If you deploy your NSX Manager into a cluster managed by the Distributed Firewall (DFW), it is automatically excluded from the DFW. NSX Controllers, Edge Service Gateways (ESG) and DLR Control VMs are also automatically excluded from the DFW.
1 – Log into the vSphere Web Client.
2 – Click the Networking and Security icon, then click NSX Managers.
3 – Select your NSX Manager and then click the Manage tab.
4 – Click the Exclusion List tab.
5 – Click the + sign to add a virtual machine to exclude, select your VMs and then click OK.
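
VMs added through the Exclusion List tab are outside the DFW, so the list is worth reviewing against what was actually approved. The following is an added example, not code from the original page or from VMware: it parses an exclusion list export and compares it with an approved list. The XML element names, VM IDs and VM names are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the element names are an assumed shape for an
# exclusion list export, not output captured from a real NSX Manager.
SAMPLE_EXCLUSION_XML = """
<excludeListConfiguration>
  <excludeMember>
    <member><objectId>vm-101</objectId><name>vcenter01</name></member>
  </excludeMember>
  <excludeMember>
    <member><objectId>vm-202</objectId><name>backup-proxy01</name></member>
  </excludeMember>
  <excludeMember>
    <member><objectId>vm-303</objectId><name>test-web07</name></member>
  </excludeMember>
</excludeListConfiguration>
"""

# Hypothetical allow-list: VMs the security team has approved for exclusion.
APPROVED = {"vm-101": "vcenter01", "vm-202": "backup-proxy01", "vm-404": "psc01"}


def parse_exclusions(xml_text):
    """Return {objectId: name} for every VM listed in the export."""
    root = ET.fromstring(xml_text)
    members = {}
    for member in root.iter("member"):
        vm_id = (member.findtext("objectId") or "").strip()
        if not vm_id:
            raise ValueError("exclusion entry without an objectId")
        members[vm_id] = (member.findtext("name") or "").strip()
    return members


def audit(excluded, approved):
    """Compare the current exclusion list with the approved one."""
    return {
        # Excluded from the DFW without approval.
        "unapproved": sorted(set(excluded) - set(approved)),
        # Approved but not currently excluded: stale allow-list entries.
        "stale": sorted(set(approved) - set(excluded)),
        # Same ID, different name: the VM was renamed since approval.
        "renamed": sorted(i for i in excluded.keys() & approved.keys()
                          if excluded[i] != approved[i]),
    }


if __name__ == "__main__":
    for finding, ids in audit(parse_exclusions(SAMPLE_EXCLUSION_XML), APPROVED).items():
        print(f"{finding}: {', '.join(ids) or 'none'}")
```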