Sophos Firewall v18: impact of expired license

Overview

Security protection on Sophos Firewall requires a Subscribed/Evaluating subscription.

If a subscription is Expired/Unsubscribed, Sophos Firewall cannot perform corresponding security protection.

Here is table of subscription and security protection.

Base firewall Firewall rule, NAT rule, VPN, Wireless Protection, site-to-site RED
Network protection RED appliance, ATP, IPS, Security Heartbeat
Web protection Web Filter, Anti-virus, Application Control
Email protection Anti-spam, Anti-virus, email encryption (SPX), DLP
Web server protection WAF, Anti-virus, reverse proxy
Sandstorm Sandstorm service
Enhanced support It is the minimum subscription for RMA and Sophos Technical Support service
Enhanced plus support It provides more benefits than Enhanced support.

Reference: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/ModuleLicense.html

Base firewall

Once Base firewall becomes Expired/Unsubscribed,

  1. All firewall rules stop working, no matter they are configured to allow or block traffic.
  2. All NAT rules stop working.
    In another word, Sophos Firewall stops applying firewall rule and NAT rule on any traffic.
    The following traffic is allowed and has masquerading applied automatically by Sophos Firewall, even if there is a firewall rule to drop it. 
    • from LAN zone to WAN zone
    • from DMZ zone to WAN zone
    • from LAN zone to LAN zone
    • from LAN zone to DMZ zone
    • from DMZ zone to DMZ zone
    • from DMZ zone to LAN zone
    No other traffic except the above can traverse Sophos Firewall.
  3. No VPN cannot be established.
  4. Site-to-site RED cannot be established.
  5. AP and wireless network stop working.

It applies to Sophos Firewall v18 only.

On Sophos Firewall v17.5 MR15 and earlier, firewall rule and NAT rule still work even if Base Firewall becomes Expired/Unsubscribed.

Email protection

Once Email Protection becomes Expired/Unsubscribed, Sophos firewall delivers email without anti-spam/anti-virus scanning.

It applied to Sophos Firewall v17.5 and v18.

Enhanced support, Enhanced plus support

If both Enhanced support and Enhanced plus support are expired/unsubscribed, Sophos cannot provide RMA and Technical Support service.

It applied to Sophos Firewall  v17.5 and v18.

Edition history

2021-05-31, updated with section "Email protection"

2021-05-24, first release



2021-06-03
[edited by: taowang at 1:30 AM (GMT -7) on 3 Jun 2021]