According to the VMware Deployment Guide, the initial VMware NSX Manager node (VM) is deployed using the Deploy OVF Template wizard in vCenter. Additional VMware NSX Managers are then deployed directly from the NSX Manager UI using the Install Appliance workflow. As a result, the first VMware NSX Manager VM is classified as a Regular VM, whereas the subsequent manager VMs are designated as System/MP VMs.
The issue has been identified in VMware NSX environments version 3.x and 4.x.
Ideally, all NSX Manager VMs should belong to the System VM default group and should not appear in user-defined groups. However, the initial manager VM, which is deployed as a Regular VM, does not fall under the System VM default group and can be added to user-defined groups. Additionally, this first manager VM is not listed in the 'System Excluded VMs' for Distributed Firewall (DFW) configuration. In practice this means DFW rules written against user-defined groups can match the first manager VM, while the other manager VMs are exempt.
Apply whichever one of the following workarounds suits the environment.
Workaround 1:
Procedure to Update the First NSX Manager VM Type to System
Browse to the first NSX Manager virtual machine in the vSphere Client: select the data center, folder, cluster, resource pool, or host that contains it, then click the VMs tab.
Power off the VM before setting advanced attributes. With the VM down, the remaining manager nodes keep the NSX Manager cluster running, but plan a maintenance window.
Right-click the first NSX Manager virtual machine and select Edit Settings.
Click VM Options.
Expand Advanced.
Under Configuration Parameters, click the Edit Configuration button.
In the dialog box that appears, click Add Row to enter a new parameter and its value:
Parameter Name: SystemVM
Value: MP
Click OK.
Power on the VM, then confirm that it is now listed under System Excluded VMs in the DFW settings.
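The same procedure driven from PowerCLI, so the attribute can be audited on every manager VM before and after the change. This is an added example, not VMware's own script or part of the KB; the vCenter hostname and the VM names nsx-mgr-01/02/03 are placeholders to be replaced with your own.

```powershell
# Added example (not from the VMware KB): audit and fix the SystemVM attribute
# on NSX Manager VMs with PowerCLI. Requires VMware.VimAutomation.Core.
# Assumptions: 'vcenter.example.com' and the VM names below are placeholders.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'vcenter.example.com' | Out-Null

# Placeholder names of the three NSX Manager VMs; adjust to your environment.
$managerVMs = @('nsx-mgr-01', 'nsx-mgr-02', 'nsx-mgr-03')

# Audit: show the SystemVM advanced setting on each manager VM.
# The OVF-deployed first node is expected to have no value (Regular VM).
foreach ($name in $managerVMs) {
    $vm = Get-VM -Name $name
    $setting = Get-AdvancedSetting -Entity $vm -Name 'SystemVM' -ErrorAction SilentlyContinue
    $value = if ($setting) { $setting.Value } else { '<not set: Regular VM>' }
    '{0}: SystemVM = {1}' -f $vm.Name, $value
}

# Fix: mark the first manager (deployed via OVF) as a System/MP VM.
# The KB sets the parameter with the VM powered off, so shut it down first.
$first = Get-VM -Name 'nsx-mgr-01'
if ($first.PowerState -eq 'PoweredOn') {
    Stop-VMGuest -VM $first -Confirm:$false | Out-Null   # graceful guest shutdown
    while ((Get-VM -Name $first.Name).PowerState -ne 'PoweredOff') {
        Start-Sleep -Seconds 10
    }
}

# Add the parameter, or correct it if a stale value is already present.
$existing = Get-AdvancedSetting -Entity $first -Name 'SystemVM' -ErrorAction SilentlyContinue
if ($existing) {
    Set-AdvancedSetting -AdvancedSetting $existing -Value 'MP' -Confirm:$false | Out-Null
} else {
    New-AdvancedSetting -Entity $first -Name 'SystemVM' -Value 'MP' -Confirm:$false | Out-Null
}

Start-VM -VM $first | Out-Null

# Verify the attribute is present after power-on; the value should read MP.
(Get-AdvancedSetting -Entity (Get-VM -Name 'nsx-mgr-01') -Name 'SystemVM').Value

Disconnect-VIServer -Server 'vcenter.example.com' -Confirm:$false
```

Run the audit loop on its own first: if all three managers already report `MP`, the fix section is not needed. After the VM is back up, the NSX UI check in the procedure above (the VM listed under System Excluded VMs) confirms that NSX has picked up the new classification.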
Workaround 2:
To exclude the first NSX Manager VM from DFW rules without changing its VM type, add the VM to the User Excluded Groups. Like the System Excluded VMs, a VM in the user exclusion list has no DFW rules applied to it.
In the VMware NSX Manager UI, follow the path: Security → Distributed Firewall → Settings tab → User Excluded Groups tab.
This issue is fixed in VCF 9.x.