
A NetBox plugin for documenting network security policy: rulebooks, zones, and NSM object links

Project description

netbox-nsm

NetBox plugin for security policy documentation (zones, rulebooks, object links).
No firewall push — inventory and policy only.

⚠️ Work in progress — Not recommended for production use yet. Breaking changes possible (e.g. 0.4.5 permission migration).

Status: NetBox: 4.5–4.6 · Plugin: 0.4.9 · Requires: netbox-custom-objects

Features

  • Security Panel on prefix, IP, device, VM, custom objects — + Assign for zones, addresses, …
  • Bundles — deploy NSM schema and demo data from JSON bundles (Security → Configuration → Bundles)
  • Type Metadata — per-COT settings (nsm_config in type comments): role, display template, sort order
  • Rulebooks with flexible columns (zones, addresses, labels, …)
  • Rules — table, row grouping, grouped columns, zone matrix; Export JSON (bundle-compatible, re-import via Bundles)
  • IP Analyzer — address resolution via the IP Analyzer applet on rule pages (loupe icon)
  • Object Analyzer — graph from any NetBox object
  • Object Report — daily background audit of NSM addresses/groups; TOML export

Navigation

Group | Items
Configuration | Bundles, Type Metadata, Object Report
Rulebooks | Rulebooks (+ Add)
Analysis | Object Analyzer

Screenshots

  • Bundles — apply nsm_schema first, then optional demo bundles
  • Type Metadata — nsm_config per COT type (role, display template, sort order)
  • Object Report — daily address/group audit with TOML export
  • Rulebooks — list and detail (fields, enforcement targets)
  • Rules — row grouping, grouped columns, Export JSON (screenshot: Rules by zone)
  • Zone matrix — permit/deny between zones
  • IP Analyzer — destination tree with merge/diff

Installation

Install the package:

pip install netbox-nsm

Enable both plugins in NetBox's configuration.py:

PLUGINS = ["netbox_custom_objects", "netbox_nsm"]

PLUGINS_CONFIG = {
    "netbox_nsm": {
        "menu_label": "Security",
        "panel_label": "Security",
        "setup_menu": True,
        "setup_allow_destructive_actions": True,  # demos only; disable in prod
        # Optional: Jinja2 address naming — see docs/address_name_templates.md
        # "address_name_templates": [
        #     {"template": "h-{ipam>ip}", "match": "host"},
        #     {"template": "n-{ipam>prefix>network}-{ipam>prefix>cidr}", "match": "prefix"},
        # ],
    },
}

Run the migrations:

./manage.py migrate netbox_custom_objects --no-input
./manage.py migrate netbox_nsm --no-input
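
The install snippet above ships with setup_allow_destructive_actions set to True and a comment to disable it in production. The following check is an added example, not code from the netbox-nsm project: it audits a PLUGINS / PLUGINS_CONFIG pair before deployment. The function name, the finding strings and the production flag are assumptions; only the setting names come from this page.

```python
# Added example: pre-deployment audit of the netbox-nsm settings shown on this page.
# audit_nsm_settings and its finding strings are hypothetical names.

def audit_nsm_settings(plugins, plugins_config, production=True):
    """Return a list of findings for a NetBox PLUGINS / PLUGINS_CONFIG pair."""
    if "netbox_nsm" not in plugins:
        return ["netbox_nsm is not enabled in PLUGINS"]

    findings = []
    # The page lists netbox-custom-objects as a requirement of the plugin.
    if "netbox_custom_objects" not in plugins:
        findings.append("netbox_custom_objects missing from PLUGINS")

    nsm = plugins_config.get("netbox_nsm", {})
    if production:
        flag = nsm.get("setup_allow_destructive_actions")
        if flag is None:
            # The page does not state the default, so require an explicit value.
            findings.append("setup_allow_destructive_actions not set explicitly")
        elif flag:
            findings.append("setup_allow_destructive_actions is enabled in production")
    return findings


# Constructed sample: the demo configuration from the install snippet.
DEMO_PLUGINS = ["netbox_custom_objects", "netbox_nsm"]
DEMO_CONFIG = {
    "netbox_nsm": {
        "menu_label": "Security",
        "panel_label": "Security",
        "setup_menu": True,
        "setup_allow_destructive_actions": True,
    }
}

# Constructed sample: the same configuration with destructive actions turned off.
PROD_CONFIG = {
    "netbox_nsm": {**DEMO_CONFIG["netbox_nsm"],
                   "setup_allow_destructive_actions": False}
}

if __name__ == "__main__":
    for name, cfg in (("demo", DEMO_CONFIG), ("prod", PROD_CONFIG)):
        print(name, audit_nsm_settings(DEMO_PLUGINS, cfg) or "ok")
```
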

First run

  1. Security → Configuration → Bundles: Apply nsm_schema (required; imports built-in nsm_* COT types and writes nsm_config into each type's comments).
  2. Optional demo bundles: RB Demo Zone Matrix, RB Demo Zone/Address (Preview → Apply).
  3. Open a prefix → Security tab → + Assign → zone.
  4. Rulebooks under Security → Rulebooks.

Details: docs/using_netbox_nsm.md

Rules export / import

On a rulebook Rules tab, Export JSON downloads all rules matching the current filters (not just the visible page) as a bundle-compatible JSON document (objects[].records[] with portable refs like nsm_zone/zone_01). Import the file via Security → Configuration → Bundles (objects seeding).

API

/api/plugins/netbox-nsm/nsm-configs/<slug>/, object-links/, ip-analyzer/
Rules and policy objects: netbox-custom-objects API.

Demos

Demo | Where | Notes
NSM Schema | Bundles → nsm_schema | Required base import (types, choice sets, seed objects, metadata)
RB Demo Zone Matrix | Bundles → nsm_demo_zone_matrix | 30×30 zone matrix, 900 rules
RB Demo Zone/Address | Bundles → nsm_demo_zone_address_adressgroup | Zones, addresses, groups, 500 rules
Starter / Enterprise DC | Legacy setup flows | See docs/using_netbox_nsm.md

Documentation

File | Topic
docs/using_netbox_nsm.md | Operations
docs/DATABASE.md | PostgreSQL tables
docs/RULE_DATA_STORAGE.md | UI vs DB data model
docs/object_report.md | Daily object report: job, checks, scaling
ARCHITECTURE.md | Code (developers)
CHANGELOG.md | Versions

License

LICENSE


Download files


Source Distribution

netbox_nsm-0.4.9.tar.gz (515.1 kB view details)

Uploaded Source

Built Distribution


netbox_nsm-0.4.9-py3-none-any.whl (674.0 kB view details)

Uploaded Python 3

File details

Details for the file netbox_nsm-0.4.9.tar.gz.

File metadata

  • Download URL: netbox_nsm-0.4.9.tar.gz
  • Upload date:
  • Size: 515.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for netbox_nsm-0.4.9.tar.gz
Algorithm Hash digest
SHA256 7ac90154902b39fc40f2376b6e51e0c12a951c03e9afb40a5dbd452d3e0a7f29
MD5 132b68850a75a6f685f1fb5f8c03a137
BLAKE2b-256 6edad7d56d3ed29d61ca20ad5bd2d93ff1e319b6c84b47381215efa6ee181cd5


Provenance

The following attestation bundles were made for netbox_nsm-0.4.9.tar.gz:

Publisher: publish.yml on christianbur/netbox-nsm

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file netbox_nsm-0.4.9-py3-none-any.whl.

File metadata

  • Download URL: netbox_nsm-0.4.9-py3-none-any.whl
  • Upload date:
  • Size: 674.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for netbox_nsm-0.4.9-py3-none-any.whl
Algorithm Hash digest
SHA256 0bf6c0b71f777534b2591e1c0f0c7d4118d752541d17b6e2f6c51bb15a024559
MD5 144025937fae6bddeb1fc069e81e087c
BLAKE2b-256 2e914ac1b1ff907bfa67fab0f160da90667f4f563d259c1fe85f7705e3922af4


Provenance

The following attestation bundles were made for netbox_nsm-0.4.9-py3-none-any.whl:

Publisher: publish.yml on christianbur/netbox-nsm

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
