Skip to content


You can activate your evaluations and subscriptions. You can also synchronize your licenses.

Device registration and license activation

To see the device registration details and the status of the licenses, go to Administration > Licensing.

The firewall fetches the following registration details from your Sophos Licensing Portal account:

  • Model number and the device key.
  • Company name with which you've registered the firewall.
  • Contact person in your organization.
  • Email address used to register the firewall.

The modules show as Unsubscribed when you set up the firewall for the first time. See FAQs for registration.

Synchronizing licenses

If Sophos Firewall is connected to the internet, the firewall synchronizes with the Sophos Licensing Portal every 24 hours, and licenses are updated automatically.

You can synchronize the licenses manually for the latest subscriptions. Click Synchronize next to Module registration details.

No license synchronization period

If license synchronization doesn't take place for 90 consecutive days, the security subscriptions are deactivated. Only the Base Firewall and support subscriptions remain active.

The incommunicado period (no license synchonization period) resets if license synchronization succeeds.

During the incommunicado period, users can sign in and traffic continues to flow, but without the firewall's protection.

Deactivated subscriptions

The licensing.log file shows the following:

License deactivation logs

If license synchronization succeeds after 90 days, the remaining license subscriptions appear as follows:

Activated subscriptions

After synchronization, the licensing.log file shows the following:

License activation logs

Activating license keys

You can activate paid and trial licenses.

To activate paid subscriptions, do as follows:

  1. Go to Administration > Licensing.
  2. Under Device registration details, click Activate subscription.
  3. Enter the license key you received from Sophos.
  4. Click Verify key.
  5. After the key is verified, click Confirm.
  6. Click Synchronize to synchronize the firewall with the licensing system.
    The firewall updates the subscriptions list.

See FAQs on activating license keys.

See the video Registration and basic setup.

To activate trial subscriptions, do as follows:

  1. Go to Administration > Licensing.
  2. Click Activate evaluations.

    Sign in with your Sophos ID appears.

  3. Sign in using your MySophos credentials.

    The pop-up window shows the license details immediately if you're already signed in using a normal browser session.

    • You must use the MySophos credentials related to the firewall you're activating. Otherwise, an error will occur.
    • If you're using incognito mode in your browser, minimize the pop-up window after signing in so that the session remains active, then click Activate evaluations again in the web admin console. If you close the incognito session, you may be prompted to sign in again.
  4. Select the modules that you want to evaluate.

  5. Click Confirm.
  6. Click Initiate license synchronization.

The licensing page on the firewall shows that you have an evaluation license for the module.

See the video Licensing, trials, and license keys.

Registering the firewall later

You can set up the firewall without registering it to the licensing server. You can defer registration for up to 30 days. You can configure all firewall features except Sophos Central and Synchronized Security Heartbeat. You may want to delay registration for demonstration purposes or because the firewall doesn't have an internet connection.

To defer firewall registration when setting up the firewall, do as follows according to your scenario:

With internet connection

  1. On Register your firewall, select I do not want to register now.
  2. Click Continue, then click Continue in the warning prompt.
  3. Follow the instructions in the assistant.

Without internet connection

  1. On Internet Connection, select Continue Offline.
  2. Click Continue, then click Continue in the warning prompt.
  3. Follow the instructions in the assistant.

After you finish the setup, go to Administration > Licensing to check that Registration has been currently deferred on this device. is shown.


To register the firewall during the 30-day period, go to Administration > Licensing and click Click here. This takes you to the registration page.

See FAQ on new registration.

Module subscription details

You can subscribe to the license modules as follows:

  • With a license key (paid subscription).
  • Without a license key for a 30-day trial (free subscription).


If you want to evaluate a module again later, you can activate its evaluation in the next major version.

Example: If you had evaluated Zero-day protection in version 18.5 but didn't buy it, you can activate its evaluation again in 19.0.

You can see the status of the subscriptions and their expiration date. Statuses can be one of the following:

  • Subscribed
  • Evaluating
  • Not subscribed
  • Expired

License bundles

The following license bundles are available for XGS and XG Series firewalls:

Xstream Appliance Bundle Standard Appliance Bundle
Base License Base License
Xstream protection
  • Network Protection
  • Web Protection
  • Zero-Day Protection
  • Central Orchestration
  • Enhanced Support
Standard protection
  • Network Protection
  • Web Protection
  • Enhanced Support

Individual licenses and firewall features

You can also subscribe to individual licenses. The licenses deliver the following features:

  • Base License: Stateful Firewall, VPN, Wireless.
  • Network Protection: Intrusion Prevention (IPS), Advanced Threat Protection (ATP), SD-RED Device Management.
  • Web Protection: Web Security and Control, Application Control, Web Malware Protection.
  • Zero-day protection: Machine Learning, Sandboxing File Analysis, Threat Intelligence.
  • Central Orchestration: SD-WAN VPN Orchestration, CFR Advanced.
  • Email Protection: Anti-spam, Antivirus, DLP, Encryption, Email Malware Protection.
  • Webserver Protection: Web Application Firewall.


For Support subscriptions, see Support scope and communication methods.

See Licensing guide for Sophos Firewall.

Licenses for high-availability cluster

Active-passive HA: You must activate the licenses on the device you've configured as the initial primary. Don't activate them on the auxiliary device. The cluster uses the licenses of the primary device.

Active-active HA: Both Sophos Firewall devices need the licenses. The licenses must be the same for both devices. See HA licensing FAQs.

Activating licenses for airgap

Airgap installations are physically isolated deployments and aren't connected to the internet. You can update their licenses manually.

Airgap isn't available for all deployments. See the following:

  • Sophos only approves airgap requests if you have a network that isn't connected to the internet and doesn't have any Sophos Firewall MSP Flex licensed firewalls.
  • Airgap is available only for hardware devices.


Your Sophos account manager must approve air gap deployment for your Sophos Firewall hardware. You can request air gap access with your account manager at the time of purchase.

To update the license for airgap deployments, do as follows:

  1. Download the license file from your Sophos Licensing Portal account.
  2. Sign in to the web admin console and go to Administration > Licensing.
    A section Manual license synchronization shows up for airgap firewalls.
  3. Select the license file.
  4. Click Update license.

See How airgap and manual pattern update works.

Transferring licenses to another Sophos Firewall

You must transfer your license to another appliance in the following cases:

  • Active-passive HA: You've activated the licenses on the auxiliary device and must transfer them to the primary.
  • Replacement: You're replacing your current Sophos Firewall device with a different one.
  • License purchase after trial: You've purchased the licenses after an evaluation.

See License transfer for Sophos Firewall.

Upgrading from UTM to SFOS

You can migrate the UTM 9 licenses to licenses of SFOS installed on SG appliances. We then transfer your UTM 9 licenses to equivalent SFOS licenses.

Note the following:

  • The SG Series firewall must be registered.
  • You can't migrate UTM 9 licenses to SFOS on Sophos Firewall appliances.
  • After migrating the licenses to SFOS, you can't migrate back to the UTM 9 licenses.


This option is only available if you upgrade to SFOS licenses on SG Series firewalls.

See License migration.

See Licensing guide for Sophos Firewall.