A logical port, logical switch, or NSGroup can be excluded from a firewall rule.

After you have created a section with firewall rules, you may want to exclude an NSX-T Data Center appliance port from those rules.

Note: NSX-T Data Center automatically adds NSX Edge node virtual machines to the firewall exclusion list.


Verify that Manager mode is selected in the NSX Manager user interface. See NSX Manager. If you do not see the Policy and Manager mode buttons, see Configure the User Interface Settings.


  1. Select Security > Distributed Firewall > Exclusion List > Add.
  2. Select a type and an object.
    The available types are Logical Port, Logical Switch, and NSGroup.
  3. Click OK.
  4. To remove an object from the exclusion list, select the object and click Delete on the menu bar.
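
To check the result of this procedure, the following added example (not part of the original documentation) audits an exclusion list against an approved baseline and reports unapproved, stale, or missing entries. It assumes the list was fetched from the Manager API with `GET /api/v1/firewall/excludelist` and that each member carries `target_id`, `target_type`, `target_display_name`, and `is_valid`; the sample response, IDs, names, and the `audit_exclusion_list` helper are constructed for illustration.

```python
import json

# Types offered in step 2, spelled as API target_type values (assumption).
ALLOWED_TYPES = {"LogicalPort", "LogicalSwitch", "NSGroup"}

# Constructed sample shaped like an exclusion list response (not real data).
SAMPLE_RESPONSE = json.loads("""
{"member_count": 3, "members": [
  {"target_id": "00000000-0000-4000-8000-000000000001", "target_type": "NSGroup",
   "target_display_name": "mgmt-appliances", "is_valid": true},
  {"target_id": "00000000-0000-4000-8000-000000000002", "target_type": "LogicalPort",
   "target_display_name": "backup-proxy-port", "is_valid": true},
  {"target_id": "00000000-0000-4000-8000-000000000003", "target_type": "LogicalSwitch",
   "target_display_name": "old-dmz-ls", "is_valid": false}
]}
""")

# Constructed baseline of exclusions that were reviewed and approved.
APPROVED = {
    ("NSGroup", "00000000-0000-4000-8000-000000000001"),
    ("LogicalSwitch", "00000000-0000-4000-8000-000000000003"),
    ("LogicalPort", "00000000-0000-4000-8000-000000000004"),
}

def audit_exclusion_list(response, approved):
    """Return (finding, subject) tuples for entries that need review."""
    findings, seen = [], set()
    members = response.get("members", [])
    for m in members:
        key = (m.get("target_type"), m.get("target_id"))
        name = m.get("target_display_name", "<unnamed>")
        seen.add(key)
        if key[0] not in ALLOWED_TYPES:
            findings.append(("unknown_type", name))
        elif key not in approved:
            findings.append(("unapproved", name))   # bypasses DFW without sign-off
        elif m.get("is_valid") is False:
            findings.append(("stale", name))        # target no longer exists
    # Approved exclusions that are absent are filtered by the firewall again.
    for _type, target_id in sorted(approved - seen):
        findings.append(("missing", target_id))
    if response.get("member_count") not in (None, len(members)):
        findings.append(("count_mismatch", str(len(members))))
    return findings

if __name__ == "__main__":
    for finding in audit_exclusion_list(SAMPLE_RESPONSE, APPROVED):
        print(finding)
```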