You can exclude policy groups consisting of members from being applied east-west security services.

Update the exclusion list, a list that references member groups to be excluded from the east-west service insertion policy. In the example API request, the parameter members determines the member groups that are added to the exclude list. These members will not be applied with any service insertion policy.
Note: An exclusion list does not support policy groups with IP Set, IP Addresses, or MAC Addresses as members.
  • Add a policy group to the exclusion list that must be excluded when a security service is applied to the system. Run the API command, along with the path to members that must be excluded:
    PUT https://<policy-mgr>/policy/api/v1/infra/settings/service-insertion/security/exclude-list 
    { "members": ["/infra/domains/default/groups/grp1"], "_revision": 1 }
    Example Response:
    	    "members": [
    	    "resource_type": "PolicySIExcludeList",
    	    "id": "exclude-list",
    	    "display_name": "/infra/settings/service-insertion/security/exclude-list",
    	    "path": "/infra/settings/service-insertion/security/exclude-list",
    	    "relative_path": "exclude-list",
    	    "marked_for_delete": false,
    	    "_create_user": "system",
    	    "_create_time": 1552908666342,
    	    "_last_modified_user": "admin",
    	    "_last_modified_time": 1553087794966,
    	    "_system_owned": false,
    	    "_protection": "NOT_PROTECTED",
    	    "_revision": 2