Is there a way to create a group object with an excluded list of IP addresses? It seems like a pretty easy request, but I do not see an option to do that in my NSX-T env. I am running 3.1.1.
I want to create a group like the below:
All subnets included, but subnets 4, 5 and 6 should be in the exclude list in that group.
Is this possible? It is very easily possible in all the other FWs that I have worked with before.
Would appreciate if someone can share how to do this in DFW on NSX-T 3.1.1.
There is currently no exclude list, only the list of core VMs that bypass the firewall.
The option you have is the negate feature, if that will work for you.
Thanks Shashank. By negate feature, you mean the negate feature that is under the policy section where you apply rules? You can negate based on source or destination. Is that what you mean?
The negate function and a potential way to use it can be found here: https://arabitnetwork.com/2019/02/15/nsx-how-to-prohibit-intra-traffic-for-tiered-app-vms/