Activating licenses for air gap
Air gap installations are physically isolated deployments and aren't connected to the internet. You can update their licenses manually.
Note
You must register the firewall using the setup assistant or on Administation > Licensing before deploying it in an air gap environment.
Air gap isn't available for all deployments. See the following:
- Sophos only approves air gap requests if you have a network that isn't connected to the internet and doesn't have any Sophos Firewall MSP Flex licensed firewalls.
- Air gap is available only for hardware devices.
Note
Your Sophos account manager must approve air gap deployment for your Sophos Firewall hardware. You can request air gap access with your account manager at the time of purchase.
To update the license for air gap deployments, do as follows:
-
Download the license file from your Sophos Central account. To do this, do as follows:
- In Sophos Central, click Profile Menu in the task bar, then go to Licensing > Firewall licenses.
-
Click Download airgap license.
Note
You must apply the airgap license within 30 days of downloading it. Otherwise, you must download a new airgap license.
-
Sign in to the CLI console of the firewall.
- Type
4
and pressEnter
to access the Device Console. -
Run the command
system airgap enable
.Note
This command shows the Manual license synchronization section in Administration > Licensing. Air gap doesn't stop you from connecting the firewall to the internet.
-
Sign in to web admin console of the firewall and go to Administration > Licensing.
- Under Manual license synchronization, click Choose file and select your license file.
- Click Update license.
Air gap deployment unsupported features
The firewall doesn't support the following features in an air gap deployment because they require internet connectivity:
- Chromebook authentication
- Dynamic DNS
-
Email Protection: Anti-spam, RDNS lookup, and SPF protection.
Note
The following Email Protection features work: Malware scanning, email routing, MIME file filter, and SPX encryption.
-
External NTP server
- FQDN only works based on internal DNS.
- Online help
- RED online provisioning.
- Real-time Blackhole List (RBL) and IP reputation for Web Server Protection and Email Protection.
- Sophos Anti-Virus Live Protection: SXL2 lookups (Live Protection) that happen within Sophos Anti-Virus Interface (SAVI) based on Sophos Labs signature information.
- SMS gateway for guest users.
- Support access for remote troubleshooting.
- Synchronized Security and Sophos Central management.
- Web and URL categorization, Micro apps discovery, and CASB Lite. These only offer protection based on the local custom categories and signatures.
- Zero-Day Protection
Air gap FAQs
How often should I update my air gap license?
The air gap license is valid for 180 days. You must update your firewall's air gap license before it expires.
Do I need to update my firewall's pattern data?
In an air gap environment, you must manually upload pattern updates.
If the firewall is connected to the internet, will the firewall automatically synchronize its licenses even if air gap is turned on?
Even if air gap is turned on, the firewall will synchronize its licenses once it's connected to the internet.
I have multiple firewalls deployed in an air gap environment. Can I use one air gap license file for all of my firewalls?
You can download one air gap license file from your Sophos Central account and use it for all your firewalls.
Can I automate pattern updates in an air gap environment?
Yes, you can automate pattern updates for these devices. See Automate the pattern update in an air gap environment.