Firewall exclusion lists are made of groups that can be excluded from a firewall rule based on group membership.

NSX-T Data Center has system excluded virtual machines, and user excluded groups. NSX Manager and NSX Edge node virtual machines are automatically added to the read-only the System Excluded VMs list. User-defined groups can be excluded from firewall rules, and there are a maximum of 100 groups that can be on the list. IP sets, MAC sets, and Active Directory groups cannot be included as members in a group that is used in a firewall exclusion list.

Users should not edit the system generated firewall exclusion list. If edited, traffic may be disrupted.


  1. Navigate to Security > Distributed Firewall > Actions > Exclusion List.
    A window appears listing available groups.
  2. To view the read-only automated exclusion list, select the System Excluded VMs tab. You can filter this list by:
    • name
    • operating system
    • power state
    • source
    • tag
    • tag scope
  3. To add a user-defined group to the firewall exclusion list, ensure that you are on the User Excluded Groups tab, click the check box next to any group. Then click Apply.
    1. To create a group, click Add Group. See Add a Group.
    2. To edit a group, click the three dot menu next to a group and select Edit.
    3. To delete a group, click the three dot menu and select Delete.
    4. To display group details, click Expand All.
  4. Click Close.