FAQs: SFOS v19 MR1 Adds Support Requirement for Future Firmware Upgrades

Sophos Firewall OS v19 MR1 introduces changes to our support licensing and future access to firmware upgrades 

(Update on 25-July: v19 MR1 has now been released. Please refer to "v19 MR1 is Now Available".)

Management Summary

  • From v19 MR1, Enhanced or Enhanced Plus Support will become a requirement for future firmware upgrades. 
  • There is no change for customers with a valid support subscription (about 80% of customers) 
  • While there is no immediate change for the remaining 20% who do not own support today, they will need to add support once they have used their three-free-upgrade allocation. 

The soft release of Sophos Firewall OS (SFOS) v19 MR1, currently planned for July 19, 2022, will introduce some changes to the scope of our support licensing and future access to firmware upgrades.

What is changing?

Once a firewall is running v19 MR1 or later, subsequent firmware upgrades will require a valid support subscription. To allow customers without support sufficient time to add the subscription, the first three firmware upgrades after MR1 will be free. 

Once the allocation of three free upgrades is exhausted, the support requirement comes into effect and further firmware upgrades will only be possible if a valid support subscription is available. 

  • A valid support subscription can be either Enhanced or Enhanced Plus. 
  • Firmware upgrades will only be restricted if there is no valid support subscription. 

This does not apply to:

  • Firmware upgrades from the install wizard 
  • Mandatory firmware upgrades, hotfixes, and pattern updates 
  • Re-imaging the device using an ISO 
  • Home use licenses
  • Trial licenses 
  • Firmware upgrades made within the three-free-upgrade allocation

 

How does this affect you/your customers? 

| Customer Scenario | Immediate Action Required | Future Action Required |
|---|---|---|
| Owns a valid support subscription (applies to Enhanced and Enhanced Plus) | None | None, as long as support remains valid |
| Has no support subscription (e.g., using Base License or individual à-la-carte subscription only) | None - eligible for next three upgrades after v19 MR1 | Purchase support to continue receiving upgrades |
| Using a Trial license | None, support is included | None, no change |
| Using a Home license | None, no change | None, no change |

Customers who have a valid support subscription 

For the approx. 80% of Sophos Firewall customers who already have a valid Enhanced or Enhanced Plus support subscription, there will be no change. 

Customers who do not own a support subscription 

Customers who today have just a Base license or an individual à-la-carte security subscription without support do not need to take any immediate action. However, to continue receiving firmware updates, they will need to add a support subscription once they have used their allocation of three free firmware updates after installing MR1.

Customers who have a trial license 

Customers with a trial license are not affected as that includes support for the trial period. 

 Customers who have a Home license 

Customers with a Home license are not affected. 

Note: The three free upgrade limitation mentioned below applies to customers without an active support subscription only. 

 

What does the allocation of three free firmware upgrades mean? 

The allocation of three firmware upgrades postpones the enforcement of the support requirement even when there is no active support subscription. This is in addition to the initial install wizard firmware update. 

  • The free upgrades are included to cover use cases such as when a customer receives a new appliance running older firmware for which there is an update available. 
  • This ensures that new customers have a grace period after their initial purchase, when they may not have activated all licenses, or be fully aware of the support requirement. 
  • An alert message will be shown in the user interface which mentions the support requirement and shows the remaining free upgrades.
    • Note: this message will only appear for customers without an active support subscription

 

Which upgrades count towards the three-free-upgrade allocation? 

Any Early Access Program (EAP), General Availability (GA), or Maintenance Release (MR) firmware version which is installed after upgrading to v19 MR1. 

 

What about hotfixes (over the air security patches) and pattern updates? 

These updates will continue to be provided to all customers for any product which has not yet reached its end-of-life date, and will not be deducted from the three-free-update allocation for customers without support.

 

What if I re-image my firewall? 

Re-imaging the appliance with the ISO will continue to work as it does today. Any firewall without a support subscription can also be re-imaged with the ISO of any newer firmware, which will not be deducted from the three-free-update allocation. Re-imaging the appliance resets the free upgrade allocation when there is no active support subscription. 

 

What about the first firmware upgrade during the initial installation? 

Firmware upgrades and mandatory firmware from the initial install wizard will work as today and will not be deducted from the three-free-update allocation. 

 

How do I know how many upgrades I still have left? 

For customers without support, this will be shown in the user interface. 

 

How is the firmware upgrade restricted after the free updates have been exhausted? 

If you don’t have an active support subscription and have used your free upgrade allocation, further firmware upgrades will NOT be possible. This applies to firmware updates from the user interface, using OpCode, SFLoader, or from Sophos Central. Customers will need to purchase a support subscription to continue receiving upgrades. 

 

How does this impact the backup-restore workflow? 

There is no impact on the backup-restore workflow. Firmware upgrades (incl. free upgrades) are independent of device configuration and therefore, backup-restore will work as today.  

 

Why is Sophos making this change? 

While this practice is new for us (with the exception of Sophos Switch), it is the standard for many of our competitors for their firewalls, switches, wireless access points and more. 

Support should be an essential part of every firewall project. 

 

How will this be communicated? 

Around July 14, 2022, we plan to send emails to all partners who have sold or own Sophos Firewall, and to customers who own Sophos Firewall.

  • Sorry to say but that one is the weakest answer for why to do it. Because everyone else does we do it, too. If they jump off a bridge, we do it, too... For me a firewall without subscription doesn't make sense but maybe for other customers it does. Especially I think this is not the real reason (and many others will do...): It is just for generating more money but that reads even worse ;)

    But yep it is legitimate to do it. I simply just wouldn't have written it this way. Rest of article is clear.
