How it works...

The DFW exclusion list lets you exclude virtual machines from DFW enforcement. NSX components such as NSX Manager, NSX Controller nodes, NSX DLR control VMs, and NSX Edge VMs are automatically excluded from the DFW. If the management cluster is prepared for NSX, as in shared management/edge clusters, it is recommended to exclude the following virtual machines from the DFW:

  • vCenter Server.
  • Platform Services Controller.
  • The vCenter Server's database server (if available).
  • Virtual machines in promiscuous mode. The performance of virtual machines that require promiscuous mode may be adversely affected behind the NSX DFW.
  • An NSX partner service virtual machine (SVM), such as a third-party layer 7 firewall or agentless anti-virus/malware virtual machine.
  • A hyper-converged service virtual machine (SVM) such as Nutanix Controller VM (CVM).

If a rule misconfiguration causes the DFW to block the vCenter Server, the workaround is to restore the DFW rules to the default policy, which sets the default rule to allow and restores access to the vCenter Server. The procedure to restore the DFW rules from the REST API is covered in VMware KB 2079620: vCenter server access is blocked after creating a deny all rule in DFW (https://kb.vmware.com/kb/2079620).
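The following added example (not from the book or from VMware) audits an exclusion list against the recommended roles listed above: it reports recommended VMs that are still subject to the DFW and excluded VMs that have no recommended role and therefore bypass the DFW. The XML element names, VM IDs, VM names, and role labels are assumptions constructed for illustration; adapt the parser to what your NSX Manager actually returns.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an exclusion list export.
# Element names are an assumption, not taken from the book.
SAMPLE_EXCLUDE_LIST = """
<VshieldAppConfiguration>
  <excludeListConfiguration>
    <excludeMember><member><objectId>vm-101</objectId><name>vcsa01</name></member></excludeMember>
    <excludeMember><member><objectId>vm-102</objectId><name>psc01</name></member></excludeMember>
    <excludeMember><member><objectId>vm-250</objectId><name>web-prod-07</name></member></excludeMember>
  </excludeListConfiguration>
</VshieldAppConfiguration>
"""

# Constructed inventory: VM id -> (name, role). Role labels are hypothetical
# tags that mirror the recommended exclusion categories.
INVENTORY = {
    "vm-101": ("vcsa01", "vcenter"),
    "vm-102": ("psc01", "psc"),
    "vm-103": ("vcdb01", "vcenter-db"),
    "vm-140": ("ntnx-cvm-a", "hci-svm"),
    "vm-250": ("web-prod-07", "workload"),
}
RECOMMENDED_ROLES = {"vcenter", "psc", "vcenter-db", "promiscuous",
                     "partner-svm", "hci-svm"}


def parse_excluded(xml_text):
    """Return {objectId: name} for every member of the exclusion list."""
    root = ET.fromstring(xml_text)
    return {m.findtext("objectId"): m.findtext("name") for m in root.iter("member")}


def audit(xml_text, inventory):
    """Return (missing, unexpected) VM ids.

    missing: recommended VMs still subject to the DFW (lock-out risk).
    unexpected: excluded VMs with no recommended role, or absent from the
    inventory; these bypass DFW enforcement and deserve a review.
    """
    excluded = parse_excluded(xml_text)
    missing = sorted(vm for vm, (_, role) in inventory.items()
                     if role in RECOMMENDED_ROLES and vm not in excluded)
    unexpected = sorted(vm for vm in excluded
                        if inventory.get(vm, (None, None))[1] not in RECOMMENDED_ROLES)
    return missing, unexpected


if __name__ == "__main__":
    missing, unexpected = audit(SAMPLE_EXCLUDE_LIST, INVENTORY)
    print("Recommended but not excluded:", missing)
    print("Excluded without a recommended role:", unexpected)
```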
