Cluster Node Replacement - Keeping License Valid

We are running a pair of SG310s in an active/passive failover cluster.

Both of these units have reached end of hardware support so we need to swap out both nodes.

In addition to this our licenses for features are also ending and we have a few days remaining on these.

We have an activation code for the new hardware and software for one new unit and a hardware activation code for the other.

What we are aiming to achieve is to swap out both hardware nodes without any (more than a usual failover) drop of service.

Current Setup

 ID Role  Device name  Status  Version  Licensing
 1  SLAVE  Node1  READY  9.503-4 Base License Only
 2  MASTER  Node2  ACTIVE  9.503-4 FullGuard License Associated


So I was thinking ...

Swap the unit ID1 out with the new unit that has the software subscription associated with the hardware.

Apply the new license to the system.

Swap the unit ID2 out with the other new unit that only has the base license applied.


In terms of version I was expecting to bring both active nodes up to the latest release (9.505-4) and update the two new units to the same version before starting anything.


Is it this simple, or am I missing something?

Thanks in advance ...

  • It is really simple if you replace the UTM with same Hardware type.
    Install current version to cluster and new devices. (use the 30day eval at the new devices)
    make a factory reset at the new devices.
    shutdown cluster slave-node.
    remove slave node (marked as "dead" now) from HA
    add first new device to the cluster. (simple by connecting the HA interface)
    wait until sync is ready
    remove second old system
    add second new device - wait until sysnc is ready

    This way "replacing a cluster node" keeps all files and configuration.
    License is included within configuration and keeps active if new devices are from same type.
    License is NOT bound to a specific device.

    If you wish to replace the License now, upgrade the old one or generate a new license and import the license-file.

    If new devices are from different device type ... please note this here

  • Your post is confusing to me...

    In fact, as longs the UTM subscriptions are active, the SG 310 is covered by warranty.  There's no reason to replace them, just extend your subscription.

    You show that Node 1 has only a base license, but that's not how HA works - both nodes are covered by the same license.  In an Active/Active Cluster, the term of the license is half of what it would be for a single unit or for two appliances in Active/Passive (Hot-Standby).

    Cheers - Bob

  • In reply to dirkkotte:

    Thanks dirkkotte,

    I thought that was roughly what we needed to be doing, some of the language around the licensing is a bit confusing.

    We have been given activation codes, one for the new appliance without any additional licensing and one for the new appliance with the bundle we have purchased.

  • In reply to BAlfson:

    Thanks Bob,

    When we shifted to the Sophos UTM platform we were under the impression that we only needed to purchase subscription renewals for our hardware to remain covered (as had been the case for our previous system). However when it came to renew the subscription we were told directly by our reseller and Sophos account manager (a Sophos Employee) that after 3 years the hardware of the UTMs is not supported and we have to buy a new hardware appliance to have the hardware covered for replacement. This information did not seem to be presented during the pre-sales/evaluation phase of the project to replace the system from the previous vendor.

    Needless to say this came as quite a surprise to us (as we have 4 A/P HA pairs in our environment) we have had to purchase quite a bit of hardware we were not expecting to and had therefore not budgeted for!

    I realise that there may be territorial differences in play here, as it appeared to me that in the USA it is possible to buy a bundle of an appliance with 5 years subscription which it does not seem to be possible to do where we are based in the UK.

    It was our understanding that the base license is required for hardware support on each unit and that the additional subscription license is only needed for one of the nodes in our setup with Active/Passive.

    Some of the confusion around licensing I have mentioned in response to the previous reply, seems to relate to the way the activation codes for the hardware and subscription are provided.


  • In reply to RBCJB:

    Hey John.

    I'll try to explain the best I can.

    When you buy an UTM appliance you receive an ACT key to create a base license and a UPG key to apply the subscription. With that you access MyUTM portal, create a base license with the ACt key, apply the subscription with the UPG key and download the license file. For Active/Passive cluster this is all you need, as when you form the cluster the license file will automatically be applied to both devices, so when you failover the active node has a license attached to it. Both hardwares act as one and are covered by the same license file.

    Now, as a Sophos partner, that way of doing business is pretty strange to me. AFAIK there's no need to replace an appliance until it has reached EOL, and I'm pretty sure that's where Bob's confusion comes from. Your current hardware would be covered by warranty for as long as you would keep an active subscription. Now, Sophos does release new revisions for the appliance from time to time, and they do tend to come with some improvements over the past revisions, but that doesn't mean you need to buy a new hardware just to keep the warranty. 

    Now, since you have already bought two new appliances, follow dirkkotte's instructions and you are all set: level the firmware version, remove slave node, replace with new appliance, add it to the cluster, promote to master and repeat. After that apply the new license you should have downloaded from MyUTM. Do note that the new license timer starts counting from when you register it to MyUTM, so if you still have some time left in the current subscription AND the current an new hardware are the same models (all of them SG310) you can replace the hardware using the current licence and register/apply the new license closer to the current license's expiration.

    I hope that was clear enough for you to understand.


  • In reply to giomoda:

    Thanks to the three of you who have responded ... all now makes sense to me except the apparent need to replace the hardware!

    As I said we were told that this was absolutely necessary by our account manager, and we did of course question this quite strongly as we had never heard of this before.

    Also we have not had this issue with other Sophos hardware, such as our WS1100 which we have had in place for at least 6 years (although I haven't ever had to request a replacement unit so maybe we wouldn't get one if it failed??)

    Anyway I'm starting to drift off topic now, so unless any Sophos employee wants to contribute to clear up the matter of why we've been told we need to replace our hardware after only 3 years of use (which I'd be very interested to have clarified) then there's nothing much more I need to know right now.

  • In reply to RBCJB:

    John, this situation is not what I expect from Sophos.  I hate to sound like a prig, but this isn't fair to you or your organization.

    I have had it reconfirmed by a Sophos Employee familiar with the policies in the UK: "SG appliances are under warranty as long as there’s a current subscription on the box globally (not only in North America)."

    I don't know of a another reseller to recommend to you, but I would suggest that they need to give you your money back, take back the new hardware and work out their problems with Sophos.

    Cheers - Bob