feature with user stories, acceptance scenarios (Given/When/Then), functional requirements, and measurable success criteria

2. **Clarify** — Identify ambiguities and resolve them with structured questions

3. **Plan** — Research technical approaches, define data models, design MCP tool contracts

4. **Tasks** — Generate dependency-ordered, parallelizable task lists

5. **Implement** — Execute tasks in phase order with checkpoints

6. **Coherence** — Run the artifact coherence checklist

7. **Review** — PR review against the constitution

This isn’t bureaucracy for the sake of it. When you’re building an agent that can peer BGP, push configs to production routers, and create ServiceNow tickets, you need guardrails that are as rigorous as the CCIE lab itself.

## Part 2: The Five New Capabilities

We didn’t just adopt SDD as a theoretical exercise. We immediately put it to work by identifying the five highest-impact capabilities missing from NetClaw and building all of them in a single development session. Here’s what landed.

### 1. SuzieQ MCP Server: Network Observability with Time Travel

**What it is:** A new MCP server that wraps the [SuzieQ](https://www.stardustsystems.net/suzieq/) network observability platform, giving NetClaw the ability to query network state across every device in your environment — including what the network looked like at any point in the past.

**Why it matters:** Before SuzieQ, NetClaw could query individual devices via pyATS. That’s powerful, but it’s like reading one page of a book at a time. SuzieQ gives NetClaw the entire library — every device, every protocol, every table, with a time machine built in.

**The 5 tools:**

| Tool | What It Does |

|——|————-|

| `suzieq_show` | Query any network table (BGP, OSPF, routes, interfaces, MAC, ARP, LLDP, VLANs, MLAG, EVPN, and more) across all devices. Supports time-travel: “show me BGP peers as they were on March 20th at 9am.” Supports filtering by device, namespace, hostname, columns, and custom expressions. |

| `suzieq_summarize` | Aggregated views: total routes per device, interface state distribution, BGP peer counts by state. The 30,000-foot view of your network health without scrolling through thousands of rows. |

| `suzieq_assert` | Validation engine: “Assert all BGP peers are established.” Returns pass/fail per device with failure details. This transforms passive monitoring into active compliance checking. |

| `suzieq_unique` | Distribution analysis: “What are the unique VRFs in use?” “How many interfaces are in each state?” Quick categorical insight across the fleet. |

| `suzieq_path` | Forwarding path trace: “Trace the path from 10.0.1.1 to 10.0.2.1.” Returns hop-by-hop forwarding decisions with ingress/egress interfaces. |

**The time-travel capability is the real differentiator.** When an incident happens at 2am and you’re investigating at 9am, you can ask NetClaw “show me the OSPF neighbors at 2:15am” and see exactly what the network looked like during the event. No more guessing, no more “I think it was probably…”

**Environment variables:**

“`bash

SUZIEQ_API_URL=http://suzieq-host:8000

SUZIEQ_API_KEY=your_suzieq_api_key

SUZIEQ_VERIFY_SSL=true

SUZIEQ_TIMEOUT=30

“`

### 2. Batfish MCP Server: The First-Ever Batfish MCP

**What it is:** The world’s first MCP server for [Batfish](https://www.batfish.org/), the open-source network configuration analysis tool from Intentionet. This gives NetClaw the ability to validate network configurations *before they touch a live device*.

**Why it matters:** This is arguably the most important safety feature we’ve ever added to NetClaw. The constitution says “safety first” and “verify after every change.” Batfish lets us verify *before* the change. Upload your proposed config, ask Batfish to analyze it, and know whether it will break reachability, violate compliance policies, or create unintended ACL consequences — all without touching a single router.

**The 8 tools:**

| Tool | What It Does |

|——|————-|

| `batfish_upload_snapshot` | Upload device configurations to Batfish for analysis. Accepts inline config dicts or directory paths. Auto-discovers devices and vendors. |

| `batfish_validate_config` | Parse and validate configs with per-device pass/fail status, vendor detection, and detailed parse warnings. Catches syntax errors, unknown commands, and structural issues before they cause outages. |

| `batfish_test_reachability` | The killer feature: “Can 10.1.1.1 reach 10.2.2.2 on port 443?” Returns PERMITTED, DENIED, or NO_ROUTE with the complete hop-by-hop forwarding path and every ACL decision along the way. |

| `batfish_trace_acl` | Deep packet trace through a specific ACL or firewall rule set. Returns the matching rule number, action (permit/deny), and step-by-step trace events. |

| `batfish_diff_configs` | Compare two configuration snapshots: route additions/removals, next-hop changes, and — critically — differential reachability. “Traffic from A to B was PERMITTED in the old config but is DENIED in the new one.” |

| `batfish_check_compliance` | Validate configs against 6 built-in policy types: interface descriptions required, no default routes, NTP configured, no shutdown interfaces, BGP sessions established, OSPF adjacencies up. |

| `batfish_list_snapshots` | List all analysis snapshots in a network. |

| `batfish_delete_snapshot` | Clean up old snapshots. |

**The compound effect is enormous.** Imagine this workflow:

1. NetClaw receives a change request via ServiceNow

2. It pulls the current config via pyATS (baseline)

3. It generates the proposed config change

4. It uploads both to Batfish and runs `batfish_diff_configs`

5. It runs `batfish_test_reachability` for critical traffic flows

6. It runs `batfish_check_compliance` against organizational policies

7. Only if ALL checks pass does it proceed to apply the change

8. After applying, it verifies via pyATS and SuzieQ

That’s a fully autonomous, safety-gated change management pipeline. No other network automation agent can do this.

**Environment variables:**

“`bash

BATFISH_HOST=localhost

BATFISH_PORT=9997

BATFISH_NETWORK=netclaw

“`

**Prerequisite:** Batfish runs as a Docker container. The install script auto-pulls it:

“`bash

docker pull batfish/batfish

docker run -d -p 9997:9997 batfish/batfish

“`

### 3. gNMI Streaming Telemetry MCP Server: The Network Talks to NetClaw

**What it is:** A new MCP server implementing gNMI (gRPC Network Management Interface) for model-driven streaming telemetry. This is the shift from NetClaw *asking* devices for their state to devices *telling* NetClaw their state in real time.

**Why it matters:** Until now, NetClaw’s monitoring was poll-based. Run a `show` command, parse the output, repeat. That works, but it’s like checking your email every 5 minutes instead of getting push notifications. gNMI streaming telemetry is the push notification. Interface goes down? NetClaw knows in under 2 seconds, not whenever it next polls. BGP peer flaps? The telemetry subscription fires immediately.

This is the single biggest modernization of NetClaw’s monitoring capability.

**The 10 tools:**

| Tool | What It Does |

|——|————-|

| `gnmi_get` | Retrieve device state or config using YANG model paths. Structured, typed, vendor-normalized data instead of parsing CLI text output. |

| `gnmi_set` | Apply configuration changes via gNMI Set. **ITSM-gated**: requires a valid ServiceNow Change Request number (CHG format). Follows read-before-write with automatic verify-after-write. |

| `gnmi_subscribe` | Create real-time telemetry subscriptions. SAMPLE mode polls at intervals (configurable, minimum 1 second). ON_CHANGE mode fires only when state changes. Up to 50 concurrent subscriptions. |

| `gnmi_unsubscribe` | Cancel a telemetry subscription and clean up resources. |

| `gnmi_get_subscriptions` | List all active subscriptions with status, target device, YANG paths, creation time, and last update time. |

| `gnmi_get_subscription_updates` | Retrieve the latest N updates from a subscription. Ring buffer stores 1,000 most recent updates per subscription. |

| `gnmi_capabilities` | Discover what YANG models a device supports. Classifies models as OpenConfig vs. vendor-native with counts and version info. |

| `gnmi_browse_yang_paths` | Explore available YANG paths on a device with configurable tree depth. Like `ls` for your device’s data model. |

| `gnmi_compare_with_cli` | Compare gNMI-retrieved state with CLI-retrieved state (via pyATS). Field-level matching with timing-sensitive variance detection. Validates that the gNMI data matches reality. |

| `gnmi_list_targets` | List all configured gNMI targets with real-time connectivity status. |

**Four vendor dialects built in:**

| Vendor | Default Port | Encoding | ON_CHANGE |

|——–|————-|———-|———–|

| Cisco IOS-XR | 57400 | JSON_IETF | Yes |

| Juniper JunOS | 32767 | JSON_IETF | Yes |

| Arista EOS | 6030 | JSON | Yes |

| Nokia SR OS | 57400 | JSON_IETF | Yes |

**ITSM Gating for gNMI Set:**

The `gnmi_set` tool is the only write operation in the entire gNMI MCP server, and it’s locked behind a ServiceNow gate:

1. Validates the CR number matches format `CHG` followed by digits

2. In production mode, queries ServiceNow to verify the CR is in “Implement” state

3. Captures a gNMI Get baseline before any changes

4. Applies the Set operation

5. Runs a gNMI Get to verify the change took effect

6. Logs everything to GAIT

Lab mode (`NETCLAW_LAB_MODE=true`) bypasses ServiceNow but still requires a CR number for audit trail purposes.

**Environment variables:**

“`bash

GNMI_TARGETS='[{“name”:”router1″,”host”:”10.1.1.1″,”port”:57400,”username”:”admin”,”password”:”changeme”,”vendor”:”cisco-iosxr”}]’

GNMI_TLS_CA_CERT=/path/to/ca.pem

GNMI_TLS_CLIENT_CERT=/path/to/client.pem # Optional, for mTLS

GNMI_TLS_CLIENT_KEY=/path/to/client.key # Optional, for mTLS

GNMI_TLS_SKIP_VERIFY=false # Lab only

GNMI_DEFAULT_PORT=6030

GNMI_MAX_RESPONSE_SIZE=1048576 # 1MB truncation threshold

GNMI_MAX_SUBSCRIPTIONS=50

“`

### 4. Azure Networking MCP Server: Multi-Cloud Complete

**What it is:** A comprehensive MCP server for Microsoft Azure networking services. NetClaw already had AWS (5 skills, 27 tools) and GCP (3 skills, 28 tools). Azure was the missing piece. Now the multi-cloud networking story is complete.

**Why it matters:** Enterprise networks don’t live in one cloud. They span AWS VPCs, GCP VPCs, Azure VNets, and on-premise data centers connected by ExpressRoute, Direct Connect, and Cloud Interconnect. NetClaw can now observe, audit, and troubleshoot the entire picture.

**The 19 tools, organized by Azure service:**

**Virtual Networking:**

– `azure_list_subscriptions` — List all accessible Azure subscriptions

– `azure_list_vnets` — List Virtual Networks

– `azure_get_vnet_details` — Detailed VNet config (subnets, address space, DNS, flow logs)

– `azure_get_vnet_peerings` — Peering relationships and status

**Network Security:**

– `azure_list_nsgs` — List Network Security Groups

– `azure_get_nsg_rules` — Inbound/outbound rules with source/dest/port details

– `azure_get_effective_security_rules` — Computed effective rules after all NSG applications

– `azure_audit_nsg_compliance` — CIS Azure Foundations Benchmark audit

**Hybrid Connectivity:**

– `azure_get_expressroute_status` — Circuit status, peering details, QoS metrics

– `azure_get_expressroute_routes` — Advertised and learned route tables

– `azure_get_vpn_gateway_status` — VPN gateway health, connection status, routing info

**Firewalls & Security Appliances:**

– `azure_list_firewalls` — List Azure Firewalls

– `azure_get_firewall_policy` — Firewall policy rules and rule collections

**Load Balancing:**

– `azure_list_load_balancers` — List Load Balancers

– `azure_get_lb_backend_health` — Backend pool health probe results

– `azure_get_app_gateway_health` — Application Gateway and Front Door backend health

**Infrastructure:**

– `azure_get_route_tables` — User-defined routes

– `azure_get_network_watcher_status` — Network Watcher capabilities

– `azure_get_private_endpoints` — Private Link connections

– `azure_get_dns_zones` — DNS zones and records

**CIS Azure Foundations Benchmark compliance is built in:**

| Rule | Severity | What It Checks |

|——|———-|—————|

| 6.1 | Critical | RDP (port 3389) exposed to internet — recommends Azure Bastion |

| 6.2 | Critical | SSH (port 22) exposed to internet |

| 6.3 | High | Unrestricted UDP from internet (DDoS amplification risk) |

| 6.4 | Medium | NSG flow logs enabled with 90-day retention |

**Environment variables:**

“`bash

AZURE_TENANT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

AZURE_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

AZURE_CLIENT_SECRET=your-client-secret-value

AZURE_SUBSCRIPTION_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

“`

### 5. Canvas/A2UI Network Visualization: See Your Network Inline

**What it is:** A new skill that leverages OpenClaw’s Canvas and A2UI (Agent-to-UI) framework to render rich network visualizations directly in the chat interface. No separate browser tab, no Three.js HUD required (though that still works too). Seven visualization types, all rendered inline.

**Why it matters:** NetClaw has always been able to tell you about your network. Now it can show you. When you ask “show me the network topology,” you don’t get a wall of text — you get an interactive SVG map with devices color-coded by health status. When you ask about a change request, you see a visual timeline tracking through Assess, Authorize, Implement, and Review stages.

**The 7 visualization types:**

| Type | What You See |

|——|————-|

| **Topology Map** | Interactive SVG network diagram generated from CDP/LLDP discovery data. Devices color-coded by health (green/amber/red). Links show interface names. Auto-clusters by site when topology exceeds 200 nodes. |

| **Dashboard Panel** | Real-time gauges and counters: CPU utilization, memory usage, interface status, BGP peer counts, OSPF adjacency state. Supports gauge, counter, status-list, bar chart, and sparkline widgets. |

| **Alert Card** | Severity-colored alert cards from Grafana, Prometheus, and device syslog. Critical (red), warning (amber), info (blue). Filterable by severity, device, and time range. Shows “all clear” when no active alerts. |

| **Change Timeline** | Visual progress tracker for ServiceNow Change Requests. Horizontal stage progression: New, Assess, Authorize, Scheduled, Implement, Review, Closed. Highlights current stage. Shows rejection and rollback indicators. |

| **Diff View** | Side-by-side config diffs with syntax coloring: green for additions, red for removals, gray for context. Works for configurations, routing tables, and ACL rules. |

| **Path Trace** | Hop-by-hop forwarding path diagram with ingress/egress interfaces at each node. Highlights ECMP paths and black holes. Data sourced from pyATS and SuzieQ. |

| **Health Scorecard** | Weighted health score per device or per site. CPU (20%), memory (20%), interfaces (25%), BGP (20%), OSPF (15%). Drill-down from site to device to individual metrics. Missing data redistributes weight rather than failing. |

**All visualizations use WCAG 2.1 AA accessible colors** and degrade gracefully when data sources are unavailable (partial render with warnings, not blank screens).

**No new environment variables needed** — Canvas visualizations pull data from existing MCP servers (pyATS, Grafana, Prometheus, ServiceNow, SuzieQ).

## Part 3: The Compound Effect — Why These Five Together Are More Than the Sum

Each of these capabilities is powerful on its own. But the real magic is what happens when NetClaw combines them.

### Streaming Telemetry + SuzieQ: Real-Time Meets Historical

gNMI subscriptions fire when state changes. SuzieQ records everything over time. Together, NetClaw can:

– Detect a BGP peer flap via gNMI ON_CHANGE subscription (real-time)

– Query SuzieQ for “how many times has this peer flapped in the last 7 days?” (historical)

– Cross-reference with SuzieQ’s time-travel to see what else changed during each flap (correlation)

– Display the analysis as a Canvas dashboard panel with a sparkline of flap frequency (visualization)

That’s four new capabilities working together in a single troubleshooting workflow.

### Batfish + gNMI Set: Pre-Validated, ITSM-Gated Changes

The most powerful safety pipeline in network automation:

1. **Proposed change** arrives via ServiceNow

2. **Batfish validates** the proposed config (reachability, compliance, ACL impact)

3. **gNMI Set** applies the change (only if Batfish passes AND ServiceNow CR is approved)

4. **gNMI Get** verifies the change took effect

5. **SuzieQ assert** confirms the network is in the expected state

6. **Canvas timeline** shows the CR progressing through each stage

If any step fails, automatic rollback. If rollback fails, halt and alert. Every step GAIT-logged.

### Azure + AWS + GCP: True Multi-Cloud Visibility

NetClaw can now answer questions that span clouds:

– “Compare the security posture of our AWS VPCs, GCP VPCs, and Azure VNets”

– “Show me all internet-facing firewall rules across all three clouds”

– “Is our ExpressRoute circuit healthy? What about our Direct Connect and Cloud Interconnect?”

– “Run CIS compliance across Azure NSGs, AWS Security Groups, and GCP Firewall Rules”

And render the results as Canvas health scorecards with per-cloud drill-down.

### Canvas + Everything: The Visual Agent

Every MCP tool NetClaw has — all 46 integrations — can now feed data into Canvas visualizations:

– pyATS health checks become topology maps and dashboards

– Grafana alerts become alert cards

– ServiceNow CRs become change timelines

– SuzieQ path traces become forwarding diagrams

– Config diffs become side-by-side diff views

The agent doesn’t just tell you what’s happening. It shows you.

## Part 4: Getting These Features

### New Installation (install.sh)

If you’re installing NetClaw fresh, `scripts/install.sh` now includes all five new capabilities automatically. The install script has been updated from 47 steps to 53 steps:

**SuzieQ MCP** — pip install from `mcp-servers/suzieq-mcp/requirements.txt`

**Batfish MCP** — pip install from `mcp-servers/batfish-mcp/requirements.txt` + `docker pull batfish/batfish`

**gNMI MCP** — pip install fastmcp, grpcio, pygnmi, protobuf, cryptography, pydantic

**Azure Network MCP** — pip install from `mcp-servers/azure-network-mcp/requirements.txt` (azure-identity, azure-mgmt-network, azure-mgmt-resource, azure-mgmt-dns, azure-mgmt-frontdoor)

**Canvas/A2UI** — No additional dependencies (deployed as a skill via bulk copy)

### Existing NetClaw Installation (git pull)

If you already have NetClaw running, here’s how to add all five capabilities:

**Step 1: Pull the latest code**

“`bash

cd netclaw

git pull origin main

“`

**Step 2: Install SuzieQ MCP dependencies**

“`bash

pip3 install -r mcp-servers/suzieq-mcp/requirements.txt

“`

**Step 3: Install Batfish MCP dependencies**

“`bash

pip3 install -r mcp-servers/batfish-mcp/requirements.txt

docker pull batfish/batfish

docker run -d -p 9997:9997 -p 9996:9996 batfish/batfish

“`

**Step 4: Install gNMI MCP dependencies**

“`bash

pip3 install -r mcp-servers/gnmi-mcp/requirements.txt

“`

**Step 5: Install Azure Network MCP dependencies**

“`bash

pip3 install -r mcp-servers/azure-network-mcp/requirements.txt

“`

**Step 6: Update your .env file**

Add the following to your `.env` file (copy from `.env.example` for reference):

“`bash

# ── SuzieQ Network Observability ──

SUZIEQ_API_URL=http://your-suzieq-host:8000

SUZIEQ_API_KEY=your_suzieq_api_key

SUZIEQ_VERIFY_SSL=true

SUZIEQ_TIMEOUT=30

# ── Batfish Configuration Analysis ──

BATFISH_HOST=localhost

BATFISH_PORT=9997

BATFISH_NETWORK=netclaw

# ── gNMI Streaming Telemetry ──

GNMI_TARGETS='[{“name”:”router1″,”host”:”10.1.1.1″,”port”:57400,”username”:”admin”,”password”:”changeme”,”vendor”:”cisco-iosxr”}]’

GNMI_TLS_CA_CERT=/path/to/ca.pem

GNMI_TLS_CLIENT_CERT=/path/to/client.pem

GNMI_TLS_CLIENT_KEY=/path/to/client.key

GNMI_TLS_SKIP_VERIFY=false

GNMI_DEFAULT_PORT=6030

GNMI_MAX_RESPONSE_SIZE=1048576

GNMI_MAX_SUBSCRIPTIONS=50

# ── Azure Networking ──

AZURE_TENANT_ID=your-tenant-id

AZURE_CLIENT_ID=your-client-id

AZURE_CLIENT_SECRET=your-client-secret

AZURE_SUBSCRIPTION_ID=your-subscription-id

“`

Canvas/A2UI requires no additional environment variables — it uses existing MCP server connections.

**Step 7: Restart OpenClaw gateway**

“`bash

openclaw gateway

“`

The new MCP servers are already registered in `config/openclaw.json` and will be discovered automatically on restart.

## The Numbers

| Metric | Before | After |

|——–|——–|——-|

| Skills | 97 | 101 |

| MCP Integrations | 43 | 46 |

| MCP Tools | ~400 | ~442 |

| Cloud Providers | 2 (AWS, GCP) | 3 (AWS, GCP, Azure) |

| Telemetry Model | Poll-based (CLI) | Poll + Stream (CLI + gNMI) |

| Pre-Change Validation | Manual | Automated (Batfish) |

| Network Observability | Per-device | Fleet-wide with time travel (SuzieQ) |

| Visualization | Separate 3D HUD | Inline Canvas + 3D HUD |

| CIS Compliance | Cisco only | Cisco + Azure |

| Development Process | Ad-hoc | Spec-Driven (16 principles) |

**160 new files. 23,028 lines of new code. 225 SDD tasks executed. One session.**

NetClaw isn’t just getting more capable. It’s getting more disciplined. The constitution and SDD workflow ensure that every future capability — whether it’s SNMP monitoring, Terraform integration, or RPKI validation — will go through the same rigorous specify-plan-task-implement pipeline, with full artifact coherence guaranteed.

The network deserves an engineer that never cuts corners. That’s NetClaw.