Network security is still one of the core mitigating controls in an overall cyber risk management strategy, and it is most effective when applied with granular network segmentation, where network firewalls (both physical and NFV devices) are able to control a large proportion of traffic in a target environment.
As network security progresses toward more granular segmentation, building the actual network access policies manually becomes a nightmare, especially when network firewalls are inserted into existing production data centers with thousands of live applications. You must have intimate knowledge of the applications' network needs, and the resulting access policies tend to be large and complex and, therefore, difficult to provision and manage. Manually creating and maintaining such policies is typically feasible only in small or greenfield environments.