Groups with static IP's as members will not appear in Manager Exclusion List

Article ID: 371006


Products

VMware vDefend Firewall

Issue/Introduction

Groups created with static IP addresses as members do not appear as an option in the Manager Exclusion List. This holds even when the group mixes other membership criteria with the static IP addresses.

In Inventory > Groups > Add

We created 3 groups: 1 with only IP addresses, 1 with VM/VIF members, and 1 with both IP addresses and VM/VIF members.

Navigating to Security > Distributed Firewall > Settings > User Excluded Groups and clicking Manage Exclusion List:

Only the Test-Exclude-VM/Vif group is listed.

Going back to Inventory > Groups:

Remove the static IP addresses (circled in red in the screenshot) from the other 2 Test-Exclude groups (Test-Exclude-Static-IP and Test-Exclude-Both) and click Apply.

Navigating back to Security > Distributed Firewall > Settings > User Excluded Groups and clicking Manage Exclusion List:

All 3 groups are now visible in the Manager Exclusion List.

The group descriptions were left unchanged, so they still record which membership criteria kept each group out of the Manager Exclusion List.

Environment

NSX-T version 3.2.x and above

NSX-T version 4.x and above

Cause

This is a known DFW restriction: it prevents unallocated IP addresses, which may not match any slot2 DFW NIC interface, from being placed in the exclusion list.

(Example nic = nic-2121080-eth0-vmware-sfw.2)

Resolution

In the security group's membership (Inventory > Groups), remove the static IP addresses from the membership criteria and click refresh. The group will then be populated in the Manager Exclusion List options.
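To make this restriction checkable outside the UI, the following is an added Python example (not part of this article and not NSX code) that walks group definitions in the shape returned by the NSX Policy API (GET /policy/api/v1/infra/domains/default/groups), flags every group that carries an IPAddressExpression, and previews the expression list that remains once the static IP addresses are removed as the Resolution describes. The three groups, their descriptions, tags and IP addresses are constructed sample data that mirror the article's test groups; the function names are this example's own.

```python
"""Flag NSX Policy groups whose static IP members keep them out of the DFW
Manager Exclusion List, and preview the membership after those IPs are removed.

Added example; it assumes group JSON in the NSX Policy API shape
(expression entries with resource_type Condition, ConjunctionOperator,
IPAddressExpression, NestedExpression). All sample values are constructed.
"""
import json

# Constructed sample: the three test groups from the article, as the Policy
# API would return them under "results". Names, tags and IPs are made up.
SAMPLE_GROUPS_JSON = """
{
  "results": [
    {
      "display_name": "Test-Exclude-Static-IP",
      "description": "static IPs only",
      "expression": [
        {"resource_type": "IPAddressExpression",
         "ip_addresses": ["192.0.2.10", "192.0.2.11"]}
      ]
    },
    {
      "display_name": "Test-Exclude-VM/Vif",
      "description": "VM conditions only",
      "expression": [
        {"resource_type": "NestedExpression", "expressions": [
          {"resource_type": "Condition", "member_type": "VirtualMachine",
           "key": "Tag", "operator": "EQUALS", "value": "exclude-from-dfw"},
          {"resource_type": "ConjunctionOperator", "conjunction_operator": "AND"},
          {"resource_type": "Condition", "member_type": "VirtualMachine",
           "key": "Name", "operator": "STARTSWITH", "value": "mgmt-"}
        ]}
      ]
    },
    {
      "display_name": "Test-Exclude-Both",
      "description": "VM condition OR static IPs",
      "expression": [
        {"resource_type": "Condition", "member_type": "VirtualMachine",
         "key": "Name", "operator": "STARTSWITH", "value": "mgmt-"},
        {"resource_type": "ConjunctionOperator", "conjunction_operator": "OR"},
        {"resource_type": "IPAddressExpression", "ip_addresses": ["198.51.100.5"]}
      ]
    }
  ]
}
"""


def load_groups(groups_json):
    """Parse the API response and return the list of group objects."""
    return json.loads(groups_json)["results"]


def find_static_ips(expression):
    """Collect every IP address from IPAddressExpression entries, descending
    into NestedExpression blocks so nothing is missed."""
    ips = []
    for expr in expression:
        rtype = expr.get("resource_type")
        if rtype == "IPAddressExpression":
            ips.extend(expr.get("ip_addresses", []))
        elif rtype == "NestedExpression":
            ips.extend(find_static_ips(expr.get("expressions", [])))
    return ips


def strip_static_ips(expression):
    """Return a copy of the expression list without IPAddressExpression
    entries, dropping any conjunction left dangling by the removal. This is
    an offline preview of the Resolution step, not a change to NSX."""
    kept = []
    for expr in expression:
        rtype = expr.get("resource_type")
        if rtype == "IPAddressExpression":
            continue
        if rtype == "NestedExpression":
            inner = strip_static_ips(expr.get("expressions", []))
            if not inner:          # nested block held only IPs: drop it whole
                continue
            expr = dict(expr, expressions=inner)
        kept.append(expr)
    cleaned = []
    for expr in kept:              # no leading or doubled conjunctions
        if expr.get("resource_type") == "ConjunctionOperator" and (
            not cleaned or cleaned[-1].get("resource_type") == "ConjunctionOperator"
        ):
            continue
        cleaned.append(expr)
    if cleaned and cleaned[-1].get("resource_type") == "ConjunctionOperator":
        cleaned.pop()              # no trailing conjunction either
    return cleaned


def report(groups_json):
    """Map each group name to whether it can appear in the exclusion list
    and which static IPs block it."""
    out = {}
    for g in load_groups(groups_json):
        ips = find_static_ips(g.get("expression", []))
        out[g["display_name"]] = {"eligible": not ips, "static_ips": ips}
    return out


def report_after_fix(groups_json):
    """Same report, computed on the previewed post-Resolution membership."""
    fixed = [dict(g, expression=strip_static_ips(g.get("expression", [])))
             for g in load_groups(groups_json)]
    return report(json.dumps({"results": fixed}))


if __name__ == "__main__":
    for name, info in report(SAMPLE_GROUPS_JSON).items():
        print(f"{name}: eligible={info['eligible']} static_ips={info['static_ips']}")
```

Run against a saved copy of the groups response, the report lists exactly the groups that will be missing from Manage Exclusion List and the addresses responsible; `report_after_fix` shows that removing only the IPAddressExpression entries (and nothing else) is enough to make every group eligible, which matches the article's before/after screenshots.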