When a user or a service attempts to modify the DFW, the following error is reported:
Error occurred: Invalid group with IPSET/MACAddress in Exclusionlist path=[/infra/domains/default/groups/XXXXXXX]
This issue can be observed when performing any of the following operations in NSX:
Log findings:
nsxapi.log shows the NSX management plane application context starting every 5 to 6 minutes:
2024-10-07T18:39:50.257Z INFO WrapperStartStopAppMain ApplicationContextManager 227639 - [nsx@6876 comp="nsx-manager" level="INFO" starting NSX management plane application context.
proton-tomcat-wrapper.log shows the JVM received a kill signal and is restarting:
STATUS | wrapper | 2024/10/07 18:39:51| JVM received a signal SIGKILL (9).
/var/log/proton/proton-tomcat-wrapper.log:
STATUS | wrapper | 2024/10/07 18:28:31 | Launching a JVM...
/var/log/proton/proton-tomcat-wrapper.log:
INFO | jvm 784 | 2024/10/07 18:33:30 | com.vmware.nsx.management.common.exceptions.InvalidArgumentException: Invalid group with IPSet/MACAddress in ExclusionList path=[/infra/domains/default/groups/<GroupID>]
Checking the DFW exclusion list in the UI, the unsupported group named in the error is not visible in the exclusion list.
The API call, however, does list the unsupported group(s) as members of the exclusion list: GET /policy/api/v1/infra/settings/firewall/security/exclude-list
NOTE: The preceding log excerpts are only examples. Date, time and environmental variables may vary depending on your environment.
VMware NSX-T Data Center 3.0.2 or later
VMware NSX 4.x
VMware vDefend Firewall
The NSX Manager is unable to edit the exclusion list because the exclusion list currently includes unsupported groups.
Groups with IP Sets, IP addresses or MAC addresses as members are not supported in the exclusion list, as documented on this page of the administration guide: https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-0/administration-guide/security/distributed-firewall/manage-a-firewall-exclusion-list.html
Before NSX 4.x, groups with unsupported objects (IP Sets, IP addresses, MAC addresses, etc.) could be added to the exclusion list. In NSX 4.2, a change was made to enforce validation of exclusion list members. The validation errors in the exclusion list must be rectified before any further changes can be made.
Compare the members of the exclusion list shown in the UI with the members returned by the GET API /policy/api/v1/infra/settings/firewall/security/exclude-list.
The additional members listed only in the API response are the groups with unsupported objects.
There are two options to resolve the above issue:
Option 1: Remove the unsupported group from the exclusion list.
Below is a sample of the request body:
{
  "members": [
    //Comma-separated list of valid group paths
  ]
}
See the example below: GET /policy/api/v1/infra/settings/firewall/security/exclude-list reports the members NSX_Group_A, NSX_Group_B, NSX_Group_C and NSX_Group_D.
{
  "members": [
    "/infra/domains/default/groups/NSX_Group_A",
    "/infra/domains/default/groups/NSX_Group_B",
    "/infra/domains/default/groups/NSX_Group_C",
    "/infra/domains/default/groups/NSX_Group_D"
  ]
}
To remove a group (here NSX_Group_C), omit it from the body sent to PATCH /policy/api/v1/infra/settings/firewall/security/exclude-list:
{
  "members": [
    "/infra/domains/default/groups/NSX_Group_A",
    "/infra/domains/default/groups/NSX_Group_B",
    "/infra/domains/default/groups/NSX_Group_D"
  ]
}
Option 2: Remove the unsupported configuration from the group that is used in the exclusion list.
This can be done via the UI or the API.
UI Method:
Note: You can also check "Show Deleted Entities" and click Remove All.
API Method:
Obtain the IP address expressions of the group using the API: GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}
Example: GET https://<nsx_manager_IP/FQDN>/policy/api/v1/infra/domains/default/groups/NSX_Group_E
{
  "expression": [
    {
      "ip_addresses": [
        "192.168.10.10"
      ],
      "resource_type": "IPAddressExpression",
      "id": "389#####-9##9-4##2-9##2-9####20####6",
      "path": "/infra/domains/default/groups/NSX_Group_E/ip-address-expressions/389#####-9##9-4##2-9##2-9####20####6",
      "relative_path": "389#####-9##9-4##2-9##2-9####20####6",
      "parent_path": "/infra/domains/default/groups/NSX_Group_E",
      "remote_path": "",
      "marked_for_delete": false,
      "overridden": false,
      "_protection": "NOT_PROTECTED"
    }
  ]
}
The "path" value of each expression entry in the response is the expression to delete.
Use the DELETE API to remove the expression(s), appending the expression "path" from the GET response to /policy/api/v1:
Example: DELETE https://<nsx_manager_IP/FQDN>/policy/api/v1/infra/domains/default/groups/NSX_Group_E/ip-address-expressions/389#####-9##9-4##2-9##2-9####20####6
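The comparison step and both resolution options above can be scripted so that the hidden, unsupported groups are found from the API rather than by eye. The following Python script is an added example and is not VMware/Broadcom code: it reads the exclusion list, fetches each member group, flags groups whose expressions are of type IPAddressExpression or MACAddressExpression, and then produces the Option 1 PATCH body (the exclusion list without those groups) and the Option 2 DELETE URLs (the offending expression paths). It runs offline against constructed sample responses; the `nsx_get` fetcher, the basic-auth assumption, and the mapping of "IP Sets" onto IPAddressExpression members are assumptions, not taken from the article.

```python
"""Audit the NSX DFW exclusion list for groups with IP/MAC address members
and build the remediation payloads for Option 1 and Option 2.

Added example, not VMware/Broadcom code. The sample responses below are
constructed; replace offline_fetch with a live fetcher to run it for real.
"""
import base64
import json
import urllib.request

EXCLUDE_LIST_PATH = "/policy/api/v1/infra/settings/firewall/security/exclude-list"

# Expression types the article says are not allowed in exclusion-list groups.
# Assumption: IP Sets appear in the Policy API as IPAddressExpression members.
UNSUPPORTED_EXPRESSION_TYPES = {"IPAddressExpression", "MACAddressExpression"}

# --- Constructed sample API responses (not captured from a real manager) ---
SAMPLE_EXCLUDE_LIST = {
    "members": [
        "/infra/domains/default/groups/NSX_Group_A",
        "/infra/domains/default/groups/NSX_Group_E",
    ]
}
SAMPLE_GROUPS = {
    # A tag-based group: valid in the exclusion list.
    "/infra/domains/default/groups/NSX_Group_A": {
        "expression": [
            {"resource_type": "Condition", "member_type": "VirtualMachine",
             "key": "Tag", "operator": "EQUALS", "value": "web"}
        ]
    },
    # A group with a literal IP member: this is what the UI hides.
    "/infra/domains/default/groups/NSX_Group_E": {
        "expression": [
            {"resource_type": "IPAddressExpression",
             "ip_addresses": ["192.168.10.10"],
             "path": "/infra/domains/default/groups/NSX_Group_E/"
                     "ip-address-expressions/EXPR-ID-PLACEHOLDER"}
        ]
    },
}


def offline_fetch(path):
    """Stand-in for nsx_get that answers from the constructed samples."""
    if path == EXCLUDE_LIST_PATH:
        return SAMPLE_EXCLUDE_LIST
    return SAMPLE_GROUPS[path]


def nsx_get(base_url, user, password, path):
    """Minimal live fetcher (assumed: NSX Manager reachable with basic auth
    over a trusted TLS certificate). Use functools.partial to bind it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + path,
                                 headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def unsupported_expressions(group):
    """Return the paths of the group's IP/MAC expressions (DELETE targets)."""
    return [e["path"] for e in group.get("expression", [])
            if e.get("resource_type") in UNSUPPORTED_EXPRESSION_TYPES]


def audit_exclude_list(fetch):
    """Map every exclusion-list member path to its unsupported expression
    paths. Members mapped to an empty list are fine; the rest are the
    groups the UI does not show but the API returns."""
    members = fetch(EXCLUDE_LIST_PATH)["members"]
    return {m: unsupported_expressions(fetch(m)) for m in members}


def option1_patch_body(audit):
    """Option 1: PATCH body that keeps only the groups without IP/MAC members."""
    return {"members": [m for m, bad in audit.items() if not bad]}


def option2_delete_paths(audit):
    """Option 2: API paths to DELETE so the groups become valid and stay listed."""
    return ["/policy/api/v1" + p for bad in audit.values() for p in bad]


if __name__ == "__main__":
    result = audit_exclude_list(offline_fetch)
    for path, bad in result.items():
        print(("UNSUPPORTED " if bad else "ok          ") + path)
    print("Option 1 PATCH body:", json.dumps(option1_patch_body(result), indent=2))
    print("Option 2 DELETE URLs:", *option2_delete_paths(result), sep="\n  ")
```

The script only inspects a group's direct expressions; a group nested via a PathExpression is reported as valid even if the nested group itself carries IP or MAC members, so check nested groups separately. Review the printed PATCH body before sending it: the PATCH replaces the whole "members" list, so any group accidentally dropped from the body is removed from the exclusion list.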