vmware-nsx-security
This server provides 20 tools for managing VMware NSX distributed firewall (DFW) microsegmentation, security groups, VM tags, packet tracing, and intrusion detection (IDPS).
DFW Policy Management
List, get, create, update (partial PATCH), and delete DFW security policies (category, priority, stateful settings)
Delete includes a safety check: rules must be removed first
DFW Rule Management
List, create, update, and delete rules within a policy
Full control over sources, destinations, services, action (ALLOW/DROP/REJECT/JUMP_TO_APPLICATION), direction, and logging
Retrieve per-rule statistics (packet count, byte count, session count)
Security Group Management
List, get, create, and delete NSX security groups
Membership criteria: VM tags (scope/value), IP addresses/CIDRs, or segment paths
Get effective VM members (up to 50); delete blocked if group is referenced by DFW rules
VM Tag Management
List NSX tags on a VM by display name
Additively apply a tag (scope + value) to a VM by external ID (existing tags preserved)
Traceflow (Packet Tracing)
Inject a synthetic probe packet from a source logical port and trace hop-by-hop through the NSX overlay, showing DFW rule hits and drop reasons
Retrieve status and observations of a previously initiated traceflow
IDPS (Intrusion Detection & Prevention)
List configured IDPS profiles (severity, criteria, signature overrides)
Check global IDPS engine status: enable/disable state, signature version, last update, and per-node status
Provides tools for managing VMware NSX security, including distributed firewall (DFW) policies and rules, security groups, VM tags, Traceflow packet tracing, and Intrusion Detection and Prevention Systems (IDPS).
VMware NSX Security
Author: Wei Zhou, VMware by Broadcom — wei-wz.zhou@broadcom.com This is a community-driven project by a VMware engineer, not an official VMware product. For official VMware developer tools see developer.broadcom.com.
VMware NSX DFW microsegmentation and security MCP skill — 20 tools for distributed firewall policies/rules, security groups, VM tags, Traceflow packet tracing, and IDPS.
Companion skills: vmware-nsx (networking), vmware-aiops (VM lifecycle), vmware-monitor (monitoring)
Quick Start
uv tool install vmware-nsx-security
mkdir -p ~/.vmware-nsx-security
cp config.example.yaml ~/.vmware-nsx-security/config.yaml
# Edit config.yaml with your NSX Manager host
echo "VMWARE_NSX_SECURITY_NSX_PROD_PASSWORD=your_password" > ~/.vmware-nsx-security/.env
chmod 600 ~/.vmware-nsx-security/.env
vmware-nsx-security doctorWhat It Does
Category | Tools |
DFW Policy | list, get, create, update, delete, list rules |
DFW Rules | create, update, delete, stats |
Security Groups | list, get, create, delete |
VM Tags | list tags, apply tag |
Traceflow | run trace, get result |
IDPS | list profiles, engine status |
Total: 20 MCP tools (10 read-only + 10 write)
MCP Server Setup
After uv tool install vmware-nsx-security, start the MCP server with one command (v1.5.15+):
# Recommended — single command, no network re-resolve
vmware-nsx-security mcp
# With a custom config path
VMWARE_NSX_SECURITY_CONFIG=/path/to/config.yaml vmware-nsx-security mcpAdd to ~/.claude.json:
{
"mcpServers": {
"vmware-nsx-security": {
"command": "vmware-nsx-security",
"args": ["mcp"],
"env": {
"VMWARE_NSX_SECURITY_CONFIG": "~/.vmware-nsx-security/config.yaml"
}
}
}
}# Run without installing (requires PyPI access each launch)
uvx --from vmware-nsx-security vmware-nsx-security mcp
# Legacy entry point (still works, kept for backward compatibility)
vmware-nsx-security-mcpBehind a corporate TLS proxy? uvx may fail with
invalid peer certificate: UnknownIssuer. Use the recommendedvmware-nsx-security mcpform above (no network needed), or setUV_NATIVE_TLS=true.
Common Workflows
Microsegment an Application
# 1. Create groups by tag
vmware-nsx-security group create web-vms --name "Web VMs" --tag-scope tier --tag-value web
vmware-nsx-security group create app-vms --name "App VMs" --tag-scope tier --tag-value app
# 2. Create DFW policy
vmware-nsx-security policy create web-app-policy --name "Web to App" --category ApplicationTag a VM
# Find VM and its external ID
vmware-nsx-security tag list my-vm-01
# Apply tag using the external ID
vmware-nsx-security tag apply <external-id> --scope tier --value webTrace a Packet
vmware-nsx-security traceflow run <src-lport-id> \
--src-ip 10.0.1.5 --dst-ip 10.0.2.10 --proto TCP --dst-port 443Safety
Dependency checks: Cannot delete a policy with active rules, or a group referenced by DFW rules
Audit logging: All write ops logged to
~/.vmware-nsx-security/audit.logInput validation: IDs validated; all API text sanitized against prompt injection
Dry-run mode: All CLI write commands support
--dry-runCredential safety: Passwords only from env vars, never in config files
Companion Skills
Skill | Scope | Tools | Install |
vmware-aiops ⭐ entry point | VM lifecycle, deployment, guest ops, clusters | 31 |
|
Read-only monitoring, alarms, events, VM info | 8 |
| |
NSX networking: segments, gateways, NAT, IPAM | 31 |
| |
Datastores, iSCSI, vSAN | 11 |
| |
Tanzu Namespaces, TKC cluster lifecycle | 20 |
| |
Aria Ops metrics, alerts, capacity planning | 18 |
|
License
MIT
Maintenance
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/zw008/VMware-NSX-Security'
If you have feedback or need assistance with the MCP directory API, please join our Discord server