Unable to delete the User Excluded Groups in Distributed Firewall


Article ID: 430841


Updated On:

Products

VMware NSX

Issue/Introduction

  • When attempting to delete a User Excluded Group from the Distributed Firewall (DFW) exclusion list, the operation fails with the error message below (the text after "referenced by other objects" names whichever dependency blocked the delete):

The object Group "<Group_Name>" cannot be deleted as either it has children or it is being referenced by other objects: Default: Exclusion List OR DfwFirewallConfiguration

Environment

VMware NSX

Cause

NSX enforces referential integrity on policy objects: a group cannot be deleted while any other object still depends on it. The error message names the two dependencies that can block the delete:

  • Active membership: the group still has members (virtual machines, IP addresses or other entries) nested within it, so it "has children".

  • System reference: the group is still listed in the DFW Exclusion List, which is the "Default: Exclusion List" or "DfwFirewallConfiguration" reference in the message.

Both conditions must be cleared before the group object itself can be deleted.

Resolution

To remove a User Excluded Group, first empty it and take it off the exclusion list, then delete the group object from the inventory.

  • Log in to the NSX UI as admin and go to Security -> Policy Management -> Distributed Firewall.
    • Click Manage Exclusion List, select the specific group and click View Members.

    • Click Edit.

    • Remove every member of the group by un-checking each entry under its category (virtual machines, IP addresses and so on).
    • Once the group has no members left, un-check the group itself and click Save.
    • The group is now removed from the Manage Exclusion List. The group object still exists in the inventory at this point.

    • To delete the group object as well, go to Inventory -> Groups, click the three vertical dots next to the group and choose Delete. If this step still returns the error above, the group either still has members or is still referenced by the exclusion list; repeat the steps above before retrying.
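The same cleanup driven through the NSX Policy API instead of the UI, as an added example that is not part of this article. The endpoint paths and the payload shapes are taken from the NSX Policy API as the author of this example understands them and should be checked against the API reference for your NSX version before use; the group and exclusion-list documents below are constructed samples, and the helper returns the ordered requests to issue rather than sending them, so it runs offline.

```python
"""Plan the API calls needed to delete a User Excluded Group.

Mirrors the UI procedure: empty the group, remove it from the DFW
exclusion list, then delete the group object. Endpoints and payload
shapes are assumed from the NSX Policy API reference (verify for your
version); sample documents are constructed for this example.
"""
import copy
import json

# Assumed Policy API endpoints (check against the NSX API reference).
EXCLUDE_LIST_URL = "/policy/api/v1/infra/settings/firewall/security/exclude-list"
GROUP_URL = "/policy/api/v1/infra/domains/{domain}/groups/{group_id}"

# Expression types that carry static members, and the field holding them.
MEMBER_FIELDS = {
    "PathExpression": "paths",
    "IPAddressExpression": "ip_addresses",
    "MACAddressExpression": "mac_addresses",
    "ExternalIDExpression": "external_ids",
}

# Constructed sample: a group that still has one VM member.
SAMPLE_GROUP = {
    "resource_type": "Group",
    "id": "legacy-excluded-vms",
    "display_name": "legacy-excluded-vms",
    "path": "/infra/domains/default/groups/legacy-excluded-vms",
    "expression": [
        {"resource_type": "ExternalIDExpression",
         "member_type": "VirtualMachine",
         "external_ids": ["50220000-0000-0000-0000-000000000001"]},
    ],
    "_revision": 3,
}

# Constructed sample: the exclusion list still references that group.
SAMPLE_EXCLUDE_LIST = {
    "resource_type": "PolicyExcludeList",
    "id": "exclude-list",
    "members": [
        "/infra/domains/default/groups/legacy-excluded-vms",
        "/infra/domains/default/groups/other-excluded-group",
    ],
    "_revision": 7,
}


def group_path(group_id, domain="default"):
    """Policy path of a group, the form used in ExcludeList.members."""
    return f"/infra/domains/{domain}/groups/{group_id}"


def has_members(group):
    """True if the group still has static members or a dynamic criterion:
    the 'it has children' half of the error message."""
    for expr in group.get("expression", []):
        rtype = expr.get("resource_type")
        if rtype in ("Condition", "NestedExpression"):
            return True  # dynamic membership still resolves members
        field = MEMBER_FIELDS.get(rtype)
        if field and expr.get(field):
            return True
    return False


def exclude_list_references(exclude_list, group_id, domain="default"):
    """True if the DFW exclusion list still lists the group: the
    'Default: Exclusion List OR DfwFirewallConfiguration' reference."""
    return group_path(group_id, domain) in exclude_list.get("members", [])


def plan_deletion(group, exclude_list, domain="default"):
    """Return the ordered (method, url, body) calls for a clean delete.

    Each PUT carries the document's own _revision so NSX's optimistic
    locking rejects the update if someone changed the object meanwhile.
    """
    gid = group["id"]
    url = GROUP_URL.format(domain=domain, group_id=gid)
    plan = []
    if has_members(group):
        emptied = copy.deepcopy(group)
        emptied["expression"] = []
        plan.append(("PUT", url, emptied))
    if exclude_list_references(exclude_list, gid, domain):
        updated = copy.deepcopy(exclude_list)
        updated["members"] = [m for m in updated["members"]
                              if m != group_path(gid, domain)]
        plan.append(("PUT", EXCLUDE_LIST_URL, updated))
    plan.append(("DELETE", url, None))  # only valid once nothing references it
    return plan


if __name__ == "__main__":
    for method, url, body in plan_deletion(SAMPLE_GROUP, SAMPLE_EXCLUDE_LIST):
        print(method, url)
        if body is not None:
            print(json.dumps(body, indent=2))
```

Issuing the DELETE first is exactly what reproduces the error in this article; the planner always orders the two PUTs ahead of it, and for a group that is already empty and unreferenced it emits the DELETE alone.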