
Migration path of a Sophos UTM license to an SFOS license

In this article, we’ll show you what happens to your UTM license when you migrate it to Sophos Firewall OS (SFOS). We introduce you to the exact migration path and explain the differences.

Migration path and differences

There are no additional costs for migrating your UTM license to SFOS, but there are a few things to consider. Not everything can be carried over 1:1, because the UTM operating system and SFOS differ in a few points.

Migrate UTM license to SFOS

Essential Firewall

What was called “Essential Firewall” in the UTM operating system is now called “Base License” in the SFOS. You can read more about what this Base License contains here: Sophos Firewall OS (SFOS) Base License.

Wireless Protection

Wireless protection is part of the base license of Sophos Firewall OS and is therefore included free of charge.


BasicGuard

BasicGuard is a light version of the FullGuard license. It is an inexpensive alternative to its big brother and contains a few functions of each module. But important key features are missing, so we could never get excited about this license. We are therefore not unhappy that BasicGuard is no longer available in SFOS.

Important: If you currently use a BasicGuard license, it will be converted to a FullGuard license during the migration, which halves the remaining runtime. For example, if the license is still valid for one year, it will only be valid for 6 months after the migration.

UTM Endpoint

Sophos abandoned development of the UTM endpoint a long time ago and has created more than just an alternative with Sophos Central. With Sophos Central, your endpoints can communicate with your XG firewall. Sophos calls this Synchronized Security. With the new SFOS, there is no endpoint solution that can be managed via the firewall. The way forward for endpoint protection is clearly Sophos Central.

Important: Since SFOS does not have an endpoint solution that can be managed through the firewall, your UTM endpoint licenses will expire after the migration. Make sure that you have uninstalled all your UTM endpoint clients before the migration, or at least that tamper protection has been disabled everywhere.

Note: You can also rent licenses for Sophos Central from us on a monthly basis. Just check out our Sophos Central Subscription.

UTM Support

The SFOS support plans have also changed compared to the UTM operating system. At this point, you just need to know that your support package, whether standard or premium, will be converted into an “Enhanced Support” package during the migration. We will report more about the new support plans in a later article. Until then, however, you can already read the official Sophos PDF.

User/IP level for Virtual Appliances

While the UTM operating system for virtual devices had to be licensed according to User/IPs, SFOS licensing now depends on the performance of the device. The following figure shows you where your current license is classified in SFOS.

Migration path for User/IP levels in virtual appliances

The rest remains the same

The modules “Network Protection”, “Web Protection”, “Email Protection”, and “Web Server Protection”, as well as the IPsec Client, remain the same and are adopted without any special changes.
