Search the VMware Knowledge Base (KB)
View by Article ID

UI Exported/saved DFW configuration does not store negated objects in NSX (2149047)

  • 0 Ratings


In a VMware NSX for vSphere 6.2.4/6.2.5 environment, you see this symptom:

User Interface (UI) is not passing "excludeSource"/"excludeDestination" true while saving the configuration for negated objects such as Security Group (SG) containers or individual objects such as virtual machines.


This issue is resolved in VMware NSX for vSphere 6.2.7, available at VMware Downloads.

To work around this issue if you do not want to upgrade:
  • Use the Autosaved configurations that are automatically triggered when publishing changes to the ESXi hosts.
  • Use Rest APIs.

    To work around this issue using Rest APIs:
  1. Extract the XML from the response body of the GET call and modify it as required.

    Rest API to query current configuration containing excluded source/destination objects:

    GET https://NSX-Manager-IP-Address/api/4.0/firewall/globalroot-0/config

  2. From the Response Header in Step 1, copy the Etag header value.
  3. Add the number as the If‐Match header in the PUT call.

    Rest API to modify DFW configuration:

    PUT https://NSX-Manager-IP-Address/api/4.0/firewall/globalroot-0/config

  4. Pass the modified XML as the Request Body in a PUT call.
Note: For more information, see the NSX for vSphere API Guide.

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.


  • 0 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)

Please enter the Captcha code before clicking Submit.
  • 0 Ratings