Exporting All NSX-T Security Groups via API where the number of groups is more than 1000

Article ID: 429635


Updated On:

Products

VMware NSX

Issue/Introduction

When performing audits or environment migrations, administrators often need to export a comprehensive list of NSX-T Security Groups (Inventory Groups). While the Distributed Firewall (DFW) configuration can be exported directly from the NSX Manager UI, this export only displays groups that are actively applied to rules.

Currently, the NSX Manager UI does not provide a native "Export" button within the Inventory/Groups tab to download a list of all defined groups (including unused ones).

When performing a bulk export or retrieval of Security Groups (Inventory Groups) via the NSX-T or NSX 4.x Policy API, the response is limited to 1,000 entries despite the environment containing a significantly higher number of objects.

Environment

VMware NSX

Cause

The NSX-T Manager User Interface is designed for configuration and management rather than bulk data reporting. Consequently, the functionality to generate a CSV or PDF of the entire Inventory Group database is not exposed through the standard graphical interface.
In addition, the NSX Policy API enforces a hard-coded default result limit of 1,000 entries per request. This safeguard is in place to protect system performance and prevent large memory overhead during API response serialization.

Resolution

To retrieve a complete list of all security groups regardless of their usage, you must use the NSX-T Policy API. This provides the most granular data in a structured JSON format.

1. API Endpoint Details: Use the following REST API call to target the default domain:

  • Method: GET

  • URL: https://<nsx-manager-ip>/policy/api/v1/infra/domains/default/groups

2. Execution via Command Line (Curl): From a terminal with network access to the NSX Manager, execute the following command to save the output to a local file:

3. Data Verification: Once executed, the nsx_groups.json file will contain the display names, unique IDs, and membership criteria for every security group in the environment.

To retrieve more than 1,000 entries, you must use API pagination via the cursor parameter.

  1. Initial Request: Execute the standard GET call for groups. GET https://<nsx-manager>/policy/api/v1/infra/domains/default/groups

  2. Identify Cursor: Locate the "cursor" value at the end of the JSON response body.

  3. Subsequent Request: Perform the next call using the cursor value as a query parameter. GET https://<nsx-manager>/policy/api/v1/infra/domains/default/groups?cursor=<cursor_value>

  4. Repeat: Continue this process until the "cursor" property is no longer present in the response, indicating the end of the dataset.
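The four pagination steps above can be automated as in the following added example, which is not part of the original article or VMware's own tooling. It assumes HTTP Basic authentication and that each page lists its groups under a "results" key; the function names and the constructed in-memory sample data are illustrative, and TLS certificate verification is left enabled.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

GROUPS_PATH = "/policy/api/v1/infra/domains/default/groups"  # endpoint from the article


def make_fetcher(manager, user, password, ca_file=None):
    """Return fetch(cursor) -> dict that performs one authenticated GET (assumes Basic auth)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # certificate checks stay on
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def fetch(cursor):
        url = f"https://{manager}{GROUPS_PATH}"
        if cursor:  # URL-encode the cursor instead of pasting it in raw
            url += "?" + urllib.parse.urlencode({"cursor": cursor})
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)

    return fetch


def export_all_groups(fetch, max_pages=1000):
    """Follow "cursor" until it is absent; return every group from every page."""
    groups, cursor, seen = [], None, set()
    for _ in range(max_pages):
        page = fetch(cursor)
        groups.extend(page.get("results", []))  # "results" key is an assumption
        cursor = page.get("cursor")
        if not cursor:
            return groups  # no cursor: end of the dataset
        if cursor in seen:
            raise RuntimeError("cursor repeated; aborting to avoid an endless loop")
        seen.add(cursor)
    raise RuntimeError("max_pages reached before the cursor disappeared")


def fake_fetch(cursor):
    """Constructed sample data: 2,500 groups served 1,000 per page."""
    start = int(cursor or 0)
    end = min(start + 1000, 2500)
    page = {"results": [{"id": f"grp-{i}", "display_name": f"Group {i}"} for i in range(start, end)]}
    if end < 2500:
        page["cursor"] = str(end)
    return page
```

Against a real manager, pass the result of `make_fetcher(...)` to `export_all_groups` and write the returned list to nsx_groups.json with `json.dump`; read the password from a prompt or secret store rather than the command line.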

Additional Data Retrieval

  • To retrieve member IP addresses for a specific group: GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/ip-addresses

  • To retrieve defined services: GET /policy/api/v1/infra/services

Additional Information

For more details on result pagination and API limits, refer to the VMware NSX-T Data Center REST API Guide.