Firewall license expiration
When a firewall license expires, your firewall configuration remains unchanged. You can configure new settings and edit existing ones, but they can't be enforced without a valid license.
Base Firewall
Note
Make sure you apply a Base Firewall license. Without it, subscriptions won't be effective.
The Base Firewall license doesn't expire for hardware appliances. It expires for cloud, virtual, and software appliances.
The following behavior applies when the Base Firewall license expires:
- Firewall rules aren't processed, whether you've configured them to allow or block traffic. The firewall acts as a router and masquerades all outbound traffic. The following traffic is allowed, even if there's a firewall rule to drop it:
    - From the LAN zone to the WAN zone
    - From the DMZ zone to the WAN zone
    - From the LAN zone to the LAN zone
    - From the LAN zone to the DMZ zone
    - From the DMZ zone to the DMZ zone
    - From the DMZ zone to the LAN zone

    No other traffic can pass through the firewall.
- IPsec VPN tunnels, such as RA, PBVPN, RBVPN, and SSLVPN RA tunnels, remain established, but data traffic doesn't pass through them. You can also create new tunnels.
- Local Wi-Fi continues to broadcast SSIDs, and Wi-Fi clients remain connected.
- The firewall continues to send traffic from ports 80, 443, and 3128 to the proxy or DPI engine, depending on your configuration.
- You'll continue to receive software updates that include feature and maintenance releases and pattern updates. Pattern updates are available only on the supported software releases. See Sophos Firewall Software.
- NAT rules, site-to-site RED tunnels, remote access points, and wireless networks stop working.
Network Protection
The following behavior applies when the Network Protection license expires:
- IPS signatures aren't loaded, and IPS policies aren't applied.
- The Sophos X-Ops behavior is as follows:
    - The firewall doesn't block bad IP addresses, domains, or URLs added through the Sophos X-Ops threat feed. The firewall continues to poll the latest threat feeds from Sophos X-Ops.
    - DNS doesn't send NXDOMAIN for Indicators of Compromise (IOCs) for bad IP addresses or domains to the endpoint computer.
- SD-RED tunnels are disconnected and show as offline.
- Site-to-site RED tunnels remain established, and the firewall continues to perform SSL/TLS inspection in DPI mode.
Web Protection
The following behavior applies when the Web Protection license expires:
- The firewall continues to send traffic from ports 80, 443, and 3128 to the proxy or DPI engine according to your configuration.
- Application signatures aren't loaded, and application filter policies aren't applied.
- Inspect untrusted content (under Active threat response > Sophos X-Ops threat feeds) and Antivirus stop working.
Proxy mode
The following features stop working in proxy mode:
- Web policies
- Malware scanning
- HTTPS decryption
- Logs for web filtering
- Web categories
- The firewall doesn't block bad URLs (over HTTPS) added through the Sophos X-Ops threat feed.
The following features continue to work in proxy mode:
- Parent proxy
- Pharming protection
- SafeSearch
- Authentication
DPI mode (Legacy proxy is turned off)
The following features stop working in DPI mode:
- Web policies
- Malware scanning
- Logs for web filtering
The following features continue to work in DPI mode:
- SSL/TLS decryption
- Logs for TLS decryption
- Web categories
Zero-day Protection
The following behavior applies when the Zero-day Protection license expires:
- Machine learning and Sandbox analysis are turned off.
- Threat intelligence is turned off. However, previous reports are still available.
Central Orchestration
The following behavior applies when the Central Orchestration license expires:
- Firewalls in the SD-WAN connection groups are no longer available.
- Central Firewall Reporting (CFR) reports are available only for seven days.
Email Protection
Emails are delivered without anti-spam and antivirus scanning when the Email Protection license expires.
Email notifications are sent indefinitely. For more information about which notification types are sent, see Notifications.
Webserver Protection
The following behavior applies when the Webserver Protection license expires:
- Your existing WAF rules stop working.
- You can create new rules and edit existing ones, but they can't be enforced without a valid license.
Enhanced support or Enhanced Plus support
The following behavior applies when the Enhanced support or Enhanced Plus support subscriptions expire:
- If the Enhanced support or Enhanced Plus support subscriptions expire, Sophos can't provide RMA and Technical Support services for any SFOS version.

    In an active-active HA setup, you must have a valid support subscription, Enhanced or Enhanced Plus, for each active device to receive advanced hardware replacement for them.

    In an active-passive HA setup, an Enhanced Plus subscription is required for the primary device to receive advanced hardware replacement for the secondary device. You must renew your licenses within 90 days of expiration. At the end of 90 days, the firewall protection for the device stops.

    For more information, see Enhanced: Advanced Hardware Replacement.
- The firewall has three free firmware upgrades. Any further upgrades are possible only with a valid support subscription. This doesn't impact the trial license, home use license, or firmware upgrades from the installation assistant.
Xstream Protection Bundle
MDR threat feeds and Third-party threat feeds are a part of the Xstream Protection Bundle license. The following behavior applies when this license expires:
MDR threat feeds
- The firewall doesn't block Indicators of Compromise (IOCs) for IP addresses, URLs, and domains added by MDR threat feeds.
- MDR threat feeds continue to inspect IOCs.
- You can turn MDR threat feeds on or off and change the settings.
Third-party threat feeds
- The firewall doesn't block Indicators of Compromise (IOCs) for IP addresses, URLs, and domains added by Third-party threat feeds.
- The firewall continues to poll external URLs and get the latest IOCs.
- You can add new feeds and change the settings.
Air gap deployment
The air gap license is valid for 180 days. You must update your firewall's air gap license before it expires. If you don't update the license, only the Base Firewall license remains active.
For more information, see Activating licenses for air gap.
Deferred registration
If you've deferred the firewall registration during the initial setup, you can use the firewall for 30 days without registration.
If you sign in during this time, you'll see the license registration page. You can skip that page and sign in to the web admin console.
However, after 30 days, you must register the device to sign in to the web admin console. Except for the Base Firewall license, all licenses expire after 30 days.