You can exclude a set of virtual machines from firewall protection. If a virtual machine has multiple vNICs, all of them are excluded from protection.

NSX Manager and service virtual machines are automatically excluded from firewall protection. In addition, you should exclude the vCenter Server and partner service virtual machines to allow traffic to flow freely.

Excluding virtual machines from firewall protection is useful when vCenter Server resides in the same cluster where the firewall is in use. After you enable this feature, no traffic from excluded virtual machines goes through the firewall.


vCenter Server can be moved to a cluster that is protected by the firewall, but it must already be in the exclusion list to avoid any connection issues.


1. Log in to the vSphere Web Client.
2. Click Networking & Security and then click Firewall.
3. Click NSX Managers.
4. In the Name column, click an NSX Manager.
5. Click the Manage tab and then click the Exclusion List tab.
6. Click the Add icon.
7. Type the name of the virtual machine you want to exclude and click Add.
8. Click OK.
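
Because excluded virtual machines send no traffic through the firewall, the list is worth reviewing after every change. The following is an added example, not VMware code: an offline check over a constructed inventory that flags management VMs still missing from the exclusion list, exclusions nobody approved, and every vNIC that an exclusion leaves unfiltered. All VM names, cluster names, port groups and the must_exclude flag are assumptions made for illustration.

```python
"""Audit a firewall exclusion list against a VM inventory (constructed data)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class VM:
    name: str
    cluster: str
    vnics: tuple                 # port group of each vNIC (hypothetical names)
    must_exclude: bool = False   # vCenter Server or partner service VM

def audit_exclusions(inventory, excluded, approved, protected_clusters):
    """Return (missing, unapproved, unknown, exposed).

    missing    - VMs that must be excluded, run in a firewall-protected
                 cluster, and are not on the exclusion list yet
    unapproved - excluded VMs that are not on the approved list
    unknown    - exclusion entries with no matching VM in the inventory
    exposed    - (vm, port group) pairs that bypass the firewall; excluding
                 a VM excludes all of its vNICs
    """
    by_name = {vm.name: vm for vm in inventory}
    known = set(by_name)
    excluded = set(excluded)
    missing = sorted(vm.name for vm in inventory
                     if vm.must_exclude and vm.cluster in protected_clusters
                     and vm.name not in excluded)
    unapproved = sorted(n for n in excluded & known if n not in approved)
    unknown = sorted(excluded - known)
    exposed = sorted((n, pg) for n in excluded & known for pg in by_name[n].vnics)
    return missing, unapproved, unknown, exposed

# Constructed sample data, not taken from a real environment.
INVENTORY = [
    VM("vcenter01", "mgmt-edge", ("pg-mgmt",), must_exclude=True),
    VM("partner-svm01", "compute-a", ("pg-mgmt", "pg-svc"), must_exclude=True),
    VM("web01", "compute-a", ("pg-web",)),
    VM("db01", "compute-a", ("pg-db", "pg-backup")),
]
EXCLUDED = ["vcenter01", "db01", "old-test-vm"]   # as read from the Exclusion List tab
APPROVED = {"vcenter01", "partner-svm01"}
PROTECTED = {"mgmt-edge", "compute-a"}

if __name__ == "__main__":
    missing, unapproved, unknown, exposed = audit_exclusions(
        INVENTORY, EXCLUDED, APPROVED, PROTECTED)
    print("Add before moving into a protected cluster:", missing)
    print("Excluded without approval:", unapproved)
    print("Entries with no matching VM:", unknown)
    for vm, pg in exposed:
        print(f"Unfiltered vNIC: {vm} on {pg}")
```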