Sophos Firewall: Impact of expired license

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview
Base firewall
Email protection
Enhanced support, Enhanced plus support
Edition history

Overview

Security protection on Sophos Firewall requires a Subscribed/Evaluating subscription.

If a subscription is Expired/Unsubscribed, Sophos Firewall cannot perform corresponding security protection.

Here is table of subscription and security features.

Base Firewall	Firewall rule, VPN, Wireless Protection, NAT rule, site-to-site RED
Network Protection	IPS, ATP, SD-RED device, Security Heartbeat
Web Protection	Web Filter, Application Control, Anti-virus
Zero-day Protection	Machine Learning, Sandboxing File Analysis, Threat Intelligence
Central Orchestration	SD-WAN VPN Orchestration, Central Firewall Reporting Advanced
Email Protection	Anti-spam, Anti-virus, DLP, Encryption (SPX), Email Malware Protection
Web Server Protection	WAF, Anti-virus, reverse proxy
Enhanced Support	It is the minimum subscription for RMA, Sophos Technical Support service, and firmware upgrade. It applies to v19.0 MR1 and later. More details in the section Enhanced support, Enhanced plus support
Enhanced Plus Support	It provides more benefits than Enhanced support. Details in Sophos Support Service Guide.

Reference: Sophos Firewall > Administration Help > Licensing

Base Firewall

Once Base Firewall becomes Expired/Unsubscribed,

Sophos Firewall stops applying firewall rule and NAT rule on any traffic.
- All firewall rules stop working, no matter they are configured to allow or block traffic.
- All NAT rules stop working.
- The following traffic is allowed and has masquerading applied automatically by Sophos Firewall, even if there is a firewall rule to drop it.
  - from LAN zone to WAN zone
  - from DMZ zone to WAN zone
  - from LAN zone to LAN zone
  - from LAN zone to DMZ zone
  - from DMZ zone to DMZ zone
  - from DMZ zone to LAN zone
  No other traffic except the above can traverse Sophos Firewall.
No VPN cannot be established.
Site-to-site RED cannot be established.
AP and wireless network stop working.

It applies to Sophos Firewall v18 and later.

Email protection

Once Email Protection becomes Expired/Unsubscribed, Sophos firewall delivers email without anti-spam/anti-virus scanning.

It applied to all Sophos Firewall OS versions.

Enhanced support, Enhanced plus support

If both Enhanced support and Enhanced plus support are expired/unsubscribed

For all Sophos Firewall OS versions, Sophos cannot provide RMA and Technical Support service.
For Sophos Firewall OS v19.0 MR1 and later, the firewall has 3 free firmware upgrade, and further firmware upgrades will only be possible with a valid support subscription. It does not impact the trial license, home use license or firmware upgrades from the install wizard

Edition history

2022-12-09, updated the section "Enhanced support, Enhanced plus support"

2022-09-29, minor update

2022-07-19, updated for v19.0 MR1

2022-01-14, fixed expired URL

2021-05-31, updated with section "Email protection"

2021-05-24, first release

Updated Disclaimer
[edited by: Erick Jan at 10:53 AM (GMT -7) on 17 Apr 2023]

Top Replies

LuCar Toni over 3 years ago in reply to Andrea_e +2

Bundle basically means Hardware + Software. So you need the Standard Protection + Webserver Protection as a "a la card" license. They should be able to generate you an offer for you appliance.

TheMonzel over 3 years ago

What about the other licence modules?
I thought, that REDs are part of the Base Licence (same as for Wireless Protection). So the connection, ACLs and NAT should work for REDs with the base licence.

If Network Protection expires (and the base license is stil valid), all rules should still apply and control the traffic. But SOFS won't apply Security Heartbeat, IPS, ATP and SSL/TLS inspection, right?

My expirience with expired Web Protection was, the Web Proxy was reachable - but didn't apply any rule itself (It was on 17.5 - and long ago. I don't know, whether this is valid).
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
emmosophos over 3 years ago in reply to TheMonzel

Hello TheMonzel,

The RED device is part of the Network protection license. So you won’t be able to configure a RED device using only the Base License.

If the Network Protection expires, you’ll be able to configure any module but it won't be enforced.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Cancel
Santiago Castrillon over 3 years ago

if I have a RED device already working what happens if Network protection is expired?

We dont use any Security Heartbeat, IPS, ATP and SSL/TLS inspection with RED
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Sagar Kumar over 3 years ago

Just starting to use Sophos FW's as I've been using Juniper SRX for a bit now. link
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
emmosophos over 3 years ago in reply to Santiago Castrillon

Hello Santiago,

You can still use the RED device, but the security modules won't be enforced, you can configure them, but they’ll be ignored.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Cancel
Shunze Lee over 3 years ago

How long is the grace period after the license expires?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
lna over 3 years ago in reply to Shunze Lee

the grace period starts 30 days bevore expiry end ends at the time the license has expired

if you are in trouble ask your sophos sales representative for a demo license unlike UTM Licensing your partner cannot grant you a demo license anymore.

lna@cema

SCA (utm+xg), SCSE, SCT

Sophos Platinum Partner
Cancel
Vote Up +1 Vote Down

Sign in to reply

Cancel
Andrea_e over 3 years ago

This is messed up, I've bought a device that would have worked until his death and now it will be just a white brick only because I've updated to V18. I'll roll back to V17.5 for the next days and in the meanwhile I'll buy a firewall of a different brand!

What a shame Sophos!
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
LuCar Toni over 3 years ago in reply to Andrea_e

What do you mean? Base License is valid until 2999.

__________________________________________________________________________________________________________________
Cancel
Vote Up -1 Vote Down

Sign in to reply

Cancel
Andrea_e over 3 years ago in reply to LuCar Toni

I read that "Sophos Firewall v18: impact of expired license" and on the 1st of April the licenses of my XG 125 are going to expire.
I gotta say that I didn't read which license, I've just seen a list of licenses.
But if the base firewall never expire, why in this article there is this "Once Base firewall becomes Expired/Unsubscribed"?
By the way, I see that the Webserver protection is expiring, so it still means that I have to renew the licenses (I'm looking for the prices and I really don't understand which license should I get, is there a comparison of the different licenses with the relative features?).
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel