<h2>I. Introduction: New Cybersecurity Challenges in the Agentic AI Era</h2><h3>1.1 Background and Motivation</h3><p>From 2024 to 2025, artificial intelligence technology is undergoing a profound paradigm shift from "large language model dialogue" to "autonomous agent collaboration." AI agents are no longer merely tools responding to user queries but intelligent entities capable of autonomous planning, tool invocation, and collaborative work. According to industry forecasts, by 2026, over 80% of enterprises will deploy AI agent applications in production environments, presenting unprecedented cybersecurity challenges.</p><p>Core characteristics of AI agents include: autonomous decision-making capabilities, multi-tool invocation, multi-system coordination, and complex data flow. These features pose severe challenges to traditional cybersecurity defense systems—agents can autonomously access sensitive data, invoke external APIs, and exchange information with other agents, behaviors that are often difficult to identify and audit within traditional network monitoring systems.</p><p>In this context, Fortinet pioneered the introduction of native support for two agent communication protocols—<strong>MCP (Model Context Protocol)</strong> and <strong>A2A (Agent-to-Agent Protocol)</strong>—in FortiOS 8.0. This marks mainstream network security vendors formally incorporating AI agent protocols into enterprise security defense systems, providing critical technical support for addressing emerging AI workloads.</p><h3>1.2 FortiOS 8.0 Agentic AI Protocol Support Overview</h3><p>FortiOS 8.0's Agentic AI protocol support functionality is built upon the mature <strong>Application Control</strong> module, implementing deep detection and monitoring of MCP and A2A protocols through a newly added GenAI (Generative AI) application signature database. The core value of this functionality is reflected in the following dimensions:</p><p><strong>Protocol-level visibility</strong>: Capable of identifying and recording all key operations of agent protocols, including method invocations, parameter passing, and message content, providing unprecedented AI traffic visualization capabilities for security teams.</p><p><strong>Risk assessment capabilities</strong>: Based on protocol characteristics and contextual information, FortiGate can assess the risk level of agent communications, helping security teams identify anomalous behaviors and potential security threats.</p><p><strong>Audit and compliance support</strong>: Through enhanced log fields and FortiView visualization features, enterprises can meet AI application audit and compliance requirements, establishing complete AI traffic audit trails.</p><h3>1.3 Article Structure</h3><p>This article provides deep technical analysis of FortiOS 8.0's MCP/A2A protocol support from four dimensions: protocol principles, detection mechanisms, configuration details, and business scenarios. We will first analyze the technical architecture and communication mechanisms of MCP and A2A protocols, then delve into FortiGate's detection principles and signature system, followed by detailed configuration guides, and finally demonstrate the application's value through real business scenarios.</p><h2>II. Deep Analysis of Protocol Principles</h2><h3>2.1 Model Context Protocol (MCP) Technical Architecture</h3><h4>2.1.1 MCP Protocol Positioning and Design Goals</h4><p>Model Context Protocol is an open standard protocol led by Anthropic, designed to provide unified specifications for connections between AI models and external tools and data sources. MCP's design philosophy can be summarized as "the USB standard for AI applications"—just as USB interfaces unified connections for various peripherals, MCP attempts to establish unified communication specifications for AI model interactions with various tool resources.</p><p>Core design goals of the MCP protocol include:</p><p><strong>Standardized interfaces</strong>: Defining unified interface specifications for interactions between AI applications and tools/data sources, reducing integration complexity and promoting ecosystem prosperity.</p><p><strong>Security-first</strong>: The protocol includes a built-in authentication and authorization framework, supporting token-based authentication to ensure fine-grained control over AI access to external resources.</p><p><strong>Extensible architecture</strong>: Adopting modular design, supporting selective implementation of different functional components based on application requirements, facilitating differentiated deployment for lightweight and complex applications.</p><h4>2.1.2 Protocol Layered Architecture</h4><p>The MCP protocol uses a layered architecture design, from bottom to top:</p><p><strong>Transport Layer</strong></p><p>MCP supports multiple transport mechanisms, with mainstream implementations including:</p><ul><li><strong>STDIO Transport</strong>: Suitable for local inter-process communication, using standard input/output for data exchange when AI applications and tool services run on the same host.</li><li><strong>HTTP/SSE Transport</strong>: Suitable for networked deployment, where clients send requests via HTTP POST and servers push responses via Server-Sent Events (SSE), supporting real-time bidirectional communication.</li></ul><p>In FortiOS 8.0 detection scenarios, HTTP transport MCP traffic is primarily involved, with typical endpoint paths including /mcp, /sse, etc.</p><p><strong>Message Layer</strong></p><p>MCP defines message formats based on JSON-RPC 2.0 specification, with all protocol messages conforming to JSON-RPC 2.0 structure requirements. The protocol defines three message types:</p><figure class="table">
| Message Type | Direction | Characteristics | Description |
|---|---|---|---|
| Request | Bidirectional | Contains id field | Operations requiring response from the other party |
| Response | Bidirectional | Contains same id as request | Reply to a request |
| Notification | Bidirectional | Does not contain id field | One-way information delivery, no response required |
Server → Client: initialized (serverInfo, capabilities)</p><p>The client first sends an
initialize request, declaring supported protocol versions and client capabilities; the server replies with an initialized notification, confirming the negotiated capability set. This is the necessary handshake process for MCP communication, corresponding to Protocol.MCP signature in FortiGate logs with a risk level marked as "elevated".</p><p><strong>Capability Discovery Phase</strong></p><p>The client can query the list of features supported by the server:</p><ul><li>tools/list: Get available tools list</li><li>resources/list: Get available resources list</li><li>prompts/list: Get available prompt templates list</li></ul><p><strong>Tool Invocation Phase</strong></p><p>This is the core application scenario for MCP. A typical tool invocation flow is as follows:</p><p>Client → Server: tools/call (name, arguments)
Server → Client: tools/list_changed (notification)
Server → Client: tools/call (result)</p><p>The AI model constructs tool invocation requests based on task requirements, and the server executes corresponding operations and returns results. The
Protocol.MCP.Tools signature in FortiGate logs corresponds to such operations, recording tool names (such as echo) and invocation parameters (such as {"message":"message mcp 1"}).</p><p><strong>Prompt Retrieval Phase</strong></p><p>Client → Server: prompts/get (name, arguments)
Server → Client: prompts/get (messages)</p><p>Clients can retrieve predefined prompt templates provided by the server. The
Protocol.MCP.Prompts signature in FortiGate logs corresponds to such operations.</p><h4>2.1.4 MCP Security Model</h4><p>The MCP protocol includes a built-in HTTP-based authentication framework with the following main mechanisms:</p><p><strong>Bearer Token Authentication</strong>: Clients carry Bearer tokens in request headers, and servers verify token validity before deciding whether to authorize access.</p><p><strong>Capability Negotiation</strong>: Servers declare their supported capability subsets during the initialization phase, and clients decide which features they can use based on server capabilities.</p><p><strong>Parameter Validation</strong>: Tool invocation parameters must conform to predefined schemas, with servers responsible for parameter validation and type conversion.</p><p>However, it should be noted that the MCP protocol itself does not provide end-to-end encryption—it relies on the security guarantees of the underlying transport layer. This means that in HTTPS environments, MCP communication can obtain transport layer encryption protection; but in HTTP environments, MCP messages are transmitted in plaintext, posing risks of eavesdropping and tampering. FortiOS 8.0's deep inspection functionality can decrypt and analyze encrypted traffic content when SSL deep inspection is enabled.</p><h3>2.2 Agent-to-Agent Protocol (A2A) Technical Architecture</h3><h4>2.2.1 A2A Protocol Positioning and Design Background</h4><p>Agent-to-Agent Protocol (A2A) is an open protocol led by Google, officially donated to the Linux Foundation as an open-source project in early 2025. A2A's core mission is to solve interoperability problems between AI agents built by different vendors using different frameworks.</p><p>Unlike MCP, which focuses on "agent-tool" interaction, A2A focuses on "agent-agent" communication. The relationship between the two can be compared as: MCP is the agent's "hand" for interacting with the external world; A2A is the agent's "mouth" for talking with other agents.</p><h4>2.2.2 A2A Protocol Core Concepts</h4><p><strong>Agent Card</strong></p><p>A2A protocol defines Agent Card as metadata description for agents, hosted at .well-known/agent-card.json endpoint. Each Agent Card contains the following key information:</p><ul><li><strong>Identification information</strong>: Agent name, version, provider</li><li><strong>Capability declaration</strong>: Task types supported by the agent</li><li><strong>Endpoint information</strong>: A2A service address of the agent</li><li><strong>Authentication requirements</strong>: Authentication methods required to access the agent</li></ul><p>{
"name": "Research Agent",
"version": "1.0.0",
"capabilities": ["web_search", "document_analysis"],
"endpoint": "https://agent.example.com/a2a"
}</p><p>In FortiGate logs, requests accessing
.well-known/agent-card.json endpoint correspond to Protocol.A2A signature.</p><p><strong>Task</strong></p><p>A2A organizes workflows with "tasks" as basic units. Each task has a unique identifier and lifecycle states:</p><figure class="table">| State | Description |
|---|---|
working | Task is being processed |
input-required | Requires human input to continue |
completed | Task completed successfully |
failed | Task execution failed |
canceled | Task has been canceled |
Protocol.A2A.Message signature, with endpoint path /v1/message:stream.</p><h4>2.2.3 A2A Communication Flow</h4><p>A typical A2A communication flow contains the following steps:</p><p><strong>Step 1: Agent Discovery</strong></p><p>Client Agent → Server Agent: GET /.well-known/agent-card.json
Server Agent → Client Agent: Agent Card (JSON)</p><p>The client learns about the target agent's capabilities and access requirements by obtaining its Agent Card. This is the starting point of A2A communication, corresponding to
Protocol.A2A signature in FortiGate logs.</p><p><strong>Step 2: Establishing Connection</strong></p><p>The client establishes an A2A connection based on information in the Agent Card, which may involve obtaining and exchanging authentication tokens.</p><p><strong>Step 3: Task Submission</strong></p><p>Client Agent → Server Agent: POST /v1/message
{
"method": "tasks/send",
"params": {
"taskId": "uuid",
"message": {...}
}
}</p><p>The client submits a task request to the server, containing task identifier and message content.</p><p><strong>Step 4: Result Retrieval</strong></p><p>// Synchronous mode
Server Agent → Client Agent: tasks/send$result
// Streaming mode
Server Agent → Client Agent: POST /v1/message:stream (SSE)
event: result
data: {...chunk1...}
event: result
data: {...chunk2...}</p><p>The server returns results after completing the task, or pushes intermediate results in real-time through the streaming interface.</p><h3>2.3 Complementary Relationship Between MCP and A2A</h3><h4>2.3.1 Protocol Positioning Differences</h4><p>Although both MCP and A2A are AI agent-related protocols, they solve problems at different levels:</p><figure class="table">
| Dimension | MCP | A2A |
|---|---|---|
| Communication Direction | Agent → Tool/Resource | Agent ↔ Agent |
| Core Function | Tool invocation, data retrieval | Task collaboration, information exchange |
| Typical Scenarios | Database queries, email sending, API invocations | Multi-agent collaboration, task decomposition |
| Protocol Layer | Focus on interface standardization | Focus on interoperability protocol |
│ AI Agent │
├─────────────────────────────────────────────────────────┤
│ │
│ ┌───────────┐ ┌───────────┐ │
│ │ MCP │ │ A2A │ │
│ │ (Tool Layer)│ │ (Collab Layer)│ │
│ └─────┬─────┘ └─────┬─────┘ │
│ │ │ │
│ ▼ ▼ │
│ ┌───────────┐ ┌───────────┐ │
│ │ Tools/ │ │ Collaborating│ │
│ │ Data Sources│ │ Agents │ │
│ └───────────┘ └───────────┘ │
│ │
└─────────────────────────────────────────────────────────┘</p><p>For example, an "intelligent research assistant" might:</p><ul><li>Use MCP to invoke search engine APIs to retrieve information</li><li>Use MCP to access local document databases</li><li>Use A2A to collaborate with other specialized agents (such as data analysis agents)</li><li>Use A2A to request confirmation from human experts</li></ul><p>FortiOS 8.0 supports both MCP and A2A protocol detection, enabling complete monitoring of the two core communication behaviors of agents.</p><h2>III. Deep Analysis of FortiOS 8.0 Detection Mechanisms</h2><h3>3.1 Detection Architecture Overview</h3><p>FortiOS 8.0's detection of MCP/A2A protocols is built upon the mature application control framework, implementing protocol identification through the newly added <strong>GenAI application signature database</strong>. This design brings the following advantages:</p><p><strong>Unified management</strong>: MCP/A2A detection shares the policy framework with application control, URL filtering, and other security functions, facilitating unified management.</p><p><strong>Performance optimization</strong>: Reuses the high-performance detection engine of application control without introducing additional processing overhead.</p><p><strong>Feature extension</strong>: Can be linked with IPS, SSL deep inspection, and other modules to provide multi-dimensional security protection.</p><h3>3.2 GenAI Application Signature System</h3><h4>3.2.1 Signature Classification</h4><p>FortiGate defines the following application signatures for MCP and A2A protocols:</p><p><strong>MCP-related signatures</strong>:</p><figure class="table">
| Signature Name | Description | Risk Level | Detection Content |
|---|---|---|---|
Protocol.MCP | General MCP protocol detection | Elevated | Protocol initialization handshake |
Protocol.MCP.Tools | MCP tool invocations | Low | Tool names, invocation parameters |
Protocol.MCP.Prompts | MCP prompt templates | Low | Prompt names, template parameters |
| Signature Name | Description | Risk Level | Detection Content |
|---|---|---|---|
Protocol.A2A | General A2A protocol detection | Low | Agent Card retrieval |
Protocol.A2A.Message | A2A message transmission | Low | Message content, streaming events |
GenAI (Generative AI) application classification with classification ID 36. In application control policies, all GenAI-related protocols can be matched through the following methods:</p><p>config application list
edit "GenAI"
config entries
edit 1
set category 36
set action pass
next
end
next
end</p><h4>3.2.3 Signature Update Mechanism</h4><p>The GenAI signature database is updated through the FortiGuard security subscription service. Database version can be checked with the following command:</p><p># diagnose autoupdate versions | grep -A 6 GenAI
GenAI Application Definitions
Version: 33.00033 signed
Contract Expiry Date: Thu Jan 3 2030
Last Updated using scheduled update on Tue Jun 24 20:59:43 2025
Last Update Attempt: Tue Jun 24 23:10:03 2025
Result: No Updates</p><p>Note that GenAI database updates require the following conditions:</p><ul><li>Device holds a valid FMWR (FortiGuard Web Security) contract</li><li>At least one firewall policy has application control profile enabled</li><li>Device can access FortiGuard update servers</li></ul><h3>3.3 Deep Inspection and Extended Logging</h3><h4>3.3.1 SSL Deep Inspection Dependency</h4><p>Some GenAI signatures require enabling SSL deep inspection for complete detection. Method to determine if a signature requires deep inspection:</p><ol><li>Access <strong>Security Profiles → Application Signatures</strong></li><li>Locate the target signature (such as
DevCycle_MCP.Tools)</li><li>Hover to view signature details popup</li><li>Check if <strong>Requirements</strong> field contains <strong>SSL Deep Inspection</strong></li></ol><p>┌─────────────────────────────────┐
│ DevCycle_MCP.Tools │
├─────────────────────────────────┤
│ Category: GenAI │
│ Risk Rating: Low │
│ Requirements: SSL Deep... │ ← Requires deep inspection
│ │
│ [View Details] [Create Rule] │
└─────────────────────────────────┘</p><p>After enabling deep inspection, FortiGate can decrypt MCP/A2A communication content in HTTPS traffic, extracting key information such as AI method names, function names, and parameters.</p><h4>3.3.2 Extended Log Fields</h4><p>After enabling <strong>Extended Log</strong>, application control logs will contain rich AI protocol information. The following are MCP-related extended log fields:</p><figure class="table">
| Field Name | Description | Example Value |
|---|---|---|
aimethod | AI method name | tools/call, initialize, prompts/get |
aifunc | AI function name | echo, simple-prompt |
aiargs | AI parameters (JSON format) | "message":"message mcp 1" |
cloudaiagent | Aggregated AI information | Contains application, use case, method, function, etc. |
usecase | Use case classification | Utility_Tools |
appcat | Application category | GenAI |
apprisk | Application risk level | low, elevated |
| Field Name | Description | Example Value |
|---|---|---|
aimethod | AI method name | message/stream, tasks/send |
aimessage | Message content | message a2a 2 |
cloudaiagent | Aggregated AI information | Contains application, use case, method, etc. |
logid="1059028704" type="utm" subtype="app-ctrl"
eventtype="signature" level="information" vd="vd1"
appid=59072 srcip=10.1.100.126 dstip=172.16.200.214
srcport=60037 dstport=3333
srcintf="port2" dstintf="port1"
proto=6 service="HTTP" direction="outgoing"
policyid=1 sessionid=439
applist="g-default" action="pass"
appcat="GenAI" app="Protocol.MCP.Tools"
hostname="172.16.200.214" url="/mcp"
httpmethod="POST"
msg="GenAI: Protocol.MCP.Tools"
usecase="Utility_Tools"
aimethod="tools/call"
aifunc="echo"
aiargs=""message":"message mcp 1""
cloudaiagent="APP=Protocol MCP, UseCase=Utility_Tools,
Method=tools/call, Function=echo,
Arguments='"message":"message mcp 1"'"
apprisk="low"</p><p><strong>A2A message transmission log</strong>:</p><p>date=2026-02-27 time=11:09:10 eventtime=1772219349846174869
logid="1059028704" type="utm" subtype="app-ctrl"
eventtype="signature" level="information" vd="vd1"
appid=59162 srcip=10.1.100.126 dstip=172.16.200.195
srcport=60174 dstport=10101
srcintf="port2" dstintf="port1"
proto=6 service="HTTP" direction="outgoing"
policyid=1 sessionid=828
applist="g-default" action="pass"
appcat="GenAI" app="Protocol.A2A.Message"
hostname="172.16.200.195" url="/v1/message:stream"
httpmethod="POST"
msg="GenAI: Protocol.A2A.Message"
usecase="Utility_Tools"
aimethod="message/stream"
aimessage="message a2a 2"
cloudaiagent="APP=Protocol A2A, UseCase=Utility_Tools,
Method=message/stream, Message='message a2a 2'"
apprisk="low"</p><h3>3.4 FortiView AI Application Visualization</h3><p>FortiOS 8.0 has added <strong>AI Applications</strong> and <strong>AI Use Cases</strong> views in the FortiView module, providing security analysts with intuitive AI traffic analysis capabilities.</p><h4>3.4.1 FortiView AI Applications</h4><p><strong>Access path</strong>: Dashboard → FortiView → FortiView AI Applications</p><p>This view displays AI traffic statistics by application, containing the following information dimensions:</p><ul><li><strong>Protocol distribution</strong>: MCP vs A2A traffic ratio</li><li><strong>Session count</strong>: Session counts for each protocol</li><li><strong>Source/Target analysis</strong>: Endpoints initiating AI communications and target servers</li></ul><p><strong>Drill-down analysis</strong> supports viewing detailed session lists for individual protocols, with key fields including:</p><figure class="table">
| Field | Description |
|---|---|
| AI Agent | Agent identifier |
| AI Function | Invoked function name |
| AI Method | Invoked method name |
| AI Arguments | Invoked parameters |
| Hostname | Target hostname |
| AI URI | Accessed URI path |
Utility_Tools (tool category) use case classification. This design reflects the primary classification method for AI agent application scenarios, facilitating security teams' understanding and analysis of AI traffic by business scenarios.</p><h3>3.5 Detection Limitations and Known Constraints</h3><h4>3.5.1 Proxy Mode Inline IPS Limitation</h4><p>When firewall policies use <strong>Proxy Mode</strong>, <strong>MCP and A2A protocol deep detection is not supported</strong>. This is because inline IPS processing under proxy mode conflicts with GenAI signature detection.</p><p>Solution: For scenarios requiring proxy mode, disable inline IPS:</p><p>config ips settings
set proxy-inline-ips disable
end</p><p>This configuration applies to all firewall policies using proxy mode and explicit proxy policies.</p><h4>3.5.2 NGFW Security Policy Limitation</h4><p><strong>NGFW (Next-Generation Firewall) security policy</strong> mode does not support MCP and A2A protocol detection. Enterprises needing advanced NGFW security policy features (such as user-based policy control) will be unable to enable GenAI protocol detection simultaneously.</p><h4>3.5.3 Signature Coverage</h4><p>The current GenAI signature database primarily covers mainstream AI framework and tool MCP/A2A implementations. Non-standard or proprietary protocol extensions may not be accurately identified. For special AI application requirements, it is recommended to contact Fortinet support team for signature customization.</p><h2>IV. Configuration Details and Best Practices</h2><h3>4.1 Basic Configuration Process</h3><h4>4.1.1 Configuration Prerequisites</h4><p>Before starting configuration, ensure the following conditions are met:</p><ol><li><strong>System version</strong>: FortiGate running FortiOS 8.0.0 or higher</li><li><strong>License status</strong>: Device has valid FortiGuard service subscription</li><li><strong>SSL certificate</strong>: CA certificate configured for deep inspection</li></ol><h4>4.1.2 Configuration Steps Overview</h4><p>┌─────────────────────────────────────────────────────────┐
│ Configuration Flow Overview │
├─────────────────────────────────────────────────────────┤
│ │
│ Step 1: Create Application Control Sensor │
│ ↓ │
│ Step 2: Enable Extended Logging (Optional but Recommended) │
│ ↓ │
│ Step 3: Configure SSL Deep Inspection Profile │
│ ↓ │
│ Step 4: Apply Configuration to Firewall Policy │
│ ↓ │
│ Step 5: Verify Detection Effect │
│ │
└─────────────────────────────────────────────────────────┘</p><h3>4.2 GUI Configuration Guide</h3><h4>4.2.1 Creating GenAI Application Control Sensor</h4><p><strong>Operation path</strong>: Security Profiles → Application Control</p><ol><li>Click <strong>Create New</strong> to create a new sensor</li><li>Configure basic parameters:<ul><li><strong>Name</strong>: Fill in sensor name (such as
GenAI-Monitoring)</li><li><strong>Comments</strong>: Add description</li></ul></li><li>Find the <strong>Generative AI</strong> category in the <strong>Categories</strong> area</li><li>Set this category to <strong>Monitor</strong> mode</li><li>Click <strong>OK</strong> to save configuration</li></ol><p><strong>Configuration notes</strong>:</p><ul><li>The reason for selecting <strong>Monitor</strong> instead of <strong>Block</strong>: During initial deployment of new features, it is recommended to first observe AI traffic characteristics and confirm detection accuracy before considering blocking policies.</li><li>Application control supports fine-grained configuration, allowing different actions for specific signatures.</li></ul><h4>4.2.2 Enabling Extended Logging</h4><p>When creating or editing an application control sensor:</p><ol><li>Expand the <strong>Extended Logging</strong> option</li><li>Set it to <strong>Enable</strong></li></ol><p>Extended logging is crucial for obtaining complete AI protocol information and is recommended to always be enabled.</p><h4>4.2.3 Configuring SSL Deep Inspection</h4><p><strong>Operation path</strong>: Security Profiles → SSL/SSH Inspection</p><ol><li>Create or edit SSL inspection profile</li><li>Select <strong>Deep Inspection</strong> mode</li><li>Ensure CA certificate is correctly imported and distributed to clients</li><li>Configure whitelists, exclusion lists, etc., as needed</li></ol><p><strong>Notes</strong>:</p><ul><li>Deep inspection involves SSL/TLS decryption and may introduce performance overhead</li><li>For known trusted AI services, exclusion rules can be configured to bypass decryption</li><li>Some AI services (such as scenarios with mandatory certificate pinning) may conflict with deep inspection</li></ul><h4>4.2.4 Applying Configuration to Firewall Policy</h4><p><strong>Operation path</strong>: Policy & Objects → Firewall Policy</p><ol><li>Create or edit target firewall policy</li><li>In the <strong>Security Profiles</strong> area:<ul><li>Enable <strong>UTM Status</strong></li><li>Select the created <strong>Application List</strong> (such as GenAI-Monitoring)</li><li>Select <strong>SSL/SSH Inspection</strong> profile (such as new-deep-inspection)</li></ul></li><li>Ensure <strong>Action</strong> is set to <strong>Accept</strong></li><li>Configure other necessary parameters (source/destination interface, address, service, etc.)</li><li>Click <strong>OK</strong> to save</li></ol><h3>4.3 CLI Configuration Details</h3><h4>4.3.1 Creating GenAI Application Control Configuration</h4><p>config application list
edit "GenAI-Monitoring"
set extended-log enable
config entries
edit 1
set category 36
set action pass
next
end
next
end</p><p><strong>Command description</strong>:</p><ul><li>
edit "GenAI-Monitoring": Creates application control configuration named GenAI-Monitoring</li><li>set extended-log enable: Enables extended log recording</li><li>config entries: Configures matching signature entries</li><li>set category 36: Matches GenAI (Generative AI) category with ID 36</li><li>set action pass: Action is to pass</li></ul><h4>4.3.2 Applying to Firewall Policy</h4><p>config firewall policy
edit 1
set uuid 13a56522-b12b-51f0-1d35-f6ecfe4e2568
set srcintf "port2"
set dstintf "port1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "new-deep-inspection"
set application-list "GenAI-Monitoring"
set nat enable
next
end</p><p><strong>Command description</strong>:</p><ul><li>
set utm-status enable: Enables UTM security features</li><li>set ssl-ssh-profile "new-deep-inspection": Applies SSL deep inspection</li><li>set application-list "GenAI-Monitoring": Applies GenAI monitoring configuration</li></ul><h4>4.3.3 Configuring Proxy Mode Exception (If Required)</h4><p>For scenarios using proxy mode:</p><p>config ips settings
set proxy-inline-ips disable
end</p><p>This configuration disables inline IPS under proxy mode, allowing GenAI signatures to work normally.</p><h3>4.4 Advanced Configuration Scenarios</h3><h4>4.4.1 Fine-Grained Signature Control</h4><p>If different policies need to be set for specific MCP/A2A signatures, signature IDs can be used for configuration:</p><p>config application list
edit "GenAI-Detailed"
set extended-log enable
config entries
edit 1
set category 36
set action pass
next
edit 2
set signature "Protocol.MCP"
set action monitor
set log enable
next
edit 3
set signature "Protocol.MCP.Tools"
set action pass
set log enable
next
end
next
end</p><h4>4.4.2 Blocking Specific AI Services</h4><p>For AI services that need to be blocked, stricter policies can be created:</p><p>config application list
edit "GenAI-Blocked"
set extended-log enable
config entries
edit 1
set category 36
set action block
next
end
next
end</p><h4>4.4.3 User-Based AI Access Control</h4><p>Combining FortiGate's user authentication functionality, user-based AI access control can be implemented:</p><p>config firewall policy
edit 100
set srcintf "port2"
set dstintf "port1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "deep-inspection"
set application-list "GenAI-Monitoring"
set groups "AI-Developer-Group"
set nat enable
next
end</p><p>This configuration only monitors and records traffic for members of the
AI-Developer-Group.</p><h3>4.5 Verification and Troubleshooting</h3><h4>4.5.1 Verifying Configuration Effectiveness</h4><ol><li><strong>Check application control status</strong>:</li></ol><p>diagnose application appctrl list</p><ol><li><strong>Check signature database status</strong>:</li></ol><p>diagnose autoupdate versions | grep GenAI</p><ol><li><strong>Trigger test traffic</strong>: Start an MCP client application in the network to access the MCP server</li><li><strong>Check logs</strong>:</li></ol><p># GUI path
Log & Report → Security Events → Application Control Logs
CLI command
fnsort -l | grep -E "MCP|A2A|GenAI"</p><h4>4.5.2 Common Problem Troubleshooting</h4><p><strong>Problem 1: Extended fields missing in logs</strong></p><p>Possible causes:</p><ul><li>Extended logging not enabled</li><li>SSL deep inspection not enabled</li><li>Signature does not require deep inspection</li></ul><p>Solution: Confirm that
extended-log is enabled in application control configuration and that the firewall policy is associated with SSL deep inspection configuration.</p><p><strong>Problem 2: MCP traffic not identified</strong></p><p>Possible causes:</p><ul><li>GenAI signature database version too old</li><li>MCP server uses non-standard ports or paths</li><li>Traffic matched by another policy first</li></ul><p>Solution: Update GenAI signature database, check MCP server configuration, confirm firewall policy order.</p><p><strong>Problem 3: Detection fails under proxy mode</strong></p><p>This is a known limitation. Refer to the "Detection Limitations and Known Constraints" section for configuration adjustments.</p><h2>V. Deep Analysis of Business Scenarios</h2><h3>5.1 Enterprise AI Workload Security Monitoring</h3><h4>5.1.1 Scenario Description</h4><p>A large technology company is deploying an AI agent-based software development platform. Development teams use various AI tools to assist with code writing, testing, and deployment. These AI tools connect to internal code repositories, CI/CD systems, and document libraries through the MCP protocol.</p><p><strong>Security challenges</strong>:</p><ul><li>Need to monitor how developers use AI tools</li><li>Need to audit which internal resources AI tools accessed</li><li>Need to detect anomalous AI behaviors (such as large-scale data downloads)</li></ul><p><strong>FortiOS 8.0 solution</strong>:</p><p>Deployment Architecture:
┌──────────────┐ MCP/A2A ┌──────────────┐
│ Developer │ ───────────────→│ AI Agent │
│ Endpoint │ │ Server │
└──────────────┘ └──────────────┘
↑ │
│ │
│ FortiGate │
│ (MCP/A2A Detection + Logging) │
│ │
└───────────────────────────────────┘</p><p><strong>Implementation effects</strong>:</p><ul><li>Records all MCP tool invocations, including invoked function names and parameters</li><li>Identifies anomalous AI behavior patterns (such as large file reads within short time periods)</li><li>Generates AI usage audit reports meeting compliance requirements</li></ul><h4>5.1.2 Key Configuration</h4><p># Create AI monitoring policy for development network
config firewall policy
edit 50
set name "DevNet-GenAI-Monitoring"
set srcintf "dev-segment"
set dstintf "ai-server-segment"
set action accept
set srcaddr "all"
set dstaddr "ai-servers"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "deep-inspection"
set application-list "GenAI-Monitoring"
set nat disable
next
end</p><h3>5.2 Multi-Agent Collaboration Security</h3><h4>5.2.1 Scenario Description</h4><p>A financial institution has deployed multiple specialized AI agents to collaboratively process customer requests:</p><ul><li><strong>Customer Service Agent</strong>: Receives customer inquiries, initially understands requirements</li><li><strong>Risk Control Agent</strong>: Evaluates transaction risks</li><li><strong>Product Agent</strong>: Provides product information</li><li><strong>Compliance Agent</strong>: Ensures operations comply with regulatory requirements</li></ul><p>These agents collaborate through the A2A protocol, exchanging customer information and decision recommendations.</p><p><strong>Security challenges</strong>:</p><ul><li>Data exchanged between agents may contain sensitive customer information</li><li>Need to ensure agent collaboration complies with regulatory requirements</li><li>Need to track complete agent collaboration chains for auditing</li></ul><p><strong>FortiOS 8.0 solution</strong>:</p><p>FortiGate deployed at agent network boundary, implementing through A2A protocol detection:</p><ol><li><strong>Message content recording</strong>: Records basic information of all A2A messages</li><li><strong>Collaboration topology visualization</strong>: Displays communication relationships between agents through FortiView</li><li><strong>Anomalous behavior detection</strong>: Identifies anomalous agent communication patterns</li></ol><h4>5.2.2 FortiView Collaboration Topology Analysis</h4><p>Through FortiView AI Use Cases view, security teams can:</p><ul><li>Identify which agents frequently communicate with each other</li><li>Discover unexpected agent collaboration relationships</li><li>Track agent collaboration chains for specific customer requests</li></ul><h3>5.3 AI Data Leakage Prevention</h3><h4>5.3.1 Scenario Description</h4><p>A healthcare organization uses AI agents to assist doctors with diagnosis. AI agents need to access patient Electronic Health Records (EHR), but must ensure:</p><ul><li>Only access records of patients currently seeking treatment</li><li>Diagnostic conclusions cannot be obtained by unauthorized personnel</li><li>AI usage complies with HIPAA compliance requirements</li></ul><p><strong>Security challenges</strong>:</p><ul><li>AI may "inadvertently" access large amounts of sensitive data</li><li>Need to prevent data exfiltration through AI channels</li><li>Need to establish complete AI data access audit trails</li></ul><p><strong>FortiOS 8.0 solution</strong>:</p><p>Combining application control and SSL inspection, FortiGate can:</p><ol><li><strong>Enhanced visibility</strong>: Identify when AI agents access systems containing sensitive data</li><li><strong>Behavior baseline</strong>: Establish AI normal behavior baseline, detect anomalous access patterns</li><li><strong>Log traceability</strong>: Provide complete AI data access logs to meet compliance audit requirements</li></ol><h4>5.3.2 Deep Inspection and Data Protection Integration</h4><p>┌─────────────────────────────────────────────────────────┐
│ Protection Policy Layers │
├─────────────────────────────────────────────────────────┤
│ │
│ L7: Application Control - MCP/A2A Protocol ID & Logging│
│ ↓ │
│ L7: DLP - Sensitive Data Detection & Masking │
│ ↓ │
│ L4: SSL Inspection - Encrypted Traffic Content Analysis│
│ ↓ │
│ L3: Firewall - Network Layer Access Control │
│ │
└─────────────────────────────────────────────────────────┘</p><h3>5.4 Compliance and Audit Support</h3><h4>5.4.1 Scenario Description</h4><p>A multinational enterprise needs to meet AI regulatory requirements across multiple jurisdictions:</p><ul><li>EU AI Act transparency requirements for high-risk AI systems</li><li>AI data localization requirements of various countries</li><li>Industry-specific AI usage reporting requirements</li></ul><p><strong>FortiOS 8.0 compliance value</strong>:</p><figure class="table">
| Compliance Requirement | FortiOS Support | Description |
|---|---|---|
| AI activity records | ✅ | Complete AI operations recorded through extended logging |
| Audit trail retention | ✅ | Supports Syslog/SIEM export |
| Risk assessment reports | ✅ | FortiView provides visual reports |
| Anomalous behavior alerts | ✅ | Application control signature linked alerts |
config log syslogd setting
set status enable
set server "syslog.example.com"
set port 514
end
Configure log filter, export GenAI-related logs only
config log syslogd filter
set filter "subtype app-ctrl AND appcat GenAI"
end</p><h3>5.5 Smart Home and IoT AI Integration</h3><h4>5.5.1 Scenario Description</h4><p>A smart home platform uses a local AI assistant to coordinate various IoT devices. The AI assistant connects to the following through MCP protocol:</p><ul><li>Smart lighting systems</li><li>Thermostat systems</li><li>Security cameras</li><li>Voice assistants</li></ul><p><strong>Security challenges</strong>:</p><ul><li>AI traffic in home networks needs identification</li><li>Prevent malicious AI applications from exploiting IoT device vulnerabilities</li><li>Parental controls need to identify AI interaction content</li></ul><p>Although this is a consumer scenario, FortiOS's enterprise security philosophy equally applies—by enabling AI protocol detection at the network edge, providing additional security safeguards for home users.</p><h2>VI. Security Considerations and Best Practices</h2><h3>6.1 Deployment Strategy Recommendations</h3><h4>6.1.1 Gradual Deployment</h4><p>Given that MCP/A2A protocol detection is a new feature, a gradual deployment strategy is recommended:</p><p><strong>Phase 1: Monitoring Only</strong></p><ul><li>Configure as Monitor/Pass mode</li><li>Only record logs, do not block any traffic</li><li>Collect baseline data, understand AI traffic characteristics within the organization</li></ul><p><strong>Phase 2: Alert-Driven</strong></p><ul><li>Configure alerts for key signatures (such as
Protocol.MCP elevated risk events)</li><li>Security team reviews alerts, adjusts strategies</li></ul><p><strong>Phase 3: Policy Optimization</strong></p><ul><li>Refine policy configuration based on observed patterns</li><li>Consider implementing blocking for specific scenarios</li></ul><h4>6.1.2 Network Segmentation Recommendations</h4><p>It is recommended to deploy AI servers in independent network segments:</p><p>┌─────────────────────────────────────────────────────────┐
│ Network Segmentation Architecture │
├─────────────────────────────────────────────────────────┤
│ │
│ [User Network] ──┬── [FortiGate] ── [AI Server Network]│
│ │ │ │
│ │ └── MCP/A2A Detection │
│ │ └── Log Recording │
│ │ │
│ └── Regular Internet Traffic │
│ │
└─────────────────────────────────────────────────────────┘</p><h3>6.2 Privacy Protection Considerations</h3><h4>6.2.1 Data Minimization</h4><p>When enabling deep inspection, FortiGate will decrypt and inspect AI communication content. Consider:</p><ul><li>Only enable deep inspection for necessary traffic</li><li>Configure automatic masking or exclusion rules for sensitive data</li><li>Clearly inform users about policies that AI communications may be inspected</li></ul><h4>6.2.2 Log Data Protection</h4><p>AI logs may contain sensitive information and need proper protection:</p><ul><li>Restrict permissions for log access</li><li>Configure log encrypted storage</li><li>Regularly clean up expired logs</li></ul><h3>6.3 Performance Optimization</h3><h4>6.3.1 Deep Inspection Performance Impact</h4><p>SSL deep inspection introduces some performance overhead. Recommendations:</p><ul><li>Only enable deep inspection on necessary policies</li><li>Use hardware acceleration (such as FortiGate's SSL acceleration chip)</li><li>Monitor CPU/memory usage to ensure normal business is not affected</li></ul><h4>6.3.2 Log Volume Management</h4><p>After enabling extended logging, log volume may increase significantly:</p><ul><li>Configure log disk space alerts</li><li>Enable automatic log archiving and cleanup</li><li>Consider log sampling or aggregation strategies</li></ul><h3>6.4 Integration with Other Security Functions</h3><h4>6.4.1 Integration with IPS</h4><p>┌─────────────────────────────────────────────────────────┐
│ Security Function Integration Architecture │
├─────────────────────────────────────────────────────────┤
│ │
│ MCP/A2A Detection ──→ Threat ID ──→ IPS Signature Block│
│ │ │
│ ├──→ Risk Assessment ──→ Application Control Block │
│ │ │
│ └──→ Compliance Record ──→ Logs/SIEM │
│ │
└─────────────────────────────────────────────────────────┘</p><h4>6.4.2 Integration with Threat Intelligence</h4><p>Combining AI protocol detection with Fortinet FortiGuard threat intelligence:</p><ul><li>Automatically identify malicious AI servers</li><li>Block known malicious MCP/A2A endpoints</li><li>Receive latest AI threat intelligence updates</li></ul><h2>VII. Summary and Outlook</h2><h3>7.1 Functional Value Summary</h3><p>The MCP/A2A agent protocol support introduced in FortiOS 8.0 marks the formal entry of enterprise network security into the AI-native security era. Core values of this functionality are:</p><p><strong>Improved visibility</strong>: Achieved complete identification and monitoring of AI agent communication protocols at the network layer for the first time, filling the blind spots of traditional security tools.</p><p><strong>Risk identification</strong>: Through signature matching and risk assessment, helps security teams identify anomalous AI behaviors and prevent problems before they occur.</p><p><strong>Compliance support</strong>: Provides technical means for AI activity auditing for regulated industries, meeting increasingly strict AI regulatory requirements.</p><p><strong>Ecosystem integration</strong>: As part of the FortiGate security architecture, can seamlessly integrate with other security functions to provide comprehensive security protection.</p><h3>7.2 Technology Development Trends</h3><p>Looking ahead, AI agent protocol support functionality is expected to develop in the following directions:</p><p><strong>Expanded protocol coverage</strong>: As the AI agent ecosystem evolves, new communication protocols will continue to emerge. Fortinet is expected to continuously expand the GenAI signature database, covering more protocol variants.</p><p><strong>Enhanced detection capabilities</strong>: Developing from current application signature detection toward deeper semantic analysis, such as identifying AI prompt injection attacks (Prompt Injection).</p><p><strong>Automated response</strong>: Combined with SOAR (Security Orchestration, Automation and Response) capabilities, achieving automatic threat response based on AI protocol detection.</p><p><strong>Integration with AI security</strong>: Integrating with enterprise AI governance platforms to unify network layer detection with enterprise AI usage policies.</p><h3>7.3 Implementation Recommendations</h3><p>For enterprises planning to deploy FortiOS 8.0 MCP/A2A detection functionality, recommendations:</p><ol><li><strong>Thorough assessment</strong>: Before deployment, assess AI agent usage within the organization and determine monitoring scope.</li><li><strong>Phased implementation</strong>: Adopt gradual deployment strategy, starting from monitoring mode and gradually transitioning to policy control.</li><li><strong>Team preparation</strong>: Security teams need to understand the basic principles of AI agent protocols to effectively interpret detection results.</li><li><strong>Process optimization</strong>: Establish response processes and responsibility matrix for AI protocol detection events.</li><li><strong>Continuous improvement</strong>: Regularly review the effectiveness of detection policies and continuously optimize based on business development and technology evolution.</li></ol><h3>7.4 Limitations Statement</h3><p>This article's analysis is based on publicly available documentation for FortiOS 8.0.0. Actual functionality may vary depending on specific versions and configurations. For support status of certain advanced features (such as NGFW security policy integration), it is recommended to refer to the latest updates in Fortinet official documentation or consult technical support for confirmation.</p><h2>Appendix: Quick Configuration Reference</h2><h3>A.1 Minimum Configuration (Monitoring Only)</h3><p># 1. Create application control configuration
config application list
edit "GenAI-Monitor"
set extended-log enable
config entries
edit 1
set category 36
set action pass
next
end
next
end
2. Apply to firewall policy
config firewall policy
edit 99
set srcintf "internal"
set dstintf "external"
set action accept
set utm-status enable
set ssl-ssh-profile "deep-inspection"
set application-list "GenAI-Monitor"
next
end</p><h3>A.2 Check GenAI Signature Database Status</h3><p>diagnose autoupdate versions | grep -A 6 GenAI</p><h3>A.3 View AI Protocol Logs</h3><p># View recent MCP/A2A logs
fnsort -l | grep -E "Protocol\.MCP|Protocol\.A2A"
Statistics by AI method
fnsort -l | grep aimethod | awk -F'aimethod=' '{print $2}' | awk '{print $1}' | sort | uniq -c</p><h3>A.4 FortiView AI Application Access</h3><p>GUI path: Dashboard → FortiView → FortiView AI Applications</p>
Why it Matters
AI agents are becoming core components in enterprise production environments, making MCP/A2A protocol visibility and security control essential. Fortinet pioneered incorporating AI agent protocols into enterprise security defense systems, providing critical support for addressing emerging AI workloads.
DECISION
For enterprises that have deployed or plan to deploy AI agent applications, it is recommended to enable FortiOS 8.0's GenAI protocol detection feature, adopt a gradual deployment strategy, start with monitoring as the primary approach, and gradually establish AI traffic baselines and security policies.
PREDICT
As the AI agent ecosystem evolves, the GenAI signature database will continue to expand, covering more protocol variants. Fortinet is expected to continue investing in advanced features such as AI protocol semantic analysis and prompt injection detection.
Get 3-5 key AI infrastructure signals weekly →
💬 Comments (0)