Groups include different objects that are added both statically and dynamically, and can be used as the source and destination of a firewall rule.
Groups can be configured to contain a combination of virtual machines, IP sets, MAC sets, segment ports, segments, AD user groups, and other groups. Dynamic inclusion of groups can be based on tag, machine name, OS name, or computer name.
If Malicious IP Feed is enabled, a list of known malicious IPs is downloaded from the NTICS cloud service. You can create groups that include these downloaded IPs and configure firewall rules to block access to them. A Generic or IP Addresses Only group cannot be converted to an IP Addresses Only group with malicious IPs, or vice versa. However, a Generic group can be converted to an IP Addresses Only group without malicious IPs.
Groups can also be excluded from firewall rules; the exclusion list can contain a maximum of 100 groups. IP sets, MAC sets, and AD groups cannot be included as members in a group that is used in a firewall exclusion list. See Manage a Firewall Exclusion List for more information.
If you use Active Directory groups as the source, a single Active Directory group can be used. If both IP and Active Directory groups are needed at the source, create two separate firewall rules.
Groups consisting of only IP addresses, MAC addresses, or Active Directory groups cannot be used in the Applied to text box.
For Policy Groups containing IPs or MAC addresses, the NSGroup listing API will NOT display the 'members' attribute. This also applies to Groups containing a combination of static members. For example, if a Policy Group contains an IP and a DVPG, the NSGroup listing API will not display the members attribute.
For Policy Groups not containing IPs, MAC addresses, or Identity Groups, the members attribute will be displayed in the NSGroup response. However, new member types and criteria introduced in NSX (such as DVPort and DVPG) will not be included in the MP group definition. Users can view the definition in Policy.
Tags in NSX are case-sensitive, but a group that is based on tags is case-insensitive. For example, if the dynamic grouping membership criterion is VM Tag Equals 'quarantine', the group includes all VMs that carry either the tag 'quarantine' or the tag 'QUARANTINE'.
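The case-insensitive tag matching described above, as an added example that is not part of the NSX documentation or product code: a small model of dynamic group evaluation over a constructed inventory, plus a check that reports tags which differ only in case and therefore collapse into the same tag-based group. The VM inventory, the operator names EQUALS and CONTAINS, and the function names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass(frozen=True)
class VM:
    name: str
    tags: frozenset  # tags are stored case-sensitively, as NSX does

def tag_criterion_matches(vm: VM, operator: str, value: str) -> bool:
    """Model the documented behaviour: tag-based group membership ignores case.
    Operators modelled here (EQUALS, CONTAINS) are an assumption for illustration."""
    needle = value.casefold()
    folded = [t.casefold() for t in vm.tags]
    if operator == "EQUALS":
        return needle in folded
    if operator == "CONTAINS":
        return any(needle in t for t in folded)
    raise ValueError(f"unsupported operator: {operator}")

def evaluate_group(vms: List[VM], operator: str, value: str) -> List[str]:
    """Return the sorted names of VMs that fall into a 'VM Tag <operator> <value>' group."""
    return sorted(vm.name for vm in vms if tag_criterion_matches(vm, operator, value))

def case_colliding_tags(vms: List[VM]) -> Dict[str, Set[str]]:
    """Defender's check: tags that are distinct (case-sensitive) but fold to the same
    value, so a single tag-based group silently captures all of them."""
    seen: Dict[str, Set[str]] = {}
    for vm in vms:
        for t in vm.tags:
            seen.setdefault(t.casefold(), set()).add(t)
    return {k: v for k, v in seen.items() if len(v) > 1}

# Constructed sample inventory (not real NSX data).
INVENTORY = [
    VM("web-01", frozenset({"quarantine", "tier:web"})),
    VM("db-01", frozenset({"QUARANTINE"})),
    VM("app-01", frozenset({"Quarantine-pending"})),
    VM("mgmt-01", frozenset({"prod"})),
]

if __name__ == "__main__":
    print("VM Tag Equals 'quarantine'  ->", evaluate_group(INVENTORY, "EQUALS", "quarantine"))
    print("VM Tag Contains 'quarantine' ->", evaluate_group(INVENTORY, "CONTAINS", "quarantine"))
    print("tags differing only in case  ->", case_colliding_tags(INVENTORY))
```

Before applying a blocking rule to a tag-based group, run the collision check against your inventory so a tag such as 'QUARANTINE' added by another team is not unexpectedly swept into the same policy.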
If you are using NSX Cloud, see Group VMs using NSX and Public Cloud Tags for information on how to use public cloud tags to group your workload VMs in NSX Manager.