Skip to content
Avanet
Sophos UTM Hardware - End of Sale for UTM Licenses

Sophos UTM Hardware - End of Sale for UTM Licenses

Anyone still running Sophos UTM hardware should start planning for a replacement soon. From 30 June 2017 onwards, no renewal licences will be available for these appliances. From 30 June 2018, support ends completely and the product reaches end of life.

Unfortunately, that is correct. Even if your UTM is still running perfectly and on the latest operating system, you will no longer be able to use its licensed features after 30 June 2018. At that point, the firewall effectively becomes a “disempowered” basic firewall.

The old hardware has to go

Without a licence it will no longer be possible to keep using your UTM, as there will simply be no licences available.

That is of course disappointing. With an old smartphone, for example, the latest OS might no longer be supported, but you can still use the phone. But anyway. The British do things a bit differently from us. They even drive on the “wrong” side of the road. 🙂

The UTM operating system will of course continue to exist (it still runs on SG Firewalls), but the UTM hardware itself is no longer supported and ends up as electronic waste. The same fate will probably befall today’s cars in a few years’ time: the car will still be in perfect condition, but there will be no petrol left to run it…

From our point of view, there is only one reason why Sophos wants to declare UTM licences end of life. Anyone who owns UTM hardware with a valid licence is currently entitled to a replacement UTM if the hardware fails. We assume Sophos wants to avoid having to replace UTM hardware in future.

What to do with the old hardware after June 2018?

There are two ways you can continue using the hardware, although neither is ideal.

  1. As the UTM hardware is being discontinued in combination with a “hardware licence”, you could simply install the software version on the UTM. However, the software version is licensed according to the number of IP addresses in the network. Feel free to have a look in our shop at the UTM Software and SFOS Software products.
  2. As a private user, you can switch at any time to the free Sophos UTM Home licence. This will continue to work.

Moving to new hardware

Migrating to a new SG Firewall is, fortunately, relatively straightforward. If you follow the Sophos migration path, the remaining term of your current licence will even be preserved.

Suppose you own a UTM 220 with a valid licence until 13 January 2018. If you decide to move to an SG 230, you can migrate the licence in the MyUTM portal and will receive an SG 230 licence with the same expiry date. If, however, you buy an SG 135 instead of an SG 230, you are not following the migration path and will have to purchase a new licence.

Licence migration path

Here is a list so you know which SG Firewall you need to buy in order to stay within the migration path:

  • UTM 100 > SG 105
  • UTM 110 > SG 115
  • UTM 120 > SG 135
  • UTM 220 > SG 230
  • UTM 320 > SG 330
  • UTM 425 > SG 430
  • UTM 525 > SG 550
  • UTM 625 > SG 650

If you are using a FullGuard licence, we recommend letting the licence expire and then purchasing a TotalProtect bundle (hardware and licence). This is the most cost-effective option.

Migrating the configuration

To an SG Firewall

If you buy an SG Firewall, migration is very straightforward. An SG Firewall ships with the UTM operating system preinstalled. You simply back up the configuration from the UTM hardware and import it onto the new SG Firewall. The whole process takes about 15 minutes.

To an XG Firewall

You can of course also order XG hardware, which comes with the Sophos Firewall operating system installed (SFOS). Sophos also provides a demo of SFOS if you want to take a look (username: demo / password: XG@dem0user). If you choose this route, you must rebuild the entire configuration from scratch, as there is no import from the UTM operating system. You are effectively starting from almost zero. “Almost” because you at least know what you need to recreate. It is a good opportunity to rethink the configuration design. For example, we still frequently see servers, clients, phones and backup NAS systems all in the same network segment. That is no longer considered good practice.

Migrate to SG now and to XG later?

An SG and an XG Firewall use exactly the same hardware 1:1. So you are not limiting your future options at all if you first buy an SG Firewall. The only difference is that an SG ships with the UTM operating system preinstalled, whereas the XG runs the new SFOS. We have already described the differences in detail in a previous article.

You can therefore first migrate to SG and later switch to the new operating system at no additional cost.

Sophos at one point announced a migration assistant for converting a UTM configuration to an XG. However, it has already been postponed twice. The idea is that you take the backup file from the UTM and the assistant then prepares a configuration for SFOS. Not everything will be migrated, and it does not mean that everything will work flawlessly afterwards. That is why we prefer to start with a clean slate and take the opportunity to review the overall network architecture.

Patrizio

Patrizio

Patrizio is an experienced network specialist focused on Sophos firewalls, switches, and access points. He supports customers and IT teams with configuration, migration, and clean network segmentation.