• The NSX-T Distributed Firewall supports the use of excluding/negating source or destination objects in firewall rules.
• The NSX-T Gateway Firewall does not support the use of excluding/negating source or destination objects in firewall rules.
• If attempting to create firewall rules excluding/negating source or destination objects the below expected error is encountered:

Source or Destination exclusion is not supported when only identity policy group is used in Security Policy Rules