Avanet

Operating Sophos Firewall Air-Gap Licensing and Pattern Updates

A Sophos Firewall can be operated in highly isolated environments without direct internet access. This is not a normal offline mode but a deliberately planned air-gap operation with its own licensing logic, manual synchronization, and a separate update process for patterns.

The most important point: Air Gap is not a way to simply operate a firewall “without the internet” on the side. It needs prior approval, a claimed hardware firewall, a defined update process, and regular checks of license and pattern status. Otherwise the firewall keeps running, but its protection functions fall out of date or subscriptions are deactivated.

For general licensing logic, first see Understanding Sophos Firewall Base License. This article focuses on the special case of Air Gap.

When Air Gap is Sensible

Air Gap is only suitable for environments where the firewall is deliberately operated separated from the internet. Typical examples are highly regulated networks, research environments, defense environments, production segments, or other zones where direct cloud or update connections are not allowed.

Before deciding, three questions should be separated:

Question | Why important?
--- | ---
Is the firewall really not allowed to have internet access? | If controlled internet access is possible, normal license and pattern sync is usually easier and safer.
Who will take over the manual update process? | Air Gap creates operational effort. License files and patterns must be consciously maintained.
Which functions are lost or weakened? | Some functions require online services, reputation, Sophos Central, or external resolution.

Air Gap does not automatically increase security. It reduces a certain connection surface but shifts responsibility to processes: download, verification, transfer, upload, documentation, and monitoring.

Prerequisites

Before installation, these points should be clarified:

  • The firewall must be claimed as an air-gap firewall in Sophos Central.
  • Air-gap usage must be approved by the Sophos Account Manager.
  • According to Sophos, Air Gap is intended for hardware firewalls.
  • The environment must not simply be temporarily offline but must be planned as an isolated environment.
  • The firewall must not be operated with MSP Flex licensing in an unsuitable model.
  • Admin access to CLI and WebAdmin is required.
  • A secure way to transfer license and pattern files into the isolated environment is needed.

Before implementation, document the serial number, model, Sophos Central account, license status, and responsible person. For serial numbers and license basics, see Activate Sophos Firewall License Key and Find Sophos Firewall Serial Number.

Overview of the Process

The air-gap process consists of several separate steps. If one of them is missing, the firewall is not properly in air-gap operation.

Step | Location | Result
--- | --- | ---
Claim firewall | Sophos Central | Firewall is assigned to the correct account
Clarify air-gap approval | Sophos Account Manager | Air-gap authorization is present
Download air-gap license | Sophos Central | License file is available
Activate Air Gap on the firewall | CLI Device Console | Manual license synchronization becomes visible
Upload license file | Administration > Licensing | License status is updated locally
Apply pattern updates | Backup & firmware > Pattern updates | Protection patterns are updated
Monitor process and logs | WebAdmin, Alerts, licensing.log | Deactivation or outdated patterns are detected early

The order is important. A license file alone is not enough if Air Gap has not been activated on the firewall. Conversely, the CLI command is useless if there is no valid air-gap license file from the correct account.

Download Air-Gap License

The license file is downloaded in Sophos Central. The typical path is:

Sophos Central > Profile Menu > Licensing > Firewall licenses > Download airgap license

After download, the license file should be handled carefully and not left in private download folders, messengers, or uncontrolled clipboards. A brief internal record is sensible:

  • Download date
  • Sophos Central account
  • Affected firewall or firewall group
  • Serial numbers
  • Responsible person
  • Planned upload time

Sophos specifies that a downloaded air-gap license must be applied within 30 days. If the file is used too late, a new file should be downloaded.

Activate Air Gap on the Firewall

To make manual license synchronization visible in WebAdmin, Air Gap must be activated on the firewall via CLI.

Procedure:

  1. Log in to the firewall console or via SSH.
  2. In the Sophos console, select 4 for Device Console.
  3. Execute the command:
     system airgap enable

Afterwards, the Manual license synchronization section should be visible under Administration > Licensing.

This step should be documented. In productive environments, it belongs in the same change as the license file upload, so it is clear later when Air Gap was activated and which license file it corresponds to.

Upload Air-Gap License

After activation, the license file is applied in WebAdmin.

Procedure:

  1. Log in to the WebAdmin Console.
  2. Open Administration > Licensing.
  3. In the Manual license synchronization section, select Choose file.
  4. Select the air-gap license file.
  5. Apply with Update license.
  6. Check license status and expiration dates.

After the upload, check whether the expected subscriptions are active. A successful license synchronization does not replace a functionality check. If Web Protection, IPS, Zero-Day Protection, or other modules are used, policy, pattern status, logging, and tests must be correct separately.

HA Cluster: Consider Initial Primary

In Active-Passive HA, air-gap licensing is particularly delicate. The license file should only be applied to the Initial Primary. This device must also be the current Primary during the upload.

If the license is uploaded to the wrong node, license differences or unexpected HA behavior can occur. Therefore, it is sensible for operation:

  1. Check System services > High availability before the upload.
  2. Document Initial Primary and current role.
  3. Set Initial Primary as Preferred primary device.
  4. Apply the license file on the correct Primary.
  5. Then check HA status and license status.

For HA basics and role logic, see Set Up Sophos Firewall High Availability. In Air Gap, this preparation is not optional, because the wrong node can later cause hard-to-diagnose license or failover symptoms.

Manually Apply Pattern Updates

Without automatic online updates, patterns must be consciously maintained. This affects signatures, engines, clients, and other update components. In air-gap environments, a pattern file is downloaded and uploaded in WebAdmin.

For SFOS 22.0 and newer, Sophos refers to the air-gap pattern file:

https://airgap.u2d.sophos.com/sfos_pattern_updates_v2.tar

Procedure:

  1. Download the pattern file on a designated system.
  2. Transfer the file into the isolated environment via the approved transfer method.
  3. Log in to the firewall.
  4. Open Backup & firmware > Pattern updates > Manual pattern update.
  5. Select Choose file.
  6. Upload the pattern file.
  7. Confirm the upload and check the update status.

In HA environments, patterns are applied on the Primary and then synchronized to the Auxiliary. Therefore, the HA status should be checked first here as well.

Check Pattern Status

An air-gap operation is only as good as the routine behind it. New patterns are regularly available. If the firewall is not updated for a long time, the value of IPS, Antivirus, Application Signatures, and other protection functions decreases.

Practical control:

Control | Location or expected value
--- | ---
Current pattern versions | Backup & firmware > Pattern updates
Last successful update | Backup & firmware > Pattern updates
Update status | Ready to install, Downloading, Success, or Failed
License status | Administration > Licensing
License and deactivation notices | licensing.log

For a general operational check, additionally see Proper Use of Sophos Firewall Health Check. There, Air Gap should not be understood as an exception to update hygiene but as a special process for the same duty: keeping protection functions current.

License Expiration and Incommunicado Window

With normal license synchronization, 90 days without a successful sync are critical. For air-gap licenses, a longer window of 180 days applies. After that, security subscriptions are deactivated; Base Firewall and Enhanced Support remain active.

For operation, this means:

  • By day 160 at the latest, a new air-gap license file should be prepared.
  • Once warning messages appear, the upload must be scheduled at the latest.
  • After 180 days without a new air-gap license, protection subscriptions are at risk of deactivation.
  • Traffic continues to flow, but without the affected protection functions.
  • The status should be monitored via WebAdmin, Alerts, and licensing.log.

licensing.log is particularly important for license problems. An overview of relevant firewall logs is available in Sophos Firewall Troubleshooting: Services and Logs.

What is Restricted in Air-Gap Environments

Air Gap means that online services do not function as they would in a normally connected firewall. Some functions are not supported at all, while others lose part of their effectiveness.

Typical limitations:

Area | Restriction
--- | ---
Sophos Central Management | Central management and Synchronized Security are not usable as in online environments
Dynamic DNS | Requires an internet connection
External NTP | Not reachable; time synchronization only works with a reachable internal time server
FQDN | Only sensible with internal DNS resolution
RED Online Provisioning | Requires online provisioning
Web and URL Categorization | Without online services, only limited with locally available categories and signatures
Zero-Day Protection | Requires a cloud connection and does not fit classic Air Gap
Support Access | Remote support access is not available in isolated networks

This point is often underestimated in projects. An air-gap firewall cannot deliver the same cloud-supported protection effect as a normally connected firewall. Therefore, it should be decided before the design which protection functions are absolutely necessary and how the missing online functions will be compensated: internal DNS and NTP servers, manual pattern routine, Syslog, local documentation, and a clear support process.

Establish Operational Routine

Air Gap requires a fixed routine. Otherwise, license and pattern updates only become noticeable when a warning appears or a protection module is no longer current.

Sensible routine:

Interval | Task
--- | ---
Weekly or according to internal risk | Check, download, and apply pattern file
Monthly | Document pattern status, license status, HA status, and alerts
By day 160 at the latest | Prepare new air-gap license file from Sophos Central
After each upload | Check license status, pattern status, relevant protection modules, and HA sync
During each firmware window | Plan air-gap process, backup, pattern, and rollback together
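As an added example (not from this article and not a Sophos tool), the following Python sketch turns the windows described in this article into a per-firewall deadline check: the 30-day limit for applying a downloaded license file, the day-160 preparation point inside the 180-day incommunicado window, and a weekly pattern routine. The AirGapRecord structure and all dates are assumptions; the article defines no record format, and the sample dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Windows stated in this article, in days.
LICENSE_FILE_APPLY_DAYS = 30  # a downloaded air-gap license must be applied within 30 days
LICENSE_PREPARE_DAY = 160     # prepare a new license file by day 160 at the latest
LICENSE_WINDOW_DAYS = 180     # security subscriptions are deactivated after 180 days
PATTERN_INTERVAL_DAYS = 7     # weekly pattern routine; adjust to the internal risk assessment


@dataclass
class AirGapRecord:
    """Dates an operator keeps per firewall in the change log (hypothetical record, not a Sophos format)."""
    last_license_sync: date                   # last successful upload under Administration > Licensing
    last_pattern_update: date                 # last successful manual pattern update
    pending_download: Optional[date] = None   # license file downloaded but not yet uploaded


def license_window_status(rec: AirGapRecord, today: date) -> str:
    """Position inside the 180-day air-gap incommunicado window."""
    elapsed = (today - rec.last_license_sync).days
    if elapsed > LICENSE_WINDOW_DAYS:
        return "deactivated: security subscriptions off, upload a new air-gap license"
    if elapsed >= LICENSE_PREPARE_DAY:
        return f"prepare: new license file due, {LICENSE_WINDOW_DAYS - elapsed} days left"
    return f"ok: {LICENSE_WINDOW_DAYS - elapsed} days left"


def pending_file_status(rec: AirGapRecord, today: date) -> str:
    """A downloaded license file is only usable for 30 days; afterwards download again."""
    if rec.pending_download is None:
        return "no pending file"
    deadline = rec.pending_download + timedelta(days=LICENSE_FILE_APPLY_DAYS)
    if today > deadline:
        return "expired: download a new file from Sophos Central"
    return f"usable until {deadline.isoformat()}"


def pattern_status(rec: AirGapRecord, today: date) -> str:
    """Flags a missed pattern run before protection modules silently go stale."""
    overdue = (today - rec.last_pattern_update).days - PATTERN_INTERVAL_DAYS
    return "ok" if overdue <= 0 else f"overdue by {overdue} days"


def air_gap_report(rec: AirGapRecord, today: date) -> dict:
    """One status line per check, e.g. for the monthly documentation run."""
    return {
        "license_window": license_window_status(rec, today),
        "pending_file": pending_file_status(rec, today),
        "patterns": pattern_status(rec, today),
    }
```

Feed it the dates from the change log on each monthly documentation run; a "prepare" or "overdue" line is the cue to start the download, transfer, and change approval well before the last day.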

Firmware updates remain a separate process. For execution, see Perform Sophos Firewall Firmware Update; for backup and recovery, see Create or Restore Sophos Firewall Backup.

Common Mistakes

Clarifying Air Gap Only After Installation

Air Gap should be clarified before procurement and installation. If the firewall is already productively isolated but no suitable air-gap approval or license file is available, unnecessary pressure arises.

Treating Pattern Updates as Optional

Pattern updates are not less important in air-gap environments but operationally more demanding. Without routine, protection functions quietly become outdated.

Ignoring HA Role Before License Upload

In Active-Passive HA, the Initial Primary must be the correct current Primary. Otherwise, the license status can become unclear after failover or upload.

Assuming Cloud Functions

Zero-Day Protection, Sophos Central Management, Online Reputation, RED Online Provisioning, or Support Access should not be silently assumed in air-gap designs.

Handling License Warnings Too Late

Air-gap licenses have a 180-day window, but the process should not start on the last day. Download, transfer, change approval, and upload take time.

Checklist

  • Air-gap approval clarified with Sophos.
  • Firewall claimed in the correct Sophos Central account.
  • Serial number, model, and license status documented.
  • Secure file transfer into the isolated environment defined.
  • system airgap enable executed and documented.
  • Air-gap license uploaded under Administration > Licensing.
  • For HA: Initial Primary, current Primary, and Preferred Primary checked.
  • Pattern file downloaded and applied under Backup & firmware > Pattern updates.
  • License status, pattern status, and licensing.log checked.
  • Operational routine for pattern, license file, HA status, and firmware window established.

FAQ

What is Sophos Firewall Air Gap?

Air Gap is an operational model for isolated Sophos firewall environments without direct internet access. Licensing and pattern updates are maintained manually or through a separate air-gap process.

How do you activate Air Gap on the Sophos Firewall?

Air Gap is activated in the Device Console with system airgap enable. Afterwards, the section for manual license synchronization appears under Administration > Licensing.

How long is an air-gap license valid?

For air-gap licenses, a 180-day window applies without new synchronization. After that, security subscriptions are deactivated, while Base Firewall and Enhanced Support remain active.

Do patterns need to be manually updated in air-gap environments?

Yes, if no automated air-gap update solution is set up. For SFOS 22.0 and newer, the pattern file is downloaded and uploaded under Backup & firmware > Pattern updates > Manual pattern update.

What is important for Air Gap and HA?

In Active-Passive HA, the air-gap license should be applied on the Initial Primary while this device is also the current Primary. The Initial Primary should be set as the Preferred Primary.

Do all Sophos Firewall functions work in air-gap operation?

No. Functions that depend on cloud services, online reputation, Sophos Central, or remote support are unavailable or only partially usable. This must be checked before the design.