VMware-NSX-Security

zw008/VMware-NSX-Security

Summary

[![zw008/vmware-nsx-security MCP server](https://glama.ai/mcp/servers/zw008/vmware-nsx-security/badges/score.svg)](https://glama.ai/mcp/servers/zw008/vmware-nsx-security)

🐍 ☁️ - VMware NSX security — Distributed Firewall policies/rules, Security Groups,...

README.md

<!-- mcp-name: io.github.zw008/vmware-nsx-security -->

VMware NSX Security

Author: Wei Zhou, VMware by Broadcom — wei-wz.zhou@broadcom.com. This is a community-driven project by a VMware engineer, not an official VMware product. For official VMware developer tools see developer.broadcom.com.

VMware NSX DFW microsegmentation and security MCP skill — 21 tools for distributed firewall policies/rules, security groups, VM tags, Traceflow packet tracing, and IDPS.

Companion skills: vmware-nsx (networking), vmware-aiops (VM lifecycle), vmware-monitor (monitoring)

Quick Start

```bash
uv tool install vmware-nsx-security

mkdir -p ~/.vmware-nsx-security
cp config.example.yaml ~/.vmware-nsx-security/config.yaml
# Edit config.yaml with your NSX Manager host

echo "VMWARE_NSX_SECURITY_NSX_PROD_PASSWORD=your_password" > ~/.vmware-nsx-security/.env
chmod 600 ~/.vmware-nsx-security/.env

vmware-nsx-security doctor
```

What It Does

| Category | Tools |
|----------|-------|
| DFW Policy | list, get, create, update, delete, list rules |
| DFW Rules | create, update, delete, stats |
| Security Groups | list, get, create, delete |
| VM Tags | list tags, apply tag, remove tag |
| Traceflow | run trace, get result |
| IDPS | list profiles, signature status + settings |

Total: 21 MCP tools (10 read-only + 11 write)

MCP Server Setup

After `uv tool install vmware-nsx-security`, start the MCP server with one command (v1.5.15+):

```bash
# Recommended — single command, no network re-resolve
vmware-nsx-security mcp

# With a custom config path
VMWARE_NSX_SECURITY_CONFIG=/path/to/config.yaml vmware-nsx-security mcp
```

Add to ~/.claude.json:

```json
{
  "mcpServers": {
    "vmware-nsx-security": {
      "command": "vmware-nsx-security",
      "args": ["mcp"],
      "env": {
        "VMWARE_NSX_SECURITY_CONFIG": "~/.vmware-nsx-security/config.yaml"
      }
    }
  }
}
```

<details> <summary>Alternative: uvx (no install) or legacy entry point</summary>

```bash
# Run without installing (requires PyPI access each launch)
uvx --from vmware-nsx-security vmware-nsx-security mcp

# Legacy entry point (still works, kept for backward compatibility)
vmware-nsx-security-mcp
```

Behind a corporate TLS proxy? `uvx` may fail with `invalid peer certificate: UnknownIssuer`. Use the recommended `vmware-nsx-security mcp` form above (no network needed), or set `UV_NATIVE_TLS=true`.

</details>

Common Workflows

Microsegment an Application

```bash
# 1. Create groups by tag — via the create_group MCP tool
#    (tag_scope=tier, tag_value=web → matched as Condition value "tier|web";
#     multiple criteria types — tag/IP/segment — are ORed)

# 2. Create DFW policy
vmware-nsx-security policy create web-app-policy --name "Web to App" --category Application
```
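The membership semantics described in step 1 (a tag criterion is matched as the Condition value `scope|value`, and tag, IP and segment criteria are ORed) decide which VMs a policy ends up protecting, so it is worth seeing them evaluated. The following is an added example, not the project's code and not a call to the NSX API: the `VM` and `GroupCriteria` classes, the inventory and the group definitions are all constructed for the demonstration. It goes one step beyond the README's single tag case by showing what an ORed IP criterion does to the same group.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Added example: an in-memory model of group membership evaluation as the
# README describes it. Hypothetical data model, not the project's code.


@dataclass(frozen=True)
class VM:
    name: str
    tags: frozenset          # NSX tags already flattened to "scope|value"
    ip: str
    segment: str


@dataclass
class GroupCriteria:
    """Membership criteria of one security group (hypothetical model)."""
    tag_conditions: set = field(default_factory=set)   # e.g. {"tier|web"}
    ip_cidrs: set = field(default_factory=set)         # e.g. {"10.0.1.0/24"}
    segments: set = field(default_factory=set)         # e.g. {"seg-web"}


def tag_condition(tag_scope: str, tag_value: str) -> str:
    """Build the Condition value the way the README states: scope|value."""
    if "|" in tag_scope or "|" in tag_value:
        raise ValueError("tag scope and value must not contain '|'")
    return f"{tag_scope}|{tag_value}"


def is_member(vm: VM, crit: GroupCriteria) -> bool:
    """Criteria types are ORed: any single matching criterion admits the VM."""
    if vm.tags & crit.tag_conditions:
        return True
    if any(ip_address(vm.ip) in ip_network(cidr) for cidr in crit.ip_cidrs):
        return True
    return vm.segment in crit.segments


def members(inventory, crit: GroupCriteria) -> list:
    """Sorted names of the VMs the group would contain."""
    return sorted(vm.name for vm in inventory if is_member(vm, crit))


# Constructed inventory for the demonstration.
INVENTORY = [
    VM("web-vm-01", frozenset({"tier|web"}), "10.0.1.5", "seg-web"),
    VM("web-vm-02", frozenset({"tier|web"}), "10.0.1.6", "seg-web"),
    VM("app-vm-01", frozenset({"tier|app"}), "10.0.2.10", "seg-app"),
    # Untagged VM that happens to sit in the web subnet.
    VM("jump-vm-01", frozenset(), "10.0.1.200", "seg-mgmt"),
]

# Group defined by tag only, and the same group with an ORed IP criterion.
WEB_BY_TAG = GroupCriteria(tag_conditions={tag_condition("tier", "web")})
WEB_BY_TAG_OR_SUBNET = GroupCriteria(
    tag_conditions={tag_condition("tier", "web")}, ip_cidrs={"10.0.1.0/24"})

if __name__ == "__main__":
    print("tag only:      ", members(INVENTORY, WEB_BY_TAG))
    print("tag OR subnet: ", members(INVENTORY, WEB_BY_TAG_OR_SUBNET))
```

Because the criteria are ORed, adding the subnet criterion pulls the untagged `jump-vm-01` into the web group, and every rule that uses the group as source or scope now applies to it. Reviewing a group's effective members after each criterion change, rather than only its tag, is the check that catches this.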

Tag a VM

```bash
# Find VM and its external ID
vmware-nsx-security tag list my-vm-01

# Apply tag using the external ID
vmware-nsx-security tag apply <external-id> --scope tier --value web
```

Trace a Packet

```bash
vmware-nsx-security traceflow run <src-lport-id> \
  --src-ip 10.0.1.5 --dst-ip 10.0.2.10 --proto TCP --dst-port 443
```

The output reports `operation_state` (IN_PROGRESS/FINISHED/FAILED), hop-by-hop observations discriminated by `resource_type` (`Dropped*` entries carry `reason` and `acl_rule_id`), and a `dfw_hits` summary.
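To show how the fields just described are used when triaging a trace, here is an added example (not the project's code) that reduces a traceflow result to the facts a responder wants: the state, the hop list, every drop with its reason and rule id, and a per-rule DFW hit count. The `SAMPLE_RESULT` record is constructed; its key names follow the README (`operation_state`, `resource_type`, `reason`, `acl_rule_id`) and NSX's `TraceflowObservation*` resource type names, while `component_name` and the concrete values are assumptions for the demo. An unfinished or failed trace is handled explicitly, since it must not be read as "delivered".

```python
from collections import Counter

# Added example: summarise a traceflow result of the shape the README
# describes. Constructed record; not output from the tool.
SAMPLE_RESULT = {
    "operation_state": "FINISHED",
    "observations": [
        {"resource_type": "TraceflowObservationReceived",
         "component_name": "web-vm-01 vNIC"},
        {"resource_type": "TraceflowObservationForwarded",
         "component_name": "DFW", "acl_rule_id": 1001},   # allowed by rule 1001
        {"resource_type": "TraceflowObservationForwarded",
         "component_name": "seg-web"},
        {"resource_type": "TraceflowObservationDropped",
         "component_name": "DFW", "reason": "FW_RULE", "acl_rule_id": 2003},
    ],
}


def summarize(result: dict) -> dict:
    """State, hops, drops (with reason/acl_rule_id) and DFW hits per rule."""
    state = result.get("operation_state")
    summary = {"state": state, "hops": [], "drops": [], "dfw_hits": {}}
    if state != "FINISHED":
        # IN_PROGRESS: poll again later. FAILED: the trace itself errored,
        # so the observations (if any) are not a verdict on the traffic.
        return summary
    hits = Counter()
    for obs in result.get("observations", []):
        rtype = obs.get("resource_type", "")
        summary["hops"].append((rtype, obs.get("component_name")))
        if "acl_rule_id" in obs:
            hits[obs["acl_rule_id"]] += 1
        if "Dropped" in rtype:   # Dropped* entries carry reason + acl_rule_id
            summary["drops"].append({
                "component": obs.get("component_name"),
                "reason": obs.get("reason"),
                "acl_rule_id": obs.get("acl_rule_id"),
            })
    summary["dfw_hits"] = dict(hits)
    return summary


def verdict(summary: dict) -> str:
    """One-line outcome for a human: not ready, dropped at X, or delivered."""
    if summary["state"] != "FINISHED":
        return f"trace {summary['state']}: no verdict yet"
    if summary["drops"]:
        d = summary["drops"][0]
        return f"DROPPED at {d['component']} ({d['reason']}, rule {d['acl_rule_id']})"
    return "delivered"


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULT)
    for hop in s["hops"]:
        print(" -> ".join(str(x) for x in hop))
    print(verdict(s), "| dfw_hits:", s["dfw_hits"])
```

The rule id reported on a drop is the identifier to look up with the rule tools above; the hit counter also surfaces rules that allowed the packet earlier on the path, which is what you want when a flow is permitted where you expected it to be blocked.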

Safety

  • Dependency checks: Cannot delete a policy with active rules, or a group referenced by DFW rules/scopes; group deletion aborts if the reference scan fails
  • Audit logging: All write ops logged to ~/.vmware-nsx-security/audit.log
  • Input validation: IDs validated; all API text sanitized against prompt injection
  • Dry-run mode: All CLI write commands support --dry-run
  • Credential safety: Passwords only from env vars, never in config files
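The dependency checks in the first bullet are the part of this list most worth seeing as logic, in particular the failure mode: a reference scan that could not complete must abort the deletion, because "no references found" and "could not look" are different answers. The block below is an added example modelled over a constructed in-memory inventory; it is not the project's code, and the rule, policy and group shapes (`policy_id`, `source_groups`, `destination_groups`, `scope`) are assumptions for the demo.

```python
# Added example: the delete-time dependency checks described in the Safety
# section, over a constructed inventory. Not the project's code.


class ReferenceScanError(Exception):
    """Raised when the scan for references could not complete."""


# Constructed inventory: rules belong to a policy and reference groups in
# their source/destination fields and in the rule's applied-to scope.
POLICIES = {"web-app-policy": {"name": "Web to App"},
            "empty-policy": {"name": "Unused"}}
RULES = [
    {"id": "r-1", "policy_id": "web-app-policy", "source_groups": ["grp-web"],
     "destination_groups": ["grp-app"], "scope": ["grp-web"]},
    {"id": "r-2", "policy_id": "web-app-policy", "source_groups": ["ANY"],
     "destination_groups": ["grp-db"], "scope": ["ANY"]},
]


def policy_delete_check(policy_id: str, rules) -> tuple:
    """Refuse to delete a policy that still has rules; they would go with it."""
    active = [r["id"] for r in rules if r["policy_id"] == policy_id]
    if active:
        return False, f"policy {policy_id} has {len(active)} active rule(s): {active}"
    return True, "no rules reference the policy"


def scan_group_references(group_id: str, rules) -> list:
    """Ids of rules referencing the group in source, destination or scope."""
    refs = []
    for r in rules:
        if group_id in r["source_groups"] + r["destination_groups"] + r["scope"]:
            refs.append(r["id"])
    return refs


def group_delete_check(group_id: str, rules, scan=scan_group_references) -> tuple:
    """Fail closed: an incomplete reference scan aborts the deletion."""
    try:
        refs = scan(group_id, rules)
    except ReferenceScanError as exc:
        return False, f"aborted: reference scan failed ({exc})"
    if refs:
        return False, f"group {group_id} is referenced by rules {refs}"
    return True, "no DFW rule references the group"


def failing_scan(group_id, rules):
    """Stand-in for a scan that hits an API error (constructed for the demo)."""
    raise ReferenceScanError("NSX Manager returned 503")


if __name__ == "__main__":
    for pid in POLICIES:
        print("delete policy", pid, "->", policy_delete_check(pid, RULES))
    for gid in ("grp-web", "grp-unused"):
        print("delete group", gid, "->", group_delete_check(gid, RULES))
    print("delete group during outage ->",
          group_delete_check("grp-unused", RULES, scan=failing_scan))
```

Scope references matter as much as source and destination ones: removing a group that is only used as a rule's applied-to scope would silently change where that rule is enforced, so the scan covers all three fields.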

Companion Skills

| Skill | Scope | Tools | Install |
|-------|-------|:-----:|---------|
| vmware-aiops ⭐ entry point | VM lifecycle, deployment, guest ops, clusters | 31 | uv tool install vmware-aiops |
| vmware-monitor | Read-only monitoring, alarms, events, VM info | 8 | uv tool install vmware-monitor |
| vmware-nsx | NSX networking: segments, gateways, NAT, IPAM | 31 | uv tool install vmware-nsx-mgmt |
| vmware-storage | Datastores, iSCSI, vSAN | 11 | uv tool install vmware-storage |
| vmware-vks | Tanzu Namespaces, TKC cluster lifecycle | 20 | uv tool install vmware-vks |
| vmware-aria | Aria Ops metrics, alerts, capacity planning | 18 | uv tool install vmware-aria |

Version Compatibility

| NSX Version | Support | Notes |
|-------------|---------|-------|
| NSX 9.1 / VCF 9.1 | ✅ Full | DFW + Security Group + Traceflow + IDS/IPS via Policy API. VDS 7.0+ required (N-VDS removed in NSX 9). |
| NSX 9.0 / VCF 9.0 | ✅ Full | Same as 9.1. Bare-metal NSX agent removed. |
| NSX 4.x / VCF 5.x | ✅ Full | All features supported. |
| NSX-T 3.2 / VCF 4.5 | ✅ Full | Policy API stable. |

Official Broadcom References

  • SDKs: <https://developer.broadcom.com/sdks> — VMware NSX for Python SDK (future migration target)
  • REST APIs: <https://developer.broadcom.com/xapis> — NSX-T Data Center REST API
  • CLI Tools: <https://developer.broadcom.com/tools> — VCF PowerCLI 9.1

License

MIT
