Understanding the Sophos Firewall Base License
The Sophos Firewall Base License is the basis of a Sophos Firewall. However, it is not the same as a support license, a security bundle, or an individual protection subscription. This distinction matters in operation: a firewall can have a Base License and still be limited in terms of firmware updates, support, RMA or certain security functions.
This guide explains how to classify the Base License, how hardware and virtual firewalls differ, and which points should be checked before updates, renewals or support cases.
Which licensing article fits?
Licensing issues often seem similar, but involve different decisions. It is therefore important for Sophos Firewall admins to choose the right topic first:
| Situation | Better starting point |
|---|---|
| Distinguish Base License, support and subscriptions | This article |
| Select the appropriate firewall model or performance class | Sophos Firewall Sizing Guide: Select the model correctly |
| Compare Standard Protection, Xstream Protection or other bundles | Which Sophos Firewall bundles are there? |
| Plan licensing without direct Internet access | Sophos Firewall Air-Gap licensing and operating pattern updates |
| Find serial number for license, support or RMA | Find serial number of Sophos Firewall |
| Transfer firewall to another Sophos Central account | Transfer Sophos Firewall to other Sophos Central account |
| Classify XG, SG or XGS in the lifecycle | Sophos XG vs. XGS: Differences, EOL and Migration |
| Check hardware warranty, support and RMA | Classify Sophos Hardware Warranty, Support and RMA |
| Prepare support case with license and device data | Open a Sophos support ticket: preparation and portal |
| Connect firewall with Sophos Central or assign central functions | Connect Sophos Firewall to Sophos Central |
This separation prevents typical false assumptions. A visible Base License does not automatically prove active support, appropriate security subscriptions, a valid lifecycle or correct account ownership. For operations, renewal and support cases, the serial number, account, support status, bundle, expiry dates and platform should always be checked together.
If a firewall is deliberately operated without direct Internet access, normal license synchronization is not the right approach. Such a firewall needs an air-gap process with release, license file, manual upload and a pattern update routine. The process is described in Sophos Firewall Air-Gap licensing and operating pattern updates.
What the Base License is
The Base License identifies and authorizes the basic Sophos Firewall installation. Without appropriate license and serial number assignment, an appliance or virtual instance cannot be properly operated and managed as a productive Sophos Firewall system.
The distinction is important:
| Term | Operational meaning |
|---|---|
| Base License | Base entitlement for the firewall installation |
| Enhanced Support / Enhanced Plus Support | Support and update authorization depending on the license model |
| Security subscription | Protection modules such as network, web, email, zero-day or other licensed functions |
| Serial number | Unique firewall identity for license, support, RMA and account mapping |
The Base License should therefore not be understood as “everything is licensed”. It answers only part of the licensing question.
What is included in the Base License
In the official license view, Sophos lists Stateful Firewall, VPN, Wireless, High Availability and Firewall RED as the basic functions of the Base License. What matters in practice is what this means: the firewall can be operated as a router, firewall and VPN gateway, but without additional security subscriptions many protection and support functions are missing.
Typical functions of the Base License:
| Area | What is basically possible with this | Important classification |
|---|---|---|
| Stateful Firewall | Firewall rules, zones, services, hosts, NAT and basic policy controls | Rules can allow or block traffic. Protection modules such as IPS, Web Protection or Zero-Day Protection are not automatically licensed. |
| Routing and Networking | Interfaces, VLANs, static routes, SD-WAN routes, DHCP, DNS and basic network services | The firewall can work as a central network router. Security inspection of the traffic depends on additional modules. |
| VPN | Site-to-Site IPsec, Remote Access IPsec and SSL VPN | VPN functionality is basically possible. MFA, portal access, Device Access and logging should still be planned separately. |
| Wireless | Manage compatible Sophos access points via the firewall | This is not the same as modern Sophos Central wireless architecture. Many environments today use other WLAN systems. |
| High Availability | HA operation of the Sophos Firewall | Licensing and roles must be carefully checked separately for HA clusters, especially for active-passive and Subscription synchronization. |
| Firewall RED | RED connections via the firewall | SD-RED device management and other protection functions may depend on additional licenses. |
| Local logs and reports | Local events, Log Viewer and simple reports | For longer storage, central search or reporting, depending on the target, Sophos Central reporting, syslog or SIEM is required. |
This means that the Base License is primarily the technical basis for operation. It turns an appliance or instance into a usable Sophos Firewall, but not into a fully licensed protection package.
What is not included in the Base License
The question often arises as to whether the Base License also includes firmware updates, support or all security functions. It does not.
| Not included | Why it matters |
|---|---|
| Firmware updates without support authorization | Firmware upgrades require valid support or bundle authorization. The Base License alone is not sufficient for this. |
| Manufacturer support via Sophos Case, chat or telephone | Support is tied to Enhanced Support, Enhanced Plus Support or an appropriate bundle. |
| IPS / Network Protection | Intrusion Prevention, Sophos X-Ops Threat Feeds, Security Heartbeat and other network protection functions require the appropriate Subscription. |
| Web Protection and Application Control | Web filtering, Application Control and web malware checking are not a pure base license feature. |
| Zero-Day Protection | Sandboxing, machine learning and threat intelligence require an appropriate license. |
| Email Protection | Anti-spam, antivirus, DLP, encryption and mail malware protection are licensed separately. |
| Webserver Protection / WAF | Web Application Firewall is a separate protection function and is not part of the Base License. |
| Sophos Central firewall management with only the Base License | The Base License alone is not sufficient for certain central management functions. These require a paid subscription or support license. |
| Longer central reporting | Central Firewall Reporting depends on license, storage and retention period. |
Firmware updates in particular are a common stumbling block: A firewall can display a valid Base License and still not have sufficient authorization for future firmware upgrades. The background is described in the blog post Sophos Firewall Updates will no longer be free in the future.
Hardware appliance
With an XGS hardware appliance, the Base License is linked to the hardware or serial number. The serial number is particularly important in operations because license status, support, RMA, account assignment and documentation depend on it.
Check:
- Is the firewall registered in the correct Sophos account?
- Does the serial number match the order, license documents and device?
- Is there an active support or bundle license?
- Are the required security subscriptions active?
- Is it clear which firmware updates are still possible?
The serial number can be found in SFOS directly in the dashboard. The procedure is described in Find serial number of Sophos Firewall.
Virtual and software-based firewalls
For virtual and software-based Sophos Firewall instances, licensing is more dependent on the assigned instance and serial number. Unlike hardware, there is no physical appliance serial number on a device label. The license and instance assignment must therefore be documented particularly clearly.
Important:
- Serial number and license file belong to the specific instance.
- Account assignment must be correct before productive operation.
- CPU-Core licensing and support must be checked separately.
- Backups do not replace clean license and serial number documentation.
- When reinstalling, restoring or migrating, it must be clear which instance uses which license.
Since 2025, CPU-Core licensing has been particularly relevant for virtual and software-based Sophos Firewall instances; RAM is no longer the license limit it used to be. The details are listed in the article Sophos Firewall VM & SW - Only CPU counts - No more RAM limit. For the basic platform decision, see Sophos Firewall: hardware, virtual or cloud?
What you shouldn’t derive from the Base License
The Base License does not automatically say that all desired functions can be used productively, are supported or are entitled to updates. Many misunderstandings arise because several things are displayed next to each other in the license view.
Do not derive from the Base License:
- that firmware updates are possible permanently without support,
- that all protection modules are active,
- that Web Protection, Mail Protection, Zero-Day Protection or other security modules are licensed,
- that support or RMA is covered,
- that the firewall is in the correct account,
- that HA licensing and subscription synchronization are correct.
Important for firmware updates: Sophos already introduced a support requirement for future firmware upgrades with SFOS v19 MR1. Non-support customers had a limited number of additional upgrades, after which a valid support subscription is required. Avanet has covered this change in Sophos Firewall Updates will no longer be free in the future.
Also relevant is the 2025 change, in which Sophos places greater restrictions on firewalls without a valid support license. The overview can be found in Sophos Firewall: Important change for customers without a support license.
Check license status in SFOS
In the local WebAdmin Console you can check the license status in the product or license area of the firewall. There you can see, among other things, serial numbers, registered licenses, license terms and information about expired or missing subscriptions.
Check:
- Open the user or product menu at the top right.
- Open About product or the product/license area.
- Document serial number and model.
- Check Base Firewall / Base License.
- Check support and security subscriptions.
- Document expiration dates and warnings.
- If necessary, activate the license key or subscription.
The practical process for activating a license key can be found in Sophos Firewall Activate license key.
Document license and support status
For license, support and renewal questions, a screenshot of the Base License is rarely sufficient. A small license data set should be maintained per firewall for operations, support cases, RMA, restore or account transfer.
| Field | Why it matters |
|---|---|
| Serial number | Links license, device, support, RMA and account mapping |
| Model and platform | Distinguishes XGS hardware, virtual firewall, software appliance or cloud deployment |
| Sophos Account / Central Tenant | Prevents incorrect license activation or account transfer issues |
| Base License Status | Shows whether the firewall is basically assigned correctly |
| Support/Bundle | Decides update, support and renewal questions |
| Security subscriptions | Shows which protection modules can really be used |
| Expiry dates | Important for renewal, budget and planned firmware upgrades |
| Backup and Secure Storage Master Key | Important for restore, migration and support cases |
This documentation should not be created only when an error occurs. When a firewall is transferred to another account, the article Transfer Sophos Firewall to other Sophos Central account applies. If a restore, hardware replacement or reimage is being considered, the article Sophos Firewall Create or restore backup should also be checked.
Base License expiry date

In the license view, the Base Firewall may appear with an expiration date very far in the future. This should not be confused with unlimited support or unlimited ability to update.
Practically this means:
- The Base License can remain visible in the long term as the basis of the firewall.
- Hardware, platform and firmware still have their own lifecycle limits.
- Firmware upgrades may require valid support authorization.
- Security functions depend on active subscriptions.
- Support, RMA and renewal must be checked separately.
What should be checked before updates and renewals
Before firmware updates, renewal discussions or migrations, a superficial look at the license status is not enough. A short audit is better.
Checklist:
- Serial number documented.
- Firewall registered in the correct Sophos account.
- Base License visible.
- Support license or bundle license active.
- Required security subscriptions active.
- Expiry dates documented.
- HA cluster: both nodes and license synchronization checked.
- Virtual firewall: CPU cores and license allocation checked.
- Backup available before license, update or migration work.
- Planned firmware upgrade checked against support status.
For larger updates, the article Sophos Firewall before SFOS 22 check upgrade also helps. For HA environments, Sophos Firewall High Availability (HA) setup is relevant because licensing and roles in the cluster must be clearly documented.
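The checklist above can be run against the per-firewall license data set as a small audit script. This is an added example, not Sophos or Avanet code: it uses no Sophos API, the records are filled in by hand from the license view, and all field names, serials and the account name are assumptions or constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
@dataclass
class LicenseRecord:  # one row of the license data set; field names are assumptions
    serial: str
    platform: str                       # "hardware" or "virtual"
    account: str
    base_license: bool
    support_expiry: Optional[date]      # None = no support or bundle license
    subscriptions: dict = field(default_factory=dict)   # module name -> expiry date
    last_backup: Optional[date] = None
    ha_peer: Optional[str] = None       # serial number of the second HA node
    cores_licensed: int = 0             # virtual/software instances only
    cores_assigned: int = 0

def audit(rec, inventory, expected_account, required, planned_upgrade, today):
    """Run the pre-update checklist for one firewall; an empty list means no findings."""
    active = lambda expiry: expiry is not None and expiry >= today
    supported = active(rec.support_expiry)
    checks = [
        (not rec.serial, "SERIAL: serial number not documented"),
        (rec.account != expected_account, "ACCOUNT: not registered in the expected account"),
        (not rec.base_license, "BASE: Base License not visible"),
        # Support is checked independently: a visible Base License does not imply it.
        (not supported, "SUPPORT: no active support or bundle license"),
        (supported and rec.support_expiry < planned_upgrade,
         "UPGRADE: support expires before the planned firmware upgrade"),
        (rec.ha_peer is not None and rec.ha_peer not in inventory,
         "HA: second node not documented in the inventory"),
        (rec.platform == "virtual" and rec.cores_assigned > rec.cores_licensed,
         "CORES: more CPU cores assigned than licensed"),
        (rec.last_backup is None, "BACKUP: no backup recorded"),
    ]
    checks += [(not active(rec.subscriptions.get(m)), f"SUBSCRIPTION: {m} missing or expired")
               for m in required]
    return [message for failed, message in checks if failed]

# Constructed sample inventory: placeholder serials and account, not real devices.
INVENTORY = {
    "SERIAL-A": LicenseRecord("SERIAL-A", "hardware", "tenant-prod", True, None,
                              {"Network Protection": date(2025, 1, 31)}, date(2025, 5, 20)),
    "SERIAL-B": LicenseRecord("SERIAL-B", "virtual", "tenant-prod", True, date(2026, 3, 1),
                              {"Network Protection": date(2026, 3, 1)}, date(2025, 5, 28),
                              cores_licensed=4, cores_assigned=4),
}
def run_sample(today=date(2025, 6, 1)):
    return {serial: audit(rec, INVENTORY, "tenant-prod", ["Network Protection"],
                          date(2025, 9, 1), today) for serial, rec in INVENTORY.items()}
```

In the sample, SERIAL-A has a visible Base License but still produces findings for support and an expired subscription, which is the case the checklist is meant to catch.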
Common mistakes
Confusing Base License with support
A visible Base License does not automatically mean support and firmware upgrades are covered. The support status must be checked separately.
Not checking security modules
If a feature doesn’t work or isn’t configurable, you shouldn’t just look at the Base License. What is crucial is whether the appropriate subscription is active and whether the function has also been configured.
Using the wrong serial number
With multiple firewalls, HA clusters, virtual instances or account transfers, confusion quickly arises. Serial number, account and license documents must match.
Documenting virtual firewalls incompletely
For virtual firewalls, you should document the license, serial number, instance name, hypervisor, CPU cores, backup and responsible account together. Otherwise a restore or support case will become unnecessarily difficult.