Licensing is used to enable various features on the Sophos XG Firewall, and the same methods apply regardless of whether it is a physical or virtual firewall. Some Cyberoam IA / NG and Sophos SG devices can also run the XG Firewall operating system.
XG licensing model overview
XG Firewall includes a Permanent Basic license, which is required for all hardware and virtual firewalls. Additional features can be purchased as a 1, 2 or 3-year subscription.
Subscriptions can be purchased separately or as a package. Some of the packages contain hardware or virtual device with a perpetual Base license and other packages include subscriptions only. The chart below shows all packages and shows individual subscriptions within each package. If the package name contains ‘Protect’, it contains an XG series hardware device or a virtual device.
There are 2 support levels, “Enhanced” and “Enhanced Plus“. It provides direct access to Sophos support staff and also provides a warranty for all connected Sophos devices. If you are purchasing an individual subscription and want to get a higher level of support, you must purchase the “Enhanced Plus Support” package. If you are purchasing any of the other packages, the package includes “Enhanced Support” and you can add a higher level of support by purchasing “Enhanced Support Enhanced for Upgrade”.
What do I get When I buy an XG Firewall product?
When you first purchase the device, a pdf file with the license information is delivered to you in addition to the hardware or software product. You can activate your device with the license information written here.
How do I Activate my Product?
XG Firewall licenses are identified by the serial number they were assigned to. With this information, you can activate the basic license and, if there is an included subscription, start it. You can initiate a warranty for hardware. If you have purchased separate subscriptions, you will receive one or more license keys in the pdf file provided.
- Subscriptions start when you activate a license key.
- License keys are activated only after enrolling in the device and running a base license on the device purchase. If the device is a 30-day free trial or a hardware evaluation, license keys cannot be activated until you have a Base license purchased associated with the device.
- You cannot use the same license key to use a device that has expired as a trial again.
Enrollment and license key activation can be activated from the Administration> Licensing tab on the Web Admin (WebAdmin) screen of the firewall or through my Sophos site.
The license is kept centrally in the Sophos license system, so if you are using MySophos to enrol a device or activate a license key, you must press the “Synchronize” button in the “Administration> Licensing” section of the WebAdmin license screen of the device to obtain the license.
If you do not do this, the license will be updated automatically as part of the next daily license synchronization call.
When does my Warranty start and end?
Registering your hardware device will start the warranty. Warranty start and end dates are determined according to the following rules.
- Warranty Start Date – At the first registration, the Warranty Start Date, Invoice Date is set as the Registration Date unless it is more than 90 days before the Registration Date; in this case, the Warranty Start Date is set to the Invoice Date plus 90 days.
- Warranty Expiration Date – The warranty will last at least 12 months from the Warranty Start Date. If Advanced Support is available on active subscriptions, the warranty is extended up to the expiration date of those subscriptions or up to a maximum of 5 years from the Warranty Start Date, whichever is shorter.
- For RED, AP, and Passive XG series hardware to receive warranty coverage, Enhanced Plus Support is required on the firewall device they are connected to.
- If you skipped registration when you first set up your firewall, you will be prompted to register every time you log into the firewall’s Web Admin. After 30 days, you cannot log in without completing the registration process.
What high Availability Models are Supported and how are they Licensed?
Sophos XG Firewall supports Active-Active and Active-Passive modes:
- Each Active firewall requires its own license.
- For Active-Active mode, each firewall must be running the same subscriptions.
- For Active-Passive hardware devices, each firewall must be enrolled, but only the Active device must have subscriptions running on it as it will share the license with the Passive device.
- For Active-Passive virtual firewalls, you only need to purchase the Active license and this allows you to start a Passive instance.
- For Active-Passive, Technical support on Passive unit will be provided if the Active unit has at least one Advanced Support subscription.
Therefore, for Active-Passive on hardware devices, it is very important that you decide which device is the Active device and which one should have licenses running on it.
Sophos iView V2 and SFM licenses
The same licensing system is used for iView V2 and Sophos Firewall Manager (SFM) products. Sold products are different from XG Firewall. SFM is available as both a hardware and a virtual device, and iView can only be used as a virtual device.
- SFM is sold as hardware devices (SFM200 / SFM300 / SFM400) or virtual devices limited to devices they can manage (15/50/100/200/500/1000).
- iView V2 is sold according to the size of data the product can access (500 GB / 1 TB / 4 TB / 8 TB).
As with the firewall, a perpetual Basic license is included with the purchase of any of these. The same support subscriptions, Enhanced Support and Advanced Plus Support can also be purchased. For SFM hardware, the warranty rules are the same as for XG Firewall.