- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Dear Valued Customer and Partner,
We are excited to share some great news with you, as a valued user of Expedition functionalities. We are currently in the process of transferring the core functionalities of the tool into new products. This strategic move aligns with our commitment to meet the evolving needs of our customers and enhance our range of product offerings. Starting from January 2025, Palo Alto Networks will no longer support the Expedition tool, including all versions of both Expedition1 and Expedition2 branches. We believe this transition will bring even more value and improved capabilities to our users.
To assist you in transitioning smoothly, we recommend exploring the following alternatives:
We understand this transition's impact on your operations and are committed to supporting you every step of the way. Should you have any questions or need further assistance, please do not hesitate to reach out via the Expedition community forum or by contacting our team directly through the previously mentioned email.
We appreciate your understanding and continued support as we strive to serve your needs better with our advanced product solutions.
Warm regards:
Palo Alto Networks
Yes, absolutely you can continue using Expedition, as both the tool and the repositories will remain accessible for your usage.
While you can technically continue using Expedition after its End of Life (EOL) date, there are several factors to consider:
Lack of Support and Limited Functionality:
Community Support:
Alternatives to Consider:
Given the limitations of using Expedition after EOL, you may want to consider alternative solutions for your migration projects. Professional Services including Migration Factory team: Palo Alto Networks offers professional services to assist with configuration migration. This can be a good option if you need expert help with the migration process.
Ultimately, the decision of whether or not to continue using Expedition after EOL is up to you. However, it is important to weigh the risks and limitations before making a decision. If you require ongoing support, access to new features, and compatibility with future versions of PAN-OS, you may want to consider using an alternative solution.
As stated in the Agreement disclaimer 5. Use Restrictions and Prohibitions:
Except as expressly specified in this Agreement, You may not, nor allow any third party, directly or indirectly to: Copy (except in the course of loading or installing), modify or create derivative works based on the Tool, including but not limited to adding new features or otherwise making adaptations that alter the functioning of the Tool.
Expedition is not an open-source project, therefore you cannot change or modify any code without the consent of Palo Alto Networks, as outlined in the terms and conditions.
While it's true that Expedition has a long history of stability and a wealth of documentation available, it's important to acknowledge the limitations associated with using a tool past its End of Life (EOL) date.
To assist you in transitioning smoothly, we recommend exploring the following alternatives:
Besides above consider these valuable resources that can help you address issues with Expedition:
Extensive Documentation:
Active Community Portal:
Leverage Existing Stability:
Remember, while Expedition may not receive official updates after EOL, its existing functionality and the supportive community can still be valuable assets for your migration projects.
Here's a summary of your options:
By utilizing these resources effectively, you can continue to leverage Expedition's strengths for your migration needs even after its EOL date.
Expedition played a crucial role in bridging the gap between customer needs and Palo Alto Networks' product offerings. As a free, community-supported tool, it provided valuable assistance with configuration migration.
However, with the introduction of enhanced capabilities within Strata Cloud Management (SCM) and enhanced migration services, a natural progression has occurred.
Palo Alto Networks is now focusing resources on these more comprehensive and officially supported solutions. Expedition's legacy as a valuable tool for configuration migration is acknowledged. However, the transition to SCM represents a natural progression towards a more comprehensive and officially supported solution. This shift aligns with Palo Alto Networks' commitment to providing customers with the best possible tools and resources for their policy posture management.
Did you all have ChatGPT write parts of this this? It's comical how out of touch Palo Alto is becoming with their clients. I personally didn't use Expedition because it was never actually "supported" to begin with, with little to no meaningful documentation. But framing this announcement as exciting news is just hilariously tone deaf for the people who maybe did use it or find value in it.
I used the tool heavily to migrate from other vendors to Palo. And it was a great selling point because it was free of charge.
I assume the Professional Services and Migration Factory is not free of charge.....
This are definitive not "excited" and also not "great news".
If you really gonna kill it (which seems like a "Broadcom move" but go on) at least make it open-source so the community can further develop it.
If going cloud or buying professional services are the only options for migration and in general bulk changes for Panorama are the only options (besides developing your own set of scripts/tools) selling will get difficult.
Customers are using this also for regularely cleaning up unused objects, applying bulk changes to rules etc...
I don't know what to say about this. We also use Expedition very successfully to migrate the configuration from other vendors, for mass changes and had relied on Expedition2 for additional features.
As the others have already written, i don't know where this is supposed to be "great news". I hope that the Strata Cloud Manager provides the functions, especially for migration, quickly and free of charge. Until now, it's a game changer when we talk with customers about the migration.
In the the last 9years another tool was developed under an OpenSource license by PANW PS people.
mass manipulation of Firewall/Panorama is available since years, and also a starting point to manipulate Strata Cloud Manager config.
this one is no longer maintained:
https://github.com/PaloAltoNetworks/pan-os-php
But there is one which is actively maintained by myself
https://github.com/swaschkut/pan-os-php
An incredibly bad decision, when will Palo Alto Networks dismantling of its partner relationships stop?!
Over the years I/we have used Expedition a lot, then and now. I don't know if Palo thinks the tool has only been used for migrations. Have used the tool in presale, migration, configuration adjustments, etc. Very useful.
During my 12 years of focusing solely on Palo Alto, Palo has grown a lot, which is nice. In the first years, Palo had events such as SKO, SE-summit, Ignite, tech summit and local events where Palo and we partners (in some cases also customers) received the same information at the same time about news. For a few years now, we partners are not welcome at SKO, the SE summit just didn't happen this year (zero info that that was the plan and it doesn't seem like anyone within Palo knew /know why…).
How do you plan to use us as partners in the future? Should all events be replaced with online variants? What events does Palo have in the next 12 months? Clarity please!
This is disconcerting news indeed.
We use Expedition extensively in our migration projects from competitor to PANW firewalls.
Do we now simply hand over the customers old competitor config to PANW PS and Migration factory? And get an "AI-parsed" PanOs xml in return? How is the quality control of the new config done?
Today there is a whole lot of tweaking done in expedition before the config is ready for use. Are your new methods better at handling the conversion process? How are You going to do all the communication with the customer to sort out all the kinks? Directly? Does Your personnel speak the local languages in the respective regions? Having a language barrier only compound problems in a migration process. How do You see the Partner engineer's role in the migration process going forward? Are You sending personnel all over the world when it comes time to go live with new firewall? Having the customer do this themselves is risky, nor is it the accepted norm in our region, when doing a migration.
What is the cost for the customer related to all this?
Are you moving away from the Partner model of doing business?
I can se the benefits of SCM and getting the cleanup and optimization features there, in addition to the other benefits. But I am skeptical in regards to migration processes in the future based on the sparse information above.
Are there any overlap in the people from Professional Services and the Support services?
Hopefully You have more information for Partners in addition to the single sentence describing "Professional Services and Migration Factory"
I hope You can alleviate our concerns.
With Regards,
Chriss Greve
Action speaks louder than words…
Another clear step towards reducing partners importance in the future.
Palo Alto seems to move away from us, that is unfortunately becoming more and more clear.
The Fortinet migration tool is going strong they seem to think it adds value to their story.
A Partner is someone you include in the story not exclude.
Regards,
Peter Levin
In my previous company (as a partner) we managed to sell more pricey PAN fw just because of Expedition and log analysis functionality.
As someone said:
"In the history of bad moves, this is one of the worst moves you could ever make for partner engineers. Congratulations."
But it is not just about partners, this is also affecting customers. I don't want to pay them their pricey services. Now I'm at a customer side, and my management wants to spend wants to spend as little money as possible. I'm building my case for PANs based on log analysis and creation of new rules. I'll have greenfield installation without any rules, and Expedition would be priceless. Now I don't have anything to hold on to and the most probably will stuck with bunch of Forti firewalls.
Expedition was the main and the greatest differentiator between PAN and rest of the vendors. You just give yourself an auto-goal. Congratulations!!!
"We are currently in the process of transferring the core functionalities of the tool into new products."
Is it safe to assume that configuration migration from other vendors to Palo is considered core functionality?
When will these products be available? Will there be a cost associated with these products?
So we pay you to migrate the data for us?
Hi,
We currently have deployed a server (Minemeld version 0.9.70), Company Systems requires us to upgrade the operating system of this server. It is running Ubuntu Linux 16.04. We are asked to deploy a version that runs Ubuntu Linux 22.04.
Is it possible to upgrade the system or deploy a new OVA with this need fulfilled?
Well, that stinks.
TL;DR
Wow - I'm shocked/not shocked. First Minemeld, BPA, and not being able to just call support. And now this.
How long before Live Community, KB articles, and documentation become an additional subscription fee? How long before talking to support and/or one's account team comes with an added "service fee" like restaurants can now charge?
How much money does PAN need? What a bunch of greedy poseurs.
And let's not forget the unattainable sales goals for account teams that has caused a mass exodus of very talented people including the SEs who used to run the PCNSE ***free*** ~6-week study/review bootcamps for a few years. Gone - they didn't even leave up the YouTube recordings of previous bootcamps (before anyone says it, yes I know they were under Rodger's account, but it was using his PAN email - they could've updated it and kept the channel).
Side note: pan-os-php is awesome - please do check it out. The irony of that is it started as a PAN product like the above and basically died at PAN when Sven left (but, as he noted above, he maintains his own repository quite well). The "funny" part about this is Sven used to be involved in some way with the Expedition team and sometimes he would ask why we used pan-os-php instead of Expedition for things.
Hmmm, I wonder if it has been discontinued because there's no one left who can develop/maintain it? It kind of reminds of of Netscreen firewalls when a lot of those folks left Juniper (to form/join PAN) and Juniper dropped it in favor of JUNOS firewalls.
Shocked as everyone else. We need to approach our PA sales guys to send a clear message, engineers will stop recommending PA FW!
As a partner, I use the Expedition tool extensively to convert configurations. In fact, it's one of the most advanced tools available for replacing other vendors.
But what gives it a huge advantage is its ability to analyze and propose flow matrices: no competitor has a tool for this at the moment.
I'm convinced that AIOPS will eventually be able to take over this function, but its cost (license and log retention) is prohibitive.
I can only agree with many of the comments, im not happy about this decision. I use expedition now and then to assist in identifying unused objects and rules, among other things. A cloudbased service is no option for us.
This has become so incredibly predictable and typical of the "new" palo alto networks. When I say "new" palo alto networks, what I mean is that over the past 5-6 years I've observed this strategic shift where palo seems to be trying to generate more revenue by forcing customers into service type agreements and/or additional subscriptions that may or may not be necessary. This discontinuation of expedition 'support' is one example. The bundling of strata cloud manager with aiops premium is another that comes to mind. They're one of the big boys now, so, gotta pay to play I suppose.
What a huge shame, I've been using Expedition 1.0 since 2018 and it's brought a lot of business to Palo from my main customer (millions in HW and support contracts) who are still in the process of transitioning from legacy firewalls in massive global networks.
I echo the statements and questions of all the other commenters above and I will be expressing this to our account managers and SE's.
Aside from that, i'd like to thank the fwmigrate team for the support over the years - it has not gone unnoticed.
We have started migrating to Palo Alto firewalls using expedition as we can do everything we need without having internet connectivity to connect to the cloud. Now you are removing this option so there will become a date in the reasonably near future where we will not be able to continue to migrate to Palo Alto as there will be no tools available and you have no other cost effective way to migrate. We cannot give you our firewall rules for you to do with as you wish we try where possible to run a secure system with multiple layers run by different vendors. It becomes a bit of a waste of money if we just upload all our configurations to your cloud so you can give them to whomever asks and charge us for the privilege.