Important Update: End of Life Announcement for Palo Alto Networks Expedition

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L4 Transporter
20% helpful (1/5)

End of Life Announcement for Palo Alto Networks Expedition

 

Dear Valued Customer and Partner,

We are excited to share some great news with you, as a valued user of Expedition functionalities. We are currently in the process of transferring the core functionalities of the tool into new products. This strategic move aligns with our commitment to meet the evolving needs of our customers and enhance our range of product offerings. Starting from January 2025, Palo Alto Networks will no longer support the Expedition tool, including all versions of both Expedition1 and Expedition2 branches. We believe this transition will bring even more value and improved capabilities to our users.

 

What This Means for You:

 

  • No Further Development: Expedition will have no new features or updates.
  • Support Changes: Technical support for Expedition will be discontinued. We encourage you to utilize the Expedition community on our live portal for ongoing discussions and access to all previously created documentation.
  • Email and Community Transition: The distribution list fwmigrate@paloaltonetworks.com will be archived, but the Expedition community will remain active on our live portal.

 

Transition Support and Alternatives:

 

To assist you in transitioning smoothly, we recommend exploring the following alternatives:

  • SCM Features: Cleanup and optimization features with many enhancements to functionality in Expedition will be available in Strata Cloud Manager (SCM) for configs managed in SCM. Stay tuned for updates on these exciting developments.
  • Professional Services and Migration Factory: Our expert team is available to support your configuration migration to Palo Alto Networks products. By leveraging automation, tactical scripts, and custom solutions, our Migration Factory team can provide scalable and efficient migration services.

We understand this transition's impact on your operations and are committed to supporting you every step of the way. Should you have any questions or need further assistance, please do not hesitate to reach out via the Expedition community forum or by contacting our team directly through the previously mentioned email.

We appreciate your understanding and continued support as we strive to serve your needs better with our advanced product solutions.

 

Warm regards:

Palo Alto Networks

 

FAQs

 

Could I keep using Expedition for my migration projects?

 

Yes, absolutely you can continue using Expedition, as both the tool and the repositories will remain accessible for your usage.

While you can technically continue using Expedition after its End of Life (EOL) date, there are several factors to consider:

Lack of Support and Limited Functionality:

  • No further development or updates: This means Expedition will not receive any bug fixes, security patches, or new features. This could make it not compatible with all features in future versions of PAN-OS.
  • Technical support unavailable: If you encounter any issues with Expedition, you will not be able to receive assistance from Palo Alto Networks. You will need to use the open live community and that could lead to delays and frustration in resolving problems.

Community Support:

  • Limited community resources: Although the Expedition community forum will remain accessible, it will not be actively moderated or updated. This means you may have difficulty finding answers to your questions or solutions to your problems.
  • Declining community activity: As Expedition becomes less popular While Expedition users transition to features consumption in products,, the community around it may dwindle. This could make it harder to find help and support from other users.

Alternatives to Consider:

Given the limitations of using Expedition after EOL, you may want to consider alternative solutions for your migration projects. Professional Services including Migration Factory team: Palo Alto Networks offers professional services to assist with configuration migration. This can be a good option if you need expert help with the migration process.

 

Ultimately, the decision of whether or not to continue using Expedition after EOL is up to you. However, it is important to weigh the risks and limitations before making a decision. If you require ongoing support, access to new features, and compatibility with future versions of PAN-OS, you may want to consider using an alternative solution.

 

Could I modify the code and maintain it?

 

As stated in the Agreement disclaimer 5. Use Restrictions and Prohibitions:

Except as expressly specified in this Agreement, You may not, nor allow any third party, directly or indirectly to: Copy (except in the course of loading or installing), modify or create derivative works based on the Tool, including but not limited to adding new features or otherwise making adaptations that alter the functioning of the Tool.

Expedition is not an open-source project, therefore you cannot change or modify any code without the consent of Palo Alto Networks, as outlined in the terms and conditions.

 

What can I do if I have some issue?

 

While it's true that Expedition has a long history of stability and a wealth of documentation available, it's important to acknowledge the limitations associated with using a tool past its End of Life (EOL) date.

To assist you in transitioning smoothly, we recommend exploring the following alternatives:

  • SCM Features: We are integrating clean-up and optimization features into SCM. This integration will preserve key functionalities and introduce new enhancements. Stay tuned for updates on these exciting developments.
  • Professional Services and Migration Factory: Our expert team is available to support your configuration migration to Palo Alto Networks products. By leveraging automation, tactical scripts, and custom solutions, our Migration Factory team can provide scalable and efficient migration services.

Besides above consider these valuable resources that can help you address issues with Expedition:

Extensive Documentation:

  • Expedition's live portal contains a comprehensive library of documentation, including user guides, FAQs, and troubleshooting tips. This wealth of information can often provide solutions to common issues.
  • Take advantage of the search functionality within the documentation to find relevant articles addressing your specific problem.

Active Community Portal:

  • Although Expedition is no longer officially supported, the community portal remains an active hub for users seeking assistance.
  • Post your issue on the community portal. The community comprises experienced users who may have encountered similar problems and can offer valuable insights and solutions.
  • Search the portal for existing discussions. Chances are, someone has already faced the same issue and documented a solution.

Leverage Existing Stability:

  • Expedition has been in the field for many years and has proven to be a stable tool. Unless you encounter critical bugs, it can still reliably perform migrations.
  • Focus on addressing specific issues rather than abandoning the entire tool. This approach can save time and resources while maintaining your migration workflow.

Remember, while Expedition may not receive official updates after EOL, its existing functionality and the supportive community can still be valuable assets for your migration projects.

Here's a summary of your options:

  • Consult the extensive documentation on the live portal.
  • Post your issue on the community portal and seek help from other users.
  • Focus on resolving specific issues rather than abandoning the entire tool.

By utilizing these resources effectively, you can continue to leverage Expedition's strengths for your migration needs even after its EOL date.

 

Why stop supporting Expedition?

 

Expedition played a crucial role in bridging the gap between customer needs and Palo Alto Networks' product offerings. As a free, community-supported tool, it provided valuable assistance with configuration migration.

However, with the introduction of enhanced capabilities within Strata Cloud Management (SCM) and enhanced migration services, a natural progression has occurred. 

Palo Alto Networks is now focusing resources on these more comprehensive and officially supported solutions. Expedition's legacy as a valuable tool for configuration migration is acknowledged. However, the transition to SCM represents a natural progression towards a more comprehensive and officially supported solution. This shift aligns with Palo Alto Networks' commitment to providing customers with the best possible tools and resources for their policy posture management.

Rate this article:
(51)
Comments
L0 Member

How is it great news that you are discontinuing a popular product?

L0 Member

Did you all have ChatGPT write parts of this this? It's comical how out of touch Palo Alto is becoming with their clients. I personally didn't use Expedition because it was never actually "supported" to begin with, with little to no meaningful documentation. But framing this announcement as exciting news is just hilariously tone deaf for the people who maybe did use it or find value in it.

L0 Member

I used the tool heavily to migrate from other vendors to Palo. And it was a great selling point because it was free of charge.

I assume the Professional Services and Migration Factory is not free of charge.....

 

This are definitive not "excited" and also not "great news".

L0 Member

If you really gonna kill it (which seems like a "Broadcom move" but go on) at least make it open-source so the community can further develop it.

If going cloud or buying professional services are the only options for migration and in general bulk changes for Panorama are the only options (besides developing your own set of scripts/tools) selling will get difficult.
Customers are using this also for regularely cleaning up unused objects, applying bulk changes to rules etc...

L2 Linker

I don't know what to say about this. We also use Expedition very successfully to migrate the configuration from other vendors, for mass changes and had relied on Expedition2 for additional features.

 

As the others have already written, i don't know where this is supposed to be "great news". I hope that the Strata Cloud Manager provides the functions, especially for migration, quickly and free of charge. Until now, it's a game changer when we talk with customers about the migration.

L0 Member

In the the last 9years another tool was developed under an OpenSource license by PANW PS people.

 

mass manipulation of Firewall/Panorama is available since years, and also a starting point to manipulate Strata Cloud Manager config.

 

this one is no longer maintained:
https://github.com/PaloAltoNetworks/pan-os-php

 



But there is one which is actively maintained by myself

https://github.com/swaschkut/pan-os-php

 

 

L0 Member

You either die a hero, or live long enough to see yourself become the villain.

L3 Networker

In the history of bad moves, this is one of the worst moves you could ever make for partner engineers. Congratulations.

L0 Member

An incredibly bad decision, when will Palo Alto Networks dismantling of its partner relationships stop?!

 

Over the years I/we have used Expedition a lot, then and now. I don't know if Palo thinks the tool has only been used for migrations. Have used the tool in presale, migration, configuration adjustments, etc. Very useful.

 

During my 12 years of focusing solely on Palo Alto, Palo has grown a lot, which is nice. In the first years, Palo had events such as SKO, SE-summit, Ignite, tech summit and local events where Palo and we partners (in some cases also customers) received the same information at the same time about news. For a few years now, we partners are not welcome at SKO, the SE summit just didn't happen this year (zero info that that was the plan and it doesn't seem like anyone within Palo knew /know why…).

 

How do you plan to use us as partners in the future? Should all events be replaced with online variants? What events does Palo have in the next 12 months? Clarity please!

L0 Member

This is disconcerting news indeed.
We use Expedition extensively in our migration projects from competitor to PANW firewalls.
Do we now simply hand over the customers old competitor config to PANW PS and Migration factory? And get an "AI-parsed" PanOs xml in return? How is the quality control of the new config done?


Today there is a whole lot of tweaking done in expedition before the config is ready for use. Are your new methods better at handling the conversion process? How are You going to do all the communication with the customer to sort out all the kinks? Directly? Does Your personnel speak the local languages in the respective regions? Having a language barrier only compound problems in a migration process. How do You see the Partner engineer's role in the migration process going forward? Are You sending personnel all over the world when it comes time to go live with new firewall? Having the customer do this themselves is risky, nor is it the accepted norm in our region, when doing a migration.
What is the cost for the customer related to all this?

Are you moving away from the Partner model of doing business?

I can se the benefits of SCM and getting the cleanup and optimization features there, in addition to the other benefits. But I am skeptical in regards to migration processes in the future based on the sparse information above.
Are there any overlap in the people from Professional Services and the Support services?

Hopefully You have more information for Partners in addition to the single sentence describing "Professional Services and Migration Factory"

 

I hope You can alleviate our concerns.
With Regards,
Chriss Greve

L1 Bithead

Action speaks louder than words…

Another clear step towards reducing partners importance in the future.

Palo Alto seems to move away from us, that is unfortunately becoming more and more clear.

The Fortinet migration tool is going strong they seem to think it adds value to their story.

 

A Partner is someone you include in the story not exclude.

 

Regards,

Peter Levin

 

 

L0 Member

In my previous company (as a partner) we managed to sell more pricey PAN fw just because of Expedition and log analysis functionality. 

As someone said:

"In the history of bad moves, this is one of the worst moves you could ever make for partner engineers. Congratulations."

 

But it is not just about partners, this is also affecting customers. I don't want to pay them their pricey services. Now I'm at a customer side, and my management wants to spend wants to spend as little money as possible. I'm building my case for PANs based on log analysis and creation of new rules. I'll have greenfield installation without any rules, and Expedition would be priceless. Now I don't have anything to hold on to and the most probably will stuck with bunch of Forti firewalls. 

 

Expedition was the main and the greatest differentiator between PAN and rest of the vendors. You just give yourself an auto-goal. Congratulations!!!

 

L1 Bithead

"We are currently in the process of transferring the core functionalities of the tool into new products."

 

Is it safe to assume that configuration migration from other vendors to Palo is considered core functionality?

When will these products be available? Will there be a cost associated with these products?

L1 Bithead

 

  • Professional Services and Migration Factory: Our expert team is available to support your configuration migration to Palo Alto Networks products. By leveraging automation, tactical scripts, and custom solutions, our Migration Factory team can provide scalable and efficient migration services.

 

So we pay you to migrate the data for us?

 

L4 Transporter

Hi,

We currently have deployed a server (Minemeld version 0.9.70), Company Systems requires us to upgrade the operating system of this server. It is running Ubuntu Linux 16.04. We are asked to deploy a version that runs Ubuntu Linux 22.04.

 

Is it possible to upgrade the system or deploy a new OVA with this need fulfilled?

L4 Transporter

Well, that stinks.

 

TL;DR

 

Wow - I'm shocked/not shocked.  First Minemeld, BPA, and not being able to just call support.  And now this.

 

How long before Live Community, KB articles, and documentation become an additional subscription fee?  How long before talking to support and/or one's account team comes with an added "service fee" like restaurants can now charge?

 

How much money does PAN need?  What a bunch of greedy poseurs.

 

And let's not forget the unattainable sales goals for account teams that has caused a mass exodus of very talented people including the SEs who used to run the PCNSE ***free*** ~6-week study/review bootcamps for a few years.  Gone - they didn't even leave up the YouTube recordings of previous bootcamps (before anyone says it, yes I know they were under Rodger's account, but it was using his PAN email - they could've updated it and kept the channel).

 

Side note: pan-os-php is awesome - please do check it out.  The irony of that is it started as a PAN product like the above and basically died at PAN when Sven left (but, as he noted above, he maintains his own repository quite well).  The "funny" part about this is Sven used to be involved in some way with the Expedition team and sometimes he would ask why we used pan-os-php instead of Expedition for things.

 

Hmmm, I wonder if it has been discontinued because there's no one left who can develop/maintain it?  It kind of reminds of of Netscreen firewalls when a lot of those folks left Juniper (to form/join PAN) and Juniper dropped it in favor of JUNOS firewalls.

L1 Bithead

Shocked as everyone else. We need to approach our PA sales guys to send a clear message, engineers will stop recommending PA FW! 

L0 Member

As a partner, I use the Expedition tool extensively to convert configurations. In fact, it's one of the most advanced tools available for replacing other vendors.
But what gives it a huge advantage is its ability to analyze and propose flow matrices: no competitor has a tool for this at the moment.
I'm convinced that AIOPS will eventually be able to take over this function, but its cost (license and log retention) is prohibitive.

 

L1 Bithead

Palo Alto might be "excited", but I'm not.....

 

"We believe this transition will bring even more value and improved capabilities to our users."

 

"more value" than free? I find that hard to believe....

L1 Bithead

I can only agree with many of the comments, im not happy about this decision. I use expedition now and then to assist in identifying unused objects and rules, among other things. A cloudbased service is no option for us. 

L0 Member

This has become so incredibly predictable and typical of the "new" palo alto networks.  When I say "new" palo alto networks, what I mean is that over the past 5-6 years I've observed this strategic shift where palo seems to be trying to generate more revenue by forcing customers into service type agreements and/or additional subscriptions that may or may not be necessary.  This discontinuation of expedition 'support' is one example.  The bundling of strata cloud manager with aiops premium is another that comes to mind.  They're one of the big boys now, so, gotta pay to play I suppose.

L1 Bithead

What a huge shame, I've been using Expedition 1.0 since 2018 and it's brought a lot of business to Palo from my main customer (millions in HW and support contracts) who are still in the process of transitioning from legacy firewalls in massive global networks. 


I echo the statements and questions of all the other commenters above and I will be expressing this to our account managers and SE's. 

 

Aside from that, i'd like to thank the fwmigrate team for the support over the years - it has not gone unnoticed.

 

 

L0 Member

We have started migrating to Palo Alto firewalls using expedition as we can do everything we need without having internet connectivity to connect to the cloud. Now you are removing this option so there will become a date in the reasonably near future where we will not be able to continue to migrate to Palo Alto as there will be no tools available and you have no other cost effective way to migrate. We cannot give you our firewall rules for you to do with as you wish we try where possible to run a secure system with multiple layers run by different vendors. It becomes a bit of a waste of money if we just upload all our configurations to your cloud so you can give them to whomever asks and charge us for the privilege.

L0 Member

Now I realize that my profile is going outdated when I read this News.. it's made me remember one quote that adopting the changes & accepting the changes else if we adamant to adopt the new technology we will be gone out of the career...

 

As a presales Engineer, I convenience may customer and did 100s of bulk migration using expedition tool.. I thought Palo alto is the best...

 

But when I switch company to small partner (system integrator) & I started reading Sonicwall & Fortigate... Sonicwall using cloud based easy migration from other vendors to Sonic with free of cost.. 

 

I'm thinking that it's gonna be same like that with unique innovation in it.... 

 

On the other hand expedition tool is great one.. no matter what.. it really bring the impact that matters.. 

 

Lemme read about the SCM & put my comment again.. if it's really a good one.. I believe it should be... If it's really a good one then I believe it's a time to change my job .. 

 

My opinion, Palo alto suppose to make it available with a free of cost for everyone.. so that the engineers from partner org.. can use it to bring some profit out of their competitive business else they insist customers to go with other costs less products.. again I'm a good fan of Palo Alto.. 

L0 Member

The best part about this is them attaching the EOL notice to the tail end of a vulnerability announcement.

So basically, your last patch made the thing fully exploitable, then EOL the thing so you basically leave every single one of your customers high and dry.

PAN-SA-2025-0001 Expedition: Multiple Vulnerabilities in Expedition Migration Tool Lead to Exposure of Firewall Credentials (Severity: HIGH)

https://security.paloaltonetworks.com/PAN-SA-2025-0001


Then, with utter contempt and chutzpah, you tell people "F U, Pay us more to do it for you through GoldSeal or BlueAlly or some other garbage support that uses ChatGPT to solve issues". 
"Oh you dont wanna pay us more through a 3rd party service vendor, then pay us to use our lofty memoryhog cloud UI to do it for you". 

Palo Alto sucks. Your cloud product sucks, your subscription services suck, your support sucks, Unit 42(8200) sucks, your devops sucks, your entire org is a brain-sink circling a drain and AI ain't gonna help.

L0 Member

Absolutely the most BS corpo-speak announcement I've seen in a while. The only reason you're excited to announce the great news is that it means people likely have to pay you even MORE money to migrate configurations on top of all the premium license costs. How very Broadcom of you. 💩

L0 Member

Couldn't agree more with the comments that have been made. This isn't good news for anyone using this tool and puts us in a terrible position on moving configurations from Cisco ASA to Palo Alto. Expedition is literally a selling point on migrating away from other firewall vendors to Palo Alto. It would be interesting to see if that slows down any competitive migrations to Palo Alto - why move if you've just made the barrier to move much higher? Without Expedition, it makes this migration much more difficult. I also highly doubt that "professional services" will be able to perform a better job of highly complex migrations and will cost considerably more - again, increasing the barrier. I would love to see Palo Alto open source this product or reverse such an ill-advised decision.

L0 Member

Major bummer, this 'exciting news'. Deeply sadening, you mean......  As a hospital we started with Cisco Pix 515 , migrated to Cisco Firewall Blade, migrated to Fortigates and finally ended up with Palo Alto's in 2016, renewed them in 2020 and have to choose what to do in 2025 . Since all movements at Palo Alto are to 'the cloud', which I deem to be very unsafe, maybe we'll have to consider going back to Fortinet again, or even better in pricing and not in the least customer service & support : Huawei. Reading all above, I will actively inform with our Huawei representatives how their firewalls perform against Palo Alto and Fortinet firewalls. We just moved to our 2nd generation Huawei datacenter and campus switches, so why not use their firewalling as well ?  USA companies ( Cisco, Palo Alto, General motors, HP ) get greedy when they get fat. I had hoped Palo Alto would be an exception. But apparently not.........

L1 Bithead

Hello Team, 

Please provide how we could leverage SCM converting 3rd part firewalls into Palo alto configuration, we are in critical stage in a migration project. Kinldy provide some documentation around how SCM bring functionalities of firewall configuration converter. Thanks in advance. 

L0 Member

Palo Alto has been trying very hard as of late to find any reason they can for customers to migrate to another vendor. If Palo Alto could spend more time QA checking their software before their release, avoiding the plethora of high and critical CVEs accompanying their software and bugs, and less time going after the people who use and support their software, like this example here, that would be great. 

 

Way to stick it to the people supporting your products 👍. A few extra dollars to the company's bottom line via Professional Services (the 'Great News") at the expense of you customer's subject matter experts who are supporting your products. Those experts are sometimes the ones who influence the decision makers regarding vendor selection.

 

L0 Member

We have been actively working as a Fortinet partner for a long time. At the request of our client, we need to replace the externally positioned Cisco Firepower security appliance with a Palo Alto (PA) device.

 

As a Fortinet partner, we are able to obtain licenses directly from the vendor during migration periods, which significantly eases the transition process. However, on the Palo Alto side, the lack of a similar support model — either requiring involvement from the technical team or purchasing additional licenses — poses a major challenge. This can be a serious drawback when recommending PA devices.

Also, is the technical team truly accessible worldwide? Not everyone is able to speak or understand English fluently, which raises further concerns. These issues create significant question marks regarding Palo Alto’s global support and partner flexibility.

KN

L1 Bithead

Not exciting news at all.

Over the years, we’ve relied heavily on this tool to optimize rules, perform bulk changes in security policies, and remove unused objects.
It has also provided crucial support during vendor migrations, helping us transition seamlessly.

Currently, I don’t see any good alternatives for vendor migration, and I doubt PS will offer such support free of cost like expidtion tool.

  • 65590 Views
  • 32 comments
  • 1 Likes
Register or Sign-in
Contributors
Article Dashboard
Version history
Last Updated:
‎06-14-2024 01:47 PM
Updated by: