A virtual machine (VM) is excluded from Distributed Firewall (DFW) using the NSX UI.
However, the change is not reflected on the ESXi host where the VM resides.
The slot-2 DFW filter still appears for the VM NICs, and firewall rules may still appear to be applied.
VMware NSX (formerly NSX-T)
VMs connected to:
NSX-backed segments (Overlay or VLAN segments)
OR vCenter-only segments (DVPGs or Standard Portgroups)
NSX enforces DFW rules, and therefore the exclusion list, only on NSX-backed segments. When a VM is connected to a vCenter-only segment (for example, a DVPG):
The DFW slot-2 filter (used by vDefend) remains attached to the VM's NIC.
However, no DFW rules are programmed into that filter.
The lingering filter creates the impression that the exclusion has not taken effect when, in reality, NSX never enforces rules on non-NSX segments, so there is nothing for the exclusion to remove.
To confirm whether a VM has been properly excluded from DFW:
Log in to the ESXi host where the target VM is running.
Run the following command to list dvfilter slots:
For VMs with multiple NICs, use:
Look for slot-2 filters (named like nic-<ID>-ethX-vmware-sfw.2).
If the filter is missing, the VM is successfully excluded on an NSX-backed segment.
If the filter is present, note the filter name for the next step.
Use the vsipioctl command to check for any firewall rules applied:
If the command returns no rules, the VM is excluded correctly, even if the slot-2 filter is still attached (common for VMs on DVPGs).
If the command returns any rules, the exclusion is not fully effective on that host (for example, the exclusion has not yet been realized on the host, or it was applied to a different object than the VM being checked).
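The following script is an added example, not part of the KB article, that automates the decision logic of the procedure above. The real host-side commands are `summarize-dvfilter` (lists the dvfilter slots per vNIC) and `vsipioctl getrules -f <filter-name>` (dumps the rules bound to one filter); the script does not execute them, because the output samples embedded here are constructed so that it runs offline. The world IDs, filter names, ruleset name and rule IDs in the samples are made up, and the `report_vm` function that loops over the filters is this example's own approach, not a VMware-supplied tool.

```shell
#!/bin/sh
# Added example (not from the KB article): classify a VM's DFW exclusion state
# from the two host-side checks in the procedure. On a real ESXi host the data
# would come from "summarize-dvfilter" and "vsipioctl getrules -f <filter>";
# here both outputs are CONSTRUCTED samples with made-up IDs and names.

# Constructed summarize-dvfilter excerpt for a VM "web01" with two vNICs.
SAMPLE_DVFILTER='world 2103263 vmm0:web01
 port 50331656 web01.eth0
  vNic slot 2
   name: nic-2103263-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Attached
   failurePolicy: failClosed
   serviceVMID: none
   filter source: Dynamic Filter Creation
 port 50331657 web01.eth1
  vNic slot 2
   name: nic-2103263-eth1-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Attached
   failurePolicy: failClosed
   serviceVMID: none
   filter source: Dynamic Filter Creation
'

# Constructed "vsipioctl getrules -f <filter>" outputs: eth0 is on a DVPG and
# carries an empty ruleset; eth1 is on an NSX segment and still has rules.
SAMPLE_RULES_EMPTY='ruleset domain-c8 {
  # Filter rules
}
'
SAMPLE_RULES_ACTIVE='ruleset domain-c8 {
  # Filter rules
  rule 1031 at 1 inout protocol tcp from any to any port 22 drop;
  rule 2 at 2 inout protocol any from any to any accept;
}
'

# Print the slot-2 DFW filter names (nic-<world>-ethX-vmware-sfw.2) found in a
# summarize-dvfilter excerpt, one per line. Empty output = no slot-2 filter.
slot2_filters() {
  printf '%s\n' "$1" | awk '/^[[:space:]]*name: .*-vmware-sfw\.2[[:space:]]*$/ { print $2 }'
}

# Count "rule <id> at <pos> ..." lines in vsipioctl getrules output (0 = no rules).
count_rules() {
  printf '%s\n' "$1" | awk '/^[[:space:]]*rule [0-9]+ at [0-9]+ / { n++ } END { print n + 0 }'
}

# Classify one vNIC. Arguments: slot-2 filter name ("" if absent) and the
# getrules output for that filter. Prints a single token:
#   excluded_nsx_segment  no slot-2 filter: exclusion applied on an NSX segment
#   excluded_no_rules     filter attached but empty: typical for DVPG/standard PG
#   not_excluded          rules are still bound to the filter
classify_nic() {
  filter=$1
  rules=$2
  if [ -z "$filter" ]; then
    echo excluded_nsx_segment
  elif [ "$(count_rules "$rules")" -eq 0 ]; then
    echo excluded_no_rules
  else
    echo not_excluded
  fi
}

# Walk every slot-2 filter in the excerpt and classify it. On a real host the
# rules lookup for each filter would be: vsipioctl getrules -f "$f"
report_vm() {
  filters=$(slot2_filters "$SAMPLE_DVFILTER")
  if [ -z "$filters" ]; then
    echo "no slot-2 filter: $(classify_nic '' '')"
    return
  fi
  for f in $filters; do
    case "$f" in
      *-eth0-*) rules=$SAMPLE_RULES_EMPTY ;;   # constructed: DVPG-attached vNIC
      *)        rules=$SAMPLE_RULES_ACTIVE ;;  # constructed: NSX segment vNIC
    esac
    echo "$f: $(classify_nic "$f" "$rules")"
  done
}

report_vm
```

For the constructed samples the script reports `excluded_no_rules` for eth0 and `not_excluded` for eth1, which is exactly the case the article warns about: a present slot-2 filter is not by itself evidence of enforcement, but a filter that still returns rules is.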
Exclusion is meaningful only on NSX-managed segments. VMs on DVPGs or Standard Portgroups are never enforced by NSX, yet the slot-2 filter may still be attached to their NICs.
The presence of a slot-2 filter therefore does not imply rule enforcement; the absence of rules must be confirmed explicitly with vsipioctl.