Sophos Firewall: Impact of expired license


Security protection on Sophos Firewall requires a Subscribed/Evaluating subscription.

If a subscription is Expired/Unsubscribed, Sophos Firewall cannot perform corresponding security protection.

Here is table of subscription and security features.

Base Firewall Firewall rule, VPN, Wireless Protection, NAT rule, site-to-site RED
Network Protection IPS, ATP, SD-RED device, Security Heartbeat
Web Protection Web Filter, Application Control, Anti-virus
Zero-day Protection Machine Learning, Sandboxing File Analysis, Threat Intelligence
Central Orchestration SD-WAN VPN Orchestration, Central Firewall Reporting Advanced
Email Protection Anti-spam, Anti-virus, DLP, Encryption (SPX), Email Malware Protection
Web Server Protection WAF, Anti-virus, reverse proxy
Enhanced Support It is the minimum subscription for
  • RMA,
  • Sophos Technical Support service, and
  • firmware upgrade*.
* It applies to v19.0 MR1 and later. More details in the section Enhanced support, Enhanced plus support
Enhanced Plus Support It provides more benefits than Enhanced support. Details in Sophos Support Service Guide.

Reference: Sophos Firewall > Administration Help > Licensing

Base Firewall

Once Base Firewall becomes Expired/Unsubscribed,

  1. Sophos Firewall stops applying firewall rule and NAT rule on any traffic.
    • All firewall rules stop working, no matter they are configured to allow or block traffic.
    • All NAT rules stop working.
    • The following traffic is allowed and has masquerading applied automatically by Sophos Firewall, even if there is a firewall rule to drop it.
      • from LAN zone to WAN zone
      • from DMZ zone to WAN zone
      • from LAN zone to LAN zone
      • from LAN zone to DMZ zone
      • from DMZ zone to DMZ zone
      • from DMZ zone to LAN zone
      No other traffic except the above can traverse Sophos Firewall.
  2. No VPN cannot be established.
  3. Site-to-site RED cannot be established.
  4. AP and wireless network stop working.

It applies to Sophos Firewall v18 and later.

Email protection

Once Email Protection becomes Expired/Unsubscribed, Sophos firewall delivers email without anti-spam/anti-virus scanning.

It applied to all Sophos Firewall OS versions.

Enhanced support, Enhanced plus support

If both Enhanced support and Enhanced plus support are expired/unsubscribed

  • For all Sophos Firewall OS versions, Sophos cannot provide RMA and Technical Support service.
  • For Sophos Firewall OS v19.0 MR1 and later, the firewall has 3 free firmware upgrade, and further firmware upgrades will only be possible with a valid support subscription. It does not impact the trial license, home use license or firmware upgrades from the install wizard

Edition history

2022-12-09, updated the section "Enhanced support, Enhanced plus support"

2022-09-29, minor update

2022-07-19, updated for v19.0 MR1

2022-01-14, fixed expired URL

2021-05-31, updated with section "Email protection"

2021-05-24, first release

minor update
[edited by: taowang at 11:46 AM (GMT -8) on 9 Dec 2022]