Sophos XG
Firewall
Licensing
This article provides a detailed overview of the licensing for Sophos XG Firewall
and related products.
Although the Sophos XG Firewall licensing is very similar to what we offer for UTM 9 today, we have made some strategic changes:
• New enhanced Base Firewall license incl. IPSec and SSL VPN plus Wireless • Software/virtual licensed by the virtual cores/RAM of the hardware
• Two new next-gen firewall bundles: EnterpriseGuard and EnterpriseProtect • Significant changes to support licensing
Details on all of these changes can be found below.
Understanding the Naming of the Product
Our new product is called Sophos XG Firewall. This is a completely new platform and not the next version of either the Sophos UTM or Cyberoam OS. It combines elements of both Sophos and Cyberoam UTM and next-gen firewall technology but also completely new innovations and features many of you have been requesting for some time.
Under Sophos XG Firewall you may also find the following components mentioned:
Sophos Firewall OS (SF-OS) which is the firmware
XG SeriesAppliances which come pre-installed with SF-OS Further Products in the XG Firewall ecosystem are:
Sophos Firewall Manager (SFM) for the central management of SF-OS firewalls
Sophos Cloud Firewall Manager (CFM), a cloud version of the above, exclusive to partners in v1
Deployment Options and Base Firewall
XG Series Hardware
All appliances which come pre-installed with SF-OS are labelled XG. We will offer the same line-up as with the SG Series and they have the same technical specifications but they do have a different BIOS. Upon launch there will be two additional XG models which will be introduced later for Sophos UTM 9 (as SG Series):
the entry level desktop appliance, XG 85 (also available as XG 85w) and the high-end 2U XG 750.
Please note: The installation of UTM 9.x on XG Series appliances will initially not be supported. XG Firewall comes preinstalled on XG Series and will only run on SG Series that have been upgraded from UTM 9.x. It is not possible to buy the XG Base Firewall or subscription and install directly on SG hardware. Please contact your Channel Account Manager if you have any questions.
Base Firewall
A perpetual Base Firewall license is included in the purchase price of every XG Series appliance. The Base Firewall includes:
• Network Firewall
• SSL and IPSec VPN (no renewal required but IPSec client licenses are sold separately) • Complete wireless protection, incl. hotspot support and voucher system
This is the equivalent of the Essential Firewall with Sophos UTM but with much enhanced features.
Base Firewall
Type of license perpetual
How to buy Included in hardware purchase price Purchased when buying software/virtual
Software/Virtual
We have changed the way in which we license software and virtual for XG Firewall from IP/User bands to (virtual) cores/RAM of the hardware it’s being installed on. This will simplify the selection of the right license for many scenarios and is more in line with industry standards.
Understanding the Naming for software/virtual
Your product will only work with the number of (virtual) cores and (virtual) RAM it is licensed for. For example, if you add more RAM to the above license, not more than 6 GB will be addressed unless you change your license. In such cases, please contact your Channel Account Manager for a quote.
What you are actually purchasing when you select one of our virtual/software options from the price list is the Base Firewall. See above for full details of what is included in the Base Firewall.
Please note: Sophos UTM licensing for virtual/software remains unchanged.
Subscriptions and Bundles
As with Sophos UTM 9, you have the option to purchase individual software subscription to tailor your security to your needs, or you can buy one of our bundles which can offer a significant cost saving.
Individual
Subscriptions
XG Firewall offers the following subscription modules for individual purchase
Individual Software Subscriptions Network Protection
IPS, RED/HTML5, ATP, Security Heartbeat*
Web Protection
URL, AV, AppCtrl
Email Protection
Antispam, AV, SPX, DLP
Web Server Protection
WAF, AV, Rev. Proxy
* Requires Cloud Endpoint Protection Advanced or Cloud Enduser Protection The key differences to Sophos UTM are:
No Wireless Protection subscriptionas that is now included in the Base Firewall license
No Endpoint Protection subscription as we will use the Cloud Endpoint, e.g. for Heartbeat
Feature upgrades/updates included for 90 days so a support option should be quoted on top
Product Bundles
With the introduction of two new bundles for XG Firewall we offer a simpler way for you to sell a next-generation firewall.
New NGFW Software License Bundle
EnterpriseGuard is a new software license bundle which includes:
New NGFW Appliance/Software Bundle
EnterpriseProtect provides a complete next-gen firewall solution in a single SKU. It includes:
Network Protection Web Protection Enhanced Support
XG Series appliance OR software/virtual appliance of your choice
FullGuard for XG Firewall
Of course, it is still possible to offer a FullGuard software bundle and this remains the most cost-effective way to buy all-in-one protection.
For XG Firewall FullGuard includes:
Network Protection Web Protection Email Protection Web Server Protection Enhanced Support
TotalProtect for XG Firewall
TotalProtect will continue to be a lead product for many of your projects as it offers the best value for money when buying software together with an appliance (hardware/software/virtual).
For XG Firewall TotalProtect includes:
Network Protection Web Protection Email Protection Web Server Protection Enhanced Support
Savings with Bundles vs. Individual Subscriptions
The following chart shows the benefits of bundles over individual subscriptions. These prices exclude support.
Overview Sophos XG Firewall Licensing with Appliance
High Availability (HA)
The first release of XG Firewall supports just two nodes in a cluster. When licensing products in active/passive or active/active mode the following table provides guidance on which licenses will be required.
# Use case description Licenses
1 Hardware Active-Active 2 required, i.e. 1 for each device.
Active subscriptions must match (e.g. Network Protection, Web Protection)
Subscription expiry dates don’t have to match although it is best practice for them to do so
2 Hardware Active-Passive 2 required, 1 for the Active/Master device and 1 (Base Firewall only) for the Passive device. The Base Firewall is included in the purchase price of the hardware.
3 Software/Virtual
Active-Active (Same as for hardware) 2 required, i.e. 1 for each device.
Active subscriptions must match (e.g. Network Protection, Web Protection)
Subscription expiry dates don’t have to match although it is best practice for them to do so
4 Software/Virtual
Active-Passive 1 required for the Active/Master device The product allows another SW/Virtual device to be directly linked in as the Passive device. The Passive device will have no separate serial number and doesn’t communicate with the licensing system.
Please note: HA will not be supported for XG Series appliances with integrated wireless in the first release.
Sophos Firewall Manager (SFM)
SFM Product Licenses
Sophos Firewall Manager is available as a hardware appliance and as a software ISO or virtual appliance for you to install on third-party hardware.
The license is perpetual, i.e. requires no renewal, but we recommend that you add a support option to each quote for SFM to ensure your customer receives product updates and upgrades and warranty beyond the first year for HW models. The support option will have a fixed term and require renewal. See the Support Licensing
section for more details.
SFM is licensed by the number of devices which are to be managed. There are three hardware appliances:
Hardware Model SFM200 SFM300 SFM400
Recommended # of managed devices 30 150 300
Device # based on current estimates And six options for software/virtual
SW/Virtual Appliance SFMv15 SFMv50 SFMv100 SFMv200 SFMv500 SFMv1000
Licensed # managed
Please note: Sophos Firewall Manager can be used to manage appliances (hardware/virtual/software) running SF-OS only.
Sophos Cloud Firewall Manager (CFM)
CFM v1 Licensing
The Sophos Cloud Firewall Manager is being introduced for Partners only in v1 and as an introductory offer, at no cost.
CFM will be accessible through the Cloud Partner Dashboard.
Sophos iView v2
iView Licenses
Sophos iView is available as a software ISO or virtual appliance for you to install on third-party hardware. The license is perpetual, i.e. requires no renewal, but we recommend that you add a support option to each quote for iView to ensure your customer receives product updates and upgrades. The support option will have a fixed term and require renewal. See the Support Licensing section for more details.
There are five options to purchase iView plus one free version for trial use
iView v2 Virtual/Software Free New New
Licensed Storage capacity 100 GB 500 GB 1 TB 4 TB 8 TB Unlimited
Please note: Sophos iView v2 can be used to manage appliances (hardware/virtual/software) running SF-OS, Sophos UTM 9.x (recommended from v9.3) and Cyberoam OS.
Other License Types
Trial and Evaluation LicensesWe offer options for your customers and prospects to try out all XG Firewall products. We also offer options for Sophos Partners to use our products.
The table below gives you an overview
Evaluation/Testing SF-OS iView SFM CFM
Partners 1 yr license free
(renewable) (+ 1 yr support – Unlimited free renewable) 1,000 device virtual license free (+ 1 yr support – renewable) Free w/ v1
Customers 30 day trial 100 GB free Manage 5
Support Licensing
With XG Firewall we have introduced a new support licensing scheme.
When purchasing individual subscription modules, please note that they now include software feature updates/upgrades for just 90 days and therefore, we would strongly recommend that you always quote a support option or select one of our bundles which already include Enhanced Support.
What you get Included with purchase Enhanced
Support Plan (Included in bundles)
Enhanced Plus Support Plan
Support
Direct telephone and email support
Included for 90-days
(business hours only) Included (24x7) VIP Access (Senior Support) (24x7)
Security Updates & Patches
For the life of the product
Included with an active
software subscription Included with an active software subscription Included with an active software subscription Software Feature Updates
& Upgrades Included for 90-days Included Included Consulting
Remote consultation on your firewall configuration and security with a Sophos Senior Technical Support Engineer
Included
(up to 4 hours)
Warranty and RMA For all hardware appliances
1 year
(return/replace) Advance Exchange Advance Exchange Technical Account
Manager
Dedicated named technical account manager
Optional (extra cost) Optional (extra cost)
Further Information
Should you have further questions related to XG Firewall licensing, please contact your Channel Account Manager.
The following Knowledge Base Articles provide valuable information regarding licensing:
Sophos/Cyberoam Appliances which can be upgraded
Sophos XG Firewall License Migration - your new license names and components
United Kingdom and Worldwide Sales Tel: +44 (0)8447 671131
Email: [email protected]
North American Sales Toll Free: 1-866-866-2802 Email: [email protected]
Australia and New Zealand Sales Tel: +61 2 9409 9100
Email: [email protected]
Asia Sales Tel: +65 62244168
Email: [email protected]
Oxford, UK | Boston, USA
