Firewall exclusion lists are made of groups that can be excluded from a firewall rule based on group membership.

NSX Manager supports system excluded groups, and user excluded groups:

  • System excluded groups are managed by the system, and are read-only for users. System excluded groups include Malware Prevention and Service Insertion SVMs together with NSX Managers and NSX Edge appliances that are deployed via a configured Compute Manager.
  • User excluded groups are managed by the user, and empty by default.

    Virtual machines such as load balancers, firewalls, virtual network functions (routing, switching, etc.), and any virtual machines that require promiscuous mode must be in a DFW Exclusion list. VMware does not support adding those virtual machines to DFW; they must be manually added to user excluded groups.

In an NSX Manager cluster, the first node must be manually added to the Distributed Firewall Exclude List.

User-defined groups can be excluded from firewall rules, and a maximum of 100 groups can be on the list. IP sets, MAC sets, and Active Directory groups cannot be included as members in a group that is used in a firewall exclusion list.

Exclude lists are supported on a Global Manager (GM) in NSX Federation. On a Local Manager (LM), there will be two exclude lists: one from the GM, and the LM's own exclude list. All members of both lists are excluded.

Antrea groups are not supported in a firewall exclusion list.

Procedure

  1. Navigate to Security > Distributed Firewall > Settings.
  2. To view the read-only exclusion list, select the System Excluded VMs tab.
  3. Select a specific local site NSX Manager to view. You can filter the system excluded VMs list by:
    • name
    • operating system
    • power state
    • source
    • tag
    • tag scope
  4. To view or edit the user excluded VMs, select the User Excluded Groups tab.
  5. To add a user-defined group to the firewall exclusion list, click Manage Exclusion List.

    Groups consisting of only IP addresses, MAC Addresses, or Active Directory groups cannot be used in exclusion lists.

  6. Locate or create the group that needs to be excluded, ensure that the corresponding check box is selected and click Save. Note that adding/editing/deleting a group does not change exclusion list membership.
    1. To create a group, click Add Group. See Add a Group.
    2. To edit a group, select the check box next to the group you want to edit, and then click the three-dot menu and select Edit.
    3. To delete a group, select the check box next to the group you want to delete, and then click the three-dot menu and select Delete.
    4. To display group details, click the sideways arrow.
  7. Click Save.
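The same constraints the procedure above relies on (the 100-group limit and the ban on IP set, MAC set and Active Directory group members) enforced in code before the list is changed, as an added example that is not part of the NSX documentation. It assumes the NSX Policy API exclude-list path and the expression resource_type names given in the comments, and applies the stricter wording from the introduction: such members may not appear in an excluded group at all.

```python
"""Plan and apply a DFW exclude-list change while enforcing the documented rules."""

# Assumption: NSX Policy API path for the DFW exclusion list (GET to read, PUT to replace).
EXCLUDE_LIST_URL = "/policy/api/v1/infra/settings/firewall/security/exclude-list"
MAX_EXCLUDED_GROUPS = 100  # limit stated in the documentation

# Assumption: Policy API resource_type names for IP set, MAC set and AD group members.
FORBIDDEN_MEMBER_TYPES = {"IPAddressExpression", "MACAddressExpression", "IdentityGroupExpression"}


def forbidden_member_types(group: dict) -> set:
    """Return the member expression types of `group` that the exclusion list rejects."""
    return {e.get("resource_type") for e in group.get("expression", [])} & FORBIDDEN_MEMBER_TYPES


def plan_exclusion_update(current_members: list, group: dict) -> list:
    """Return the new exclude-list membership with `group` added, or raise ValueError
    naming the documented rule that blocks the change."""
    path = group["path"]
    bad = forbidden_member_types(group)
    if bad:
        raise ValueError(f"{path}: members of type {sorted(bad)} cannot be excluded")
    if path in current_members:
        return list(current_members)  # already excluded: nothing to change
    if len(current_members) >= MAX_EXCLUDED_GROUPS:
        raise ValueError(f"exclude list already holds {MAX_EXCLUDED_GROUPS} groups")
    return list(current_members) + [path]


def apply_exclusion_update(session, base_url: str, group: dict) -> list:
    """Read the live list, plan the change, and PUT it back only if it changed.
    `session` is any object with requests-style get()/put(), e.g. a requests.Session
    carrying NSX credentials (assumed, not shown here)."""
    resp = session.get(base_url + EXCLUDE_LIST_URL)
    resp.raise_for_status()
    current = resp.json()
    new_members = plan_exclusion_update(current.get("members", []), group)
    if new_members != current.get("members", []):
        current["members"] = new_members
        session.put(base_url + EXCLUDE_LIST_URL, json=current).raise_for_status()
    return new_members


# Constructed sample groups (not real inventory): a tag-based VM group for load
# balancers, which is allowed, and an IP-set-only group, which is rejected.
LB_GROUP = {"path": "/infra/domains/default/groups/lb-appliances",
            "expression": [{"resource_type": "Condition", "member_type": "VirtualMachine",
                            "key": "Tag", "operator": "EQUALS", "value": "role|loadbalancer"}]}
IPSET_GROUP = {"path": "/infra/domains/default/groups/mgmt-ipset",
               "expression": [{"resource_type": "IPAddressExpression", "ip_addresses": ["10.0.0.5"]}]}
```

Calling `plan_exclusion_update([], LB_GROUP)` returns the one-entry list, while the IP-set-only group and a full 100-entry list each raise ValueError with the rule that blocked them.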