Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Activating licenses for air gap

Air gap installations are physically isolated deployments and aren't connected to the internet. You can update their licenses manually.

Note

You must register the firewall using the setup assistant or on Administation > Licensing before deploying it in an air gap environment.

Air gap isn't available for all deployments. See the following:

  • Sophos only approves air gap requests if you have a network that isn't connected to the internet and doesn't have any Sophos Firewall MSP Flex licensed firewalls.
  • Air gap is available only for hardware devices.

Note

Your Sophos account manager must approve air gap deployment for your Sophos Firewall hardware. You can request air gap access with your account manager at the time of purchase.

To update the license for air gap deployments, do as follows:

  1. Download the license file from your Sophos Central account. To do this, do as follows:

    1. In Sophos Central, click Profile Menu Profile Menu icon. in the task bar, then go to Licensing > Firewall licenses.
    2. Click Download airgap license.

      Note

      You must apply the airgap license within 30 days of downloading it. Otherwise, you must download a new airgap license.

  2. Sign in to the CLI console of the firewall.

  3. Type 4 and press Enter to access the Device Console.
  4. Run the command system airgap enable.

    Note

    This command shows the Manual license synchronization section in Administration > Licensing. Air gap doesn't stop you from connecting the firewall to the internet.

  5. Sign in to web admin console of the firewall and go to Administration > Licensing.

  6. Under Manual license synchronization, click Choose file and select your license file.
  7. Click Update license.

Manual license synchronization.

Air gap deployment unsupported features

The firewall doesn't support the following features in an air gap deployment because they require internet connectivity:

  • Chromebook authentication
  • Dynamic DNS
  • Email Protection: Anti-spam, RDNS lookup, and SPF protection.

    Note

    The following Email Protection features work: Malware scanning, email routing, MIME file filter, and SPX encryption.

  • External NTP server

  • FQDN only works based on internal DNS.
  • Online help
  • RED online provisioning.
  • Real-time Blackhole List (RBL) and IP reputation for Web Server Protection and Email Protection.
  • Sophos Anti-Virus Live Protection: SXL2 lookups (Live Protection) that happen within Sophos Anti-Virus Interface (SAVI) based on Sophos Labs signature information.
  • SMS gateway for guest users.
  • Support access for remote troubleshooting.
  • Synchronized Security and Sophos Central management.
  • Web and URL categorization, Micro apps discovery, and CASB Lite. These only offer protection based on the local custom categories and signatures.
  • Zero-Day Protection

Air gap FAQs

How often should I update my air gap license?

The air gap license is valid for 180 days. You must update your firewall's air gap license before it expires.

Do I need to update my firewall's pattern data?

In an air gap environment, you must manually upload pattern updates.

If the firewall is connected to the internet, will the firewall automatically synchronize its licenses even if air gap is turned on?

Even if air gap is turned on, the firewall will synchronize its licenses once it's connected to the internet.

I have multiple firewalls deployed in an air gap environment. Can I use one air gap license file for all of my firewalls?

You can download one air gap license file from your Sophos Central account and use it for all your firewalls.

Can I automate pattern updates in an air gap environment?

Yes, you can automate pattern updates for these devices. See Automate the pattern update in an air gap environment.

More resources