Cannot collect Edge cluster IPFIX data due to default NSX Distributed Firewall (DFW) exclusion list configuration in VCF Operations for Networks
search cancel

Cannot collect Edge cluster IPFIX data due to default NSX Distributed Firewall (DFW) exclusion list configuration in VCF Operations for Networks

book

Article ID: 441627

calendar_today

Updated On:

Products

VCF Operations for Networks

Issue/Introduction

  • IPFix for my NSX edge that are in Firewall Excluded list
  • When analyzing the path between two Virtual Machines (VMs) in VCF Operations for Networks, the traffic path may be displayed as Unknown Path when the flow traverses an NSX Edge cluster.
  • Upon reviewing the data sources, you will observe that the NSX Edge cluster Virtual Machines are automatically placed into the NSX Distributed Firewall (DFW) exclusion list.
  • The user interface does not provide an option to modify or remove these system-managed Edge appliances from the exclusion list, which prevents IPFIX data collection for these Edges and results in the incomplete path visibility.

Environment

VCF Operations for Networks  9.0.x

Cause

This behavior occurs due to two architectural and product limitations:

  1. System-Managed Exclusion: NSX automatically places system-deployed components—including NSX Managers, Malware Prevention VMs, Service Insertion SVMs, and NSX Edge appliances deployed via an active Compute Manager—into a read-only, system-excluded DFW group. Broadcom mandates this exclusion to prevent critical performance degradation and security loop risks.

  2. Feature Support Limitation: Edge IPFIX capability is not supported in the current architecture of VCF Operations for Networks 9.0.x.

Resolution

 

  1. For the DFW Exclusion List Requirement: Do not attempt to bypass or force-remove system virtual machines from the exclusion list, as filtering their traffic through DFW policies is unsupported. For any additional custom or unsupported virtual machines that require exclusion to maintain performance and safety baselines, manually add them to user-excluded groups within the DFW configurations. For detailed guidance on management workflows, review the official documentation: Manage a Firewall Exclusion List.

  2. For the Edge IPFIX Functionality Requirement: Edge IPFIX is an unsupported feature in VCF Operations for Networks 9.0.x. This capability requires a product enhancement. Status tracking and requirements management for this roadmap item are managed within the internal engineering tracking systems.

    Subscribe to this knowledge article to get updates on this issue.

Powered by Wolken Software