The following article offers general guidance for customers using XG Series hardware appliances and describes the product behavior once the hardware reaches its EOL on March 31, 2025.
|
Impacted Products |
XG 86, XG 86w, XG 106, XG 106w, XG 115, XG 115w, XG 125, XG 125w, XG 135, XG 135w, XG 210, XG 230, XG 310, XG 330, XG 430, XG 450, XG 550, XG 650, XG 750 |
|
End-of-Life Date |
March 31, 2025 |
|
Final Renewal |
There must be at least one full month between the expiry date of your current XG subscription and the EOL date. Subscriptions must not extend beyond the EOL. |
What is the recommended migration path for my XG Series hardware?
The majority of XG customers move to the equivalent XGS model, e.g., XG 210 -> XGS 2100.
We recommend that you ask your Sophos partner to go through your current requirements to ensure the new firewall is sized correctly for your network. This is also a good opportunity to ask about current offers for your hardware refresh.
What happens to my XG license when I move to XGS?
Our systems currently allow for a 30-day grace period on the XG subscriptions from the start of the new license for XGS. The license on the XG shows as expired, but the licensed functionality will continue to work for 30 days, providing an overlap for both appliances and giving you time to complete the migration.
An extension to the grace period is planned for implementation in the coming months and this information will be updated once that is available.
How can I ensure a seamless transition from XG to XGS with my existing configuration?
Using the Backup/Restore process, you can migrate your XG configuration to the equivalent XGS model without any behavior change (as it is the same OS). Some restrictions do exist if the model you are migrating to has fewer ports than your current model. Please check with your local Sophos Partner if you are unsure about using this functionality.
In an upcoming release v20.0 MR2, we will be enhancing the Backup/Restore process to support an any-to-any Backup/Restore assistant with port mapping options. Once that is available, it will be possible to restore your backup on any XGS device, irrespective of the number of interfaces. We will update this information as soon as the release is available (expected Q3 CY2024).
Product Behavior
Will I be supported if my subscription expiry date is after March 31, 2025?
Sophos support for XG Series hardware ends on the EOL date, irrespective of the subscription expiry date. After the EOL, customers will no longer be eligible for software support, RMA, or hardware support.
Sophos currently has several attractive offers for XG Series customers to refresh their hardware with the latest XGS Series. The promotion and refresh process ensures that the customer can still benefit from their investment for the full subscription term.
Which is the last supported software release for XG hardware?
Sophos Firewall OS (SFOS) v20 will be the last major release to support the XG Series hardware. V20 maintenance releases will also include support.
SFOS v21, which is expected to be released in Q4 2024, will not support XG hardware. Customers who want to upgrade to v21, once available, must upgrade to XGS Series hardware.
Will the functionality included in the Base License still be available after the EOL?
The functionality included with the Base License (Firewall/ VPN/ Wi-Fi) will still be available, however, as the software will not receive further updates, this component will age, and any issues or security vulnerabilities will NOT be fixed after the EOL.
We strongly advise against the continued use of any EOL product and have several attractive offers to make the transition as easy as possible.
Will my XG series device keep working after the end-of-life date?
Sophos Firewall XG series deployments that still have a valid license and subscriptions will continue to run after the end-of-life date but over time, functionality and security will be degraded.
Features that depend on pattern updates or live lookup services could be impacted.
The pattern updates and cloud scanning can stop shortly after March 31, 2025:
- Anti-virus signature and engine updates, for both the Sophos and Avira engines
- IPS signature and engine updates
- Anti-spam (SASI) signature and engine updates
- URL classification lookups
- Sophos X-Ops Threat Feeds
You will no longer be protected against new threats or the latest changes to website categorization.
As these pattern upgrades stop for XG hardware and the installed data and engines age, the behavior of the features that depend on those components may become unreliable. Web Filtering and Email Filtering in particular may fail and cause traffic disruption beyond the failure to detect new threats.
Base License and other features that do not depend on data services or updates, such as routing, VPN, high availability, and reporting should not be directly impacted.
Please note: The management of any connected SD-REDs is part of the Network Protection subscription and therefore, that functionality would be impacted once the subscription expires.
After the end-of-life date:
- There will be no further updates to the Sophos Firewall OS system and software for the XG Series.
- If vulnerabilities are discovered in any components, Sophos will not provide patches or fixes.
This may result in the product, your data, and networks protected by the XG series firewall becoming increasingly vulnerable to attack. We strongly advise against using any EOL product. As a business, this could seriously impact your compliance status.
Example:
An XG Series customer has a subscription that is valid until June 30, 2025
- On June 25, 2025 (subscription is active), the IPS engine will offer protection based on the last pattern installed before the EOL. No new patterns will be available after the EOL date.
- On July 1, 2025 (subscription has expired), the IPS engine will no longer scan the traffic = no protection.
Once the subscription expires, all functionality associated with that subscription will stop working.
What functionality will be available after the EOL if all subscriptions have expired?
- Firewall/ VPN/ Wi-Fi, that are included in the Base License, will continue to function in most cases (see above) but will deteriorate over time.
- Note: SD-RED management is part of the Network Protection subscription, not the Base License.
- Any issues or security vulnerabilities will NOT be fixed.
- Software support, RMA, and hardware support will not be available.
What are the risks of using an EOL or non-supported product?
We strongly advise against the continued use of any EOL product and have several attractive offers to make the transition as easy as possible.
We recommend that you discuss the potential risks of using an unsupported or EOL product with a qualified legal or insurance advisor.
- Potential impact on your compliance status, particularly in the case of a data breach.
- Potential impact on your ability to obtain or renew cyber insurance
- A customer’s EOS/EOL replacement process may be considered when applying for cyber insurance and using EOL products could potentially impact a claim.
