Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: Impact of expired license

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

Security protection on Sophos Firewall requires a Subscribed/Evaluating subscription.

If a subscription is Expired/Unsubscribed, Sophos Firewall can't perform corresponding security protection.

Here is the table of subscription and security features.

Base Firewall Firewall rule, VPN, Wireless Protection, NAT rule, site-to-site RED
Network Protection IPS, ATP, SD-RED device, Security Heartbeat
Web Protection Web Filter, Application Control, Anti-virus
Zero-day Protection Machine Learning, Sandboxing File Analysis, Threat Intelligence
Central Orchestration SD-WAN VPN Orchestration, Central Firewall Reporting Advanced
Email Protection Anti-spam, Anti-virus, DLP, Encryption (SPX), Email Malware Protection
Web Server Protection WAF, Anti-virus, reverse proxy
Enhanced Support It is the minimum subscription for
  • RMA,
  • Sophos Technical Support service and
  • firmware upgrade*.
* It applies to v19.0 MR1 and later. More details in the section Enhanced support, Enhanced plus support
Enhanced Plus Support It provides more benefits than Enhanced support. Details in Sophos Support Service Guide.

Reference: Sophos Firewall > Administration Help > Licensing

Base Firewall

Once Base Firewall becomes Expired/Unsubscribed,

  1. Sophos Firewall stops applying firewall rules and NAT rules on any traffic.
    • All firewall rules stop working, no matter if they’re configured to allow or block traffic.
    • All NAT rules stop working.
    • The following traffic is allowed and has masquerading applied automatically by Sophos Firewall, even if there’s a firewall rule to drop it.
      • from LAN zone to WAN zone
      • from DMZ zone to WAN zone
      • from LAN zone to LAN zone
      • from LAN zone to DMZ zone
      • from DMZ zone to DMZ zone
      • from DMZ zone to LAN zone
      No other traffic except the above can traverse the Sophos Firewall.
  2. No VPN can't be established.
  3. Site-to-site RED can't be established.
  4. AP and wireless network stop working.

It applies to Sophos Firewall v18 and later.

Email Protection

Once Email Protection becomes Expired/Unsubscribed, Sophos Firewall delivers email without anti-spam/antivirus scanning.

It applied to all Sophos Firewall OS versions.

Enhanced support, Enhanced plus support

If both Enhanced support and Enhanced Plus support are expired/unsubscribed,

  • For all Sophos Firewall OS versions, Sophos cannot provide RMA and Technical Support services.
  • For Sophos Firewall OS v19.0 MR1 and later, the firewall has three free firmware upgrades, and further firmware upgrades will only be possible with a valid support subscription. It does not impact the trial license, home use license, or firmware upgrades from the install wizard

Edition history

2022-12-09 updated the section "Enhanced support, Enhanced plus support."

2022-09-29, minor update

2022-07-19, updated for v19.0 MR1

2022-01-14, fixed expired URL

2021-05-31, updated with section "Email protection"

2021-05-24, first release




Updated Links to latest
[edited by: Raphael Alganes at 10:26 AM (GMT -8) on 14 Nov 2024]
Parents
  • This is messed up, I've bought a device that would have worked until his death and now it will be just a white brick only because I've updated to V18. I'll roll back to V17.5 for the next days and in the meanwhile I'll buy a firewall of a different brand!

    What a shame Sophos!

  • What do you mean? Base License is valid until 2999. 

    __________________________________________________________________________________________________________________

  • I read that "Sophos Firewall v18: impact of expired license" and on the 1st of April the licenses of my XG 125 are going to expire.
    I gotta say that I didn't read which license, I've just seen a list of licenses.
    But if the base firewall never expire, why in this article there is this "Once Base firewall becomes Expired/Unsubscribed"?
    By the way, I see that the Webserver protection is expiring, so it still means that I have to renew the licenses (I'm looking for the prices and I really don't understand which license should I get, is there a comparison of the different licenses with the relative features?).

Reply
  • I read that "Sophos Firewall v18: impact of expired license" and on the 1st of April the licenses of my XG 125 are going to expire.
    I gotta say that I didn't read which license, I've just seen a list of licenses.
    But if the base firewall never expire, why in this article there is this "Once Base firewall becomes Expired/Unsubscribed"?
    By the way, I see that the Webserver protection is expiring, so it still means that I have to renew the licenses (I'm looking for the prices and I really don't understand which license should I get, is there a comparison of the different licenses with the relative features?).

Children