Sophos XG Firewall: Licensing guide
Licensing is used to enable various features on the Sophos XG Firewall (SF), and the same general principles apply regardless of whether the license is for a hardware firewall or a virtual/software firewall. Certain Cyberoam iA / NG and Sophos SG appliances can also run the XG Firewall operating system. This guide provides an overview of the licensing model and then answers questions on its use.
The following sections are covered:
- Overview of the XG licensing model
- Getting started
- What do I receive when I purchase an XG Firewall product?
- How do I activate my product?
- When does my warranty start and finish?
- How are virtual firewall products licensed?
- What high availability models are supported and how are they licensed?
- How do I purchase after a 30-day free trial?
- How are Sophos iView V2 and SFM licensed?
- Which portal should I use to register a device and activate my licenses?
- How do I migrate my existing Cyberoam or Sophos UTM licenses to SFOS?
- How do I find out what licenses are running on my device?
- Renewals, upgrades and replacements
- Other articles and help
XG includes a Base license which is required for all hardware and virtual firewalls and is perpetual. Additional features can be purchased as 1, 2 or 3 year subscriptions (irregular terms greater than 1 year are also possible). The subscriptions can be purchased individually or as bundles. Some of the bundles include a hardware or virtual appliance, which includes the perpetual Base license, and other bundles contain the subscriptions only.
The chart below shows all the bundles (orange text) and within each bundle the individual subscriptions are shown. If the bundle name includes ‘Protect’ then it contains either an XG series hardware appliance or a virtual appliance.
There are 2 levels of support: ‘Enhanced’ and ‘Enhanced Plus’. The higher level of support provides direct access to senior Sophos support staff and also provides warranty for any connected Sophos devices. If you are buying individual subscriptions and want the higher level of support, you should purchase the Enhanced Plus Support bundle. If you are buying any of the other bundles, the bundle includes Enhanced Support and you can add the higher level of support by purchasing the ‘Enhanced to Enhanced Support Upgrade’ product.
As well as any hardware you have purchased, you will receive a License Schedule, which is a PDF document. If you did not receive a License Schedule, contact your reseller. This is an important document and you should read it, action it and keep it safe. The License Schedule contains a link to the current Sophos licensing instructions – make sure you read through the License Schedule and understand what actions you need to take.
XG licenses are identified by the serial number that they are allocated to. Register your Firewall using the serial number to:
- Activate the Base license.
- Start any included subscriptions (if the product purchased was a ‘Protect’ product).
- Start the warranty (hardware only).
See Sophos XG Firewall – Instructions for XG license registration for details.
If you purchased separate subscriptions, you will have received one or more license keys on your License Schedule (a PDF document):
- When you activate a license key, the subscription will start – see Sophos XG Firewall: FAQ on activating XG license keys for details.
- License keys can only be activated after you have registered the device and the device is running a purchased Base license. If the device is a 30-day free trial or a hardware evaluation then license keys cannot be activated on it until the device has a purchased Base license linked to it.
- If you try to activate a license key from an order that has since been credited, you will see an error such as “Sorry: this license key can no longer be used, if you believe you are entitled to use the key then please contact your reseller.”
Registration and license key activation can be performed from the firewall’s local Web Admin (WebAdmin) licensing screen (Go to Administration > Licensing) or from the licensing portal which is called MySophos (see MySophos User Guide and FAQs).
The license is held centrally on the Sophos licensing system, so if you use MySophos to register a device or activate a license key, you need to press the Synchronize button on the device’s WebAdmin licensing screen (Go to Administration > Licensing) to ensure the license on it is up to date. If you don’t do this, the license will be updated automatically as part of the next daily license synchronization call.
Registering your hardware device will start the warranty. The warranty start and expiry dates will be set according to the following rules:
- Warranty Start Date – On first registration, the Warranty Start Date is set to the Registration Date unless Invoice Date is more than 90 days prior to Registration Date in which case Warranty Start Date is set to the Invoice Date plus 90 days.
- Warranty Expiry Date – The warranty will last a minimum of 12 months from the Warranty Start Date. If the active subscriptions include Enhanced Support, then the warranty will be extended to the latest expiry date of those subscriptions or a maximum of 5 years from Warranty Start Date whichever is the shorter.
To get warranty cover for RED, AP and Passive XG series hardware, you need Enhanced Plus Support on the firewall device they are connected to.
If you skipped registration when you first set up your firewall, then every time you log into the firewall’s local Web Admin you will be prompted to register. After 30 days you will no longer be able to sign in without completing the registration.
Unlike hardware where the license is limited only by the potential of the hardware, the virtual appliance licenses are constrained by the maximum number of cores and RAM that they will use. For example, SF SW/Virtual FullGuard – UP TO 4 CORES & 6GB RAM. As with hardware you need to purchase the Base license as well as any subscriptions you want. These can also be purchased as ‘Protect’ bundles which include the Base license and the subscriptions. The cores / RAM dimensions of feature subscriptions need to match the virtual appliance on which they run.
Sophos XG Firewall supports Active-Active (cluster) and Active-Passive (standby) modes:
- Each Active firewall requires its own license.
- For Active-Active mode, each firewall needs to be running the same subscriptions, but the expiry dates of those subscriptions do not need to match (the HA group will remain in place as long as the current Active subscriptions match on that day).
- For Active-Passive hardware appliances, each firewall should be registered but only the Active appliance needs to have subscriptions running on it as it will share the license with the Passive device.
- For Active-Passive virtual firewalls, you only need to purchase the Active license and that will allow you to start up a Passive instance.
- For Active-Passive, technical support on the Passive unit will be provided if the Active unit has at least an Enhanced Support subscription. See When does my warranty start and finish? above for details of warranty rules.
For Active-Passive on hardware appliances, it is therefore vital that you decide beforehand which device will be the Active device and that is the one which needs to have the licenses running on it. For further details see Sophos XG Firewall: FAQ on High Availability (HA) licensing.
Note: Active/Passive is not yet available for XG in Azure.
If you set up a virtual firewall using a 30-day free trial and want to purchase a license for your installation, you should ensure that the serial number is quoted on your order. If you don’t do this then a new serial number will be generated and the license attached to that. You will then need to transfer the purchased license to your free trial serial number – see Sophos XG Firewall: License transfer for instructions on how to do this.
The same licensing system is used for iView V2 and Sophos Firewall Manager (SFM) products, but the units these are sold in are different from the XG Firewall. SFM is available as both hardware and virtual appliances, and iView is available as a virtual appliance only:
- SFM is sold as hardware appliances (SFM200/SFM300/SFM400) or as virtual appliances limited by the number of devices they can manage (15/50/100/200/500/1000).
- iView V2 is sold by the data size that the product can access (500GB/1TB/4TB/8TB).
As with firewall, when any of these are purchased, a perpetual Base license is included. The same support subscriptions, Enhanced Support and Enhanced Plus Support, can also be purchased. For SFM hardware, the warranty rules are the same as for XG Firewall.
For most licensing operations, you can either use the MySophos licensing portal www.sophos.com/mysophos or you can use the firewall’s local Web Admin (WebAdmin) screens on the device. However, there are some operations that you can only do on MySophos and a few that you can only do on the WebAdmin screens as shown in the table below:
|Registration||Key activation||Change registrant / License transfer|
|XG (hardware or virtual)|
|Cyberoam iA / NG|
If you are using the MySophos portal, please see the MySophos User Guide and FAQs which explains how to access and use the portal. If you don’t already have a MySophos account, make sure you read the section ‘How to access MySophos and get an account’. Remember, when using the portal you will have to wait up to 1 day for the automated license synchronization process to update the license on your device. If you want the change reflected straight away, press the Synchronize button on the WebAdmin licensing screen (Go to Administration > Licensing).
If you register your device and activate license keys directly from your appliance WebAdmin screens then all changes are synchronized straight away. If you are in the process of upgrading a Cyberoam iA / NG or Sophos SG appliance then you must use the WebAdmin licensing screen (Go to Administration > Licensing) to register your device and migrate your license. See How do I migrate my existing Cyberoam or Sophos UTM licenses to SFOS? below for more information.
If you need to change the current registrant of a device or transfer the license from one serial number to another then use MySophos. Further information about transferring licenses can be found in Sophos XG Firewall: License transfer.
If you plan to try out the Sophos XG Firewall operating system / firmware (referred to as SFOS) on your existing Cyberoam iA / NG or Sophos SG appliance then you will be presented with 2 options:
- Start a 30-day trial
- Migrate your existing license to SFOS
We recommend you select the trial license to start with and migrate your existing license only when you are sure that is what you want to do. If you have a Cyberoam Firewall, we recommend you start the process from the Cyberoam customer portal and not from the SFOS directly, to ensure you get the best guidance for this process.
When you are ready to fully migrate your existing license to SFOS, navigate to the License Upgrade section found at the bottom of the WebAdmin licensing screen (Go to Administration > Licensing) (Note: You cannot use MySophos for this). Migrating your license means you will trade in the remainder of your existing license and will get SFOS features of equivalent value – see Sophos XG Firewall: License migration for details. Depending on your starting point, you will see one of the following:
- Cyberoam iA / NG – press the Migrate Cyberoam License button and follow the instructions.
- Sophos SG series – click on Choose File to select the UTM 9 license file you want to migrate and then press the Migrate UTM 9 License button.
Please note the following points:
- There is no roll-back option once you have migrated your license to SFOS.
- While running the 30-day evaluation license you will not be able to activate license keys (you must fully migrate your license to SFOS first – check the WebAdmin licensing screen (Go to Administration > Licensing) and it should show ‘Purchased’ in the Status column for the Base Firewall module).
- If you have any unused license keys for your Cyberoam OS or UTM OS system, you must activate them prior to migrating your license to SFOS.
- Once you have migrated, at renewal time, you should purchase Sophos XG Firewall subscriptions and not the ones you would normally purchase for Cyberoam OS or Sophos UTM OS – those will not work.
When migrating, all initial licensing operations need to be conducted starting from the WebAdmin application on the appliance and not from MySophos. When you have fully migrated your license to SFOS, then you can also use MySophos.
Please see the following articles to prepare for your upgrade:
- To find out if your existing appliance can run SFOS, see Cyberoam and Sophos appliances that are eligible for an upgrade to Sophos XG Firewall.
- For an explanation about how existing Cyberoam or Sophos licenses map to SFOS licenses, see Sophos XG Firewall: License migration. This explains what subscriptions you will get under SFOS depending on the current Cyberoam or Sophos SG license you already have.
- If you have a Sophos SG appliance, see Sophos XG Firewall: How to convert an SG appliance to an XG appliance with SFOS.
Go to the Administration > Licensing screen and look for the Module Subscription Details section:
- If the Status = Evaluating then you have an evaluation license for that feature.
- If the Status = Subscribed then you have a purchased license for that feature.
If you think the license looks out of date, press the Synchronize button to make sure the license on the device is the same as the one held on the Sophos licensing system. You can also check the status of your license using the MySophos portal www.sophos.com/mysophos by navigating to Network Protection > View Devices and clicking on your device serial number.
When it comes to renewal time, you need to make sure your order includes the serial number that the subscription is running on. If you originally bought a ‘Protect’ bundle, then the name of the renewal product will be the bundle shown below it in Figure 1. For example, if you purchased TotalProtect Plus, then at renewal to retain the same feature set you should purchase FullGuard Plus.
You can also see the product identifier against the subscriptions on your device in the MySophos portal www.sophos.com/mysophos – go to Network Protection > View Devices, click on the serial number in the list displayed and look at the License Number/Product column. For example, X-FG135-PLUS is the code for XG FullGuard Plus running on an XG135 or SG135 model. Provide your reseller with the serial number and contents of this column when renewing.
When you renew, depending on your country, your License Schedule will either show a License Key that you need to activate, or, will indicate that your renewal has already been activated. Make sure you read the License Schedule when it is sent to you and activate any license keys shown on it.
The start date for the renewal will be the day after expiry of the existing subscription. The exception to this is if the previous subscription already expired before the renewal was activated; in this case the renewal subscription will normally start from the date of activation but may occasionally be backdated – see Sophos XG Firewall: FAQ on activating XG license keys under the section Why didn’t I get the full term when I activated my license key?
If you want to upgrade the products you are running in the middle of the term, then you will need to request a quote from your reseller. You will receive an allowance for the remainder of the subscriptions which will reduce the cost of the new subscriptions you purchase.
Such mid-term changes can only be used to upgrade a subscription and not downgrade.
When a mid-term change is activated then the new subscription will start straight away (unless you requested a future start date) and the remainder of your existing subscription will be cancelled. You will need to activate the key shown on the License Schedule unless it indicates that it has been activated for you.
When Sophos agrees to replace a faulty appliance, an RMA case will be raised and approved:
- The RMA case will record the details including the serial numbers of the faulty and replacement appliances.
- When you receive your replacement device you will need to register it.
- If you were the registrant of the faulty device, then the license will transfer automatically when you register the replacement.
- If no automated transfer happens, the reason will be made clear on screen and you will be able to transfer the license yourself using MySophos – see Sophos XG Firewall: License transfer after RMA for details.