
A NetBox plugin for network security management, including object groups and security policies

Project description

netbox-nsm

Network Security Management for NetBox

Document zones, firewall rules, and object relationships — vendor-agnostic, inside your existing IPAM and DCIM inventory.


Full user guide · Using netbox-nsm · Architecture · Database · Changelog

Work in progress — not for production use.
netbox-nsm is a documentation plugin. It does not push rules to firewalls or replace Tufin, AlgoSec, or similar tools.


At a glance

Security Panel    Injected on every Prefix, IP, Device, VM, and Custom Object — assign zones, addresses, labels; see policy impact instantly
Rulebooks         Flexible column layout: zone-based, address-based, label-based, or mixed — side by side in one NetBox
Policy grid       AG Grid Community — Table / Group / Matrix views, filter syntax, staged load (50k+ rules). See Rules grid.
Zone matrix       AG Grid Community — source × destination heatmap
IP Analysis       Compare IP resolution across objects in two columns — with CSV export
Object Analyzer   @xyflow/react graph from any NetBox object to zones, links, and rulebooks

Why netbox-nsm?

Your network inventory already lives in NetBox. Security policy should live there too — not in spreadsheets or siloed tools.

  • One source of truth — link a prefix to prod, a VM to an app zone, a device NIC to both
  • Any object type — rule columns and Security Panel use TypeConfig; missing types? Create a Custom Object Type, then bind it in NSM
  • Any vendor style — Palo Alto zones, AWS address groups, Illumio labels — each in its own Rulebook
  • Bidirectional visibility — open a zone and see every prefix, VM, and rule that references it
  • Audit-friendly — Journal and Changelog on rules, links, and configuration

Security Panel — the hub

The Security Panel is the core workflow for NSM. From any NetBox object detail page, use + Assign to open the Assign Link page — pick an NSM type, set Direct or Inherit to IPAM children, and create the ObjectLink.

Macro vs. micro zones — a single interface can carry multiple zone links:

Layer        Example                  Purpose
Macro zone   prod                     Datacenter segment, environment, TrustSec macro-segment
Micro zone   app-payroll, web-tier    Application or tier within the macro segment

A device NIC might be in prod and in a dedicated app zone — both visible in the Security Panel without duplicating IPAM data.

Screenshots:

  • Prefix Security Panel — direct and inherited zones: Prefix 10.1.0.0/16 has prod direct and trust inherited from 10.0.0.0/8
  • Assign Link — Direct vs Inherit to IPAM children: choose Inherit to IPAM children for macro zones on parent prefixes
  • Zone Security Panel — reverse view of zone prod: rulebooks, prefixes, groups, VMs (expandable rule tree)

Security Panel deep dive →
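To make the Direct vs Inherit to IPAM children distinction concrete, here is an added example that is not the plugin's own code: it resolves the zones an IPAM prefix or IP would see in its Security Panel and gives the reverse view of a zone. The ObjectLink stand-in and its fields (prefix, zone, inherit) are a constructed assumption about the plugin's model, and the sample links mirror the 10.0.0.0/8 trust and 10.1.0.0/16 prod screenshot above.

```python
from dataclasses import dataclass
from ipaddress import ip_interface, ip_network


@dataclass(frozen=True)
class ObjectLink:
    """Constructed stand-in for an NSM ObjectLink on an IPAM prefix (assumed shape)."""
    prefix: str     # IPAM prefix the zone was assigned on
    zone: str       # NSM zone name, e.g. "prod" or "trust"
    inherit: bool   # True = "Inherit to IPAM children", False = "Direct" only


# Constructed sample links mirroring the README screenshot: trust is a macro
# zone on 10.0.0.0/8 that inherits; prod is a direct link on 10.1.0.0/16.
SAMPLE_LINKS = [
    ObjectLink("10.0.0.0/8", "trust", inherit=True),
    ObjectLink("10.1.0.0/16", "prod", inherit=False),
    ObjectLink("10.2.0.0/16", "lab", inherit=False),   # direct: children see nothing
]


def _as_network(target):
    """A bare IP, or 'a.b.c.d/n' with host bits set, is a host; otherwise a prefix."""
    iface = ip_interface(target)
    if int(iface.ip) != int(iface.network.network_address) or iface.network.num_addresses == 1:
        return ip_network(str(iface.ip))
    return iface.network


def effective_zones(target, links=SAMPLE_LINKS):
    """Zones a prefix/IP sees in its Security Panel: "direct" for links on the
    object itself, "inherited from <prefix>" for inherit-enabled links on an
    enclosing parent (most specific parent wins; direct beats inherited)."""
    net = _as_network(target)
    result, best = {}, {}
    for link in links:
        lnet = ip_network(link.prefix)
        if lnet.version != net.version:
            continue
        if lnet == net:
            result[link.zone], best[link.zone] = "direct", 999
        elif link.inherit and net.subnet_of(lnet) and best.get(link.zone, -1) < lnet.prefixlen:
            result[link.zone] = f"inherited from {link.prefix}"
            best[link.zone] = lnet.prefixlen
    return result


def zone_members(zone, candidates, links=SAMPLE_LINKS):
    """Reverse view of a zone: every candidate prefix/IP that sees it."""
    return [c for c in candidates if zone in effective_zones(c, links)]
```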

Extend with your own object types

NSM is not limited to the seven built-in types (Zones, Addresses, …):

  1. Need a new security object class? Define it in netbox-custom-objects (schema, fields, UI).
  2. Register it in NSM under Security → Type Config → + Add: pick the ContentType, set matching class, panel slugs, display template, and which NetBox objects may link it (Linkable in panel).
  3. Use everywhere — add the TypeConfig to Rulebook → Fields (rule columns + picker) and assign instances from any allowed host object via + Assign in the Security Panel.

Rule columns reference TypeConfig records, not hard-coded COT names — so custom and native NetBox types share the same pipeline once configured.

Full guide: extending NSM →


Screenshots

Current demo environment (2026-06). Full walkthrough: Using netbox-nsm · Documentation home

  • Setup wizard — four sections, idempotent imports
  • Type Config list — matching class, panel slugs, linkable types
  • Type Config detail — Zones example
  • Rulebook list — All Rules + named rulebooks
  • Rulebook detail — Enterprise TrustSec Core, field hierarchy
  • Policy grid (AG Grid) — grouping, filter query, pills
  • Add rule — Source / Destination / Service / Action tabs
  • Zone matrix — directed Permit/Deny
  • Matrix filters — corner query (dmz OR mgmt)
  • Custom Object Types — seven built-in NSM COTs
  • Prefix Security Panel — direct and inherited zones
  • Assign Link — Direct vs Inherit to IPAM children
  • Zone detail — reverse view, expandable rulebook tree
  • IP Analysis — two columns, CSV path export
  • Object Analyzer — xyflow graph from any NetBox object

Quick start

1. Install

pip install netbox-nsm

# configuration.py
PLUGINS = [
    "netbox_custom_objects",   # required
    "netbox_nsm",
]

./manage.py migrate netbox_custom_objects --no-input
./manage.py migrate netbox_nsm --no-input

2. Setup wizard

Security → Configuration → Setup — run sections 1 → 2 → 3 in order:

#   Section              Action
1   Menu & panel title   Labels for sidebar and Security card
2   Custom Objects       Add all Custom Object Types (7 built-in COTs)
3   TypeConfig           Add all TypeConfigs (matching, panels, display)
4   Demo                 Starter demo (recommended) — or Enterprise DC when the IP database is empty

3. First links

Open any Prefix → Security Panel → + Assign → pick a Zone.
Open the Zone object → see the reverse view (prefixes, VMs, matching rules).

4. First rulebook

Security → Rulebooks → + Add — or run the Starter demo from Setup (Section 4) for ready-made sample rulebooks.


Configuration

PLUGINS_CONFIG = {
    "netbox_nsm": {
        "top_level_menu": True,              # Security top-level menu
        "setup_menu": True,                  # Setup under Configuration
        "setup_allow_destructive_actions": True,  # Demo imports (disable in prod)
        "assignments_menu": False,           # Rulebook Assignments menu entry
        "menu_label": "Security",
        "panel_label": "Security",
    }
}

Restart NetBox after changes.


Feature map

Custom Object Types — zones, addresses, labels, services, actions, apps

Seven built-in types via Setup Section 2. Managed under Custom Objects → NSM.


Custom Object Types →

Type Config — matching class, display template, panel slugs

Links each ContentType to NSM (built-in COTs or your own Custom Object Types): matching class, display template, panel sections, and Linkable in panel. Required before a type can appear in Rulebook fields or + Assign.


Type Configs → · Extend with custom types →

Rulebooks & rules — flexible columns, All Rules view, rule editor
  • All Rules (/rulebooks/0/) — read-only aggregate across all rulebooks
  • Rulebook detail — configurable field hierarchy (zone-based, address-based, …)
  • Rules tab — AG Grid with Table / Group / Matrix views, filter syntax, staged load — Rules grid
  • Add rule — Source / Destination / Service / Action tabs with object picker


Security Rulebooks →

Zone matrix — source × destination, directed / undirected


Corner filters (dmz OR mgmt), diagonal self-cells, axis limit 250 zones.

Zone Matrix →

IP Analysis — two-column IP resolution + CSV paths

Security → Analysis → IP Analysis


Add objects per column, Analyze, copy CSV paths from the tree.

IP Analysis →

Object Analyzer — explore links and rulebooks from any object

Security → Analysis → Demo – Object Analyzer

Pick Device, VM, IP, Prefix, or Zone → Analyse → expand the graph.

Object Analyzer →


REST API

Base path: /api/plugins/netbox-nsm/

Endpoint                        Model
object-links/                   ObjectLink
type-configs/                   TypeConfig
rulebooks/                      Rulebook
rules/                          Rule
security-policy-assignments/    RulebookAssignment

Portable schema: POST /api/plugins/custom-objects/schema/apply/ with bundled nsm_portable_schema.json.

REST API reference →


Demo data

After Setup sections 1–3, use Section 4 (Demo) to load sample rulebooks. Requires setup_allow_destructive_actions: True in PLUGINS_CONFIG.

Starter demo (recommended)

The Starter demo is the primary entry point for exploring netbox-nsm. It runs synchronously in the browser (no RQ worker) and is always available at Security → Configuration → Setup → Demo → Create once section 3 is complete.

Created              Details
Prerequisites        Imports built-in Custom Object Types and TypeConfigs if missing; seeds default zones (trust, untrust, dmz, mgmt), actions (Permit, Deny), and services (HTTPS, SSH)
Demo - Zone Matrix   Zone-based rulebook with six example rules — use it for the Rules grid, grouping, and Zone matrix
Demo - Addresses     Address-based rulebook layout (zones + addresses in source/destination columns) — schema only, no pre-filled rules

Typical workflow: run Starter demo → open Security → Rulebooks → Demo - Zone Matrix → switch Table / Group / Matrix views → assign zones from any Prefix via the Security Panel.

Step-by-step matrix walkthrough: Demo - Zone Matrix example in the user guide.

Other demos

Demo                          Availability
Enterprise DC                 Visible in Setup; full DC scenario (DCIM + IPAM + 11 rulebooks, ~30–60 s). Disabled when IP addresses already exist
Scale test / Addresses demo   Not shown in the Setup UI — high-volume performance tests (~12k / ~6k rules, background RQ queue, ~1–2 min). CLI scripts under scripts/ if needed

Compatibility

NetBox   Plugin
4.5+     0.2.x

Third-party UI libraries

NSM embeds two open-source front-end libraries for interactive views:

Library                      Used for                                 Version   License   Delivery
AG Grid Community            Rules tab, All Rules grid, Zone Matrix   33.2.4    MIT       Vendored under netbox_nsm/plugin_assets/vendor/ag-grid-community/ (offline, no Enterprise features)
@xyflow/react (React Flow)   Object Analyzer graph                    12.x      MIT       Loaded from esm.sh on the Object Analyzer page only

Only AG Grid Community (MIT) is bundled — not AG Grid Enterprise (commercial).
The plugin itself is MIT licensed; third-party notices above apply to the embedded UI components.


License

See LICENSE.

Download files


Source Distribution

netbox_nsm-0.2.0.tar.gz (500.3 kB)

Uploaded Source

Built Distribution


netbox_nsm-0.2.0-py3-none-any.whl (623.0 kB)

Uploaded Python 3

File details

Details for the file netbox_nsm-0.2.0.tar.gz.

File metadata

  • Download URL: netbox_nsm-0.2.0.tar.gz
  • Upload date:
  • Size: 500.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for netbox_nsm-0.2.0.tar.gz
Algorithm     Hash digest
SHA256        7c6c03f723723e2a999d7887ce5cf86e879f215e18db8cb81f1472bd072e81cf
MD5           b6cf679c5e18f3d55bcc057bfab3466a
BLAKE2b-256   fb315f0c1d5dd2a8f84fa09df93f5b5f595011b3190bac6f767fc8b05e9d702e


Provenance

The following attestation bundles were made for netbox_nsm-0.2.0.tar.gz:

Publisher: publish.yml on christianbur/netbox-nsm

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file netbox_nsm-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: netbox_nsm-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 623.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for netbox_nsm-0.2.0-py3-none-any.whl
Algorithm     Hash digest
SHA256        44923c45f76459a72fa7bfe62e2c85c3bc24ca013cd48ae3a6f32d5086ff3a75
MD5           8692ff5b1772bc40c86bff6040b7ae66
BLAKE2b-256   3181de5e498e74328072cc0a5c91241c680e65a5825db4eeab6b32b07959cfcc


Provenance

The following attestation bundles were made for netbox_nsm-0.2.0-py3-none-any.whl:

Publisher: publish.yml on christianbur/netbox-nsm

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
