Proton restarts due to invalid group with Ipset/MACAddress in the DFW exclusion list
Article ID: 378422

Products

VMware vDefend Firewall VMware NSX

Issue/Introduction

Issue 1: Making configuration changes to the Exclusion List fails with the error message "Invalid group with Ipset/MACAddress in FW Exclusion List (Error code:514051)".

Issue 2: Where Groups containing IP Sets, IP Addresses or MAC addresses were added to the Exclusion List in a version prior to 3.0.2, and the environment is then upgraded to version 4.2.0.1 or above, the NSX Manager proton service may restart repeatedly. This leaves the NSX Manager cluster in the DEGRADED state.

In the NSX Manager's /var/log/proton/proton-tomcat-wrapper.log:

  1. The following exception is seen repeatedly:
    proton-tomcat-wrapper.log
    INFO   | jvm 784  | 2024/10/07 18:33:30 | com.vmware.nsx.management.common.exceptions.InvalidArgumentException: Invalid group with IPSet/MACAddress in ExclusionList path=[/infra/domains/default/groups/<GroupID>]
    INFO   | jvm 785  | 2024/10/07 18:39:51 | com.vmware.nsx.management.common.exceptions.InvalidArgumentException: Invalid group with IPSet/MACAddress in ExclusionList path=[/infra/domains/default/groups/<GroupID>]
    INFO   | jvm 786  | 2024/10/07 18:45:44 | com.vmware.nsx.management.common.exceptions.InvalidArgumentException: Invalid group with IPSet/MACAddress in ExclusionList path=[/infra/domains/default/groups/<GroupID>]
    INFO   | jvm 787  | 2024/10/07 18:52:45 | com.vmware.nsx.management.common.exceptions.InvalidArgumentException: Invalid group with IPSet/MACAddress in ExclusionList path=[/infra/domains/default/groups/<GroupID>]
    INFO   | jvm 788  | 2024/10/07 18:59:21 | com.vmware.nsx.management.common.exceptions.InvalidArgumentException: Invalid group with IPSet/MACAddress in ExclusionList path=[/infra/domains/default/groups/<GroupID>]
  2. Proton service is repeatedly restarted due to the above exception:
    proton-tomcat-wrapper.log
    STATUS | wrapper  | 2024/10/07 18:28:31 | Launching a JVM...
    STATUS | wrapper  | 2024/10/07 18:34:16 | Launching a JVM...
    STATUS | wrapper  | 2024/10/07 18:40:39 | Launching a JVM...
    STATUS | wrapper  | 2024/10/07 18:46:31 | Launching a JVM...
    STATUS | wrapper  | 2024/10/07 18:53:32 | Launching a JVM...
Environment

VMware NSX-T Data Center 3.0.2 or later
VMware NSX 4.x

Cause

  1. Groups with IP Sets, IP Addresses or MAC addresses as members are not supported in the Exclusion List. Before NSX 3.0.2, groups containing unsupported objects (e.g. IP Sets, IP addresses, MAC addresses) could still be added to the Exclusion List. Starting with version 3.0.2, a check for unsupported objects is performed whenever the Exclusion List configuration is changed. If existing groups in the Exclusion List contain unsupported objects, no changes to the Exclusion List are allowed.
  2. In 4.2.0, a change was made to force validation of Exclusion List members in the NSX Manager initialization task. As a result, the Manager process restarts continuously when unsupported objects (e.g. IP Sets, IP addresses, MAC addresses) are present in the Exclusion List.

Resolution

The workaround is the same for both issues.

  1. Compare the members of the Exclusion List shown in the UI with the output of GET /policy/api/v1/infra/settings/firewall/security/exclude-list. Members that appear in the API output but not in the UI are the groups with unsupported objects.
    Then do either step 2 or step 3:
  2. Update the groups identified in step 1 and remove the unsupported objects through the UI:
    1. Navigate to Inventory > Group > Edit > Members.
    2. Remove the unsupported configuration, such as IP addresses and MAC addresses.
    3. Save the configuration.
      Note: You can also check "Show Deleted Entities" and click Remove All.
  3. Remove the groups identified in step 1 from the Exclusion List through the REST API PATCH /policy/api/v1/infra/settings/firewall/security/exclude-list. Below is a sample body:
    {
        "members": [
         //Comma-separated list of valid group paths
        ]
    }
    Alternatively, use the DELETE API to delete the IPAddressExpression objects from the group:
    /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/ip-address-expressions/{expression-id}
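    The comparison in step 1 and the PATCH body in step 3 can be scripted against the JSON returned by the Policy API. The following is an added example (not code from this article or from NSX): it assumes the exclude-list GET returns {"members": [group paths]} and that each group's GET body carries an "expression" list whose entries have a "resource_type" (with IPAddressExpression / MACAddressExpression marking the unsupported objects, possibly nested inside a NestedExpression). The API responses below are constructed sample data with placeholder group IDs.

```python
import json

# Added example (not from the KB article or NSX). Assumes the Policy API JSON shapes:
# exclude-list -> {"members": [group paths]}, group -> {"expression": [{"resource_type": ...}]}.
UNSUPPORTED = {"IPAddressExpression", "MACAddressExpression"}

def has_unsupported_expression(expressions):
    """True if any expression, including NestedExpression children, is IP/MAC based."""
    for expr in expressions or []:
        rtype = expr.get("resource_type")
        if rtype in UNSUPPORTED:
            return True
        if rtype == "NestedExpression" and has_unsupported_expression(expr.get("expressions")):
            return True
    return False

def split_exclude_list(exclude_list, groups_by_path):
    """Split exclude-list members into (valid_paths, unsupported_paths).
    groups_by_path maps each group path to its GET /policy/api/v1<path> body."""
    valid, unsupported = [], []
    for path in exclude_list.get("members", []):
        group = groups_by_path.get(path, {})
        (unsupported if has_unsupported_expression(group.get("expression")) else valid).append(path)
    return valid, unsupported

def build_patch_body(valid_paths):
    """Body for PATCH /policy/api/v1/infra/settings/firewall/security/exclude-list."""
    return {"members": list(valid_paths)}

# Constructed sample data; group IDs and addresses are placeholders, not real objects.
SAMPLE_EXCLUDE_LIST = {"members": [
    "/infra/domains/default/groups/vm-tag-group",
    "/infra/domains/default/groups/legacy-ipset-group",
    "/infra/domains/default/groups/mac-group"]}
SAMPLE_GROUPS = {
    "/infra/domains/default/groups/vm-tag-group": {"expression": [
        {"resource_type": "Condition", "member_type": "VirtualMachine",
         "key": "Tag", "operator": "EQUALS", "value": "dfw-excluded"}]},
    "/infra/domains/default/groups/legacy-ipset-group": {"expression": [
        {"resource_type": "IPAddressExpression", "ip_addresses": ["10.0.0.0/24"]}]},
    "/infra/domains/default/groups/mac-group": {"expression": [
        {"resource_type": "NestedExpression", "expressions": [
            {"resource_type": "MACAddressExpression", "mac_addresses": ["00:50:56:00:00:01"]}]}]}}

if __name__ == "__main__":
    valid, bad = split_exclude_list(SAMPLE_EXCLUDE_LIST, SAMPLE_GROUPS)
    print("groups to remove from the Exclusion List:", bad)
    print(json.dumps(build_patch_body(valid), indent=2))
```

Against a live manager, replace the sample dictionaries with the GET responses and send the printed body in the PATCH request; review the "groups to remove" list before applying it.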

For more information, refer to the NSX Data Center API documentation: https://developer.broadcom.com/xapis/nsx-t-data-center-rest-api/latest/