You can exclude a set of virtual machines from NSX distributed firewall protection.

About this task

NSX Manager, NSX Controllers, and NSX Edge virtual machines are automatically excluded from NSX distributed firewall protection. In addition, VMware recommends that you place the following service virtual machines in the Exclusion List to allow traffic to flow freely.

  • vCenter Server. It can be moved into a cluster that is protected by Firewall, but it must already exist in the exclusion list to avoid connectivity issues.

  • Partner service virtual machines.

  • Virtual machines that require promiscuous mode. If these virtual machines are protected by NSX distributed firewall, their performance may be adversely affected.

  • The SQL server that your Windows-based vCenter uses.

  • vCenter Web server, if you are running it separately.

Procedure

  1. In the vSphere Web Client, click Networking & Security.
  2. In Networking & Security Inventory, click NSX Managers.
  3. In the Name column, click an NSX Manager.
  4. Click the Manage tab and then click the Exclusion List tab.
  5. Click the Add (add icon) icon.
  6. Type the name of the virtual machine that you want to exclude and click Add.

    For example:

  7. Click OK.

Results

If a virtual machine has multiple vNICs, all of them are excluded from protection. If you add vNICs to a virtual machine after it has been added to the Exclusion List, Firewall is automatically deployed on the newly added vNICs. In order to exclude these vNICs from firewall protection, you must remove the virtual machine from the Exclusion List and then add it back to the Exclusion List. An alternative workaround is to power cycle (power off and then power on) the virtual machine, but the first option is less disruptive.