Firewall exclusion lists are made of groups that can be excluded from a firewall rule based on group membership.

User excluded groups are managed by the user, and empty by default.

Virtual machines such as load balancers, firewalls, virtual network functions (routing, switching, etc.), and any virtual machines that require promiscuous mode must be in a DFW Exclusion list. VMware does not support adding those virtual machines to DFW; they must be manually added to user excluded groups.

In NSX Manager cluster, the first node must be manually added to the Distributed Firewall Exclude List.

User-defined groups can be excluded from firewall rules, and there are a maximum of 100 groups that can be on the list. IP sets, MAC sets, and Active Directory groups cannot be included as members in a group that is used in a firewall exclusion list.

Note: NSX-T Data Center automatically adds NSX Edge node virtual machines to the firewall exclusion list.


  1. Navigate to Security > Distributed Firewall > Actions > Exclusion List.
    A window appears listing available groups.
  2. To add a group to the exclusion list, click the check box next to any group. Then click Apply.
  3. To create a group, click Add Group. See Add a Group.
  4. To edit a group, click the three dot menu next to a group and select Edit.
  5. To delete a group, click the three dot menu and select Delete.
  6. To display group details, click Expand All.