Excluding Virtual Machines from DFW Protection
As explained in the introduction, the DFW feature is activated as soon as the host preparation is completed and all virtual machines that are part of the cluster are enforced by the DFW. This is also important when you are planning to change the any any allow default rule to any any deny, as this may inadvertently block access to the vCenter server.
In this recipe, we will learn how to exclude virtual machines from distributed firewall protection, so that no policy enforcement will be applied to any of the vNICs on those virtual machines.
Getting ready
Make sure you have Security Administrator or Enterprise Administrator access to NSX.
How to do it...
Follow these steps to exclude a VM from the DFW:
- From the vSphere web client, navigate to
Home
|Networking & Security
|Networking & Security Inventory
|NSX Managers
. - Select the NSX manager's IP address and in the center pane, choose theÂ
Manage
|Exclusion List
tab. Then click the plus sign...