Hello,
Our company has purchased Palo Alto VM-Series ELA licenses to be deployed for microsegmentation, so we don't have any restriction on the number of VM firewalls or their size.
My boss wants to steer all the traffic to the VM-Series firewalls and not use NSX DFW at all, considering two things: first, having one single place to manage the traffic and firewall rules; and second, because I am the only one with a little bit of knowledge of NSX (VCP-NV) and the rest of the team only know PAN, he wants to reduce the cost of education and rely on only one resource.
I know that when you vMotion a VM, the current sessions won't be managed by the VM-Series on the new host and they will continue to pass traffic until the session is ended, like a big file transfer or replication.
I also know that vRNI, which we own as well, makes life so easy by detecting traffic flows and suggesting security policies.
Other than the above, is there any other reason we shouldn't steer all the traffic to the VM-Series and leave the NSX DFW to allow everything?
Regards