
Server Configuration

Describes the environment variables required to run the server.

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| VMWARE_NSX_SECURITY_CONFIG | Yes | Path to the config.yaml file containing NSX Manager host and other settings. | |
| VMWARE_NSX_SECURITY_NSX_PROD_PASSWORD | Yes | The password for the NSX Manager host. Credentials must be provided via environment variables as they are not stored in the config file. | |

Capabilities

Features and capabilities supported by this server

| Capability | Details |
| --- | --- |
| tools | {"listChanged": false} |
| prompts | {"listChanged": false} |
| resources | {"subscribe": false, "listChanged": false} |
| experimental | {} |

Tools

Functions exposed to the LLM to take actions

list_dfw_policies

List all DFW security policies in the default domain.

Returns each policy's id, display_name, category, sequence_number, stateful flag, and rule count.

Args: target: Optional NSX Manager target name from config. Uses default if omitted.

get_dfw_policy

Get full details of a single DFW security policy.

Args: policy_id: Policy identifier (e.g. 'app-tier-policy'). target: Optional NSX Manager target name from config.

list_dfw_rules

List all rules in a DFW security policy.

Returns each rule's id, display_name, action, sources, destinations, services, direction, disabled flag, and sequence number.

Args: policy_id: Parent policy identifier. target: Optional NSX Manager target name from config.

get_dfw_rule_stats

Get packet/byte hit-count statistics for a DFW rule.

Returns packet_count, byte_count, session_count, and population_count (number of hosts where the rule is realised).

Args: policy_id: Parent policy identifier. rule_id: Rule identifier. target: Optional NSX Manager target name from config.

create_dfw_policy

Create a new DFW security policy.

Args:
  • policy_id: Unique policy ID (alphanumeric, hyphens, underscores).
  • display_name: Human-readable policy name.
  • category: Policy category — Emergency, Infrastructure, Environment, or Application (default: Application).
  • sequence_number: Priority order; lower number = higher priority (default: 10).
  • stateful: Whether to track connection state (default: True).
  • description: Optional description.
  • target: Optional NSX Manager target name from config.

update_dfw_policy

Partially update a DFW security policy (PATCH — only provided fields change).

Args:
  • policy_id: ID of the policy to update.
  • display_name: New display name (optional).
  • description: New description (optional).
  • sequence_number: New sequence number (optional).
  • stateful: New stateful flag (optional).
  • target: Optional NSX Manager target name from config.

delete_dfw_policy

Delete a DFW security policy.

Raises ValueError if the policy still contains active rules. Delete all rules in the policy before deleting the policy itself.

Args: policy_id: ID of the policy to delete. target: Optional NSX Manager target name from config.

create_dfw_rule

Create a DFW rule under the specified policy.

Args:
  • policy_id: Parent policy identifier.
  • rule_id: Unique rule identifier within the policy.
  • display_name: Human-readable rule name.
  • action: Firewall action — ALLOW, DROP, REJECT, or JUMP_TO_APPLICATION (default: ALLOW).
  • sources: List of source group paths. Use ['ANY'] for any source (default: ANY).
  • destinations: List of destination group paths. Use ['ANY'] for any destination (default: ANY).
  • services: List of service paths. Use ['ANY'] for all services (default: ANY).
  • scope: List of scope paths (groups/segments) limiting where the rule is applied.
  • direction: Traffic direction — IN, OUT, or IN_OUT (default: IN_OUT).
  • ip_protocol: IP version — IPV4, IPV6, or IPV4_IPV6 (default: IPV4_IPV6).
  • logged: Log matched traffic (default: False).
  • disabled: Create the rule in disabled state (default: False).
  • sequence_number: Rule priority within the policy (default: 10).
  • description: Optional description.
  • target: Optional NSX Manager target name from config.

update_dfw_rule

Partially update a DFW rule (PATCH — only provided fields change).

Args:
  • policy_id: Parent policy identifier.
  • rule_id: Rule identifier to update.
  • display_name: New display name (optional).
  • action: New firewall action (optional).
  • sources: New source groups (optional).
  • destinations: New destination groups (optional).
  • services: New services (optional).
  • logged: New logged flag (optional).
  • disabled: New disabled flag (optional).
  • sequence_number: New sequence number (optional).
  • description: New description (optional).
  • target: Optional NSX Manager target name from config.

delete_dfw_rule

Delete a DFW rule from a policy.

Args: policy_id: Parent policy identifier. rule_id: ID of the rule to delete. target: Optional NSX Manager target name from config.

list_groups

List all NSX security groups in the default domain.

Returns each group's id, display_name, description, and expression count.

Args: target: Optional NSX Manager target name from config.

get_group

Get details of a security group including membership criteria and effective members.

Returns expression rules and up to 50 effective VirtualMachine members.

Args: group_id: Group identifier (e.g. 'web-tier-vms'). target: Optional NSX Manager target name from config.

create_group

Create an NSX security group with optional membership criteria.

Membership criteria are ANDed together when multiple are provided:

  • tag_scope / tag_value: include VMs matching the NSX tag

  • ip_addresses: include specific IP addresses or CIDRs

  • segment_paths: include all VMs on specified segments

Args:
  • group_id: Unique group identifier (alphanumeric, hyphens, underscores).
  • display_name: Human-readable group name.
  • description: Optional description.
  • tag_scope: NSX tag scope for VM membership (e.g. 'env').
  • tag_value: NSX tag value for VM membership (e.g. 'production').
  • ip_addresses: List of IP addresses or CIDRs (e.g. ['10.0.1.0/24']).
  • segment_paths: List of NSX segment policy paths.
  • target: Optional NSX Manager target name from config.

delete_group

Delete an NSX security group.

Raises ValueError if the group is referenced by any DFW policy rule as a source or destination group.

Args: group_id: ID of the group to delete. target: Optional NSX Manager target name from config.

list_vm_tags

List all NSX tags applied to a virtual machine.

Looks up the VM by display name and returns all scope/value tag pairs. Raises KeyError if no VM is found, ValueError if multiple VMs match.

Args: vm_display_name: Display name of the virtual machine. target: Optional NSX Manager target name from config.

apply_vm_tag

Apply an NSX tag to a virtual machine.

Existing tags on the VM are preserved — this operation is additive. Use list_vm_tags to get the vm_id (external_id) first.

Args:
  • vm_id: VM external ID (fabric UUID, obtainable from list_vm_tags).
  • tag_scope: Tag scope string (e.g. 'env', 'tier', 'owner').
  • tag_value: Tag value string (e.g. 'production', 'web').
  • target: Optional NSX Manager target name from config.

run_traceflow

Run a Traceflow to trace a packet's path through the NSX overlay.

Injects a synthetic probe packet from the source logical port and returns hop-by-hop observations including DFW rule hits and drop reasons.

Args:
  • src_lport_id: Source logical port ID (attachment UUID of the VM NIC).
  • src_ip: Source IP address for the probe packet.
  • dst_ip: Destination IP address.
  • protocol: IP protocol — TCP, UDP, or ICMP (default: TCP).
  • dst_port: Destination port for TCP/UDP probes (default: 80).
  • src_port: Source port for TCP/UDP probes (default: 1234).
  • ttl: IP TTL value (default: 64).
  • timeout_seconds: Maximum seconds to wait for completion (default: 20).
  • target: Optional NSX Manager target name from config.

get_traceflow_result

Get the current status and observations of an existing Traceflow.

Use this to check a previously initiated traceflow without waiting.

Args: traceflow_id: Traceflow ID from a previous run_traceflow call. target: Optional NSX Manager target name from config.

list_idps_profiles

List all IDPS profiles configured in NSX.

Returns each profile's id, display_name, severity, criteria, and count of overridden signatures.

Args: target: Optional NSX Manager target name from config.

get_idps_status

Get the IDPS engine status across all transport nodes.

Returns global_status (ENABLED/DISABLED), signature_version, last_signature_update, and per-node status counts.

Args: target: Optional NSX Manager target name from config.

Prompts

Interactive templates invoked by user choice

No prompts

Resources

Contextual data attached and managed by the client

No resources

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/zw008/VMware-NSX-Security'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.