Sign in Get started

Palo Alto Expedition Alternative

Expedition reached EOL December 2024. PA recommends paid Professional Services. We built a better option.

Start Free Migration See Comparison

What Happened to Expedition?

Why the industry is moving away from Palo Alto's legacy migration tool.

EOL'd December 2024

Expedition reached End of Life. The download servers have been pulled, and no further updates, bug fixes, or support will be provided by Palo Alto Networks.

11 CVEs Disclosed

Critical vulnerabilities (CVSS up to 9.9) were disclosed, including unauthenticated remote code execution and cleartext credential storage, making it unsafe to deploy.

~50-60% Accuracy

Research (NetConfEval) showed Expedition achieved only ~50-60% accuracy on real-world configurations, leaving massive manual validation work for engineering teams.

Paid Alternatives Only

Instead of a replacement tool, Palo Alto now recommends engaging paid Professional Services for migrations, dramatically increasing project costs and timelines.

Expedition vs. NetConverter

How NetConverter replaces and improves upon Expedition's capabilities.

Capability Palo Alto Expedition NetConverter AI
Migration Paths ASA, CheckPoint, Fortinet → PAN-OS Any supported vendor → Any supported vendor (35 validated paths)
Target Platforms PAN-OS XML PAN-OS, Panorama, FMC, FortiGate, and more
Accuracy ~50-60% on complex configs 95%+ with AI-enhanced deterministic mapping
Validation Manual verification required Automated 4-checkpoint pre-deployment validation
App-ID Mapping Manual post-migration (Traffic-based) Intelligent bidirectional App-ID mapping from config
Security Critical CVEs, cleartext storage SaaS-based, zero credentials stored, SOC2 practices
Cost Model Free (but EOL, unsupported) Pay-per-use (significantly cheaper than Pro Services)

Available Migration Paths

NetConverter supports the paths Expedition handled, plus many more.

Your Expedition Migration Path, Without Expedition

Expedition's job was to turn a legacy firewall config into a PAN-OS candidate. NetConverter does the same job through a vendor-neutral intermediate representation: the source — Cisco ASA, FortiGate, or an existing PAN-OS / Panorama config — is parsed into a normalized model, then serialized to your target (PAN-OS set, PAN-OS XML, or Panorama). Address and service objects are de-duplicated, object-groups are preserved, NAT is translated in place, and security zones are mapped rather than left as raw interface names.

The difference is what happens after translation. Expedition handed you output and left verification manual. NetConverter runs every conversion through a 4-tier validation pipeline before you deploy:

Migrating off a different platform first? See the Cisco ASA → Palo Alto and Fortinet → Palo Alto guides, or the FortiGate Migration Tool replacement.

Expedition EOL — Frequently Asked Questions

Is Palo Alto Expedition still supported?
No. Palo Alto Expedition reached End of Life in December 2024. The download servers have been pulled and Palo Alto Networks provides no further updates, bug fixes, or support. Multiple critical CVEs (CVSS up to 9.9, including unauthenticated remote code execution and cleartext credential storage) were disclosed before EOL, so continuing to run it is a security risk.
What replaces Palo Alto Expedition after EOL?
Palo Alto now points customers to paid Professional Services rather than a free successor tool. NetConverter is a SaaS alternative that covers the migration paths Expedition handled — Cisco ASA, FortiGate, and PAN-OS into PAN-OS set/XML or Panorama — and adds automated 4-tier validation and confidence scoring instead of leaving verification entirely manual.
Can I migrate Cisco ASA to Palo Alto without Expedition?
Yes. NetConverter parses ASA access-lists, NAT statements, and object-groups into a vendor-neutral model and serializes them to PAN-OS (set or XML) or Panorama, with zone mapping and object de-duplication. Each translation is checked by a 4-tier validation pipeline before you deploy.
Does NetConverter map App-IDs like Expedition did?
Yes, and earlier in the process. Expedition's App-ID adoption was largely a manual, traffic-based step after cutover. NetConverter derives App-ID candidates from the source policy's ports and services during translation, so application-based rules are proposed from the configuration rather than only learned from live traffic later.
How is NetConverter more accurate than Expedition?
Independent testing (NetConfEval) put Expedition around 50-60% accuracy on real-world configurations, with the remainder left to manual fix-up. NetConverter uses deterministic intermediate-representation mapping backed by a 4-tier validation pipeline (syntax, semantic, best-practice, and AI-assisted review) and reports a confidence score per conversion, so reviewers know exactly where to focus.
Is NetConverter safe given Expedition's security history?
NetConverter is SaaS-based and does not store device credentials. You upload or paste a configuration to convert it — there is no on-prem appliance to patch and no cleartext credential store of the kind that led to Expedition's critical CVEs.

Ready to Migrate without Expedition?

Get enterprise-grade accuracy, pre-flight validation, and actionable reporting without the risk of EOL software.