Sophos UTM & XG Firewall Lifecycle Policy

Sophos Network Security software is continuously enhanced with new features and technologies protecting against most recent threats. For this reason, new software releases are launched on a regular basis.

In order to keep the same or better level of performance with an increasing software feature set, it is sometimes also necessary to update the specification of the appliance. This will typically entail changes to the CPU, memory, disk and network cards, or even to the whole system. Therefore, Sophos appliances and related accessories such as Sophos RED and Sophos Access Points (APs) are updated in regular intervals in order to make use of the most recent improvements in hardware technology.

After a certain period of time, a major architecture change might be required, in which case, a product (both software and hardware) will reach its End-Of-Life (EOL) which is the date upon which Sophos will cease supporting the product or services related to it. To make it transparent, Sophos will announce the dates for the End of Life and End of Sale stages of its products along with the available migration path.

During its lifecycle a product will pass the following milestones until it reaches its final End-of-Life state:

Life Cycle Milestone Definition
GA Date The date when a product is made generally available.
End-of-Sale (EOS) The last date when the related product or service is available for purchase.
Last Renewal Date The last date when an existing subscription or support contract for the related product or service can be renewed. Support contract renewals may not extend beyond the EOL date.
End-of-Life (EOL) The last date on which Sophos will cease support for the related product or service.
Migration Path A migration path is announced as a recommendation to replace a discontinued product with an alternative one.


Please note: This policy also applies to Not-For-Resale (NFR) products.

Software Releases


Sophos Gateway Software improvements are offered in the following ways:

Major release
(every 1-2 years)
Minor / Feature release
(every 4-6 months)
Maintenance release
(every 1-2 months)
Pattern updates
(up to multiple times per day)
  • Feature release with significantly improved functionality.
  • Automated migration paths will be offered on Sophos appliances but some features might require manual reconfiguration.
  • Older appliance models/revisions might no longer be supported hence requiring a HW refresh.
  • Feature release with new/improved functionality.
  • Migration possible via automated updates. No manual reconfiguration required.
  • Older appliance models/revisions might no longer be supported hence requiring a HW refresh.
  • Primarily deliver bug fixes and vulnerability fixes.
  • In rare cases also offer small feature enhancements which don’t change the behavior of existing system
  • Automatically provided to the gateway to maintain security effectiveness of the system
  • Different components of the gateway receive updates at different intervals but include the following: antivirus updates, ips updates, web categorization updates, email filtering updates, WAF signature updates, and application control updates. Some of these updates happen automatically in the cloud while others reside on the appliance which pulls them down automatically.
  • Periodically, a maintenance update is required if the security update requires a change to the security engine that consumes the patterns.

Software and pattern update entitlements

Customers are entitled to receive software and pattern updates depending on their contract:

  • Software upgrades (new major/minor releases including new features and bug fixes) require a valid support contract
  • Bug fixes & vulnerability fixes (delivered via maintenance upgrades) are included with any software subscription contract

Software Version Numbering


Sophos UTM version numbering

Sophos UTM software version numbers use the following format:

Sophos UTM version numbering

So 9.210 is maintenance release 10 of minor version 2 of major version 9.

Minor UTM feature releases may also be treated technically as a feature release, but indicated by giving the maintenance release number a significant increment. (e.g. 9.315 incremented to 9.350) Such releases will not be considered a full feature release, but both (e.g. 9.31x and 9.35x) will receive updates in parallel to each other, so customers aren’t required to move to an unproven feature release to receive a maintenance update.


Sophos XG Firewall version numbering

Sophos XG Firewall software version numbers use the following format:

Sophos XG Firewall version numbering

Software Support Policy


The following support policy applies to Sophos UTM and Sophos XG Firewall Software:

Maintained Software Releases

  • Sophos maintains the last two minor versions of the last major version by providing maintenance releases for each. (For example Sophos XG Firewall releases 17.0 and 17.1 might be maintained through maintenance releases at a given time. Likewise Sophos UTM 9.4 and 9.5 might be maintained through maintenance releases at a given time.)
  • Only the latest maintenance release of each minor release is actively maintained.
  • In addition Sophos will maintain specific accredited releases (e.g. certified by Common Criteria or FIPS) for a period of 2 years or until a successor release has been accredited, whatever will be earlier. Please see https://community.sophos.com/kb/en-us/121502#Software%20Milestones for the latest maintained releases
  • The last major version of the software continues to be developed through delivery of new minor versions.

    (For example Sophos XG Firewall release V17 will receive further minor/feature versions 17.1 and 17.2 etc..., Sophos UTM release V9 will receive further minor/feature versions 9.6 etc...)

Supported Software Releases

  • Customers can continue to receive support as long as their support contract is in effect for all versions until End of Life (EoL) is announced.
  • However if issues on a supported software release require a vulnerability or bug fix then customers might need to upgrade to a maintained software release.
  • The duration of the supported software phase is variable (typically between 24 and 36 months) and depends on numerous factors like technology innovation, market changes and customer demands. An EoL notification is sent out to the public 90 days in advance.

Sophos Gateway Software lifecycle

Sophos Gateway Software lifecycle

Hardware Support Policy


Hardware Models and Revisions

Sophos UTM and XG Firewall appliances; Access Points, and RED devices use two levels of numbering:

  • Model number (e.g. XG210): defines an appliance with a target performance profile so that it can support a certain number of users, e.g. a XG135 supports up to 50 users, a XG210 up to 100 users…
  • Revision (e.g. XG210 rev.5): A new revision enhances a model with new/faster hardware components so that its performance stays on the same target level even if using new software releases with more advanced features.

Standard Hardware EoL Policy

The hardware life cycle applies to a certain model (e.g. the XG210). The general principles of the Sophos Hardware EoL policy are:

  • Software subscriptions and support services are bound to a model and not to a specific revision.
  • If customers upgrade an older appliance to the most current revision (e.g. through the Sophos HW refresh program) they can move their existing service contracts to the new revision.
  • In case of an RMA (exchange of failed hardware) the customer receives a model of the same or newer revision. In case the model has already passed its EoL date but is still under a valid support service contract Sophos might still send a replacement unit of the same model (if available) or an alternative model of same or better capacity as its own discretion. The replacement unit will be shipped with a current software release and might not be able to support the original software release used on the defective unit. Existing subscriptions and support services can be moved to the new unit.
  • If a new revision is introduced to the market the last revision is sold as long as stocks last.
  • Older revisions might not be able to support all features of a new software release. Therefore, Sophos may require customers to upgrade to the newest revision of the model or a new model (e.g. through the Sophos HW refresh program) if they want to make use of all software features.
  • If the Software running on an appliance is reaching its EoL customers are required to upgrade to new Software which has been declared as a replacement for the original Software. If current Hardware model or revision is not supported by new Software customer is required to upgrade to a newer revision of the model or a new model (e.g. through the Sophos HW refresh program) which is supported by the new Software.

Sophos UTM and XG Firewall Hardware lifecycle

Sophos UTM and XG Firewall Hardware lifecycle
  • Sophos will send an EoL notification to channel partners generally giving them a 90-day notice period before the EoS date giving them an opportunity to make final purchases.
  • After the EoS date support and hardware maintenance will be provided to customers with a valid support and warranty contract until the End-of-Life date of the hardware. In case service contracts are still valid beyond this End-of-Life date remaining terms can be moved to supported replacement hardware.
  • The last date to order an extension for warranty, technical support and subscription service contracts is 12 months before the End-of-Life date for the relevant product.
  • Last repair /replace date will be 36 months after EoS date.
  • After the EoS date the then active major software version (see Sophos UTM retirement schedule) will be supported for this model until the End of Life date for the relevant product.

Hardware Warranty

  • All APX Series devices are supplied with a 5-year hardware warranty. Further warranty extensions are not possible. Hence the following guidelines only apply to AP series models.
  • All HW appliances, RED & AP Series devices (including modules and accessories) are supplied with a 1-year hardware warranty (8x5, return & replace).
  • Extended Warranty beyond the 1st year for appliance hardware is covered through an Enhanced support contract (XG Firewall) capped at a maximum of 5 years or an active Software Subscription (UTM)
  • Extended Warranty beyond the 1st year for RED and AP Series devices which are managed by Sophos XG Firewall appliances is covered through an Enhanced Plus support contract of the appliance to which the RED/AP is connected to.
  • Extended Warranty beyond the 1st year for RED and AP Series devices which are managed by Sophos SG Firewall appliances is covered through an Extended Warranty contract for the dedicated RED/AP.
  • Extended Warranty beyond the 1st year for RED devices which are managed by Sophos UTM Firewall appliances is covered through an Extended Warranty contract for the dedicated RED.
  • Extended Warranty beyond the 1st year for AP Series devices which are managed by Sophos UTM Firewall appliances is covered through a Wireless Protection contract of the appliance to which the AP is connected to.