You can exclude a set of virtual machines from distributed firewall protection.

NSX Manager, NSX Controller, and NSX Edge virtual machines are automatically excluded from distributed firewall protection. In addition, place the following service virtual machines in the Exclusion List to allow traffic to flow freely.
  • vCenter Server. It can be moved into a cluster that is protected by Firewall, but it must already exist in the exclusion list to avoid connectivity issues.
    Note: It is important to add the vCenter Server to the exclusion list before changing the "any any" default rule from allow to block. Failure to do so will result in access to the vCenter Server being blocked after creating a Deny All rule (or modifying default rule to block action). If this occurs, use the API to change the default rule from deny to allow. For example, use GET /api/4.0/firewall/globalroot-0/config to retrieve the current configuration, and use PUT /api/4.0/firewall/globalroot-0/config to change the configuration. See "Working with Distributed Firewall Configuration" in the NSX API Guide for more information.
  • Partner service virtual machines.
  • Virtual machines that require promiscuous mode. If these virtual machines are protected by distributed firewall, their performance may be adversely affected.
  • The SQL server that your Windows-based vCenter uses.
  • vCenter Web server, if you are running it separately.


  1. Navigate to Exclusion List settings.
    • In NSX 6.4.1 and later, navigate to Networking & Security > Security > Firewall Settings > Exclusion List.
    • In NSX 6.4.0, navigate to Networking & Security > Security > Firewall > Exclusion List.
  2. Click Add.
  3. Move the VMs that you want to exclude to Selected Objects.
  4. Click OK.


If a virtual machine has multiple vNICs, all of them are excluded from protection. If you add vNICs to a virtual machine after it has been added to the Exclusion List, Firewall is automatically deployed on the newly added vNICs. To exclude the new vNICs from firewall protection, you must remove the virtual machine from the Exclusion List and then add it back to the Exclusion List. An alternative workaround is to power cycle (power off and then power on) the virtual machine, but the first option is less disruptive.