Please note: The MR1 release is delayed by a week. We will add an announcement once it is available.
Management Summary
- From v19 MR1, Enhanced or Enhanced Plus Support will become a requirement for future firmware upgrades.
- There is no change for customers with a valid support subscription (about 80% of customers)
- While there is no immediate change for the remaining 20% who do not own support today, they will need to add support once they have used their three-free-upgrade allocation.
On July 19, 2022, with the soft release of Sophos Firewall OS (SFOS) v19 MR1, we are introducing some changes to the scope of our support licensing and future access to firmware upgrades.
What is changing?
Once a firewall is running v19 MR1 or later, subsequent firmware upgrades will require a valid support subscription. To allow customers without support sufficient time to add the subscription, the first three firmware upgrades after MR1 will be free.
Once the allocation of three free upgrades is exhausted, the support requirement comes into effect and further firmware upgrades will only be possible if a valid support subscription is available.
- A valid support subscription can be either Enhanced or Enhanced Plus.
- Firmware upgrades will only be restricted if there is no valid support subscription.
This does not apply to:
- Firmware upgrades from the install wizard
- Mandatory firmware upgrades, hotfixes, and pattern updates
- Re-imaging the device using an ISO
- Home use licenses
- Trial licenses
- and during the three free firmware update allocation.
How does this affect you/your customers?
Customer Scenario |
Immediate Action Required |
Future Action Required |
| Owns a valid support subscription Applies to Enhanced and Enhanced Plus |
None | None, as long as support remains valid |
| Has no support subscription e.g., using Base License or individual à-la-carte subscription only |
None – eligible for next three upgrades after v19 MR1 | Purchase support to continue receiving upgrades |
| Using a Trial license | None, support is included | None, no change |
| Using a Home license | None, no change | None, no change |
| HA Active / Passive | None. As long as the Active device has a valid support subscription, the Passive device will also be covered. | None, as long as support remains valid on the Active device. |
Customers who have a valid support subscription
For the approx. 80% of Sophos Firewall customers who already have a valid Enhanced or Enhanced Plus support subscription, there will be no change.
Customers who do not own a support subscription
Customers who have just a Base license or an individual à-la-carte security subscription without support today, do not need to take any immediate action. However, to continue receiving firmware updates, they will need to add a support subscription once they have used their allocation of three free firmware updates after installing MR1.
We would suggest that you reach out to these customers to discuss adding support in the coming weeks/months.
Customers who have a trial license
Customers with a trial license are not affected as that includes support for the trial period.
Customers who have a Home license
Customers with a Home license are not affected.
Note: The three free upgrade limitation mentioned below applies to customers WITHOUT an active support subscription only.
What does the allocation of three free firmware upgrades mean?
The allocation of three firmware upgrades postpones the enforcement of the support requirement even when there is no active support subscription. This is in addition to the initial install wizard firmware update.
- The free upgrades are included to cover use cases such as when a customer receives a new appliance running older firmware for which there is an update available.
- This ensures that new customers have a grace period after their initial purchase, when they may not have activated all licenses, or be fully aware of the support requirement.
- An alert message will be shown in the user interface which mentions the support requirement and shows the remaining free upgrades.
- Note: this message will only appear for customers without an active support subscription
Which upgrades count towards the three-free-upgrade allocation?
Any Early Access Program (EAP), General Availability (GA), or Maintenance Release (MR) firmware version which is installed after upgrading to v19 MR1.
What about hotfixes (over the air security patches) and pattern updates?
These updates will continue to be provided for any product which has not yet reached its end-of-life date for all customers and will not be deducted from the three-free-update allocation for customers without support.
What if I re-image my firewall?
Re-imaging the appliance with the ISO will continue to work as it does today. Any firewall without a support subscription can also be re-imaged with the ISO of any newer firmware, which will not be deducted from the three-free-update allocation. Re-imaging the appliance resets the free upgrade allocation when there is no active support subscription.
What about the first firmware upgrade during the initial installation?
Firmware upgrades and mandatory firmware from the initial install wizard will work as today and will not be deducted from the three-free-update allocation.
How do I know how many upgrades I still have left?
For customers without support, this will be shown in the user interface.
How is the firmware upgrade restricted after the free updates have been exhausted?
If you don’t have an active support subscription and have used your free upgrade allocation, further firmware upgrades will NOT be possible. This applies to firmware updates from the user interface, using OpCode, SFLoader, or from Sophos Central. Customers will need to purchase a support subscription to continue receiving upgrades.
How does this impact the backup-restore workflow?
There is no impact on the backup-restore workflow. Firmware upgrades (incl. free upgrades) are independent of device configuration and therefore, backup-restore will work as today.
Why is Sophos making this change?
While this practice is new for us (with the exception of Sophos Switch), it is the standard for many of our competitors for their firewalls, switches, wireless access points and more.
Support should be an essential part of every sales deal.
How will this be communicated?
We plan to send emails to all partners who have sold/own, and customers who own Sophos Firewall around July 14, 2022.
Once MR1 is available, the release notes will also link to the FAQs which we will post on the Sophos Firewall Community.
