A NetBox plugin for documenting network security policy: rulebooks, zones, and NSM object links
Project description
netbox-nsm
NetBox plugin for security policy documentation (zones, rulebooks, object links).
No firewall push — inventory and policy only.
⚠️ Work in progress — Not recommended for production use yet. Breaking changes possible (e.g. 0.4.5 permission migration).
Status: NetBox: 4.5–4.6 · Plugin: 0.4.9 · Requires: netbox-custom-objects
Features
- Security Panel on prefix, IP, device, VM, custom objects — `+ Assign` for zones, addresses, …
- Bundles — deploy NSM schema and demo data from JSON bundles (Security → Configuration → Bundles)
- Type Metadata — per-COT settings (`nsm_config` in type comments): role, display template, sort order
- Rulebooks with flexible columns (zones, addresses, labels, …)
- Rules — table, row grouping, grouped columns, zone matrix; Export JSON (bundle-compatible, re-import via Bundles)
- IP Analyzer — address resolution via the IP Analyzer applet on rule pages (loupe icon)
- Object Analyzer — graph from any NetBox object
- Object Report — daily background audit of NSM addresses/groups; TOML export
Navigation
| Group | Items |
|---|---|
| Configuration | Bundles, Type Metadata, Object Report |
| Rulebooks | Rulebooks (+ Add) |
| Analysis | Object Analyzer |
Screenshots
Bundles — apply nsm_schema first, then optional demo bundles:
Type Metadata — nsm_config per COT type (role, display template, sort order):
Object Report — daily address/group audit with TOML export:
Rulebooks — list and detail (fields, enforcement targets):
Rules — row grouping, grouped columns, Export JSON:
Zone matrix — permit/deny between zones:
IP Analyzer — destination tree with merge/diff:
Installation
```
pip install netbox-nsm
```

```python
PLUGINS = ["netbox_custom_objects", "netbox_nsm"]
PLUGINS_CONFIG = {
    "netbox_nsm": {
        "menu_label": "Security",
        "panel_label": "Security",
        "setup_menu": True,
        "setup_allow_destructive_actions": True,  # demos only; disable in prod
        # Optional: Jinja2 address naming — see docs/address_name_templates.md
        # "address_name_templates": [
        #     {"template": "h-{ipam>ip}", "match": "host"},
        #     {"template": "n-{ipam>prefix>network}-{ipam>prefix>cidr}", "match": "prefix"},
        # ],
    },
}
```

```
./manage.py migrate netbox_custom_objects --no-input
./manage.py migrate netbox_nsm --no-input
```
First run
- Security → Configuration → Bundles — Apply `nsm_schema` (required; imports built-in `nsm_*` COT types and writes `nsm_config` into each type's comments).
- Optional demo bundles: RB Demo Zone Matrix, RB Demo Zone/Address (Preview → Apply).
- Open a prefix → Security tab → `+ Assign` → zone.
- Rulebooks under Security → Rulebooks.
Details: docs/using_netbox_nsm.md
Rules export / import
On a rulebook Rules tab, Export JSON downloads all rules matching the current filters (not just the visible page) as a bundle-compatible JSON document (objects[].records[] with portable refs like nsm_zone/zone_01). Import the file via Security → Configuration → Bundles (objects seeding).
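A pre-import sanity check for such an export, added here as an example and not part of the plugin: it walks `objects[].records[]`, treats every string shaped like `nsm_zone/zone_01` as a portable ref, and reports refs that neither the bundle itself nor the target NetBox (passed in as `known`) can resolve. The field names `type`, `ref`, `src_zone`, `dst_zone` and `action` in the constructed sample are assumptions; only the `objects[].records[]` layout and the ref shape come from the README.

```python
import re

# Portable refs on the page look like "nsm_zone/zone_01": <nsm_* type>/<key>.
REF_RE = re.compile(r"^nsm_[a-z_]+/[A-Za-z0-9_.-]+$")

# Constructed sample export (already JSON-parsed). Only objects[].records[] and the
# ref shape come from the README; "type", "ref", "src_zone", "dst_zone" are assumed.
SAMPLE_EXPORT = {
    "objects": [
        {"type": "nsm_zone", "records": [
            {"ref": "nsm_zone/zone_01", "name": "dmz"},
        ]},
        {"type": "nsm_rule", "records": [
            {"ref": "nsm_rule/rule_0001", "src_zone": "nsm_zone/zone_01",
             "dst_zone": "nsm_zone/zone_02", "action": "permit"},
            {"ref": "nsm_rule/rule_0002", "src_zone": "nsm_zone/zone_01",
             "dst_zone": "nsm_zone/zone_99", "action": "deny"},
        ]},
    ]
}

def iter_refs(value):
    """Yield every string nested anywhere in value that is shaped like a ref."""
    if isinstance(value, str):
        if REF_RE.match(value):
            yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from iter_refs(v)
    elif isinstance(value, list):
        for v in value:
            yield from iter_refs(v)

def defined_refs(bundle):
    """Refs that records inside this bundle declare themselves."""
    return {rec["ref"] for obj in bundle.get("objects", [])
            for rec in obj.get("records", []) if "ref" in rec}

def dangling_refs(bundle, known=frozenset()):
    """Sorted (record_ref, unresolved_ref) pairs. A ref resolves if a record in the
    bundle declares it or it is in `known` (refs already in the target NetBox)."""
    resolvable = defined_refs(bundle) | set(known)
    missing = set()
    for obj in bundle.get("objects", []):
        for rec in obj.get("records", []):
            fields = {k: v for k, v in rec.items() if k != "ref"}
            for target in iter_refs(fields):
                if target not in resolvable:
                    missing.add((rec.get("ref", "<no ref>"), target))
    return sorted(missing)
```

Because a filtered rules export need not carry the zones it points at, pass the refs already present in the target instance (for example the zones seeded by `nsm_schema`) as `known`, otherwise every zone ref is reported.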
API
/api/plugins/netbox-nsm/ — nsm-configs/<slug>/, object-links/, ip-analyzer/
Rules and policy objects: netbox-custom-objects API.
Demos
| Demo | Where | Notes |
|---|---|---|
| NSM Schema | Bundles → nsm_schema | Required base import (types, choice sets, seed objects, metadata) |
| RB Demo Zone Matrix | Bundles → nsm_demo_zone_matrix | 30×30 zone matrix, 900 rules |
| RB Demo Zone/Address | Bundles → nsm_demo_zone_address_adressgroup | Zones, addresses, groups, 500 rules |
| Starter / Enterprise DC | Legacy setup flows | See docs/using_netbox_nsm.md |
Documentation
| File | Topic |
|---|---|
| docs/using_netbox_nsm.md | Operations |
| docs/DATABASE.md | PostgreSQL tables |
| docs/RULE_DATA_STORAGE.md | UI vs DB data model |
| docs/object_report.md | Daily object report: job, checks, scaling |
| ARCHITECTURE.md | Code (developers) |
| CHANGELOG.md | Versions |
License
Download files
File details
Details for the file netbox_nsm-0.4.9.tar.gz.
File metadata
- Download URL: netbox_nsm-0.4.9.tar.gz
- Upload date:
- Size: 515.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 7ac90154902b39fc40f2376b6e51e0c12a951c03e9afb40a5dbd452d3e0a7f29 |
| MD5 | 132b68850a75a6f685f1fb5f8c03a137 |
| BLAKE2b-256 | 6edad7d56d3ed29d61ca20ad5bd2d93ff1e319b6c84b47381215efa6ee181cd5 |
Provenance
The following attestation bundles were made for netbox_nsm-0.4.9.tar.gz:
Publisher: publish.yml on christianbur/netbox-nsm
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: netbox_nsm-0.4.9.tar.gz
- Subject digest: 7ac90154902b39fc40f2376b6e51e0c12a951c03e9afb40a5dbd452d3e0a7f29
- Sigstore transparency entry: 2044507097
- Sigstore integration time:
- Permalink: christianbur/netbox-nsm@b22de08af204dc1922512244cec1c3a3c8c6ccd9
- Branch / Tag: refs/tags/v0.4.9
- Owner: https://github.com/christianbur
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@b22de08af204dc1922512244cec1c3a3c8c6ccd9
- Trigger Event: release
File details
Details for the file netbox_nsm-0.4.9-py3-none-any.whl.
File metadata
- Download URL: netbox_nsm-0.4.9-py3-none-any.whl
- Upload date:
- Size: 674.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 0bf6c0b71f777534b2591e1c0f0c7d4118d752541d17b6e2f6c51bb15a024559 |
| MD5 | 144025937fae6bddeb1fc069e81e087c |
| BLAKE2b-256 | 2e914ac1b1ff907bfa67fab0f160da90667f4f563d259c1fe85f7705e3922af4 |
Provenance
The following attestation bundles were made for netbox_nsm-0.4.9-py3-none-any.whl:
Publisher: publish.yml on christianbur/netbox-nsm
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: netbox_nsm-0.4.9-py3-none-any.whl
- Subject digest: 0bf6c0b71f777534b2591e1c0f0c7d4118d752541d17b6e2f6c51bb15a024559
- Sigstore transparency entry: 2044507125
- Sigstore integration time:
- Permalink: christianbur/netbox-nsm@b22de08af204dc1922512244cec1c3a3c8c6ccd9
- Branch / Tag: refs/tags/v0.4.9
- Owner: https://github.com/christianbur
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@b22de08af204dc1922512244cec1c3a3c8c6ccd9
- Trigger Event: release