A firewall exclusion list is made up of groups; virtual machines that are members of those groups are excluded from distributed firewall rules.

NSX-T Data Center supports system excluded groups and user excluded groups:

  • System excluded groups are managed by the system, and are read-only for users. System excluded groups include Malware Prevention and Service Insertion SVMs together with NSX Managers and NSX Edge appliances that are deployed via a configured Compute Manager.
  • User excluded groups are managed by the user, and empty by default.

    Virtual machines such as load balancers, firewalls, virtual network functions (routing, switching, etc.), and any virtual machines that require promiscuous mode must be in a DFW Exclusion list. VMware does not support adding those virtual machines to DFW; they must be manually added to user excluded groups.

In an NSX Manager cluster, the first node must be manually added to the Distributed Firewall Exclusion List.

Procedure

  1. Navigate to Security > Distributed Firewall > Actions > Exclusion List.
    A window appears listing available groups.
  2. To view the read-only automated exclusion list, select the System Excluded VMs tab. You can filter this list by:
    • name
    • operating system
    • power state
    • source
    • tag
    • tag scope
  3. To add a user-defined group to the firewall exclusion list, ensure that you are on the User Excluded Groups tab and click the check box next to each group you want to exclude. Then click Apply. Note that adding, editing, or deleting a group does not by itself change exclusion list membership.
    1. To create a group, click Add Group. See Add a Group.
    2. To edit a group, click the check box next to the group you want to edit, then click the three-dot menu and select Edit.
    3. To delete a group, click the check box next to the group you want to delete, then click the three-dot menu and select Delete.
    4. To display group details, click Expand All.
  4. Click Close.
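Because exclusion list membership is resolved through group membership, editing a group that is on the list silently changes which VMs lose distributed firewall enforcement. The following Python script is an added example, not code from the NSX-T documentation: it audits a constructed inventory against a constructed exclusion list and reports VMs that the procedure above says must be excluded but are not (load balancers, firewalls, VNFs, promiscuous-mode VMs) as well as ordinary workload VMs that have ended up excluded, and therefore unprotected, through group membership. The group paths, the `members` shape of the exclusion list object, and the `role`/`promiscuous` attributes on each VM are assumptions made for the example; NSX-T itself does not expose a "role" attribute.

```python
"""Audit a DFW exclusion list against VM inventory (constructed data, added example)."""
from dataclasses import dataclass

# Roles that the page says must be excluded from the DFW; "role" is an
# assumed attribute for this example, not an NSX-T property.
ROLES_REQUIRING_EXCLUSION = {"load_balancer", "firewall", "vnf"}


@dataclass
class VM:
    name: str
    role: str = "workload"
    promiscuous: bool = False  # VMs needing promiscuous mode must also be excluded


def requires_exclusion(vm: VM) -> bool:
    """True if the page's rules say this VM belongs in a user excluded group."""
    return vm.role in ROLES_REQUIRING_EXCLUSION or vm.promiscuous


# Constructed groups: assumed Policy-style group path -> member VM names.
GROUPS = {
    "/infra/domains/default/groups/lb-appliances": {"lb-01", "lb-02"},
    "/infra/domains/default/groups/ids-sensors": {"ids-01", "web-03"},
    "/infra/domains/default/groups/web-tier": {"web-01", "web-02", "web-03"},
}

# Constructed exclusion list object; the "members" list of group paths is an
# assumed shape, not copied from a real NSX-T response.
EXCLUDE_LIST = {
    "resource_type": "PolicyExcludeList",
    "members": [
        "/infra/domains/default/groups/lb-appliances",
        "/infra/domains/default/groups/ids-sensors",
    ],
}

# Constructed inventory.
INVENTORY = [
    VM("lb-01", "load_balancer"),
    VM("lb-02", "load_balancer"),
    VM("ids-01", "workload", promiscuous=True),
    VM("vrouter-01", "vnf"),
    VM("web-01"),
    VM("web-02"),
    VM("web-03"),
]


def excluded_vm_names(exclude_list: dict, groups: dict) -> set:
    """Resolve the exclusion list to the set of VM names it currently covers."""
    names = set()
    for path in exclude_list["members"]:
        names |= groups.get(path, set())
    return names


def audit(inventory, groups, exclude_list) -> dict:
    """Return VMs that should be excluded but are not, and VMs excluded
    without needing to be (i.e. workloads that lost DFW enforcement)."""
    excluded = excluded_vm_names(exclude_list, groups)
    missing = sorted(
        vm.name for vm in inventory
        if requires_exclusion(vm) and vm.name not in excluded
    )
    unprotected = sorted(
        vm.name for vm in inventory
        if not requires_exclusion(vm) and vm.name in excluded
    )
    return {"missing": missing, "unprotected": unprotected}


if __name__ == "__main__":
    report = audit(INVENTORY, GROUPS, EXCLUDE_LIST)
    for vm_name in report["missing"]:
        print(f"NOT EXCLUDED (should be): {vm_name}")
    for vm_name in report["unprotected"]:
        print(f"EXCLUDED WITHOUT NEED (no DFW enforcement): {vm_name}")
```

With the constructed data, `vrouter-01` is a VNF that nobody added to an excluded group, and `web-03` is a plain web server that lost firewall coverage because someone edited the `ids-sensors` group. The second finding is the one to watch in practice: reviewing group edits for groups that sit on the exclusion list is as important as reviewing the list itself.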