This article addresses information on the Manager/Edge Nodes exclusion issues in NSX security-only clusters. It provides guidance for ensuring appropriate VM exclusions, especially when deploying NSX components by OVA and avoiding unintended impacts on systems, such as Nutanix.

VMware vDefend Firewall 

When deploying the first NSX Manager node or any NSX Edge by OVA, the deployed VM does not automatically appear in the exclusion list. This behavior is expected since NSX Manager cannot identify the VM as an NSX object when deployed outside the NSX Manager UI.

For deployments initiated through the UI, both Managers and Edges are automatically excluded from security policies. This difference is critical in security-only clusters (v4.1.x and below), where existing portgroups are converted to include DFW policies. For networking and security clusters (v4.2.0 and above), DFW policies do not affect Distributed Virtual Port Groups (DVPGs) unless the "NSX on DVPGs" option is selected.

This behavior can lead to unintended DFW rule applications on the Control Appliance’s vNIC, which, in turn, may cause storage related issues on Nutanix hosts.

• Ensure Exclusion of NSX Manager, Edge, and Nutanix VMs:

  • For OVA deployments, manually add the Manager and Edge VMs to the exclusion list to avoid security policy conflicts.
  • To prevent any interference with the Control Applieance's vNIC, ensure that Nutanix control VMs are also added to the NSX exclusion list. This step helps prevent NSX DFW policies from affecting storage operations.

• Avoid DFW Impacts on Nutanix Storage:

  • When configuring security-only clusters, be mindful of the DFW policies that are automatically applied to port groups. Excluding Nutanix VMs is essential to avoid potential disruptions to storage functionality.