Firewall exclusion lists are made of groups that can be excluded from a firewall rule based on group membership.
Virtual machines such as load balancers, firewalls, virtual network functions (routing, switching, etc.), and any virtual machines that require promiscuous mode must be in a DFW Exclusion list. VMware does not support adding those virtual machines to DFW; they must be manually added to user excluded groups.
In NSX Manager cluster, the first node must be manually added to the Distributed Firewall Exclude List.
User-defined groups can be excluded from firewall rules, and there are a maximum of 100 groups that can be on the list. IP sets, MAC sets, and Active Directory groups cannot be included as members in a group that is used in a firewall exclusion list.