Sophos Firewall (SFOS) License Migration: What You Need to Know

ProductsPricing & LicensingSophos Firewall

Migration of existing license bundles to the new bundles (Xstream Protection or Standard Protection) plus additional à la carte subscriptions, if required.

Last month, we sent an email to all affected partners and customers about the planned migration for existing Sophos (XG) Firewall customers to our new licensing scheme.

The purpose of the migration is to convert all existing license bundles to one of the two new bundles (Xstream Protection or Standard Protection) plus additional à la carte subscriptions, if required (see Migration Path table below).

This represents an important milestone to simplify our licensing, moving from five bundles to two, and means our Sophos Firewall OS (SFOS) subscriptions will be aligned regardless of hardware (XG/XGS/SG1) or software (virtual appliance/cloud) platform.

On August 4, 2021, we plan to start migrating SFOS bundle licenses running on all SG/XG/Virtual Firewall devices starting with the UKI region. This is slightly later than originally planned as our test phase took longer than expected.

The migration for MSPs will be at a later date and separate communications will follow via the Sophos MSP team.

1Note: SG Series running SFOS only. There is no change for devices running Sophos UTM.


Important Notes on the Migration Process

The actual migration happens in Sophos backend systems, not on the firewall.

  • It does not require any input from the firewall admin
  • It does not change the firmware version running on the firewall
  • It does not change the remaining term/renewal date on any subscription
  • It does not remove any functionality for any customer
  • Some functionality may be added, as shown in the Migration Path table below

All firewalls sync with our licensing server about once every 24 hours.

  • If a device is offline during the migration, or if a license key has not yet been activated, it will be migrated at a later date.
  • After the migration, an automated script will run at regular intervals to catch any outstanding assets which still need to be migrated.
    • This would be the case if a key for a legacy license bundle was applied post-migration.
    • It is also the case for devices deployed in air-gapped mode.

Some changes will only be visible in the SFOS user interface after upgrading to v18.5 MR1:

  • the new Central Orchestration functionality
  • changes to the licensing section to show the bundle name
  • the new name for Sandstorm Protection, which is Zero-Day Protection.

There may be some additional licenses which need to be initially excluded from the migration. See this Knowledgebase article for further information.

Any exclusions from the migration will be added to the KBA.


Planned Migration Schedule

The migration will take place over several days and is planned to complete within a 2-to-3-week period.

There will be two phases to the migration:

  1. The first phase is a staged migration of all affected termed assets (i.e., non-MSP) by region.
    • The plan is to begin with the UKI region on August 4.
    • We have planned the migration over multiple dates based upon the number of assets which need to be migrated.
    • Active-Active HA clusters will be migrated only once all regions are complete to avoid any disruption
  1. In the second phase, we will migrate all affected MSP assets.
    • The current expectation is that MSP licenses will be migrated in late August.
    • The MSP team will provide further details to all MSPs once the testing is complete, and the schedule confirmed.

The current status will be shown in a Knowledgebase article, along with some FAQs.


Migration Path

The following table shows the migration path for all licenses which are part of this migration.

Current subscription New Subscription(s) What’s New
Standard Protection No change
EnterpriseGuard Plus
(EnterpriseProtect Plus)
Xstream Protection Central Orchestration*
Xstream Protection
+ individual subscription for:

  • Email Protection
  • Web Server Protection
Central Orchestration*
Zero-Day Protection**
Email and Web Server no longer part of software bundle***
FullGuard Plus
(TotalProtect Plus)
Xstream Protection
+ individual subscription for:

  • Email Protection
  • Web Server Protection
Central Orchestration*
Email and Web Server no longer part of software bundle***
Enhanced Plus Support Enhanced Support
+ an Enhanced to Enhanced Plus Support Upgrade with the same term
Enhanced Plus Support is only available as an Enhanced to Enhanced Plus Upgrade


For customers who purchased a ‘Protect’ bundle, the migration is based upon the included software subscription as shown above.

* Central Orchestration will require an upgrade to SFOS v18.5 MR1
**Zero-Day Protection is the new name for Sandstorm Protection (SFOS only)
***Upon renewal, Email Protection and Web Server Protection will need to be renewed separately, if still required.


Active Quotes for Previous Bundles (FullGuard, EnterpriseGuard, etc.)

The new Xstream and Standard Protection license bundles are included in the current (2.x) reseller price list, and all quotes should be for the new licensing for all customers. You may need to adjust active quotes if they are likely to close after July 30, 2021.


The previous bundles for FullGuard, EnterpriseGuard, etc. can only be ordered until July 30, 2021. After that date, orders can no longer be processed. This applies to Sophos (XG) Firewall customers only, there is no change for customers running Sophos UTM who can continue to purchase all existing bundles.


Further Information

The migration process has been fully tested and therefore, we would not expect to see any issues. However, should you not find the answer to your questions in the KBA and still have any queries after the migration, please reach out to your usual Sophos contacts.