Shopping Cart

No products in the cart.

Migration path of a Sophos UTM license to a SFOS license

In this article, we will show you what happens to your UTM license when you migrate it to Sophos Firewall OS (SFOS). We will present you the exact migration path and explain the differences.

Migration path and differences

There are no additional costs when migrating your UTM license to the SFOS, but there are still a few things to keep in mind. Not everything can be adopted 1:1 in terms of licensing, since the UTM operating system and the SFOS differ in a few points.

Essential Firewall

What was called the “Essential Firewall” for the UTM operating system is now called the “Base License” for SFOS. You can read more about what this base license includes in the following article: Sophos Firewall OS (SFOS) Base License

Wireless Protection

Wireless protection is part of the base license for Sophos Firewall OS and is therefore already included free of charge.


The BasicGaurd is a slimmed down version of the FullGuard license. It is a low-cost alternative to its big brother and includes a few functions from each module. However, important key features are missing and therefore we could never get excited about this license. Therefore, we are not unhappy that BasicGuard is no longer available at SFOS.

Important: If you are now using a BasicGuard, this will be converted to a FullGuard license during the migration and the runtime will be halved. For example, if the license is still valid for one year, it will be valid for only 6 months after migration.

UTM Endpoint

Sophos has long since abandoned the further development of the UTM endpoint and instead created more than just an alternative with Sophos Central. With Sophos Central, your endpoints can communicate with your XG Firewall. Sophos calls this Synchronized Security. With the new SFOS, there is no longer an endpoint solution that can be managed through the firewall. So the future for endpoint protection clearly belongs to Sophos Central.

Important: Since SFOS no longer has an endpoint solution that can be managed through the firewall, your UTM endpoint licenses will expire after the migration. Make sure you have uninstalled all your UTM endpoint clients before migration, or at least disabled tamper protection everywhere.

Note: You can also rent licenses for Sophos Central from us on a monthly basis. Just take a look at our Sophos Central subscription.

UTM Support

Support plans have also changed for SFOS compared to the UTM operating system. At this point, you just need to know that your support package, whether Standard or Premium, will be converted to an “Enhanced Support” package upon migration. We will report more about the new support plans in a later post. In the meantime, you can read the official PDF from Sophos.

User/IP level for virtual appliances

Whereas with the UTM operating system for virtual devices it was necessary to license by user/IPs, with SFOS it is now dependent on the performance of the device. The following chart shows you where your previous license is ranked at SFOS.

The rest remains the same

The modules “Network Protection”, “Web Protection”, “Email Protection”, “Web Server Protection”, as well as the iPSec Client, remain the same and are adopted without special changes.

More information