Air gap
You can download an airgap license from Sophos Central and apply it to your Sophos Firewall for use in environments without internet access. This process makes sure your firewall is licensed and functional while remaining isolated from external networks.
Requirements
- You must claim the firewall with the airgap license in Sophos Central before you deploy it in an air gap environment.
- Your Sophos account manager must approve the air gap deployment for your Sophos Firewall hardware. You can request air gap access with your account manager at the time of purchase.
  Note
  Sophos only approves air gap requests if you have a network that isn't connected to the internet and doesn't have any Sophos Firewall MSP Flex licensed firewalls.
- You must have a hardware device.
Download your airgap license
To download your airgap license, do as follows:
- Download the license file from your Sophos Central account, as follows:
Enable your airgap license
- Sign in to the firewall's CLI console.
- Type 4 and press Enter to access the Device Console.
- Run the following command:
  system airgap enable
  This command makes the Manual license synchronization section in Administration > Licensing visible.
Apply your airgap license
- Sign in to the firewall's web admin console and go to Administration > Licensing.
- Under Manual license synchronization, click Choose file and select your license file.
- Click Update license.
Note
You can still connect the firewall to the internet if you have an air gap license.
Air gap deployment unsupported features
The firewall doesn't support the following features in an air gap deployment because they require internet connectivity:
- Chromebook authentication
- Dynamic DNS
- Email Protection: Anti-spam, RDNS lookup, and SPF protection.
  Note
  The following Email Protection features work: Malware scanning, email routing, MIME file filter, and SPX encryption.
- External NTP server
- FQDN only works based on internal DNS.
- Online help
- RED online provisioning.
- Real-time Blackhole List (RBL) and IP reputation for Web Server Protection and Email Protection.
- Sophos Anti-Virus Live Protection: SXL2 lookups (Live Protection) that happen within Sophos Anti-Virus Interface (SAVI) based on Sophos Labs signature information.
- SMS gateway for guest users.
- Support access for remote troubleshooting.
- Synchronized Security and Sophos Central management.
- Web and URL categorization, Micro apps discovery, and CASB Lite. These only offer protection based on the local custom categories and signatures.
- Zero-Day Protection
Air gap FAQs
Find answers to common questions about air gap deployments.
How often should I update my air gap license?
The air gap license is valid for 180 days. You must update your firewall's air gap license before it expires.
Do I need to update my firewall's pattern data?
Yes. You can do it manually or automatically. See Air gap.
Does the airgap pattern update include a hotfix?
Pattern updates don't include hotfixes. To install a hotfix for an airgap deployment, contact Sophos Support. See Contact Sophos Support.
If the firewall is connected to the internet, will the firewall automatically synchronize its licenses even if air gap is turned on?
Even if air gap is turned on, the firewall will synchronize its licenses once it's connected to the internet.
I have multiple firewalls deployed in an air gap environment. Can I use one air gap license file for all of my firewalls?
You can download one air gap license file from your Sophos Central account and use it for all your firewalls.
Can I automate pattern updates in an air gap environment?
Yes, you can automate pattern updates for these devices. See Automate the pattern update in an air gap environment.