What can you do with this server?

This server provides 20 tools for managing VMware NSX distributed firewall (DFW) microsegmentation, security groups, VM tags, packet tracing, and intrusion detection (IDPS). DFW Policy Management * List, get, create, update (partial PATCH), and delete DFW security policies (category, priority, stateful settings) * Delete includes a safety check: rules must be removed first DFW Rule Management * List, create, update, and delete rules within a policy * Full control over sources, destinations, services, action (ALLOW/DROP/REJECT/JUMP_TO_APPLICATION), direction, and logging * Retrieve per-rule statistics (packet count, byte count, session count) Security Group Management * List, get, create, and delete NSX security groups * Membership criteria: VM tags (scope/value), IP addresses/CIDRs, or segment paths * Get effective VM members (up to 50); delete blocked if group is referenced by DFW rules VM Tag Management * List NSX tags on a VM by display name * Additively apply a tag (scope + value) to a VM by external ID (existing tags preserved) Traceflow (Packet Tracing) * Inject a synthetic probe packet from a source logical port and trace hop-by-hop through the NSX overlay, showing DFW rule hits and drop reasons * Retrieve status and observations of a previously initiated traceflow IDPS (Intrusion Detection & Prevention) * List configured IDPS profiles (severity, criteria, signature overrides) * Check global IDPS engine status: enable/disable state, signature version, last update, and per-node status

Which integrations are available for this server?

Provides tools for managing VMware NSX security, including distributed firewall (DFW) policies and rules, security groups, VM tags, Traceflow packet tracing, and Intrusion Detection and Prevention Systems (IDPS).

de en es ja ko ru zh

vmware-nsx-security

by zw008

Overview Schema Related Servers Score Discussions

Python

Remote

VMware NSX Security

Author: Wei Zhou, VMware by Broadcom — wei-wz.zhou@broadcom.com This is a community-driven project by a VMware engineer, not an official VMware product. For official VMware developer tools see developer.broadcom.com.

VMware NSX DFW microsegmentation and security MCP skill — 21 tools for distributed firewall policies/rules, security groups, VM tags, Traceflow packet tracing, and IDPS.

Companion skills: vmware-nsx (networking), vmware-aiops (VM lifecycle), vmware-monitor (monitoring)

Quick Start

uv tool install vmware-nsx-security

mkdir -p ~/.vmware-nsx-security
cp config.example.yaml ~/.vmware-nsx-security/config.yaml
# Edit config.yaml with your NSX Manager host

echo "VMWARE_NSX_SECURITY_NSX_PROD_PASSWORD=your_password" > ~/.vmware-nsx-security/.env
chmod 600 ~/.vmware-nsx-security/.env

vmware-nsx-security doctor

Related MCP server: vmware-vks

What It Does

Category	Tools
DFW Policy	list, get, create, update, delete, list rules
DFW Rules	create, update, delete, stats
Security Groups	list, get, create, delete
VM Tags	list tags, apply tag, remove tag
Traceflow	run trace, get result
IDPS	list profiles, signature status + settings

Total: 21 MCP tools (10 read-only + 11 write)

MCP Server Setup

After uv tool install vmware-nsx-security, start the MCP server with one command (v1.5.15+):

# Recommended — single command, no network re-resolve
vmware-nsx-security mcp

# With a custom config path
VMWARE_NSX_SECURITY_CONFIG=/path/to/config.yaml vmware-nsx-security mcp

Add to ~/.claude.json:

{
  "mcpServers": {
    "vmware-nsx-security": {
      "command": "vmware-nsx-security",
      "args": ["mcp"],
      "env": {
        "VMWARE_NSX_SECURITY_CONFIG": "~/.vmware-nsx-security/config.yaml"
      }
    }
  }
}

# Run without installing (requires PyPI access each launch)
uvx --from vmware-nsx-security vmware-nsx-security mcp

# Legacy entry point (still works, kept for backward compatibility)
vmware-nsx-security-mcp

Behind a corporate TLS proxy? uvx may fail with invalid peer certificate: UnknownIssuer. Use the recommended vmware-nsx-security mcp form above (no network needed), or set UV_NATIVE_TLS=true.

Common Workflows

Microsegment an Application

# 1. Create groups by tag — via the create_group MCP tool
#    (tag_scope=tier, tag_value=web → matched as Condition value "tier|web";
#     multiple criteria types — tag/IP/segment — are ORed)

# 2. Create DFW policy
vmware-nsx-security policy create web-app-policy --name "Web to App" --category Application

Tag a VM

# Find VM and its external ID
vmware-nsx-security tag list my-vm-01

# Apply tag using the external ID
vmware-nsx-security tag apply <external-id> --scope tier --value web

Trace a Packet

vmware-nsx-security traceflow run <src-lport-id> \
  --src-ip 10.0.1.5 --dst-ip 10.0.2.10 --proto TCP --dst-port 443

Output reports operation_state (IN_PROGRESS/FINISHED/FAILED), hop-by-hop observations discriminated by resource_type (Dropped* entries carry reason + acl_rule_id), and a dfw_hits summary.

Safety

Dependency checks: Cannot delete a policy with active rules, or a group referenced by DFW rules/scopes; group deletion aborts if the reference scan fails
Audit logging: All write ops logged to ~/.vmware-nsx-security/audit.log
Input validation: IDs validated; all API text sanitized against prompt injection
Dry-run mode: All CLI write commands support --dry-run
Credential safety: Passwords only from env vars, never in config files

Companion Skills

Skill	Scope	Tools	Install
vmware-aiops ⭐ entry point	VM lifecycle, deployment, guest ops, clusters	31	`uv tool install vmware-aiops`
vmware-monitor	Read-only monitoring, alarms, events, VM info	8	`uv tool install vmware-monitor`
vmware-nsx	NSX networking: segments, gateways, NAT, IPAM	31	`uv tool install vmware-nsx-mgmt`
vmware-storage	Datastores, iSCSI, vSAN	11	`uv tool install vmware-storage`
vmware-vks	Tanzu Namespaces, TKC cluster lifecycle	20	`uv tool install vmware-vks`
vmware-aria	Aria Ops metrics, alerts, capacity planning	18	`uv tool install vmware-aria`

Version Compatibility

NSX Version	Support	Notes
NSX 9.1 / VCF 9.1	✅ Full	DFW + Security Group + Traceflow + IDS/IPS via Policy API. VDS 7.0+ required (N-VDS removed in NSX 9).
NSX 9.0 / VCF 9.0	✅ Full	Same as 9.1. Bare-metal NSX agent removed.
NSX 4.x / VCF 5.x	✅ Full	All features supported.
NSX-T 3.2 / VCF 4.5	✅ Full	Policy API stable.

Official Broadcom References

SDKs: https://developer.broadcom.com/sdks — VMware NSX for Python SDK (future migration target)
REST APIs: https://developer.broadcom.com/xapis — NSX-T Data Center REST API
CLI Tools: https://developer.broadcom.com/tools — VCF PowerCLI 9.1

License

MIT

Install Server

license - permissive license

quality

maintenance

How are these scores calculated?

Maintenance

–Maintainers

4hResponse time

1dRelease cycle

47Releases (12mo)

Commit activity

Resources

GitHub Repository

Need Help?

Related Servers

Tools

View all tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/zw008/VMware-NSX-Security'

If you have feedback or need assistance with the MCP directory API, please join our Discord server