ravik3677
Contributor
NSX Policy group object

Hi All

Is there a way to create a group object with an excluded list of IP addresses? It seems a pretty easy request, but I do not see an option to do that in my NSX-T env. I am running 3.1.1.

I want to create a group like the below

All subnets included, but subnets 4, 5 and 6 should be in the exclude list in that group.

Is this possible? It is very easily possible in all the other FWs that I have worked with before.

I would appreciate it if someone could share how to do this in the DFW on NSX-T 3.1.1.

Thanks

3 Replies
shank89
Expert

There is currently no exclude list, only the list of core VMs that bypass the firewall.

The option you have is the negate feature, if that will work for you.

Shashank Mohan

VCAP-NV 2020 | VCP-DCV2019 | CCNP Specialist

https://lab2prod.com.au
ravik3677
Contributor

Thanks Shashank. By negate feature, you mean the negate feature that is under the policy section where you apply rules? You can negate based on source or destination. Is that what you mean?

Thanks

shank89
Expert

The negate function and a potential way to use it can be found here: https://arabitnetwork.com/2019/02/15/nsx-how-to-prohibit-intra-traffic-for-tiered-app-vms/

Shashank Mohan

VCAP-NV 2020 | VCP-DCV2019 | CCNP Specialist

https://lab2prod.com.au
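Added example, not from the thread or from VMware: the two-group pattern the replies point to, modelled offline so the difference between "negate" and the exclude list the poster asked for is visible. Negate on a DFW source or destination means "NOT in this group", so a rule with a negated source also fires for sources outside all six subnets (here 192.0.2.9), not just for subnets 1-3. Assumptions: the subnets 10.1.0.0/24 to 10.6.0.0/24 stand in for the poster's subnets 1-6; the Group/IPAddressExpression and Rule/sources_excluded payload shapes follow the NSX-T Policy API as this editor understands it and are not taken from the thread; the group and rule ids are made up.

```python
"""Model NSX-T DFW "negate" semantics for an excluded-subnet use case.

Added example for the thread above; not code from the thread or from VMware.
Payload shapes are the editor's reading of the NSX-T Policy API (assumed).
"""
import ipaddress
import json

# Constructed sample data: the poster's six subnets, three of them excluded.
ALL_SUBNETS = [f"10.{i}.0.0/24" for i in range(1, 7)]
EXCLUDED = ["10.4.0.0/24", "10.5.0.0/24", "10.6.0.0/24"]
INCLUDED = [s for s in ALL_SUBNETS if s not in EXCLUDED]


def ip_group(group_id, cidrs):
    """Policy API Group body with one IPAddressExpression (assumed shape)."""
    return {
        "id": group_id,
        "resource_type": "Group",
        "display_name": group_id,
        "expression": [
            {"resource_type": "IPAddressExpression", "ip_addresses": list(cidrs)}
        ],
    }


def negated_rule(rule_id, excluded_group_id, scope_group_id):
    """DFW rule whose source is the excluded group with Negate ticked.

    sources_excluded=True is the API form of the UI Negate checkbox (assumed).
    scope (Applied To) pins enforcement to vNICs in the included group, which
    is the practical way to keep a negated source from matching the world.
    """
    return {
        "id": rule_id,
        "resource_type": "Rule",
        "source_groups": [f"/infra/domains/default/groups/{excluded_group_id}"],
        "sources_excluded": True,
        "destination_groups": ["ANY"],
        "services": ["ANY"],
        "scope": [f"/infra/domains/default/groups/{scope_group_id}"],
        "action": "ALLOW",
    }


def in_group(ip, group):
    """True if ip falls in any CIDR of the group's IPAddressExpressions."""
    addr = ipaddress.ip_address(ip)
    for expr in group["expression"]:
        for cidr in expr["ip_addresses"]:
            if addr in ipaddress.ip_network(cidr):
                return True
    return False


def source_matches(ip, rule, groups):
    """Evaluate only the source clause: negate flips 'in group' to 'not in group'."""
    hit = any(
        in_group(ip, groups[path.rsplit("/", 1)[1]]) for path in rule["source_groups"]
    )
    return not hit if rule["sources_excluded"] else hit


def intended_match(ip):
    """What the poster actually asked for: in ALL_SUBNETS minus EXCLUDED."""
    return in_group(ip, ip_group("included-subnets", INCLUDED))


GROUPS = {
    g["id"]: g
    for g in (ip_group("excluded-subnets", EXCLUDED), ip_group("included-subnets", INCLUDED))
}
RULE = negated_rule("allow-not-excluded", "excluded-subnets", "included-subnets")


def compare(ip):
    """Side by side: the negated rule's source clause vs. the intended set."""
    return {"negated_rule": source_matches(ip, RULE, GROUPS), "intended": intended_match(ip)}


if __name__ == "__main__":
    print(json.dumps({"groups": list(GROUPS.values()), "rule": RULE}, indent=2))
    # 10.1.0.7: both True.  10.4.0.7: both False.
    # 192.0.2.9: negated_rule True, intended False -> the over-match to watch for.
    for sample in ("10.1.0.7", "10.4.0.7", "192.0.2.9"):
        print(sample, compare(sample))
```

The third sample is the check to run before relying on negate: an address in none of the six subnets still satisfies "source NOT in excluded group". Either keep the rule's Applied To on the included group, or put a rule that matches subnets 4-6 above a rule that matches the included group, so the combination expresses "included minus excluded" rather than "anything but excluded".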