Homepage » KB article » Sophos Firewall » Migration path of a Sophos UTM license to a SFOS license

Migration path of a Sophos UTM license to a SFOS license

In this article, we will show you what happens to your UTM license when you migrate it to Sophos Firewall OS (SFOS). We will show you the exact migration path and explain the differences.

Migration path and differences

When migrating your UTM license to the SFOS, the following will occur no additional costsbut nevertheless a few things have to be considered. Not everything can be adopted 1:1 in terms of licensing, since the UTM operating system and the SFOS differ in a few points.

Essential Firewall

What was called the "Essential Firewall" for the UTM operating system is now called the "Base License" for SFOS. You can read more about what this base license includes in the following article: Sophos Firewall OS (SFOS) Base License

Wireless Protection

Wireless protection is part of the base license for Sophos Firewall OS and is therefore already included free of charge.


The BasicGaurd is a slimmed down version of the FullGuard license. It is an inexpensive alternative to the big brother and includes a few functions from each module. However, important key features are missing and therefore we could never get excited about this license. Therefore, we are not unhappy about the fact that BasicGuard is no longer available at SFOS.

Important: So if you are using a BasicGuard now, it will be converted to a FullGuard license during the migration and the duration will be halved. For example, if the license is still valid for one year, it will only be valid for 6 months after the migration.

UTM Endpoint

Sophos has long since abandoned the further development of the UTM endpoint and has instead come up with Sophos Central has created more than just an alternative. With Sophos Central, your endpoints can communicate with your XG Firewall. Sophos calls this Synchronized Security. With the new SFOS, there is no longer an endpoint solution that can be managed through the firewall. So the future for endpoint protection clearly belongs to Sophos Central.

Important: Since SFOS no longer has an endpoint solution that can be managed through the firewall, your UTM endpoint licenses will expire after the migration. Make sure you have uninstalled all your UTM endpoint clients before migration, or at least disabled tamper protection everywhere.

Note: You can also rent licenses for Sophos Central on a monthly basis. Just take a look at our Sophos Central subscription.

UTM Support

The support plans have also changed with SFOS compared to the UTM operating system. At this point, you just need to know that your support package, whether Standard or Premium, will be converted to an "Enhanced Support" package upon migration. We'll cover more about the new support plans in a later post. Until then, you can read the official PDF from Sophos.

User/IP level for virtual appliances

Whereas with the UTM operating system for virtual devices you had to license by user/IPs, with SFOS it is now dependent on the performance of the device. The following graphic shows you where your previous license is classified with SFOS.

The rest remains the same

The modules "Network Protection", "Web Protection", "Email Protection", "Web Server Protection", as well as the iPSec Client, remain the same and are adopted without special changes.

More information

Shopping Cart
Scroll to Top