Expedition reached EOL December 2024. PA recommends paid Professional Services. We built a better option.
Why the industry is moving away from Palo Alto's legacy migration tool.
Expedition reached End of Life. The download servers have been pulled, and no further updates, bug fixes, or support will be provided by Palo Alto Networks.
Critical vulnerabilities (CVSS up to 9.9) were disclosed, including unauthenticated remote code execution and cleartext credential storage, making it unsafe to deploy.
Research (NetConfEval) showed Expedition achieved only ~50-60% accuracy on real-world configurations, leaving massive manual validation work for engineering teams.
Instead of a replacement tool, Palo Alto now recommends engaging paid Professional Services for migrations, dramatically increasing project costs and timelines.
How NetConverter replaces and improves upon Expedition's capabilities.
| Capability | Palo Alto Expedition | NetConverter AI |
|---|---|---|
| Migration Paths | ASA, CheckPoint, Fortinet → PAN-OS | Any supported vendor → Any supported vendor (35+ paths) |
| Target Platforms | PAN-OS XML | PAN-OS, Panorama, FMC, FortiGate, and more |
| Accuracy | ~50-60% on complex configs | 95%+ with AI-enhanced deterministic mapping |
| Validation | Manual verification required | Automated 4-checkpoint pre-deployment validation |
| App-ID Mapping | Manual post-migration (Traffic-based) | Intelligent bidirectional App-ID mapping from config |
| Security | Critical CVEs, cleartext storage | SaaS-based, zero credentials stored, SOC2 practices |
| Cost Model | Free (but EOL, unsupported) | Pay-per-use (significantly cheaper than Pro Services) |
NetConverter supports the paths Expedition handled, plus many more.
Seamlessly migrate ASA access rules, NAT, and object groups to PAN-OS or Panorama with full zone mapping and optimization.
Convert FortiGate policies, VIPs, IP Pools, and custom services into PAN-OS equivalents without the typical NAT explosion.
Going the other way? Translate PAN-OS App-ID, security profiles, and NAT back to FortiOS structure reliably.
Get enterprise-grade accuracy, pre-flight validation, and actionable reporting without the risk of EOL software.