You can exclude a set of virtual machines from NSX distributed firewall protection.

NSX Manager, NSX Controllers, and NSX Edge virtual machines are automatically excluded from NSX distributed firewall protection. In addition, VMware recommends that you place the following service virtual machines in the Exclusion List to allow traffic to flow freely.
  • vCenter Server. It can be moved into a cluster that is protected by Firewall, but it must already exist in the exclusion list to avoid connectivity issues.
    Note: It is important to add the vCenter Server to the exclusion list before changing the "any any" default rule from allow to block. Failure to do so will result in access to the vCenter Server being blocked after creating a Deny All rule (or modifying default rule to block action). If this occurs, roll back the DFW to the default firewall rule set by running the following API command: https://NSX_Manager_IP/api/4.0/firewall/globalroot-0/config. The request must return a status of 204. This restores the default policy (with a default rule of allow) for DFW and re-enables access to vCenter Server and the vSphere Web Client.
  • Partner service virtual machines.
  • Virtual machines that require promiscuous mode. If these virtual machines are protected by NSX distributed firewall, their performance may be adversely affected.
  • The SQL server that your Windows-based vCenter uses.
  • vCenter Web server, if you are running it separately.


  1. In the vSphere Web Client, click Networking & Security.
  2. In Networking & Security Inventory, click NSX Managers.
  3. In the Name column, click an NSX Manager.
  4. Click the Manage tab and then click the Exclusion List tab.
  5. Click the Add (add icon) icon.
  6. Select the virtual machines that you want to exclude and click Add.
  7. Click OK.


If a virtual machine has multiple vNICs, all of them are excluded from protection. If you add vNICs to a virtual machine after it has been added to the Exclusion List, Firewall is automatically deployed on the newly added vNICs. In order to exclude these vNICs from firewall protection, you must remove the virtual machine from the Exclusion List and then add it back to the Exclusion List. An alternative workaround is to power cycle (power off and then power on) the virtual machine, but the first option is less disruptive.