XG Series Hardware: End of Life (EOL) Frequently Asked Questions

The following article offers general guidance for customers using XG Series hardware appliances and describes the product behavior once the hardware reaches its EOL on March 31, 2025.

 

Impacted Products

XG 86, XG 86w, XG 106, XG 106w, XG 115, XG 115w, XG 125, XG 125w, XG 135, XG 135w, XG 210, XG 230, XG 310, XG 330, XG 430, XG 450, XG 550, XG 650, XG 750

Note: XG 85 and XG 105 had an earlier EOL date and are no longer supported.

End-of-Life Date

March 31, 2025

Final Renewal

Considerations before opting to do a final renewal:

  • Limited-time offers are currently available for existing XG customers with up to 99% discount on XGS hardware and up to 33% on Xstream Protection (3-year term)*
    • A 1-year hardware refresh offer is also available if you don't have the budget available for a 3-year term 
  • The next major release of Sophos Firewall OS (v21) will NOT include support for XG Series hardware appliances
  • Moving from XG to XGS is a simple backup/restore process - check with your local Sophos partner or SE for full details

If you do opt to do a final renewal, subscriptions must not extend beyond the EOL date.

 

What is the recommended migration path for my XG Series hardware?

The majority of XG customers move to the equivalent XGS model, e.g., XG 210 -> XGS 2100.

We recommend that you ask your Sophos partner to go through your current requirements to ensure the new firewall is sized correctly for your network. This is also a good opportunity to ask about current offers for your hardware refresh.

 

What happens to my XG license when I move to XGS?

Our systems currently allow for a 30-day grace period on the XG subscriptions from the start of the new license for XGS. The license on the XG shows as expired, but the licensed functionality will continue to work for 30 days, providing an overlap for both appliances and giving you time to complete the migration.

An extension to the grace period is planned for implementation in the coming months and this information will be updated once that is available.

 

How can I ensure a seamless transition from XG to XGS with my existing configuration?

Using the Backup/Restore process, you can migrate your XG configuration to the equivalent XGS model without any behavior change (as it is the same OS). Some restrictions do exist if the model you are migrating to has fewer ports than your current model. Please check with your local Sophos Partner if you are unsure about using this functionality.

In an upcoming release v20.0 MR2, we will be enhancing the Backup/Restore process to support an any-to-any Backup/Restore assistant with port mapping options. Once that is available, it will be possible to restore your backup on any XGS device, irrespective of the number of interfaces. We will update this information as soon as the release is available (expected Q3 CY2024).

 

MSP: What will happen to licensing and monthly billing for XG appliances deployed as MSP Flex?

All XG Series hardware appliances will reach end-of-life and end-of-support after March 31, 2025, irrespective of how they are deployed and licensed. This includes XG hardware appliances deployed with MSP Flex licensing.

Product Behavior

Which is the last supported software release for XG hardware?

Sophos Firewall OS (SFOS) v20 will be the last major release to support the XG Series hardware. V20 maintenance releases will also include support.

SFOS v21, which is expected to be released in Q4 2024, will not support XG hardware. Customers who want to upgrade to v21, once available, must upgrade to XGS Series hardware.

 

Will the functionality included in the Base License still be available after the EOL?

The functionality included with the Base License (Firewall/VPN/Wi-Fi) will still be available. However, as the software will not receive further updates, this component will age, and any issues or security vulnerabilities will NOT be fixed after the EOL.

We strongly advise against the continued use of any EOL product and have several attractive offers to make the transition as easy as possible.

 

Will my XG series device keep working after the end-of-life date?

Sophos Firewall XG series deployments that still have a valid license and subscriptions will continue to run after the end-of-life date, but over time, functionality and security will be degraded.

Features that depend on pattern updates or live lookup services could be impacted.

The following pattern updates and cloud scanning services can stop shortly after March 31, 2025:

  • Anti-virus signature and engine updates, for both the Sophos and Avira engines
  • IPS signature and engine updates
  • Anti-spam (SASI) signature and engine updates
  • URL classification lookups
  • Sophos X-Ops Threat Feeds

You will no longer be protected against new threats or the latest changes to website categorization.

As these pattern upgrades stop for XG hardware and the installed data and engines age, the behavior of the features that depend on those components may become unreliable. Web Filtering and Email Filtering in particular may fail and cause traffic disruption beyond the failure to detect new threats.

Base License and other features that do not depend on data services or updates, such as routing, VPN, high availability, and reporting should not be directly impacted.

Please note: The management of any connected SD-REDs is part of the Network Protection subscription and therefore, that functionality would be impacted once the subscription expires.

After the end-of-life date:

  • There will be no further updates to the Sophos Firewall OS system and software for the XG Series.
  • If vulnerabilities are discovered in any components, Sophos will not provide patches or fixes.

This may result in the product, your data, and networks protected by the XG series firewall becoming increasingly vulnerable to attack. We strongly advise against using any EOL product. As a business, this could seriously impact your compliance status.

Example:

An XG Series customer has a subscription that is valid until June 30, 2025:

  • On June 25, 2025 (subscription is active), the IPS engine will offer protection based on the last pattern installed before the EOL. No new patterns will be available after the EOL date.
  • On July 1, 2025 (subscription has expired), the IPS engine will no longer scan the traffic = no protection.

Once the subscription expires, all functionality associated with that subscription will stop working.

 

What functionality will be available after the EOL if all subscriptions have expired?

  • Firewall/VPN/Wi-Fi, which are included in the Base License, will continue to function in most cases (see above) but will deteriorate over time.
    • Note: SD-RED management is part of the Network Protection subscription, not the Base License.
  • Any issues or security vulnerabilities will NOT be fixed.
  • Software support, RMA, and hardware support will not be available.

 

What are the risks of using an EOL or non-supported product?

We strongly advise against the continued use of any EOL product and have several attractive offers to make the transition as easy as possible.

We recommend that you discuss the potential risks of using an unsupported or EOL product with a qualified legal or insurance advisor.

  1. Potential impact on your compliance status, particularly in the case of a data breach.
  2. Potential impact on your ability to obtain or renew cyber insurance.
    • A customer’s EOS/EOL replacement process may be considered when applying for cyber insurance and using EOL products could potentially impact a claim.
Comment
  • "Using the Backup/Restore process, you can migrate your XG configuration to the equivalent XGS model"

    In my recent experience migrating a client from an XG210 to an XGS2100, the config did migrate over, but we ended up with issues accessing a web-based application where it would load indefinitely on a white screen even after disabling all protections during testing. The only fix was to go back to factory settings and set it up 1:1 from scratch, and it cost me hours and multiple failed visits and having to re-deploy new VPN Profiles. Would highly recommend extensive testing before switching where possible, or leave yourself plenty of time.

    We've had similar issues in the past with previous firmware versions - hopefully the new MR2 release will prove more reliable.
