VMware NSX DFW microsegmentation and security: distributed firewall, security groups, tags, traceflow, IDPS
Project description
VMware NSX Security
Author: Wei Zhou, VMware by Broadcom — wei-wz.zhou@broadcom.com

This is a community-driven project by a VMware engineer, not an official VMware product. For official VMware developer tools see developer.broadcom.com.
VMware NSX DFW microsegmentation and security MCP skill — 20 tools for distributed firewall policies/rules, security groups, VM tags, Traceflow packet tracing, and IDPS.
Companion skills: vmware-nsx (networking), vmware-aiops (VM lifecycle), vmware-monitor (monitoring)
Quick Start
```bash
uv tool install vmware-nsx-security
mkdir -p ~/.vmware-nsx-security
cp config.example.yaml ~/.vmware-nsx-security/config.yaml
# Edit config.yaml with your NSX Manager host
echo "VMWARE_NSX_SECURITY_NSX_PROD_PASSWORD=your_password" > ~/.vmware-nsx-security/.env
chmod 600 ~/.vmware-nsx-security/.env
vmware-nsx-security doctor
```
What It Does
| Category | Tools |
|---|---|
| DFW Policy | list, get, create, update, delete, list rules |
| DFW Rules | create, update, delete, stats |
| Security Groups | list, get, create, delete |
| VM Tags | list tags, apply tag |
| Traceflow | run trace, get result |
| IDPS | list profiles, engine status |
Total: 20 MCP tools (10 read-only + 10 write)
MCP Server Setup
Add to ~/.claude.json:
```json
{
  "mcpServers": {
    "vmware-nsx-security": {
      "command": "vmware-nsx-security-mcp",
      "env": {
        "VMWARE_NSX_SECURITY_CONFIG": "~/.vmware-nsx-security/config.yaml"
      }
    }
  }
}
```
Common Workflows
Microsegment an Application
```bash
# 1. Create groups by tag
vmware-nsx-security group create web-vms --name "Web VMs" --tag-scope tier --tag-value web
vmware-nsx-security group create app-vms --name "App VMs" --tag-scope tier --tag-value app
# 2. Create DFW policy
vmware-nsx-security policy create web-app-policy --name "Web to App" --category Application
```
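The two CLI steps above map onto NSX Policy API objects: a Group whose membership is a tag condition, and a SecurityPolicy in the Application category holding the rules. The following added example (not the vmware-nsx-security code) builds those payloads in Python and finishes the policy with an explicit DROP rule, so that only the flows you list are allowed between the tiers. It also carries two review checks a practitioner wants before publishing: that the policy ends in a deny, and that no rule allows ANY to ANY on ANY service. Resource types, field names and the `/infra/domains/default/groups/...` path layout follow the public NSX Policy API; the group and policy IDs, tag values and the `/infra/services/HTTPS` service path are sample values and should be checked against your own NSX Manager.

```python
"""Tag-based microsegmentation payloads for the NSX Policy API.

Added example (not the vmware-nsx-security code). Resource types, field
names and path layout follow the public NSX Policy API; IDs, tags and
service paths used here are constructed sample values.
"""
from typing import Dict, List, Sequence, Tuple

DOMAIN = "/infra/domains/default"  # default policy domain on a single-site NSX

# (src_group_id | "ANY", dst_group_id | "ANY", service paths)
Flow = Tuple[str, str, Sequence[str]]


def group_path(group_id: str) -> str:
    """'ANY' passes through unchanged; anything else becomes a group path."""
    return "ANY" if group_id == "ANY" else f"{DOMAIN}/groups/{group_id}"


def tag_group(group_id: str, display_name: str, scope: str, tag: str) -> Dict:
    """Group whose members are all VMs carrying `tag` in `scope`.
    NSX encodes a tag condition value as "scope|tag"."""
    return {
        "resource_type": "Group",
        "id": group_id,
        "display_name": display_name,
        "expression": [{
            "resource_type": "Condition",
            "member_type": "VirtualMachine",
            "key": "Tag",
            "operator": "EQUALS",
            "value": f"{scope}|{tag}",
        }],
    }


def _rule(rule_id: str, seq: int, src: List[str], dst: List[str],
          services: List[str], action: str) -> Dict:
    return {
        "resource_type": "Rule",
        "id": rule_id,
        "sequence_number": seq,
        "source_groups": src,
        "destination_groups": dst,
        "services": services,
        "action": action,
        "direction": "IN_OUT",
        "scope": ["ANY"],
        "logged": action != "ALLOW",  # log what is dropped, not steady-state allows
    }


def microseg_policy(policy_id: str, display_name: str, flows: List[Flow]) -> Dict:
    """Allow-list policy for one application: one ALLOW rule per permitted
    flow, then a DROP for everything else that reaches the app's groups."""
    app_groups = sorted({g for src, dst, _ in flows for g in (src, dst) if g != "ANY"})
    if not app_groups:
        raise ValueError("at least one flow must name a group")
    rules = []
    for i, (src, dst, services) in enumerate(flows, start=1):
        rules.append(_rule(f"{policy_id}-allow-{i}", i * 10,
                           [group_path(src)], [group_path(dst)], list(services), "ALLOW"))
    rules.append(_rule(f"{policy_id}-default-deny", (len(flows) + 1) * 10,
                       ["ANY"], [group_path(g) for g in app_groups], ["ANY"], "DROP"))
    return {
        "resource_type": "SecurityPolicy",
        "id": policy_id,
        "display_name": display_name,
        "category": "Application",
        "scope": ["ANY"],
        "rules": rules,
    }


def broad_allows(policy: Dict) -> List[str]:
    """IDs of rules that allow ANY -> ANY on ANY service; flag these in review."""
    return [r["id"] for r in policy["rules"]
            if r["action"] == "ALLOW"
            and r["source_groups"] == ["ANY"]
            and r["destination_groups"] == ["ANY"]
            and r["services"] == ["ANY"]]


def ends_with_deny(policy: Dict) -> bool:
    """True when the last rule drops or rejects, i.e. the policy is default-deny."""
    rules = policy["rules"]
    return bool(rules) and rules[-1]["action"] in ("DROP", "REJECT")


if __name__ == "__main__":
    import json
    flows = [("web-vms", "app-vms", ["/infra/services/HTTPS"]),
             ("ANY", "web-vms", ["/infra/services/HTTPS"])]
    print(json.dumps(tag_group("web-vms", "Web VMs", "tier", "web"), indent=2))
    print(json.dumps(microseg_policy("web-app-policy", "Web to App", flows), indent=2))
```

The final DROP rule is scoped to the application's own groups rather than to ANY, so publishing the policy cannot cut off unrelated workloads in the same domain; widen it deliberately, not by default.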
Tag a VM
```bash
# Find VM and its external ID
vmware-nsx-security tag list my-vm-01
# Apply tag using the external ID
vmware-nsx-security tag apply <external-id> --scope tier --value web
```
Trace a Packet
```bash
vmware-nsx-security traceflow run <src-lport-id> \
  --src-ip 10.0.1.5 --dst-ip 10.0.2.10 --proto TCP --dst-port 443
```
Safety
- Dependency checks: Cannot delete a policy with active rules, or a group referenced by DFW rules
- Audit logging: All write ops logged to ~/.vmware-nsx-security/audit.log
- Input validation: IDs validated; all API text sanitized against prompt injection
- Dry-run mode: All CLI write commands support --dry-run
- Credential safety: Passwords only from env vars, never in config files
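The guard rails listed above (and the `chmod 600` on the `.env` file from Quick Start) are the kind of controls worth reimplementing wherever a tool with write access to the DFW is exposed to an LLM client. The following added example (not the vmware-nsx-security source) shows each of them in a stand-alone Python module: an ID validator, a sanitizer for API text, a mode check for the secrets file, a loader that takes the password only from the environment variable the README names, and a dependency-checked delete that records every attempt to an audit trail and honours a dry-run flag. The `Inventory` class is a constructed in-memory stand-in for NSX Manager state, the ID regex is an assumption for this example, and the audit list stands in for the audit.log file.

```python
"""Guard rails of the kind the README's Safety section lists, as a
stand-alone illustration (added example, not the vmware-nsx-security
source). Inventory is an in-memory stand-in for NSX Manager state."""
import re
import stat
import time
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed ID syntax for this example: a URL-safe token. NSX accepts a wider
# character set; the point is to reject path separators and control bytes.
NSX_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
PASSWORD_VAR = "VMWARE_NSX_SECURITY_NSX_PROD_PASSWORD"


class SafetyError(ValueError):
    """Raised when a guard refuses an operation."""


def validate_nsx_id(value: str) -> str:
    """Reject anything that is not a plain identifier before it reaches a URL."""
    if not isinstance(value, str) or not NSX_ID_RE.fullmatch(value):
        raise SafetyError(f"invalid NSX id: {value!r}")
    return value


def sanitize_api_text(text: str, max_len: int = 256) -> str:
    """Strip non-printable characters (escape sequences, embedded newlines)
    and truncate API-returned text before it is handed to an LLM client."""
    return "".join(ch for ch in text if ch.isprintable())[:max_len]


def env_file_mode_ok(mode: int) -> bool:
    """True when a .env file mode grants nothing to group or others (chmod 600)."""
    return stat.S_IMODE(mode) & 0o077 == 0


def load_password(env: Dict[str, str], config: Dict[str, object]) -> str:
    """Passwords come only from the environment; a password-like key in the
    config file is rejected so it cannot end up in version control."""
    if any("password" in key.lower() for key in config):
        raise SafetyError("password keys are not allowed in config.yaml")
    if PASSWORD_VAR not in env:
        raise SafetyError(f"{PASSWORD_VAR} is not set")
    return env[PASSWORD_VAR]


@dataclass
class Inventory:
    """Constructed stand-in for NSX Manager state."""
    policies: Dict[str, List[str]] = field(default_factory=dict)  # policy id -> rule ids
    groups: Dict[str, List[str]] = field(default_factory=dict)    # group id -> referencing rule ids
    audit: List[dict] = field(default_factory=list)               # stands in for audit.log


def _guarded_delete(inv: Inventory, kind: str, table: Dict[str, List[str]],
                    obj_id: str, dry_run: bool) -> str:
    validate_nsx_id(obj_id)
    deps = table.get(obj_id)
    if deps is None:
        raise SafetyError(f"{kind} {obj_id} not found")
    if deps:
        raise SafetyError(f"{kind} {obj_id} still referenced by rules {deps}; refusing to delete")
    # Every write attempt is recorded, dry runs included, before any mutation.
    inv.audit.append({"ts": time.time(), "op": f"delete_{kind}",
                      "target": obj_id, "dry_run": dry_run})
    if dry_run:
        return f"[dry-run] would delete {kind} {obj_id}"
    del table[obj_id]
    return f"deleted {kind} {obj_id}"


def delete_policy(inv: Inventory, policy_id: str, dry_run: bool = False) -> str:
    """Refuses while the policy still has rules."""
    return _guarded_delete(inv, "policy", inv.policies, policy_id, dry_run)


def delete_group(inv: Inventory, group_id: str, dry_run: bool = False) -> str:
    """Refuses while any DFW rule still references the group."""
    return _guarded_delete(inv, "group", inv.groups, group_id, dry_run)


if __name__ == "__main__":
    inv = Inventory(policies={"web-app-policy": ["rule-1"], "stale-policy": []},
                    groups={"web-vms": ["rule-1"]})
    print(delete_policy(inv, "stale-policy", dry_run=True))
    try:
        delete_group(inv, "web-vms")
    except SafetyError as exc:
        print("refused:", exc)
```

Note the ordering inside `_guarded_delete`: validation and the dependency check run before the audit entry is written, and the audit entry is written before the mutation, so a crash between the two leaves a record of intent rather than an unexplained deletion.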
Companion Skills
| Skill | Scope | Tools | Install |
|---|---|---|---|
| vmware-aiops ⭐ entry point | VM lifecycle, deployment, guest ops, clusters | 31 | uv tool install vmware-aiops |
| vmware-monitor | Read-only monitoring, alarms, events, VM info | 8 | uv tool install vmware-monitor |
| vmware-nsx | NSX networking: segments, gateways, NAT, IPAM | 31 | uv tool install vmware-nsx-mgmt |
| vmware-storage | Datastores, iSCSI, vSAN | 11 | uv tool install vmware-storage |
| vmware-vks | Tanzu Namespaces, TKC cluster lifecycle | 20 | uv tool install vmware-vks |
| vmware-aria | Aria Ops metrics, alerts, capacity planning | 18 | uv tool install vmware-aria |
License
MIT
Download files
File details
Details for the file vmware_nsx_security-1.5.5.tar.gz.
File metadata
- Download URL: vmware_nsx_security-1.5.5.tar.gz
- Upload date:
- Size: 94.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.0 {"installer":{"name":"uv","version":"0.10.0","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | bf0f89073703ca3ce8df12752f48eba78e6b23820af8fcc40231a1c194a8f7d0 |
| MD5 | 5f10a25a66da4fdc906c43274a64fbc4 |
| BLAKE2b-256 | de50dc25e7f87d758565f30f44434337dec7b8bea48003ba7d470092a2378bdb |
File details
Details for the file vmware_nsx_security-1.5.5-py3-none-any.whl.
File metadata
- Download URL: vmware_nsx_security-1.5.5-py3-none-any.whl
- Upload date:
- Size: 34.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.0 {"installer":{"name":"uv","version":"0.10.0","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 3969b20bd3d5f37d789fa7fd70acc913fb7614bc2d283a60cf67e9b0b461bbf6 |
| MD5 | 6534421ef4f655ee54e1a650e65d26e9 |
| BLAKE2b-256 | f2c174fa9c826d0844fa012384901ee3b83348beb1106ce3e1b3b39122b9f283 |