Understanding the Sophos Firewall Base License
The Sophos Firewall Base License is the foundation of a Sophos Firewall. However, it only answers the basic question: is this firewall instance registered and assigned from a licensing perspective? That is not the same as a support licence, a security bundle or an individual protection subscription.
This distinction is important in operation. A firewall can have a visible Base License and still be limited for firmware updates, support, RMA, Sophos Central Firewall Management or certain security functions. This guide explains how to classify the Base License, where to check it and which points should not be missed before updates, renewals, HA planning or support cases.
Which licensing article fits?
Licensing questions often sound similar, but they lead to different decisions. This article is the right one when you need to classify a visible Base Firewall entry in the licence view and understand what it means for support, firmware, HA, Central and security subscriptions.
For related questions, other guides fit better: model selection and performance class belong in the Sophos Firewall Sizing Guide, bundle decisions in the article on Sophos Firewall bundles, isolated firewalls in the workflow for Air-Gap licensing and pattern updates, account changes in the article on Sophos Central transfer, and hardware questions in the classification of XG, XGS, EOL and migration.
This separation prevents the key false assumption: a visible Base License does not automatically prove active support, appropriate security subscriptions, a valid lifecycle or correct account ownership. For operations, renewals and support cases, serial number, account, support status, bundle, expiry dates and platform should always be checked together.
What the Base License is
The Base License identifies and authorizes the basic Sophos Firewall installation. Without appropriate license and serial number assignment, an appliance or virtual instance cannot be properly operated and managed as a productive Sophos Firewall system.
The distinction is important:
- Base License: Basis of the firewall installation and basic entitlement.
- Enhanced Support / Enhanced Plus Support: Support and update entitlement depending on the licence model.
- Security subscription: Protection modules such as Network, Web, Email, Zero-Day or other licensed functions.
- Serial number: Unique firewall identity for licence, support, RMA and account mapping.
The Base License should therefore not be understood as “everything is licensed”. Only part of the license question is answered.
The most important check path in SFOS is Administration > Licensing. There you can see registration, appliance model, serial number, Base Firewall, support status, bundles, individual subscriptions and expiry dates. On an online-connected firewall, SFOS normally synchronises licences automatically with Sophos Central. For an up-to-date view, you can run Synchronize there before drawing the wrong conclusions from an old display.
Quick Operational Classification
For day-to-day work, a simple classification helps. The Base License only answers whether the firewall is generally assigned as a Sophos Firewall instance. The real operational question then follows: is there the right entitlement for what you are trying to do?
If the firewall only needs to route, apply simple rules or provide VPN, the Base License is the starting point. As soon as firmware upgrades, vendor support, RMA, IPS, Web Protection, Zero-Day Protection, WAF, Central Firewall Management or longer reporting become important, the relevant support, bundle or security subscription must be checked separately.
For HA clusters, looking at a single licence line is also not enough. Roles, serial numbers, platform type, subscription synchronisation and support model together determine whether failover, RMA and central management will work cleanly in a serious case. For virtual and software-based firewalls, CPU core licensing, instance assignment and restore scenario are added.
This quick decision does not replace a licence check, but it prevents the most common mistake: seeing a valid Base License and assuming that support, protection modules, and update entitlement are also clear.
What is included in the Base License
In the official license view, Sophos assigns the Base License to the basic functions Stateful Firewall, VPN, Wireless, High Availability and Firewall RED. What is important in practice is what this means: The firewall can basically be operated as a router, firewall and VPN gateway, but without additional security subscriptions many protection and support functions are missing.
Typical functions of the Base License:
- Stateful Firewall: Firewall rules, zones, services, hosts, NAT and basic policy control. The rule can allow or block traffic. Protection modules such as IPS, Web Protection or Zero-Day Protection are not yet automatically licensed.
- Routing and networking: Interfaces, VLANs, static routes, SD-WAN routes, DHCP, DNS and basic network services. The firewall can work as a central network router. Traffic security inspection depends on additional modules.
- VPN: Site-to-Site IPsec, Remote Access IPsec and SSL VPN. VPN functionality is basically possible. MFA, portal access, Device Access and logging should still be planned separately.
- Firewall RED: This means RED functions of the firewall, especially Site-to-Site RED between Sophos firewalls. This is not the same as SD-RED Device Management or SD-RED tunnels to SD-RED devices.
- Wireless: Management of compatible Sophos access points through the firewall. This is not the same as the modern Sophos Central Wireless architecture. Many environments now use other WLAN systems.
- High Availability: HA operation of Sophos Firewall. Licensing and roles must be checked separately for HA clusters, especially for Active-Passive and subscription synchronisation.
- Local logs and reports: Local events, Log Viewer and simple reports. For longer retention, central search or reporting, Sophos Central Reporting, Syslog or SIEM may be required depending on the objective.
This means that the Base License is primarily the technical basis for operation. This turns an appliance or instance into a usable Sophos Firewall, but not a fully licensed protection package.
What is not included in the Base License
The question often arises as to whether you also receive firmware updates, support or all security functions with the Base License. That is exactly not the case.
- Firmware upgrades without support entitlement: Sophos allows three free firmware upgrades. After that, a valid support or bundle entitlement is required. The Base License alone is therefore not a reliable update strategy.
- Vendor support via Sophos case, chat or telephone: Support is tied to Enhanced Support, Enhanced Plus Support or a suitable bundle.
- SD-RED and Network Protection: SD-RED Device Management and SD-RED tunnels to SD-RED devices should not be planned as Base License functions. They require the appropriate Network Protection subscription.
- IPS / Network Protection: Intrusion Prevention, Sophos X-Ops Threat Feeds and Security Heartbeat also require Network Protection.
- Web Protection and Application Control: Web filtering, Application Control and web malware scanning are not pure Base License functions.
- Zero-Day Protection: Sandboxing, Machine Learning and Threat Intelligence require a corresponding licence.
- Email Protection: Anti-spam, antivirus, DLP, encryption and mail malware protection are licensed separately.
- Webserver Protection / WAF: Web Application Firewall is a separate protection function and is not part of the Base License.
- Sophos Central Firewall Management only with Base License: The pure Base Firewall licence is not sufficient for Central Firewall Management. This requires an active paid subscription outside the Base License or an active support contract.
- Longer central reporting: Central Firewall Reporting depends on licence, storage and retention period.
Firmware upgrades in particular are a common stumbling block: a firewall can display a valid Base License and still not have sufficient entitlement for further planned firmware upgrades. The background is described in the blog post Sophos Firewall updates will no longer be free in future.
Hardware appliance
With an XGS hardware appliance, the Base License is linked to the hardware or serial number. Hardware appliances generally have the Base Firewall as the device foundation. Practical usability nevertheless depends on lifecycle, support, bundle, expiry dates and account assignment.
The serial number is particularly important in operation because licence status, support, RMA, account assignment and documentation depend on it.
Check:
- Is the firewall registered in the correct Sophos account?
- Does the serial number match the order, license documents and device?
- Is there an active support or bundle license?
- Are the required security subscriptions active?
- Is it clear which firmware updates are still possible?
- Is the hardware itself still in the supported lifecycle?
The serial number can be found in SFOS directly in the dashboard. The procedure is in find the serial number of the Sophos Firewall.
Virtual and software-based firewalls
For virtual, software-based and cloud Sophos Firewall instances, licensing depends more strongly on the assigned instance and serial number. Unlike hardware, there is no physical appliance serial number on a device label. Licence and instance assignment must therefore be documented particularly carefully.
Important:
- Serial number and license file belong to the specific instance.
- Account assignment must be correct before productive operation.
- CPU core licensing, Base Firewall and support must be checked separately.
- Backups do not replace clean license and serial number documentation.
- When reinstalling, Restore or migrating, it must be clear which instance uses which license.
Since 2025, CPU-Core licensing has been particularly relevant for virtual and software-based Sophos Firewall instances; RAM is no longer the previous license limit. The details are listed in the article Sophos Firewall VM & SW - Only CPU counts - No more RAM limit. For the basic platform decision, Sophos Firewall: hardware, virtual or cloud? fits.
For HA, the distinction matters: with Active-Passive HA, only the primary instance needs the Base Firewall and the other licences for virtual and software-based firewalls. With Active-Active HA, both devices or instances need their own appropriate licences. With hardware HA, additional RMA and support details apply that cannot be derived from the Base License alone. For Sophos Central Firewall Management, simple licence synchronisation is also not enough; the firewalls must be registered for Firewall Management and have an appropriate paid subscription or support licence.
What you shouldn’t derive from the Base License
The Base License does not automatically say that all desired functions can be used productively, are supported or are entitled to updates. Many misunderstandings arise because several things are displayed next to each other in the license view.
Do not derive from the Base License:
- that firmware updates are possible permanently without support,
- that all protection modules are active,
- that Web Protection, Mail Protection, Zero-Day Protection or other security modules are licensed,
- that support or RMA is covered,
- that the firewall is in the correct account,
- that HA licensing and Subscription synchronization are correct.
Important for firmware updates: Sophos already introduced a support requirement for future firmware upgrades with SFOS v19 MR1. Customers without support have three free firmware upgrades, after which a valid Support Subscription is required. Avanet has classified this change in Sophos Firewall Updates will no longer be free in the future.
Additionally, the 2025 change is relevant, with Sophos placing greater restrictions on firewalls without a valid support license. The overview can be found in Sophos Firewall: Important change for customers without a support license.
Check Licence Status Cleanly
In the local WebAdmin Console, you can check the licence status under Administration > Licensing. There you can see, among other things, serial number, registered licences, terms and notes about expired or missing subscriptions. The point is not just whether Base Firewall appears somewhere. What matters is whether the displayed licences fit the planned operation.
Check:
- Log in to the Sophos Firewall.
- Open Administration > Licensing.
- Document serial number and model.
- Check Base Firewall / Base License.
- Check support and security subscriptions.
- Classify status values such as
Subscribed,Evaluating,Not subscribedorExpired. - Document expiry dates and warnings.
- If necessary, run Synchronize to retrieve the current status from Sophos Central.
- If necessary, activate a licence key or subscription.
The practical process for activating a license key can be found in Sophos Firewall Activate license key.
Document license and support status
For license, support and Renewal questions, a screenshot of the Base License is rarely sufficient. A small license data set should be maintained per firewall for operations, support cases, RMA, Restore or account transfer.
- Serial number: Links licence, device, support, RMA and account mapping.
- Model and platform: Distinguishes XGS hardware, virtual firewall, software appliance or cloud deployment.
- Sophos Account / Central Tenant: Prevents incorrect licence activation or account transfer issues.
- Base License Status: Shows whether the firewall is basically assigned correctly.
- Support / Bundle: Decides update, support and renewal questions.
- Security subscriptions: Shows which protection modules can really be used.
- Expiry dates: Important for renewal, budget and planned firmware upgrades.
- Backup and Secure Storage Master Key: Important for restore, migration and support cases.
This documentation should not only be created in the event of an error. When a firewall is transferred to another account, Sophos Firewall transferred to other Sophos Central account matches. If a Restore, hardware replacement or Reimage is in question, the article Sophos Firewall Create or restore backup should also be checked.
Base License expiry date

In the license view, the Base Firewall may appear with an expiration date very far in the future. This should not be confused with unlimited support or unlimited ability to update.
Practically this means:
- The Base License can remain visible in the long term as the basis of the firewall.
- Hardware, platform and firmware still have their own lifecycle limits.
- Further firmware upgrades may require valid support entitlement.
- Security functions depend on active Subscriptions.
- Support, RMA and Renewal must be checked separately.
For cloud, virtual and software-based firewalls, Sophos states that the Base Firewall does not expire like a normal protection subscription. For hardware appliances, by contrast, the Base Firewall status is linked to the hardware lifecycle. Therefore, a far-away expiry date should never be assessed in isolation: model, EOL status, SFOS version, support and security subscriptions always belong in the same check.
When the Base Firewall Really Expires
An expired Base Firewall status is not a cosmetic licence warning. The configuration remains visible and can partly still be edited, but enforcement changes massively.
Sophos describes the following behaviour for an expired Base Firewall, among other things: firewall rules are no longer processed, certain LAN/DMZ-to-WAN or internal traffic directions are allowed as with a simple router, other traffic remains blocked, VPN tunnels can stay up but no longer transport user traffic, and NAT rules, site-to-site RED tunnels, Remote Access Points and Wireless Networks no longer work as intended. That is exactly why a Base Firewall warning should not only be looked at during the next renewal discussion.
The distinction is important: an expired security module is not the same as an expired Base Firewall. If Web Protection, Zero-Day Protection or Webserver Protection expires, for example, the firewall does not automatically lose every basic function, but the affected protection or enforcement function disappears or works only in a limited way. Troubleshooting therefore always starts with the question of which licence has really expired.
For admins, this means in practice:
- Check licence status under Administration > Licensing.
- Check serial number, Sophos Central account and account assignment.
- Check whether this is a normal online sync issue, an air-gap topic, an HA problem or a real licence expiry.
- For production systems, start the support, renewal or partner process immediately.
If a firewall is operated in isolation, the normal 24-hour sync is not the right yardstick. In that case, the air-gap process with licence file, manual upload and pattern routine belongs to operational responsibility.
What should be checked before updates and renewals
Before firmware updates, Renewal discussions or migrations, you should not just look at the license status superficially. A short audit is better.
First, document serial number, model, platform, Sophos account and Base License. Then check support or bundle licence, required security subscriptions, expiry dates and warnings. For HA clusters, both nodes, roles and licence synchronisation are part of the check; for virtual firewalls, CPU cores, instance assignment and restore scenario are added.
Before a firmware upgrade, do not trust that a visible Base Firewall entry is enough. A useful combination is a current backup, checked support status, known target version, maintenance window and a short fallback plan. Free firmware upgrades without support are at most a transitional situation, but not a clean operational strategy.
For larger updates, Sophos Firewall before SFOS 22 check upgrade also helps. For HA environments, Sophos Firewall High Availability (HA) setup is relevant because licensing and roles in the cluster must be clearly documented.
Common mistakes
Confusing Base License with support
A visible Base License does not automatically mean support and firmware upgrades are covered. The support status must be checked separately.
Not checking security modules
If a feature doesn’t work or isn’t configurable, you shouldn’t just look at the Base License. What is crucial is whether the appropriate Subscription is active and whether the function has also been configured.
Using the wrong serial number
With multiple firewalls, HA clusters, virtual instances or account transfers, confusion quickly arises. Serial number, account and license documents must match.
Documenting virtual firewalls incompletely
For virtual firewalls, you should document the license, serial number, instance name, hypervisor, CPU cores, backup and responsible account together. Otherwise a Restore or support case will become unnecessarily difficult.