Sophos UTM hardware – End of sale for UTM licenses

Anyone who is currently still using Sophos UTM hardware should look for a successor soon. This is because renewal licenses will no longer be available for these devices after June 30, 2017. As of June 30, 2018, it will finally be over and the product will be End of Life.

Unfortunately, you have read correctly. Even though your UTM is probably still working just fine and is also still running the latest operating system on it, without a license you will no longer be able to use the functions after June 30, 2018. The firewall then degenerates into a “disempowered” standard firewall.

The old hardware must make way

Without a license, it will not be possible to continue using your UTM in the future, as licenses will no longer be available.

Of course, this is disappointing because, for example, on an old smartphone, the latest operating system is no longer supported, but the phone can still be used. But good. Everything works a little differently for the British than it does for us. They also drive on the “wrong” side of the road. 🙂

Of course, the UTM operating system is still available (it still runs on SG firewalls), it’s just that the UTM hardware is no longer supported and thus ends up as a waste product. The same will probably happen to today’s cars in a few years. The car will still be in super condition, but unfortunately there will be no more gasoline to drive it …

For us, by the way, there is only one reason why Sophos wants an end of life for UTM licenses. The fact is that anyone who owns UTM hardware incl. valid license, receives a new UTM in the event of a hardware defect. We assume that Sophos wants to prevent the need to replace UTM hardware in the future.

What to do with the old hardware after June 2018?

There are two ways you can still continue to use the hardware, although neither is quite optimal.

1. Since the UTM hardware is set in combination with a “hardware license”, one could simply install the software version on the UTM. However, the software version is licensed according to the number of IP addresses in the network. You are welcome to get acquainted with the products UTM Software and SFOS Software in our store.
2. As a private individual, you can switch to the free Sophos UTM Home license at any time. This will continue to function.

The change to a new hardware

Fortunately, switching to a new SG Firewall is relatively straightforward. If one follows Sophos’ migration path, even the term of the current license is maintained.

Let’s say you have a UTM 220 that still has a valid license until January 13, 2018. If you now decide to purchase an SG 230, you can migrate the license in the MyUTM portal and receive an SG 230 license with the same expiration date. However, if you now buy an SG 135 instead of an SG 230, the migration path will not be followed and you would have to buy a new license.

License migration path

Here’s another list so you know which SG Firewall you’d need to buy to meet the migration path:

• UTM 100 > SG 105
• UTM 110 > SG 115
• UTM 120 > SG 135
• UTM 220 > SG 230
• UTM 320 > SG 330
• UTM 425 > SG 430
• UTM 525 > SG 550
• UTM 625 > SG 650

If you have a FullGuard license in use, we recommend to let the license expire and then buy a TotalProtect Bundle (hardware and license). This is the most convenient way.

Configuration migration

On a SG Firewall

If you buy an SG Firewall, the migration is pretty simple. With an SG Firewall, the UTM operating system comes pre-installed. So you only need to backup the configuration from the UTM hardware and import it to the new SG Firewall. The thing is done in 15 minutes!

On an XG Firewall

Of course, you can also order XG hardware that has the Sophos Firewall operating system installed (SFOS). Sophos also provides a demo of the SFOS if you want to take a look (username: demo / password: XG@dem0user). However, if you choose this way, you have to recreate the whole configuration, because there is no import from the UTM operating system. So you start almost from scratch. I say “almost at zero” because you already have an idea of what you need to rebuild. On this occasion, it certainly does not hurt to rethink the structure of the configuration right away. For example, what we still often see are servers, clients, phones, backup NAS on the same network. You don’t do that anymore.

Switch to SG and later to XG?

An SG and an XG firewall have the same hardware 1:1. So you won’t block anything for the future if you order a SG Firewall first. The only difference is that an SG comes with the UTM operating system pre-installed, while the XG has the new SFOS installed. We have already described the differences in detail in a previous article.

So you can migrate to SG first and switch to the new operating system for free at a later date.

Sophos once announced a migration wizard for configuring from a UTM to an XG. But it has already been postponed twice. The idea is that you can take the backup file from the UTM and the wizard will then prepare the configuration for the SFOS. However, not everything is adopted and it does not mean that everything will run afterwards. Therefore, we prefer to start on a greenfield site and also question the architecture of the network again.