Vmware Nsx Security
by @zw008
Use this skill whenever the user needs to manage VMware NSX security — distributed firewall (DFW) policies, security groups, microsegmentation, and IDS/IPS....
clawhub install vmware-nsx-security📖 About This Skill
name: vmware-nsx-security description: > Use this skill whenever the user needs to manage VMware NSX security — distributed firewall (DFW) policies, security groups, microsegmentation, and IDS/IPS. Directly handles: create/manage DFW policies and rules, security groups, VM tags, network traceflow diagnostics, IDPS profiles and status. Always use this skill for "create firewall rule", "set up microsegmentation", "add VM to security group", "run traceflow", "check IDS status", or any NSX security/DFW task. Do NOT use for NSX networking operations like segments, gateways, NAT, or routing (use vmware-nsx), or VM lifecycle (use vmware-aiops). For load balancing/AVI/AKO use vmware-avi. installer: kind: uv package: vmware-nsx-security allowed-tools: - Bash metadata: {"openclaw":{"requires":{"env":["VMWARE_NSX_SECURITY_CONFIG"],"bins":["vmware-nsx-security"],"config":["~/.vmware-nsx-security/config.yaml","~/.vmware-nsx-security/.env"]},"optional":{"env":["VMWARE_
VMware NSX Security
> Disclaimer: This is a community-maintained open-source project and is not affiliated with, endorsed by, or sponsored by VMware, Inc. or Broadcom Inc. "VMware" and "NSX" are trademarks of Broadcom. Source code is publicly auditable at github.com/zw008/VMware-NSX-Security under the MIT license.
VMware NSX DFW microsegmentation and security — 20 MCP tools for distributed firewall, security groups, VM tags, Traceflow, and IDPS.
> Domain-focused security skill for NSX-T / NSX 4.x Policy API. > Companion skills: vmware-nsx (networking), vmware-aiops (VM lifecycle), vmware-monitor (read-only monitoring), vmware-avi (AVI/ALB/AKO), vmware-harden (compliance baselines). > | vmware-pilot (workflow orchestration) | vmware-policy (audit/policy)
What This Skill Does
| Category | Tools | Count | |----------|-------|:-----:| | DFW Policy | list, get, create, update, delete, list rules | 6 | | DFW Rules | create, update, delete, get stats | 4 | | Security Groups | list, get, create, delete | 4 | | VM Tags | list VM tags, apply tag | 2 | | Traceflow | run trace, get result | 2 | | IDPS | list profiles, get status | 2 |
Total: 20 tools (10 read-only + 10 write)
Quick Install
uv tool install vmware-nsx-security
vmware-nsx-security doctor
When to Use This Skill
Use companion skills for:
vmware-nsxvmware-aiopsvmware-monitorvmware-storagevmware-vksvmware-aviRelated Skills — Skill Routing
| User Intent | Recommended Skill |
|-------------|-------------------|
| NSX security: DFW rules, security groups, IDS/IPS | vmware-nsx-security ← this skill |
| NSX networking: segments, gateways, NAT, routing | vmware-nsx |
| Read-only vSphere monitoring, alarms, events | vmware-monitor |
| VM lifecycle, deployment, guest ops | vmware-aiops |
| Storage: iSCSI, vSAN, datastores | vmware-storage |
| Tanzu Kubernetes | vmware-vks |
| Multi-step workflows with approval | vmware-pilot |
| Compliance baselines (CIS / 等保 / PCI-DSS), drift detection, LLM remediation advisor | vmware-harden (uv tool install vmware-harden) |
| Load balancer, AVI, ALB, AKO, Ingress | vmware-avi (uv tool install vmware-avi) |
| Audit log query | vmware-policy (vmware-audit CLI) |
Common Workflows
Implement App-Tier Microsegmentation
Pre-flight (judgment — DFW changes can lock everyone out):
tag list ). A group based on a non-existent tag matches zero VMs — the policy will appear "applied" but enforce nothing.Application for app-tier microseg (rules evaluated late, after Infrastructure rules pass through). Using Emergency for routine rules will starve real incident-response capacity.Steps:
1. Tag the VMs first (see workflow below) — empty groups = no enforcement
2. group create web-vms --tag-scope tier --tag-value web (and app-vms)
3. policy create app-microseg --category Application
4. Add rules in order: ALLOW management → ALLOW intra-tier → ALLOW web→app on app-port → DROP any-any with logging
5. Verify with traceflow (see below) before enabling default-deny
Apply NSX Tags to VMs
Judgment: tags drive group membership which drives DFW enforcement. A misspelled tag silently excludes a VM from protection. Always re-list after applying.
1. tag list my-web-vm-01 → record the VM external ID, also see what tags already exist (avoid duplicates / typo collisions)
2. tag apply
3. Verify: tag list my-web-vm-01 again → confirm the new tag is present AND no unexpected ones
Trace a Packet with Traceflow
Judgment: traceflow is your verification mechanism for any DFW change. Run it before enabling deny rules and after every rule modification. Don't trust "looks right in the UI."
1. Get source VM's logical port ID via vmware-nsx troubleshoot vm-segment
2. traceflow run
3. Inspect the DFW hit chain: which rule matched, ALLOW or DROP, and at which transport node
4. Common failure: rule matches at category Application but is shadowed by an earlier DROP at category Environment — read the trace top-to-bottom, not just the final verdict
Check DFW Policy Hit Counts
vmware-nsx-security policy list
vmware-nsx-security rule list
vmware-nsx-security rule stats
Multi-Target Operations
All commands accept --target to operate against a specific NSX Manager:
# Default target
vmware-nsx-security policy listSpecific target
vmware-nsx-security policy list --target nsx-prod
vmware-nsx-security group list --target nsx-lab
Usage Mode
| Scenario | Recommended | Why | |----------|:-----------:|-----| | Local/small models (Ollama, Qwen) | CLI | ~2K tokens vs ~8K for MCP | | Cloud models (Claude, GPT-4o) | Either | MCP gives structured JSON I/O | | Automated pipelines | MCP | Type-safe parameters, structured output |
MCP Tools (20 — 10 read, 10 write)
All MCP tools accept an optional target parameter.
| Category | Tool | Type | Description |
|----------|------|:----:|-------------|
| DFW Policy | list_dfw_policies | Read | List all DFW security policies with category, sequence, and rule count |
| | get_dfw_policy | Read | Get policy details: category, stateful, locked, scope, tags |
| | create_dfw_policy | Write | Create a new DFW policy with category and sequence number |
| | update_dfw_policy | Write | Partial update: display_name, description, sequence_number, stateful |
| | delete_dfw_policy | Write | Delete policy — refuses if active rules exist |
| | list_dfw_rules | Read | List rules in a policy: action, sources, destinations, services |
| DFW Rules | create_dfw_rule | Write | Create rule with sources/destinations/services/action/scope |
| | update_dfw_rule | Write | Partial update rule fields |
| | delete_dfw_rule | Write | Delete a rule from a policy |
| | get_dfw_rule_stats | Read | Get packet/byte hit counts for a rule |
| Security Groups | list_groups | Read | List all security groups with expression count |
| | get_group | Read | Get group details: expression criteria + up to 50 effective VM members |
| | create_group | Write | Create group with tag/IP/segment membership criteria |
| | delete_group | Write | Delete group — refuses if referenced by DFW rules |
| VM Tags | list_vm_tags | Read | List NSX tags on a VM by display name |
| | apply_vm_tag | Write | Apply a scope/value tag to a VM (additive, preserves existing tags) |
| Traceflow | run_traceflow | Write | Inject probe packet and return hop-by-hop observations |
| | get_traceflow_result | Read | Check status/observations of an existing traceflow |
| IDPS | list_idps_profiles | Read | List IDPS profiles with severity and criteria |
| | get_idps_status | Read | Get IDPS engine status: enabled/disabled, signature version, per-node counts |
CLI Quick Reference
# DFW Policy
vmware-nsx-security policy list [--target ]
vmware-nsx-security policy get
vmware-nsx-security policy create --name "Display Name" --category Application [--dry-run]
vmware-nsx-security policy delete [--dry-run]DFW Rules
vmware-nsx-security rule list
vmware-nsx-security rule stats
vmware-nsx-security rule delete [--dry-run]Security Groups
vmware-nsx-security group list
vmware-nsx-security group get
vmware-nsx-security group delete [--dry-run]Tags
vmware-nsx-security tag list
vmware-nsx-security tag apply --scope env --value production [--dry-run]Traceflow
vmware-nsx-security traceflow run --src-ip <src-ip> --dst-ip <dst-ip>IDPS
vmware-nsx-security idps profiles
vmware-nsx-security idps statusDiagnostics
vmware-nsx-security doctor [--skip-auth]
Troubleshooting
"Cannot delete policy — active rules exist"
delete_dfw_policy checks for active rules before deleting. Use vmware-nsx-security rule list to see which rules need to be removed first. Then delete each rule individually before retrying the policy deletion.
"Cannot delete group — referenced by DFW rules"
delete_group scans all policies for rules that reference the group in source_groups or destination_groups. Remove the group from those rules first (via update_dfw_rule replacing the group path with 'ANY' or another group), then retry.
"No virtual machine found with display_name"
list_vm_tags looks up VMs by display name via the NSX fabric API. Common causes:
1. Display name mismatch — the name in NSX Manager may differ from vCenter. Check vmware-monitor vm list for the exact NSX fabric display name.
2. VM not registered — newly deployed VMs may take a minute to appear in the NSX fabric.
3. Multiple VMs with the same name — use apply_vm_tag with the specific external_id.
Traceflow returns empty observations
1. Verify the src_lport_id is the correct logical port attachment UUID — not the segment port path. Get it from vmware-nsx troubleshoot vm-segment .
2. The source VM must be powered on and connected to an NSX overlay segment.
3. If the VM is on a VLAN-backed segment, Traceflow is not supported.
4. NSX Manager requires the transport node hosting the source VM to be reachable. Check vmware-nsx health transport-nodes.
DFW rule stats show zero hits
A newly created rule will have zero hit counts until traffic matches it. If expected traffic still shows zero:
1. Confirm the rule is not disabled (disabled: false in list_dfw_rules output).
2. Check that source/destination group membership is correct using get_group.
3. Verify rule sequence number — a lower-sequence rule with ALLOW/DROP may be matching first.
"Password not found" error
Password variable convention: VMWARE_NSX_SECURITY_
where hyphens are replaced by underscores. For target nsx-prod:
VMWARE_NSX_SECURITY_NSX_PROD_PASSWORD. Check ~/.vmware-nsx-security/.env.
invalid peer certificate: UnknownIssuer (uvx)
Corporate TLS proxy not trusted by uv's bundled cert store. Use the v1.5.15+
single-command form vmware-nsx-security mcp (no PyPI re-resolve), or
export UV_NATIVE_TLS=true to make uv use the system cert store.
Safety
~/.vmware/audit.db (SQLite WAL, via vmware-policy) with timestamp, user, target, operation, parameters, and resultdelete_dfw_policy checks for active rules; delete_group checks for DFW rule references — prevents accidental cascade failures--dry-run to preview API calls without executing.env file), never from config.yamlvmware-nsx_sanitize() before inclusion in tool outputSetup
uv tool install vmware-nsx-security
mkdir -p ~/.vmware-nsx-security
cp config.example.yaml ~/.vmware-nsx-security/config.yaml
Edit config.yaml with your NSX Manager targets
Add to ~/.vmware-nsx-security/.env (create if missing, chmod 600):
VMWARE_NSX_SECURITY_NSX_PROD_PASSWORD=
chmod 600 ~/.vmware-nsx-security/.envvmware-nsx-security doctor
> All tools are automatically audited via vmware-policy. Audit logs: vmware-audit log --last 20
> Full setup guide: see references/setup-guide.md
Architecture
User (natural language)
|
AI Agent (Claude Code / Goose / Cursor)
| reads SKILL.md
vmware-nsx-security CLI or MCP server (stdio transport)
| NSX Policy API (REST/JSON over HTTPS)
NSX Manager
|
DFW Policies / Rules / Security Groups / Tags / IDPS
The MCP server uses stdio transport (local only, no network listener). All connections to NSX Manager use HTTPS on port 443.
Audit & Safety
All operations are automatically audited via vmware-policy (@vmware_tool decorator):
~/.vmware/audit.db (SQLite, framework-agnostic)~/.vmware/rules.yaml (deny rules, maintenance windows, risk levels)vmware-audit log --last 20vmware-audit log --status deniedvmware-policy is automatically installed as a dependency — no manual setup needed.
License
⚙️ Configuration
uv tool install vmware-nsx-security
mkdir -p ~/.vmware-nsx-security
cp config.example.yaml ~/.vmware-nsx-security/config.yaml
Edit config.yaml with your NSX Manager targets
Add to ~/.vmware-nsx-security/.env (create if missing, chmod 600):
VMWARE_NSX_SECURITY_NSX_PROD_PASSWORD=
chmod 600 ~/.vmware-nsx-security/.envvmware-nsx-security doctor
> All tools are automatically audited via vmware-policy. Audit logs: vmware-audit log --last 20
> Full setup guide: see references/setup-guide.md
📋 Tips & Best Practices
"Cannot delete policy — active rules exist"
delete_dfw_policy checks for active rules before deleting. Use vmware-nsx-security rule list to see which rules need to be removed first. Then delete each rule individually before retrying the policy deletion.
"Cannot delete group — referenced by DFW rules"
delete_group scans all policies for rules that reference the group in source_groups or destination_groups. Remove the group from those rules first (via update_dfw_rule replacing the group path with 'ANY' or another group), then retry.
"No virtual machine found with display_name"
list_vm_tags looks up VMs by display name via the NSX fabric API. Common causes:
1. Display name mismatch — the name in NSX Manager may differ from vCenter. Check vmware-monitor vm list for the exact NSX fabric display name.
2. VM not registered — newly deployed VMs may take a minute to appear in the NSX fabric.
3. Multiple VMs with the same name — use apply_vm_tag with the specific external_id.
Traceflow returns empty observations
1. Verify the src_lport_id is the correct logical port attachment UUID — not the segment port path. Get it from vmware-nsx troubleshoot vm-segment .
2. The source VM must be powered on and connected to an NSX overlay segment.
3. If the VM is on a VLAN-backed segment, Traceflow is not supported.
4. NSX Manager requires the transport node hosting the source VM to be reachable. Check vmware-nsx health transport-nodes.
DFW rule stats show zero hits
A newly created rule will have zero hit counts until traffic matches it. If expected traffic still shows zero:
1. Confirm the rule is not disabled (disabled: false in list_dfw_rules output).
2. Check that source/destination group membership is correct using get_group.
3. Verify rule sequence number — a lower-sequence rule with ALLOW/DROP may be matching first.
"Password not found" error
Password variable convention: VMWARE_NSX_SECURITY_
where hyphens are replaced by underscores. For target nsx-prod:
VMWARE_NSX_SECURITY_NSX_PROD_PASSWORD. Check ~/.vmware-nsx-security/.env.
invalid peer certificate: UnknownIssuer (uvx)
Corporate TLS proxy not trusted by uv's bundled cert store. Use the v1.5.15+
single-command form vmware-nsx-security mcp (no PyPI re-resolve), or
export UV_NATIVE_TLS=true to make uv use the system cert store.