Dear Team,

In NSX3.2 we have a new step in the process called “Prepare Infrastructure”, we won't see this step in NSX-T 3.1 and earlier. This step would create temporary IP Sets in NSX-V to maintain security during the migration. When you migrate a VM from one vCenter (NSX-V) to another vCenter (NSX-T), the VM will no longer be included in the Security Groups in NSX-V since the object is no longer present there. Before NSX-T 3.2 we had to create these IP Sets manually in NSX-V. Please find the below NSX-T 3.2 docs for your reference.

Migrate the Distributed Firewall Configuration (vmware.com)

In the above link "You can skip the Prepare Infrastructure step. However, doing so may compromise security until the finalize infrastructure phase is complete." Just wanted to know once we migrate a VM from old to new environment, DFW will not take effect until we migrate all VMs (which we take several weeks) and  Finalize the infrastructure to finish the migration.

Post finalizing only, DFW for all VMs will start working?? Please let me know if my understanding is correct.

Thank you in advance