Switch from Sophos XG to the XGS firewall

The Sophos XG Series hardware appliances will reach their end-of-life date on 31 March 2025. Final renewals are possible up to the EOL date, but not beyond.

There is a large customer base of XG Series customers who need to replace their hardware before EOL. In addition, Sophos Firewall OS v20 is the last major release that will include support for XG hardware (v20 MRs will also include support).

More info on the XG series lifecycle Calendar

What does End of Life of the XG Firewall mean?

• Only the base licence firewall will continue to work.
• There are no longer any renewal licences (separate or bundled) available for the hardware appliance.
• Sophos no longer provides support or extended hardware warranty for these appliances.
• There will be no further SFOS updates for the firewall. SFOS V20 is the latest.

Simplifying XG to XGS Transitions: Backup/Restore Assistant*

* Refers to functionality coming in v20 MR2 (targeting July 23, 2024 release)

There is no need to reinstall hardware when moving from XG to XGS. The hardware will be retired, but the firmware Sophos Firewall OS (SFOS) will remain the same. You can create a backup of the current firewall and restore it to the new XGS appliance.

The enhanced backup/restore functionality planned for SFOS V20 MR2 will remove any practical limitations around backup/restore. For example, you can restore the backup of a 6-port XG to a 4-port XGS.

1. On the XG Create a backup file and save. (The XG must be running v19.5 MR4, v20.O GA or higher).
2. On the XGS Upload the backup file and restore. (The XGS must be running v20 MR2 or higher).
3. On XGS Assistant appears; review port mapping. Only physical interfaces are shown. (Virtual interfaces restore with the physical port. Pseudo ports created if no port).

Sophos APs no longer working?

Legacy AP Series access points (AP 15, 30, 50, 100) are not supported on XGS and have an EOL date of 31 December 2023. If you are using the XG firewall to manage Sophos AP Series access points that are end-of-life but still functional, these will also need to be replaced when you move to the XGS firewall.

APX access points (APX 120, 320, 530, 740) will continue to be sold while stocks last, but end-of-life has been announced for 31 December 2027. Our recommendation: Suggest that the customer move any existing or newly purchased access points to Sophos Central if they are supported. Please note: There is no licensing charge for Sophos Central Wireless for AP and APX Series access points.

Therefore, to continue using Sophos access points, we recommend the AP6 series. Firewall management is not supported for Wi-Fi 6/6E access points.  AP6 requires a support and services subscription per AP for Sophos Central management. Alternatively, an individual AP can be managed from a local user interface.

We always recommend wireless management via Sophos Central for scalability, more advanced features and a future-proof solution.

FlexiPort modules XG Series are not compatible with XGS

XG Series FlexiPort modules are not compatible with the XGS Series and may need to be purchased separately.  All XGS models have additional built-in ports to meet the requirements of many customer use cases. Adding a Sophos switch may be a solution.

What subscriptions does the customer use?

All XG Series customers were migrated to the newer licensing scheme in 2021*, and those with FullGuard, for example, benefited from a generous migration to Xstream Protection plus Email and WebServer (WAF) Protection. When renewing these customers, always check if they are using Email and WebServer Protection, as these subscriptions are not included in Xstream Protection and would need to be renewed separately.

Our recommendation: If a customer requires Email Protection, Central Email Advanced has a superior feature set. Also review their requirements for Web Server Protection. In some cases, the functionality they need may be better addressed by ZTNA, and with the ZTNA gateway now integrated, deploying ZTNA is easier than ever.

Don’t forget to mention Central Orchestration (included in Xstream Protection) to customers who are currently using legacy RED devices for SD-WAN connectivity to their branch offices and remote locations. With Xstream SD-WAN, they get the same easy setup and zero-touch deployment they know and love from their RED devices, all on their XGS.

Promos to Support a Hardware Refresh

Sophos offers a number of promotions that can be used to make a hardware refresh more attractive when upgrading from XG to XGS hardware.

When you purchase a new Sophos XGS firewall with a 3-year Xstream subscription, there are generous discounts on the hardware, depending on the appliance.

Please contact [email protected] for further details.