Sophos SG hardware running UTM OS reaches end-of-life on June 30, 2026. After that date: no updates, no security patches, no support. If you're still running Sophos UTM, you have about 7 months to migrate.
License Renewal Deadline
June 30, 2025 is the last day to renew existing UTM licenses. After that, no extensions possible.
Timeline
April 2023
End of sales for SG hardware and UTM licenses. No new purchases possible.
October 2023
License model restructured. Three-year licenses discontinued.
June 30, 2025
Final opportunity to renew existing UTM licenses. After this date, no extensions.
June 30, 2026
Complete end-of-life. No updates, no security patches, no support. Running unsupported firewall software is a security and compliance risk.
Your Options
EOL announcements are a natural point to re-evaluate. You don't have to stick with Sophos. Maybe the UTM was chosen 8 years ago for reasons that no longer apply. Maybe your requirements have changed. Maybe you've outgrown it.
Stay with Sophos: XGS
Sophos recommends migrating to XGS Firewall with their latest Firewall OS. New platform, new interface, new feature set. If you're happy with Sophos and they fit your needs, this is the straightforward path.
Different Vendor
Palo Alto, Fortinet, Check Point—each has strengths depending on your requirements. Need better logging and analytics? Want tighter integration with your SIEM? Looking for specific compliance certifications? Different vendors, different strengths.
Managed Firewall from Us
We provide managed firewalls based on Cisco ASAv. A true firewall—stateful packet inspection, ACLs, NAT. No "next-gen" bloat. IDS/IPS, application control, content filtering belong elsewhere in your stack, not on the firewall. We handle the hardware, updates, monitoring, and rule changes. You focus on your business.
We Help You Choose
We're vendor-agnostic for recommendations. We understand your architecture, your requirements, your budget—and recommend what actually fits. Sometimes that's staying with Sophos. Sometimes it's a different vendor. Sometimes it's our managed ASAv service where you don't touch the firewall at all.
The Migration Problem
The technical migration isn't the hard part. Export config, import to new platform, done. The hard part is what happens when you look at that config.
- Rules created years ago by people who left the company
- No documentation explaining why specific rules exist
- Objects named "temp-fix" or "test-rule" that are clearly production
- Overly permissive rules nobody dares to tighten
- Rules for systems that were decommissioned but never cleaned up
You could migrate everything as-is and carry the technical debt to the new platform. Or you could use this as an opportunity to clean up—but that requires understanding what every rule does.
Traditional approach: interview application owners, dig through old tickets, make educated guesses. Takes months. Still misses things.
How We Help
Traffic-Based Rule Generation
We built a toolkit to generate firewall rules from packet captures. Mirror your firewall interfaces, capture traffic for a week, and we generate access-lists based on what actually flows through the network. Gets you to the first 90% fast. Still needs manual audit, but you're auditing real traffic patterns instead of guessing.
Read more about pcap_or_it_didnt_happen.sh
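As an added illustration of the idea (not the toolkit's own code), the sketch below turns connection records already extracted from a capture into ASA-style access-list entries and sets aside rarely seen flows for the manual audit. The record format, the ACL name `FROM_CAPTURE`, the `min_hits` threshold and all sample addresses are assumptions made for this example.

```python
import ipaddress
from collections import Counter

# Constructed sample, one record per new connection seen on the mirror port
# (TCP SYN without ACK, or first UDP packet): proto src sport dst dport
SAMPLE_FLOWS = """\
tcp 10.1.20.15 51544 10.1.30.10 443
tcp 10.1.20.15 51892 10.1.30.10 443
tcp 10.1.20.16 40112 10.1.30.10 443
tcp 10.1.20.16 40388 10.1.30.10 443
udp 10.1.20.15 53311 10.1.10.53 53
udp 10.1.20.15 49020 10.1.10.53 53
tcp 10.1.20.99 60001 10.1.30.22 3389
garbage line
"""

def parse_flows(text):
    """Count connections per (proto, src, dst, dport), dropping the ephemeral source port."""
    counts = Counter()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] not in ("tcp", "udp"):
            continue  # malformed line or unsupported protocol
        proto, src, _sport, dst, dport = fields
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # not a valid address or port
        if 0 < port < 65536:
            counts[(proto, src, dst, port)] += 1
    return counts

def generate_acl(counts, name="FROM_CAPTURE", min_hits=2):
    """Return (rules, review): flows seen fewer than min_hits times go to review, not into the ACL."""
    rules, review = [], []
    for (proto, src, dst, port), hits in sorted(counts.items()):
        ace = f"access-list {name} extended permit {proto} host {src} host {dst} eq {port}"
        (rules if hits >= min_hits else review).append((ace, hits))
    return rules, review

if __name__ == "__main__":
    rules, review = generate_acl(parse_flows(SAMPLE_FLOWS))
    for ace, hits in rules:
        print(f"{ace}  ! {hits} connections")
    for ace, hits in review:
        print(f"! REVIEW ({hits} connection): {ace}")
```

Traffic that did not occur during the capture window, such as monthly batch jobs or failover paths, produces no rule at all, which is part of what the manual audit has to catch.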
Migration Services
We handle the full migration: capture, analysis, rule generation, audit with your application teams, implementation on the new platform. Typical engagement: 2–4 weeks from kickoff to completed ruleset.
Hosting and Platform Services
If you're also looking at infrastructure changes—new datacenter, cloud migration, managed services—we run our own European datacenters on AS215197. Managed Kubernetes, GPU compute, storage servers. No third-party bottlenecks, direct peering with DE-CIX Frankfurt and AMS-IX.
Learn more about Zero Services
Timeline
7 months until EOL. If you have complex rulesets or multiple firewalls, start planning now. The audit process takes time, and you want buffer before the deadline.