Glama

Server Configuration

Describes the environment variables required to run the server.

Name: VMWARE_NSX_SECURITY_CONFIG
Required: Yes
Description: Path to the config.yaml file containing NSX Manager host and other settings.
Default: none

Name: VMWARE_NSX_SECURITY_NSX_PROD_PASSWORD
Required: Yes
Description: The password for the NSX Manager host. Credentials must be provided via environment variables as they are not stored in the config file.
Default: none

Capabilities

Features and capabilities supported by this server

Capability / Details

tools: {"listChanged": false}

prompts: {"listChanged": false}

resources: {"subscribe": false, "listChanged": false}

experimental: {}

Tools

Functions exposed to the LLM to take actions

Name / Description

list_dfw_policies

[READ] List DFW security policies in the default domain.

Returns each policy's id, display_name, category, sequence_number, stateful flag, and rule count. Defaults to the first 50 matches — use name_filter to narrow and offset to page on large estates.

Args:

  • target: Optional NSX Manager target name from config. Uses default if omitted.

  • name_filter: Optional substring/glob match on policy display_name.

  • limit: Max policies to return (default 50).

  • offset: Number of matched policies to skip (pagination).

get_dfw_policy

[READ] Get full details of a single DFW security policy.

Args:

  • policy_id: Policy identifier (e.g. 'app-tier-policy').

  • target: Optional NSX Manager target name from config.

create_dfw_policy

[WRITE] Create a new DFW security policy.

Args:

  • policy_id: Unique policy ID (alphanumeric, hyphens, underscores).

  • display_name: Human-readable policy name.

  • category: Policy category — Ethernet, Emergency, Infrastructure, Environment, or Application (default: Application). Controls DFW evaluation order (Ethernet first, Application last).

  • sequence_number: Priority order; lower number = higher priority (default: 10).

  • stateful: Whether to track connection state (default: True).

  • description: Optional description.

  • target: Optional NSX Manager target name from config.

update_dfw_policy

[WRITE] Partially update a DFW security policy (PATCH — only provided fields change).

Args:

  • policy_id: ID of the policy to update.

  • display_name: New display name (optional).

  • description: New description (optional).

  • sequence_number: New sequence number (optional).

  • stateful: New stateful flag (optional).

  • target: Optional NSX Manager target name from config.

delete_dfw_policy

[WRITE] Delete a DFW security policy.

Raises ValueError if the policy still contains active rules. Delete all rules in the policy first before deleting the policy itself.

Args:

  • policy_id: ID of the policy to delete.

  • target: Optional NSX Manager target name from config.

list_dfw_rules

[READ] List all rules in a DFW security policy.

Returns each rule's id, display_name, action, sources, destinations, services, direction, disabled flag, and sequence number.

Args:

  • policy_id: Parent policy identifier.

  • target: Optional NSX Manager target name from config.

get_dfw_rule_stats

[READ] Get packet/byte hit-count statistics for a DFW rule.

Returns packet_count, byte_count, session_count, hit_count, and popularity_index (real NSX RuleStatistics fields).

Args:

  • policy_id: Parent policy identifier.

  • rule_id: Rule identifier.

  • target: Optional NSX Manager target name from config.

create_dfw_rule

[WRITE] Create a firewall rule under an existing DFW security policy.

Creates via PUT, so calling again with the same rule_id replaces that rule's definition. The rule is enforced on the NSX data plane immediately unless disabled=True. Pick the policy_id with list_dfw_policies first; to change selected fields of an existing rule prefer update_dfw_rule, and to remove one use delete_dfw_rule. Calls are pre-checked by the vmware-policy engine (risk level: medium) and audited to ~/.vmware/audit.db.

Returns the created rule dict from the NSX API (id, path, action, sequence_number, ...). On failure returns {"error", "hint"}; an invalid action/direction/ip_protocol returns an error listing the valid values.

Args:

  • policy_id: Parent policy ID (alphanumeric and hyphens), as returned by list_dfw_policies.

  • rule_id: Unique rule ID within the policy (alphanumeric and hyphens). Reusing an existing ID overwrites that rule.

  • display_name: Human-readable rule name.

  • action: Firewall action — ALLOW, DROP, REJECT, or JUMP_TO_APPLICATION (default: ALLOW). JUMP_TO_APPLICATION is only valid in policies whose category is Environment.

  • sources: Source group policy paths, e.g. ['/infra/domains/default/groups/web']. Use ['ANY'] or omit for any source (default: ANY).

  • destinations: Destination group policy paths, same format as sources. Use ['ANY'] or omit for any destination (default: ANY).

  • services: Service policy paths, e.g. ['/infra/services/HTTPS']. Use ['ANY'] or omit for all services (default: ANY).

  • scope: Applied-to group/segment paths limiting where the rule is enforced. Omit to apply to the entire DFW.

  • direction: Traffic direction — IN, OUT, or IN_OUT (default: IN_OUT).

  • ip_protocol: IP version — IPV4, IPV6, or IPV4_IPV6 (default: IPV4_IPV6).

  • logged: Log matched traffic (default: False).

  • disabled: Create the rule disabled so it is not enforced (default: False).

  • sequence_number: Rule priority within the policy; lower values match first (default: 10).

  • description: Optional free-text description.

  • target: Optional NSX Manager target name from config. Uses the default target if omitted.

update_dfw_rule

[WRITE] Partially update a DFW rule (PATCH — only provided fields change).

Args:

  • policy_id: Parent policy identifier.

  • rule_id: Rule identifier to update.

  • display_name: New display name (optional).

  • action: New firewall action (optional).

  • sources: New source groups (optional).

  • destinations: New destination groups (optional).

  • services: New services (optional).

  • logged: New logged flag (optional).

  • disabled: New disabled flag (optional).

  • sequence_number: New sequence number (optional).

  • description: New description (optional).

  • target: Optional NSX Manager target name from config.

delete_dfw_rule

[WRITE] Permanently delete one DFW rule from its parent security policy.

Deletion is irreversible and takes effect immediately on the NSX data plane: traffic the rule matched falls through to lower-priority rules or the policy's default action. Confirm the rule_id with list_dfw_rules and check recent hits with get_dfw_rule_stats before deleting. To remove an entire policy use delete_dfw_policy (it refuses while rules remain); this tool deletes a single rule without that guard. Calls are pre-checked by the vmware-policy engine (risk level: high) and audited to ~/.vmware/audit.db; the CLI equivalent additionally requires double confirmation.

Returns {"status": "deleted", "message": ...} on success, or {"error", "hint"} on failure (e.g. rule not found, connectivity).

Args:

  • policy_id: ID of the parent security policy (alphanumeric and hyphens), as returned by list_dfw_policies.

  • rule_id: ID of the rule to delete within that policy, as returned by list_dfw_rules.

  • target: Optional NSX Manager target name from config. Uses the default target if omitted.
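The four write tools above (create_dfw_rule, update_dfw_rule, delete_dfw_rule, delete_dfw_policy) differ mainly in their PUT, PATCH and DELETE semantics, and the practical trap is that a repeated create_dfw_rule call that omits sources quietly widens the rule to ANY. The following is an added example, not the server's code: a plain dict stands in for the NSX Manager so the behaviour can be exercised offline, and the function names, the store layout and the error/hint wording are assumptions modelled on the tool descriptions.

```python
"""Added example (not the server's code): an in-memory model of the write
semantics the create_dfw_rule, update_dfw_rule, delete_dfw_rule and
delete_dfw_policy tools describe. A plain dict stands in for the NSX Manager."""

VALID_ACTIONS = {"ALLOW", "DROP", "REJECT", "JUMP_TO_APPLICATION"}
VALID_DIRECTIONS = {"IN", "OUT", "IN_OUT"}
VALID_IP_PROTOCOLS = {"IPV4", "IPV6", "IPV4_IPV6"}


def create_policy(store, policy_id, display_name, category="Application",
                  sequence_number=10, stateful=True):
    """Register a policy in the constructed store (policy_id -> policy dict)."""
    store[policy_id] = {"id": policy_id, "display_name": display_name,
                        "category": category, "sequence_number": sequence_number,
                        "stateful": stateful, "rules": {}}
    return store[policy_id]


def create_rule(store, policy_id, rule_id, display_name, action="ALLOW",
                sources=None, destinations=None, services=None, direction="IN_OUT",
                ip_protocol="IPV4_IPV6", logged=False, disabled=False, sequence_number=10):
    """PUT semantics: the whole rule is written, so every omitted field falls back
    to its default (sources/destinations/services -> ANY)."""
    policy = store.get(policy_id)
    if policy is None:
        return {"error": f"policy {policy_id!r} not found",
                "hint": "pick the policy_id with list_dfw_policies"}
    for name, value, valid in (("action", action, VALID_ACTIONS),
                               ("direction", direction, VALID_DIRECTIONS),
                               ("ip_protocol", ip_protocol, VALID_IP_PROTOCOLS)):
        if value not in valid:
            return {"error": f"invalid {name} {value!r}",
                    "hint": f"valid values: {', '.join(sorted(valid))}"}
    if action == "JUMP_TO_APPLICATION" and policy["category"] != "Environment":
        return {"error": "JUMP_TO_APPLICATION needs an Environment-category policy",
                "hint": f"policy {policy_id!r} has category {policy['category']}"}
    rule = {"id": rule_id, "display_name": display_name, "action": action,
            "sources": list(sources or ["ANY"]), "destinations": list(destinations or ["ANY"]),
            "services": list(services or ["ANY"]), "direction": direction,
            "ip_protocol": ip_protocol, "logged": logged, "disabled": disabled,
            "sequence_number": sequence_number}
    policy["rules"][rule_id] = rule  # overwrites any rule already using this id
    return rule


def update_rule(store, policy_id, rule_id, **fields):
    """PATCH semantics: only fields passed with a non-None value change."""
    rule = store.get(policy_id, {}).get("rules", {}).get(rule_id)
    if rule is None:
        return {"error": f"rule {rule_id!r} not found in {policy_id!r}",
                "hint": "confirm the id with list_dfw_rules"}
    for key, value in fields.items():
        if value is not None and key in rule and key != "id":
            rule[key] = value
    return rule


def delete_rule(store, policy_id, rule_id):
    """Irreversible: matched traffic then falls through to lower-priority rules."""
    rules = store.get(policy_id, {}).get("rules", {})
    if rule_id not in rules:
        return {"error": f"rule {rule_id!r} not found in {policy_id!r}",
                "hint": "confirm the id with list_dfw_rules"}
    del rules[rule_id]
    return {"status": "deleted", "message": f"rule {rule_id} removed from {policy_id}"}


def delete_policy(store, policy_id):
    """Refuses while rules remain, as delete_dfw_policy does."""
    policy = store[policy_id]
    if policy["rules"]:
        raise ValueError(f"policy {policy_id!r} still has {len(policy['rules'])} rule(s)")
    del store[policy_id]
    return {"status": "deleted", "message": f"policy {policy_id} removed"}


def demo():
    """Run the scenario and return the observations worth checking."""
    store = {}
    create_policy(store, "app-tier-policy", "App tier")
    web = ["/infra/domains/default/groups/web"]
    https = ["/infra/services/HTTPS"]
    create_rule(store, "app-tier-policy", "allow-web", "Allow web", sources=web, services=https)
    patched = update_rule(store, "app-tier-policy", "allow-web", logged=True)
    # Same rule_id, sources forgotten: PUT replaces the rule and the source becomes ANY.
    reput = create_rule(store, "app-tier-policy", "allow-web", "Allow web", services=https)
    jump = create_rule(store, "app-tier-policy", "jump", "Jump", action="JUMP_TO_APPLICATION")
    try:
        delete_policy(store, "app-tier-policy")
        refused = False
    except ValueError:
        refused = True
    deleted = delete_rule(store, "app-tier-policy", "allow-web")
    delete_policy(store, "app-tier-policy")
    return {"patched": patched, "reput": reput, "jump": jump, "refused": refused,
            "deleted": deleted, "policies_left": len(store)}


if __name__ == "__main__":
    print(demo())
```

The `demo()` walk-through is the part worth reading: the PATCH leaves the web-only source intact, the repeated PUT without `sources` turns the same rule into an any-source allow, JUMP_TO_APPLICATION is rejected outside an Environment policy, and the policy delete refuses until the rule is gone.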

list_groups

[READ] List NSX security groups in the default domain.

Returns each group's id, display_name, description, and expression count. Defaults to the first 50 matches — use name_filter to narrow and offset to page on large estates.

Args:

  • target: Optional NSX Manager target name from config.

  • name_filter: Optional substring/glob match on group display_name.

  • limit: Max groups to return (default 50).

  • offset: Number of matched groups to skip (pagination).

get_group

[READ] Get details of a security group including membership criteria and effective members.

Returns expression rules and up to 50 effective VirtualMachine members.

Args:

  • group_id: Group identifier (e.g. 'web-tier-vms').

  • target: Optional NSX Manager target name from config.

create_group

[WRITE] Create an NSX security group with optional membership criteria.

Multiple criteria are ORed together (NSX only permits AND between same-member-type Conditions, so heterogeneous expression types must join with OR):

  • tag_scope / tag_value: include VMs matching the NSX tag (Condition with pipe-delimited value "scope|tag")

  • ip_addresses: include specific IP addresses or CIDRs

  • segment_paths: include all VMs on specified segments

Args:

  • group_id: Unique group identifier (alphanumeric, hyphens, underscores).

  • display_name: Human-readable group name.

  • description: Optional description.

  • tag_scope: NSX tag scope for VM membership (e.g. 'env').

  • tag_value: NSX tag value for VM membership (e.g. 'production').

  • ip_addresses: List of IP addresses or CIDRs (e.g. ['10.0.1.0/24']).

  • segment_paths: List of NSX segment policy paths.

  • target: Optional NSX Manager target name from config.
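The create_group description says the three criteria become one Condition with a pipe-delimited "scope|tag" value, an IP-address expression and a segment-path expression, joined with OR because NSX will not AND expressions of different types. As an added example that is not the server's code, the function below assembles that NSX Policy API group body and rejects the inputs that would otherwise be bounced by the Manager (a stray "|" in the scope or tag, a malformed CIDR, a path that is not a segment path). The expression element layout is the NSX Policy API's; the helper name and the pre-checks are assumptions.

```python
"""Added example (not the server's code): build the NSX Policy API Group body
from the membership criteria create_group accepts. The body is what a
PUT /policy/api/v1/infra/domains/default/groups/{group_id} would carry."""
import ipaddress


def build_group_body(group_id, display_name, description=None, tag_scope=None,
                     tag_value=None, ip_addresses=None, segment_paths=None):
    """Return the JSON-ready group dict; raises ValueError on inputs NSX would reject."""
    criteria = []
    if tag_scope is not None or tag_value is not None:
        if not (tag_scope and tag_value):
            raise ValueError("tag_scope and tag_value must be supplied together")
        if "|" in tag_scope or "|" in tag_value:
            raise ValueError("'|' separates scope from tag and cannot appear in either half")
        # VM tag membership: a Condition whose value is the pipe-delimited "scope|tag".
        criteria.append({"resource_type": "Condition", "member_type": "VirtualMachine",
                         "key": "Tag", "operator": "EQUALS",
                         "value": f"{tag_scope}|{tag_value}"})
    if ip_addresses:
        for entry in ip_addresses:
            # Accepts single addresses and CIDRs; raises ValueError if malformed,
            # so a typo is caught locally instead of as an NSX 400 response.
            ipaddress.ip_network(entry, strict=False)
        criteria.append({"resource_type": "IPAddressExpression",
                         "ip_addresses": list(ip_addresses)})
    if segment_paths:
        for path in segment_paths:
            if not (path.startswith("/infra/") and "/segments/" in path):
                raise ValueError(f"not a segment policy path: {path!r}")
        criteria.append({"resource_type": "PathExpression", "paths": list(segment_paths)})

    # Heterogeneous expression types may only be joined with OR, so every pair of
    # criteria is separated by a ConjunctionOperator element.
    expression = []
    for index, criterion in enumerate(criteria):
        if index:
            expression.append({"resource_type": "ConjunctionOperator",
                               "conjunction_operator": "OR"})
        expression.append(criterion)

    body = {"id": group_id, "display_name": display_name, "expression": expression}
    if description:
        body["description"] = description
    return body


def criteria_kinds(body):
    """Resource types of the real criteria, conjunctions stripped (handy for get_group output too)."""
    return [e["resource_type"] for e in body["expression"]
            if e["resource_type"] != "ConjunctionOperator"]


if __name__ == "__main__":
    import json
    print(json.dumps(build_group_body("web-tier-vms", "Web tier VMs", tag_scope="env",
                                      tag_value="production", ip_addresses=["10.0.1.0/24"],
                                      segment_paths=["/infra/segments/web"]), indent=2))
```

A group with no criteria is legal (an empty expression list, i.e. a static group with no members yet), which is why the function does not treat the absence of all three inputs as an error.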

delete_group

[WRITE] Delete an NSX security group.

Refuses deletion if any entity references the group, using NSX's own group-associations dependency API. This covers every reference class: DFW rules/policies, gateway-firewall policies, nested groups (another group referencing this one), and service-insertion/IDS-IPS policies. Also refuses if the reference check itself fails (fail-safe).

Args:

  • group_id: ID of the group to delete.

  • target: Optional NSX Manager target name from config.

list_idps_profiles

[READ] List IDPS profiles configured in NSX.

Returns each profile's id, display_name, profile_severity (comma-joined list), criteria (filter_name/filter_value pairs such as ATTACK_TYPE or CVSS filters), and overridden signature count. Defaults to the first 50 matches — use name_filter to narrow and offset to page on large estates.

Args:

  • target: Optional NSX Manager target name from config.

  • name_filter: Optional substring/glob match on profile display_name.

  • limit: Max profiles to return (default 50).

  • offset: Number of matched profiles to skip (pagination).

get_idps_status

[READ] Get IDPS signature status and global IDS settings.

Returns 'signature_status' (scalar fields of the signature bundle status resource, e.g. version/update state — field names vary by NSX release) and 'settings' (auto_update, ids_events_to_syslog).

Args:

  • target: Optional NSX Manager target name from config.

list_vm_tags

[READ] List all NSX tags applied to a virtual machine.

Looks up the VM by display name and returns all scope/value tag pairs. Raises KeyError if no VM is found, ValueError if multiple VMs match.

Args:

  • vm_display_name: Display name of the virtual machine.

  • target: Optional NSX Manager target name from config.

apply_vm_tag

[WRITE] Apply an NSX tag to a virtual machine.

Existing tags on the VM are preserved — this operation is additive. Use list_vm_tags to get the vm_id (external_id) first.

Args:

  • vm_id: VM external ID (fabric UUID, obtainable from list_vm_tags).

  • tag_scope: Tag scope string (e.g. 'env', 'tier', 'owner').

  • tag_value: Tag value string (e.g. 'production', 'web').

  • target: Optional NSX Manager target name from config.

remove_vm_tag

[WRITE] Remove an NSX tag from a virtual machine.

Only the exact scope/value pair is removed — other tags on the VM are preserved. Removing a tag can change dynamic security group membership immediately (groups with tag Conditions stop matching the VM). Use list_vm_tags first to confirm the exact scope and value.

Args:

  • vm_id: VM external ID (fabric UUID, obtainable from list_vm_tags).

  • tag_scope: Tag scope string of the tag to remove (e.g. 'env').

  • tag_value: Tag value string of the tag to remove (e.g. 'production').

  • target: Optional NSX Manager target name from config.

run_traceflow

[WRITE] Run a Traceflow to trace a packet's path through the NSX overlay.

Injects a synthetic probe packet from the source logical port and returns hop-by-hop observations including DFW rule hits and drop reasons. The result reports operation_state (IN_PROGRESS / FINISHED / FAILED) and observations discriminated by resource_type (e.g. TraceflowObservationForwarded, TraceflowObservationDroppedLogical — Dropped* entries carry reason and acl_rule_id).

Args:

  • src_lport_id: Source logical port ID (attachment UUID of the VM NIC).

  • src_ip: Source IP address for the probe packet.

  • dst_ip: Destination IP address.

  • protocol: IP protocol — TCP, UDP, or ICMP (default: TCP).

  • dst_port: Destination port for TCP/UDP probes (default: 80).

  • src_port: Source port for TCP/UDP probes (default: 1234).

  • ttl: IP TTL value (default: 64).

  • timeout_seconds: Maximum seconds to wait for completion (default: 20).

  • target: Optional NSX Manager target name from config.

get_traceflow_result

[READ] Get the current state and observations of an existing Traceflow.

Use this to check a previously initiated traceflow without waiting. Returns operation_state (IN_PROGRESS / FINISHED / FAILED) and observations discriminated by resource_type; Dropped* observations carry reason and acl_rule_id.

Args:

  • traceflow_id: Traceflow ID from a previous run_traceflow call.

  • target: Optional NSX Manager target name from config.
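Both run_traceflow and get_traceflow_result hand back the same shape: an operation_state plus a list of observations discriminated by resource_type, where Dropped* entries carry reason and acl_rule_id. As an added example that is not the server's code, the function below reduces such a result to an ordered hop list and a verdict, and pulls out the firewall rule ids an operator would then cross-check with list_dfw_rules and get_dfw_rule_stats. The sample result is constructed: operation_state, resource_type, reason and acl_rule_id are the fields the tool descriptions name, while sequence_no, component_type and component_name are assumed observation attributes.

```python
"""Added example (not the server's code): summarise a Traceflow result of the
shape run_traceflow / get_traceflow_result return."""

SAMPLE_RESULT = {  # constructed sample, not captured from an NSX Manager
    "operation_state": "FINISHED",
    "observations": [
        {"resource_type": "TraceflowObservationInjected", "sequence_no": 0,
         "component_type": "VM_LOGICAL_PORT", "component_name": "web-01/nic0"},
        {"resource_type": "TraceflowObservationForwarded", "sequence_no": 1,
         "component_type": "LOGICAL_SWITCH", "component_name": "web-segment"},
        {"resource_type": "TraceflowObservationReceived", "sequence_no": 2,
         "component_type": "DISTRIBUTED_FIREWALL", "component_name": "dfw"},
        {"resource_type": "TraceflowObservationDroppedLogical", "sequence_no": 3,
         "component_type": "DISTRIBUTED_FIREWALL", "component_name": "dfw",
         "reason": "FW_RULE", "acl_rule_id": 1024},  # constructed rule id
    ],
}


def summarize_traceflow(result):
    """Collapse the observation list into ordered hops plus a one-word verdict."""
    state = result.get("operation_state")
    hops, drops = [], []
    observations = sorted(result.get("observations", []),
                          key=lambda o: o.get("sequence_no", 0))
    for obs in observations:
        rtype = obs.get("resource_type", "")
        hop = {"seq": obs.get("sequence_no"), "type": rtype,
               "component": obs.get("component_name")}
        if rtype.startswith("TraceflowObservationDropped"):
            # Dropped* observations are the only ones carrying reason / acl_rule_id.
            hop["reason"] = obs.get("reason")
            hop["acl_rule_id"] = obs.get("acl_rule_id")
            drops.append(hop)
        hops.append(hop)
    if state == "IN_PROGRESS":
        verdict = "pending"        # poll again with get_traceflow_result
    elif state == "FAILED":
        verdict = "failed"
    elif drops:
        verdict = "dropped"
    elif any(h["type"] == "TraceflowObservationDelivered" for h in hops):
        verdict = "delivered"
    else:
        verdict = "inconclusive"   # finished, but neither a delivery nor a drop was observed
    return {"state": state, "verdict": verdict, "hops": hops, "drops": drops}


def firewall_rules_to_review(summary):
    """acl_rule_ids behind firewall drops, i.e. the rules to look up next."""
    return sorted({d["acl_rule_id"] for d in summary["drops"]
                   if d["reason"] == "FW_RULE" and d["acl_rule_id"] is not None})


if __name__ == "__main__":
    summary = summarize_traceflow(SAMPLE_RESULT)
    for hop in summary["hops"]:
        print(hop)
    print("verdict:", summary["verdict"], "rules to review:", firewall_rules_to_review(summary))
```

The verdict deliberately distinguishes "pending" (operation_state still IN_PROGRESS, so the observation list is incomplete and a drop may still appear) from "inconclusive" (FINISHED with neither a delivery nor a drop), so that a caller polling get_traceflow_result does not read an unfinished trace as a clean pass.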

Prompts

Interactive templates invoked by user choice

Name / Description

No prompts

Resources

Contextual data attached and managed by the client

Name / Description

No resources

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/zw008/VMware-NSX-Security'
