With today’s release of our revolutionary new XG Firewall, we’re breaking the mold and bringing endpoint and network security together. This is an exciting time for Sophos, our partners, and our customers.
The XG Firewall combines some of the great technology from UTM 9 with a ton of innovative new features. But that doesn’t mean it’s the end for our industry leading and award-winning Sophos UTM platform. Far from it.
Sophos UTM has a long and successful history that extends back several years. We will continue to develop and support this platform. You can learn more about Sophos UTM 9 and the SG Series on sophos.com.
We anticipate that many of our existing Sophos UTM customers will want to migrate to the XG Firewall, to take advantage of new technologies like the Sophos Security Heartbeat, new features like the simplified new interface, improved reporting, and more.
If you’re a Sophos UTM customer, however, you do not have to migrate right away or at all, if you don’t want to. Many of you will have questions about the new XG Firewall and what it means for you. Rest assured, we’ve been thinking a lot about our Sophos UTM customers, and we’ve put together this FAQ to help answer any questions you might have.
Frequently Asked Questions
What is the difference between Sophos UTM and the XG Firewall?
As you know, the Sophos UTM SG Series with UTM 9 firmware is our leading and award-winning unified threat management (UTM) platform. Sophos UTM has a long and successful history, and we will continue to develop and support this platform.
Sophos XG Firewall, our new firewall platform which combines some of the great technology from UTM 9 with a variety of new technology including support for the new Sophos Security Heartbeat™, a new user interface, improved user-based policies and reporting, and much more. It comes pre-installed on XG Series appliances, but you can also upgrade your SG Series appliances (more on that below).
What’s the difference between the SG Series and XG Series hardware appliances?
SG Series appliances come pre-installed with UTM 9 firmware. XG Series appliances come pre-installed with XG Firewall firmware. Otherwise, the hardware specifications are identical.
Can I migrate from UTM 9 to the new XG Firewall?
Yes. As a Sophos UTM 9 customer with a valid license, you are entitled to migrate to XG Firewall when the timing is right for you. We strongly urge customers to be patient and wait for the automated migration tools for the best migration experience.
As an existing UTM 9 customer wishing to upgrade, what should I do?
We suggest all UTM 9 customers spend some time to get familiar with the new XG Firewall using the free trial option while patiently awaiting the migration tools to make the transition as seamless as possible.
Do I have to migrate from UTM 9 to XG Firewall?
No. While we are confident that most Sophos UTM 9 customers will want to take advantage of many of the great new features and benefits of XG Firewall over time, there is certainly no rush, and you don’t have to migrate if you don’t want to.
Will you continue to develop and support UTM 9?
Yes. Sophos UTM 9 will see continued development and support with a couple of new releases already in the planning stages.
Will the new XG Firewall firmware run on my existing hardware or virtual environment?
Sophos XG Firewall runs perfectly on all Sophos SG Series hardware appliances, as well as the same Intel compatible hardware and the same virtual environments as UTM 9. XG Firewall is not currently compatible with Amazon Web Services, but we plan to add support for AWS and Azure cloud deployments soon.
Customers with UTM Series or ASG Series hardware (prior to the SG Series) interested in migrating to XG Firewall should talk to their Sophos Partner about doing a hardware refresh to one of the XG Series that come pre-installed with XG Firewall.
When can I migrate from UTM 9 to XG Firewall?
We strongly recommend that customers wait until the migration the tools are available for a smooth migration. We recommend working with your preferred Sophos Partner to plan your migration when the time is right.
Is there a license fee associated with migrating?
No. Sophos is pleased to switch your license from UTM 9 to XG Firewall at no extra charge. Your license will be changed over automatically when you choose to migrate.
What are the various migration phases and tools available?
In order to make migration as smooth as possible, we are developing a series of migration tools that will be rolled out in phases. Watch the Sophos Blog for migration news, tools, and help, or contact your Sophos Partner.
Here are the migration phases:
Migration at Launch: While we strongly encourage existing customers to wait until Phase 1 or 2, early adopters who wish to migrate to XG Firewall following launch can do a manual migration. There will be no migration tools available during this phase so you will be setting up and configuring your XG Firewall from a fresh install.
Phase 1 Migration: This phase is in planning and we anticipate being able to offer beta migration tools by mid-2016. The process will involve manually taking a backup of your UTM 9 device and uploading it to the Cloud Migration Service for conversion, making necessary adjustments, and then exporting it as a configuration for XG Firewall.
Phase 2 Migration: This phase is planned to coincide with an update to XG Firewall in mid-2016. UTM 9.4 customers will be able to use an option in Webadmin to initiate a migration using some automation and a less manual process, with options to retain some quarantine items.
Phase 3 Migration: Later in 2016 we plan to simplify the migration process further with support for multiple device migration and more automation.
Are there UTM 9 features I need that are not in XG Firewall?
There are a few feature gaps you should be aware of. If you are dependent on any of these features, you will want to wait until the gaps are closed in a subsequent release of XG Firewall. Watch the Sophos Blog for XG Firewall updates and news.
Here are the most significant initial feature gaps:
- Multi-node clustering of three or more appliances is not supported initially
(two appliance clustering for Active-Active or Active-Passive is supported)
- Clustering of “w” (integrated wireless) models is not supported initially
- Site-to-Site RED Tunnels are not supported initially
(RED devices are fully supported in XG Firewall, but RED tunnels between firewalls are not yet supported)
- A couple of Advanced Web Protection features are not supported initially, including block page override using a password and category-based quota time policies (global quotas are supported)
- Two-Factor Authentication is not supported initially
- Sophos Mobile Control integration is not supported initially
- Sophos Endpoint Deployment and Management from within the UTM is not supported (customers are encouraged to switch to Sophos Cloud Endpoint to take advantage of Security Heartbeat™)
Can I centrally manage both UTM 9 and XG Firewall with the new Sophos Firewall Manager?
Sophos UTM Manager (SUM) is the centralized management platform for UTM 9 and is still supported for managing multiple UTM 9 devices. It cannot manage XG Firewall devices.
Sophos Firewall Manager (SFM) is the new centralized management platform for XG Firewall. It cannot manage UTM 9 devices, so if you plan to run a mix of UTM 9 and XG Firewall devices, you will need both SUM and SFM for centralized management.
Can I centrally report on both UTM 9 and XG Firewall with the new Sophos iView?
Yes. The new version of Sophos iView provides consolidated report for UTM 9, XG Firewall, and CyberoamOS devices.
How can I take advantage of the new Security Heartbeat™?
Sophos Security Heartbeat requires both Sophos XG Firewall and Sophos Cloud Endpoint. Learn more about Security Heartbeat.
Where can I get further information?
Please contact your Sophos Partner should you have any further questions and follow the Sophos Blog for ongoing news and updates related to your Sophos products. You can sign up for the Sophos Blog newsletter by entering your email address in the sign-up field in the upper right corner of the blog homepage. You can also sign up for our RSS feed