Licensing is used to enable various features on the Sophos XG Firewall (SF) and the same general principles apply regardless of whether the license is for a hardware firewall or a virtual/software firewall. Certain Cyberoam iA / NG and Sophos SG appliances can also run the XG Firewall operation system. This guide provides an overview of the licensing model and then answers questions on its use. The following sections are covered:
Applies to the following Sophos products and versions Sophos FirewallSophos Firewall ManagerSophos iView
XG includes a Base license which is required for all hardware and virtual firewalls and is perpetual. Additional features can be purchased as 1, 2 or 3 year subscriptions (irregular terms greater than 1 year are also possible). The subscriptions can be purchased individually or as bundles. Some of the bundles include a hardware or virtual appliance, which includes the perpetual Base license, and other bundles contain the subscriptions only.
The chart below shows all the bundles (orange text) and within each bundle the individual subscriptions are shown. If the bundle name includes ‘Protect’ then it contains either an XG series hardware appliance or a virtual appliance.
There are 2 levels of support ‘Enhanced’ and ‘Enhanced Plus’. The higher level of support provides direct access to senior Sophos support staff and also provides warranty for any connected Sophos devices. If you are buying individual subscriptions and want the higher level of support, you should purchase the Enhanced Plus Support bundle. If you are buying any of the other bundles then the bundle includes Enhanced Support and you can add the higher level of support by purchasing the ‘Enhanced to Enhanced Support Upgrade’ product.
As well as any hardware you have purchased you will receive a License Schedule which is a PDF document. If you did not receive a License Schedule then contact your reseller. This is an important document and you should read it, action it and keep it safe. The License Schedule contains a link to the current Sophos licensing instructions – make sure you read through the License Schedule and understand what actions you need to take.
XG licenses are identified by the serial number that they are allocated to. Register your Firewall using the serial number to:
See Sophos XG Firewall - Instructions for XG license registration for details.
If you purchased separate subscriptions, you will have received one or more license keys on your License Schedule (a PDF document):
Registration and license key activation can be performed from the firewall’s local Web Admin (WebAdmin) licensing screen (Go to Administration > Licensing) or from the licensing portal which is called MySophos (see MySophos User Guide and FAQs).
The license is held centrally on the Sophos licensing system, so if you use MySophos to register a device or activate a license key you need to press the Synchronize button on the device's WebAdmin licensing screen (Go to Administration > Licensing) to ensure the license on it is up to date. If you don’t do this the license will be updated automatically as part of the next daily license synchronization call.
Registering your hardware device will start the warranty. The warranty start and expiry dates will be set according to the following rules:
To get warranty cover for RED, AP and Passive XG series hardware then you need Enhanced Plus Support on the firewall device they are connected to.
If you skipped registration when you first set up your firewall, then every time you log into the firewall’s local Web Admin you will be prompted to register. After 30 days you will no longer be able to sign in without completing the registration.
Unlike hardware where the license is limited only by the potential of the hardware, the virtual appliance licenses are constrained by the maximum number of cores and RAM that they will use. For example, SF SW/Virtual FullGuard - UP TO 4 CORES & 6GB RAM. As with hardware you need to purchase the Base license as well as any subscriptions you want. These can also be purchased as ‘Protect’ bundles which include the Base license and the subscriptions. The cores / RAM dimensions of feature subscriptions need to match the virtual appliance on which they run.
Sophos XG Firewall supports Active-Active (cluster) and Active-Passive (standby) modes:
For Active-Passive on hardware appliances, it is therefore vital that you decide beforehand which device will be the Active device and that is the one which needs to have the licenses running on it. For further details see Sophos XG Firewall: FAQ on High Availability (HA) licensing.
Note: Active/Passive is not yet available for XG in Azure.
If you set up a virtual firewall using a 30-day free trial and want to purchase a license for your installation, you should ensure that the serial number is quoted on your order. If you don’t do this then a new serial number will be generated and the license attached to that. You will then need to transfer the purchased license to your free trial serial number - see Sophos XG Firewall: License transfer for instructions on how to do this.
The same licensing system is used for iView V2 and Sophos Firewall Manager (SFM) products but the units these are sold in are different from the XG Firewall. SFM is available both as a hardware and virtual appliances and iView is available as a virtual appliance only:
As with firewall, when any of these are purchased, a perpetual Base license is included. The same support subscriptions, Enhanced Support and Enhanced Plus Support, can also be purchased. For SFM hardware, the warranty rules are the same as for XG Firewall.
For most licensing operations, you can either use the MySophos licensing portal www.sophos.com/mysophos or you can use the firewall’s local Web Admin (WebAdmin) screens on the device. However, there are some operations that you can only do on MySophos and a few that you can only do on the WebAdmin screens as shown in the table below:
If you are using the MySophos portal, please see the MySophos User Guide and FAQs which explains how to access and use the portal. If you don’t already have a MySophos account, make sure you read the section ‘How to access MySophos and get an account’. Remember, when using the portal you will have to wait up to 1 day for the automated license synchronization process to update the license on your device. If you want the change reflected straight away, press the Synchronize button on the WebAdmin licensing screen (Go to Administration > Licensing).
If you register your device and activate license keys directly from your appliance WebAdmin screens then all changes are synchronized straight away. If you are in the process of upgrading a Cyberoam iA / NG or Sophos SG appliance then you must use the WebAdmin licensing screen (Go to Administration > Licensing) to register your device and migrate your license. See How do I migrate my existing Cyberoam or Sophos UTM licenses to SFOS? below for more information.
If you need to change the current registrant of a device or transfer the license from one serial number to another then use MySophos. Further information about transferring licenses can be found in Sophos XG Firewall: License transfer.
If you plan to try out the Sophos XG Firewall operating system / firmware (referred to as SFOS) on your existing Cyberoam iA / NG or Sophos SG appliance then you will be presented with 2 options:
We recommend you select the trial license to start with and migrate your existing license only when you are sure that is what you want to do. If you have a Cyberoam Firewall, we recommend you start the process from the Cyberoam customer portal and not from the SFOS directly, to ensure you get the best guidance for this process.
When you are ready to fully migrate your existing license to SFOS, navigate to the License Upgrade section found at the bottom of the WebAdmin licensing screen (Go to Administration > Licensing) (Note: You cannot use MySophos for this). Migrating your license means you will trade-in the remainder of your existing license and will get SFOS features of equivalent value – see Sophos XG Firewall: License migration for details. Depending on your starting point you will see one of the following:
Please note the following points:
When migrating, all initial licensing operations need to be conducted starting from the WebAdmin application on the appliance and not from MySophos. When you have fully migrated your license to SFOS, then you can also use MySophos.
Please see the following articles to prepare for your upgrade:
Go to the Administration > Licensing screen and look for the Module Subscription Details section:
If you think the license looks out of date, press the Synchronize button to make sure the license on the device is the same as held on the Sophos licensing system. You can also check the status of your license using the MySophos portal www.sophos.com/mysophos by navigating to the Network Protection > View Devices and clicking on your device serial number.
When it comes to renewal time you need to make sure your order includes the serial number that the subscription is running on. If you originally bought a ‘Protect’ bundle, then the name of the renewal product will be the bundle shown below it as shown in Figure 1. For example, if you purchased TotalProtect Plus, then at renewal to retain the same feature set you should purchase FullGuard Plus.
You can also see the product identifier against the subscriptions on your device in the MySophos portal www.sophos.com/mysophos – go to Network Protection > View Devices, click on the serial number in the list displayed and look at the License Number/Product column. For example, X-FG135-PLUS is the code for XG FullGuard Plus running on an XG135 or SG135 model. Provide your reseller with the serial number and contents of this column when renewing.
When you renew, depending on your country, your License Schedule will either show a License Key that you need to activate, or, will indicate that your renewal has already been activated. Make sure you read the License Schedule when it is sent to you and activate any license keys shown on it.
The start date for the renewal will be the day after expiry of the existing subscription. The exception to this is if the previous subscription already expired before the renewal was activated, in this case the renewal subscription will normally start from the date of activation but may occasionally be backdated – see Sophos XG Firewall: FAQ on activating XG license keys under the section Why didn't I get the full term when I activated my license key?
If you want to upgrade the products you are running in the middle of the term, then you will need to request a quote from your reseller. You will receive an allowance for the remainder of the subscriptions which will reduce the cost of the new subscriptions you purchase.
Such mid-term changes can only be used to upgrade a subscription and not downgrade.
When a mid-term change is activated then the new subscription will start straight away (unless you requested a future start date) and the remainder of your existing subscription will be cancelled. You will need to activate the key shown on the License Schedule unless it indicates that it has been activated for you.
When Sophos agrees to replace a faulty appliance, an RMA case will be raised and approved:
If you have a question about any aspect of XG licensing then please see the relevant FAQ:
You will also find useful information in the Sophos XG Firewall community. The XG Firewall community forums includes the following sub-groups specifically related to getting started with XG and licensing:
There are some great videos in the XG Firewall How-To library that show you how to get started with the XG including the main licensing operations. Most relevant to licensing are:
For more general information on the XG, please see the XG Firewall Documentation and select what you want to view or read.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.