A community-built skill from a VMware engineer that wraps NSX Policy API with 20 tools for microsegmentation and security operations. You get distributed firewall policy and rule management, security group lifecycle, VM tagging, Traceflow packet tracing, and IDPS profile queries. It logs all writes to an audit file, validates dependencies before deletes, and pairs with companion skills for networking, VM lifecycle, and monitoring. Reach for this when you're automating DFW rule creation, building dynamic security groups by tag, or troubleshooting connectivity with Traceflow. Works with NSX 3.2 through 9.1 and VCF 4.5 through 9.1. Credentials live in environment variables, config stays in YAML.
Author: Wei Zhou, VMware by Broadcom — wei-wz.zhou@broadcom.com This is a community-driven project by a VMware engineer, not an official VMware product. For official VMware developer tools see developer.broadcom.com.
VMware NSX DFW microsegmentation and security MCP skill — 21 tools for distributed firewall policies/rules, security groups, VM tags, Traceflow packet tracing, and IDPS.
Companion skills: vmware-nsx (networking), vmware-aiops (VM lifecycle), vmware-monitor (monitoring)
```bash
uv tool install vmware-nsx-security
mkdir -p ~/.vmware-nsx-security
cp config.example.yaml ~/.vmware-nsx-security/config.yaml
# Edit config.yaml with your NSX Manager host
echo "VMWARE_NSX_SECURITY_NSX_PROD_PASSWORD=your_password" > ~/.vmware-nsx-security/.env
chmod 600 ~/.vmware-nsx-security/.env
vmware-nsx-security doctor
```
| Category | Tools |
|---|---|
| DFW Policy | list, get, create, update, delete, list rules |
| DFW Rules | create, update, delete, stats |
| Security Groups | list, get, create, delete |
| VM Tags | list tags, apply tag, remove tag |
| Traceflow | run trace, get result |
| IDPS | list profiles, signature status + settings |
Total: 21 MCP tools (10 read-only + 11 write)
After uv tool install vmware-nsx-security, start the MCP server with one command (v1.5.15+):
```bash
# Recommended — single command, no network re-resolve
vmware-nsx-security mcp
# With a custom config path
VMWARE_NSX_SECURITY_CONFIG=/path/to/config.yaml vmware-nsx-security mcp
```
Add to ~/.claude.json:
```json
{
  "mcpServers": {
    "vmware-nsx-security": {
      "command": "vmware-nsx-security",
      "args": ["mcp"],
      "env": {
        "VMWARE_NSX_SECURITY_CONFIG": "~/.vmware-nsx-security/config.yaml"
      }
    }
  }
}
```
```bash
# Run without installing (requires PyPI access each launch)
uvx --from vmware-nsx-security vmware-nsx-security mcp
# Legacy entry point (still works, kept for backward compatibility)
vmware-nsx-security-mcp
```
Behind a corporate TLS proxy? uvx may fail with `invalid peer certificate: UnknownIssuer`. Use the recommended `vmware-nsx-security mcp` form above (no network needed), or set `UV_NATIVE_TLS=true`.
```bash
# 1. Create groups by tag — via the create_group MCP tool
# (tag_scope=tier, tag_value=web → matched as Condition value "tier|web";
# multiple criteria types — tag/IP/segment — are ORed)
# 2. Create DFW policy
vmware-nsx-security policy create web-app-policy --name "Web to App" --category Application
# Find VM and its external ID
vmware-nsx-security tag list my-vm-01
# Apply tag using the external ID
vmware-nsx-security tag apply <external-id> --scope tier --value web
vmware-nsx-security traceflow run <src-lport-id> \
  --src-ip 10.0.1.5 --dst-ip 10.0.2.10 --proto TCP --dst-port 443
```
Output reports `operation_state` (IN_PROGRESS/FINISHED/FAILED), hop-by-hop observations discriminated by `resource_type` (`Dropped*` entries carry `reason` + `acl_rule_id`), and a `dfw_hits` summary.
Write audit log: `~/.vmware-nsx-security/audit.log`
Dry-run flag: `--dry-run`
| Skill | Scope | Tools | Install |
|---|---|---|---|
| vmware-aiops ⭐ entry point | VM lifecycle, deployment, guest ops, clusters | 31 | uv tool install vmware-aiops |
| vmware-monitor | Read-only monitoring, alarms, events, VM info | 8 | uv tool install vmware-monitor |
| vmware-nsx | NSX networking: segments, gateways, NAT, IPAM | 31 | uv tool install vmware-nsx-mgmt |
| vmware-storage | Datastores, iSCSI, vSAN | 11 | uv tool install vmware-storage |
| vmware-vks | Tanzu Namespaces, TKC cluster lifecycle | 20 | uv tool install vmware-vks |
| vmware-aria | Aria Ops metrics, alerts, capacity planning | 18 | uv tool install vmware-aria |
| NSX Version | Support | Notes |
|---|---|---|
| NSX 9.1 / VCF 9.1 | ✅ Full | DFW + Security Group + Traceflow + IDS/IPS via Policy API. VDS 7.0+ required (N-VDS removed in NSX 9). |
| NSX 9.0 / VCF 9.0 | ✅ Full | Same as 9.1. Bare-metal NSX agent removed. |
| NSX 4.x / VCF 5.x | ✅ Full | All features supported. |
| NSX-T 3.2 / VCF 4.5 | ✅ Full | Policy API stable. |
MIT