🔴 End of Life: June 30, 2026 — 3.5 months remaining

Sophos UTM 9 is reaching end of life.
Your firewall needs a replacement now.

Sophos UTM 9 on SG hardware loses all security patches and vendor support on June 30, 2026. An unpatched perimeter firewall is not a theoretical risk — it is an open door. This guide covers the full timeline, what to export, every realistic migration option, and a step-by-step checklist to get you off UTM 9 before the deadline.

Last updated: March 14, 2026

⭐ Top migration paths from Sophos UTM 9
Sophos XGS Firewall Official upgrade path. Familiar vendor, new hardware platform, SFOS OS. Official upgrade path → pfSense Open-source firewall. Free CE edition or pfSense Plus with support. Free edition available → OPNsense Modern open-source firewall with weekly updates and active development. Free & open-source → Fortinet FortiGate Enterprise NGFW with ASIC acceleration. Strong SMB and enterprise lineup. Compare models →
In this guide:
  1. What's happening and why
  2. End-of-life timeline
  3. Why running UTM 9 past EOL is dangerous
  4. How to export your UTM 9 configuration
  5. Alternative firewall comparison
  6. Migration checklist (step-by-step)
  7. Frequently asked questions

1. What's happening and why

Sophos announced the end-of-life for Sophos UTM 9 on SG-series hardware in 2023. The decision follows a strategic shift by Sophos toward their next-generation Firewall OS (SFOS) platform, which runs on the newer XGS-series hardware.

UTM 9 was an excellent product in its time. It combined stateful packet inspection, intrusion prevention, web filtering, email security, application control, and site-to-site VPN in a single appliance. But it was built on an architecture that predates cloud-native security concepts, and Sophos has invested their engineering resources in the SFOS platform instead.

What this means for organizations still running UTM 9:

This is not like a SaaS tool shutting down. An unpatched firewall does not just "stop working." It keeps running — but every known (and future) vulnerability in UTM 9's codebase goes unpatched permanently. Threat actors actively scan for outdated firewall firmware. Sophos appliances have been targeted in the past precisely because they are perimeter devices with high privilege.

The urgency here is real. Unlike a project management tool or a chat platform, your firewall processes every single packet entering and leaving your network. An exploited firewall means full network visibility for an attacker, not just data loss in one application.

2. End-of-life timeline

April 2023
Sophos ends sales of SG-series hardware and new UTM 9 licenses. No new purchases possible after this date.
October 2023
License model restructured. Three-year UTM license renewals discontinued. Only shorter-term renewals available.
June 30, 2025
Final opportunity to renew existing UTM licenses. After this date, no license extensions are possible. Appliances running on expired licenses have restricted feature access.
March 2026 ← you are here
Migration window is open. 3.5 months until full EOL. This is the right time to plan and execute your migration — not after the deadline.
June 30, 2026 ⚠️
Complete end-of-life. No further software updates, security patches, or Sophos technical support. Running UTM 9 past this date is a security and compliance violation in most regulated environments.
After June 30, 2026
Any vulnerability discovered in UTM 9 after this date will never be patched. Sophos will not assist with hardware failures, crashes, or security incidents on SG-series hardware.

3. Why running UTM 9 past EOL is dangerous

Every network security professional knows this, but it bears stating clearly for anyone who needs to make the business case internally: running an unpatched firewall is categorically different from running any other unpatched software.

Perimeter exposure

Your firewall sits at the edge of your network, directly exposed to the public internet. It processes every connection attempt — from legitimate users, partners, and remote workers, and from automated scanners, botnet traffic, and targeted attacks. A vulnerability in the firewall code itself (not just the traffic it processes) means an attacker can exploit the appliance directly, bypassing all downstream security controls.

Sophos UTM vulnerabilities have been exploited before. CVE-2022-1040 (a critical auth bypass affecting Sophos Firewall) was actively exploited in the wild within days of disclosure. Once UTM 9 is past EOL, similar vulnerabilities will not receive patches — and attackers know exactly which firmware versions are unpatched.

Compliance impact

If your organization operates under any of the following frameworks, running unsupported software at the network perimeter is a direct violation:

Hardware failure risk

SG-series hardware is aging. Sophos will not help you RMA a failed unit after June 30, 2026. If your SG appliance suffers a hardware failure after EOL — failed power supply, disk failure, corrupted firmware — you are on your own. Sourcing replacement hardware or restoring a backup onto new hardware becomes your problem with no vendor assistance.

The business case for immediate migration: The cost of a firewall migration (typically $5,000–$50,000 in hardware and labor depending on environment complexity) is small compared to the cost of a breach facilitated by an unpatched perimeter device. Ransomware recovery averages $1.5M for SMBs. Migrate now while you control the timeline.

4. How to export your UTM 9 configuration

Before you decommission your UTM 9 appliance, capture everything. This is your reference for rebuilding on the new platform — and your safety net if something goes wrong mid-migration.

Full system backup (recommended first step)

  1. Log in to the UTM 9 web admin interface (WebAdmin)
  2. Navigate to Management → Backup/Restore
  3. Click Download Backup — this downloads a full encrypted backup of your UTM 9 configuration
  4. Store this backup in at least two locations: local server + off-site (cloud storage or tape)
  5. Verify the backup is complete and not corrupted — check the file size is reasonable for your config

The backup includes: firewall rules, network objects, NAT policies, routing table, VPN configurations, web filtering profiles, email gateway settings, authentication settings, DHCP leases, and certificates.

Document your firewall rule inventory

Even with a backup, you should create a human-readable inventory of your firewall rules. This is your migration reference and will also surface technical debt (rules for decommissioned systems, overly permissive rules, orphaned objects):

  1. Navigate to Network Protection → Firewall — review and export the rule list (screenshot or use the API)
  2. Navigate to Network Protection → NAT — document all DNAT and SNAT rules
  3. Navigate to Definitions & Users → Network Definitions — list all custom network objects
  4. Navigate to Definitions & Users → Service Definitions — list all custom service objects
  5. For each firewall rule, note: source zone, destination zone, service, action, schedule, logging setting, and any linked IPS/application control policy

Export VPN configurations

VPN is often the most complex part of a UTM 9 migration. Export and document everything:

  1. Site-to-site IPsec: Navigate to Site-to-site VPN → IPsec — document each tunnel: remote gateway IP, pre-shared key, IKE/ESP settings, phase 1 and phase 2 proposals, local and remote networks
  2. SSL VPN (remote access): Navigate to Remote Access → SSL — export the server configuration, user group assignments, and the CA certificate
  3. RED tunnels: Navigate to RED Management — document each RED device serial number, tunnel configuration, and assigned network
  4. PPTP/L2TP (if in use): Document user assignments and network settings
  5. Export your CA and any site certificates from Site-to-site VPN → Certificate Management

Export web and email filtering settings

  1. Web Filtering: Navigate to Web Protection → Web Filtering Profiles — document each profile's categories, exceptions, and HTTPS inspection settings
  2. Application Control: Navigate to Network Protection → Application Control — list all application control rules and policies
  3. Email Protection: Navigate to Email Protection → SMTP — document routing, antispam thresholds, quarantine settings, and allowed/blocked senders
  4. Exceptions and whitelists: These are almost always the hardest thing to recreate — export them all
Migration insight from the field: The hardest part of a UTM 9 migration is not the technical configuration — it is auditing your existing rules. Most UTM 9 appliances that have been running for 5+ years have accumulated rules for systems that no longer exist, rules created as "temporary fixes" that became permanent, and overly permissive rules that nobody dares to tighten. Use this migration as an opportunity to clean up, not just copy forward.

Network topology documentation

Before starting migration, document your current network topology:

5. Alternative firewall comparison

Five realistic migration targets for Sophos UTM 9, evaluated on feature parity, migration effort, licensing model, and fit for different organization sizes.

Sophos XGS pfSense OPNsense Fortinet FortiGate WatchGuard
Best for Sophos-familiar orgs wanting same vendor Technical teams wanting open-source control Open-source with modern UI + active dev Enterprise with performance requirements SMB wanting managed security bundles
Licensing model Hardware + annual subscription Free CE / pfSense Plus subscription Free / Business Support subscription Hardware + FortiGuard subscription Hardware + Total Security Suite
Firewall / NAT / routing ✅ Full ✅ Full ✅ Full ✅ Full (ASIC-accelerated) ✅ Full
IDS/IPS ✅ Xstream IPS ✅ Snort / Suricata ✅ Suricata ✅ FortiGuard IPS ✅ APT Blocker
Web filtering ✅ Full (cloud-assisted) ✅ pfBlockerNG / Squid ✅ Web Proxy / ads blocking ✅ FortiGuard Web Filtering ✅ WebBlocker
SSL/TLS inspection ✅ Yes ✅ via Squid ✅ via proxy ✅ Yes ✅ Yes
Site-to-site VPN ✅ IPsec, SD-WAN ✅ IPsec, WireGuard, OpenVPN ✅ IPsec, WireGuard, OpenVPN ✅ IPsec, FortiClient VPN ✅ IPsec, BOVPN
Remote access VPN ✅ Sophos Connect (SSL/IPsec) ✅ OpenVPN, WireGuard, IPsec ✅ OpenVPN, WireGuard, IPsec ✅ FortiClient EMS ✅ AuthPoint MFA
Email gateway ✅ Email Protection module ❌ (needs separate solution) ❌ (needs separate solution) ✅ FortiMail (separate) ❌ (needs separate solution)
High availability ✅ Active-passive HA ✅ CARP HA ✅ CARP HA ✅ Active-passive / active-active ✅ Active-passive
UTM 9 config migration ⭐⭐⭐ Partial tool available ⭐⭐ Manual rebuild ⭐⭐ Manual rebuild ⭐⭐ Manual rebuild ⭐⭐ Manual rebuild
Typical SMB cost (3yr TCO) $3,000–$15,000 $0–$2,000 (hardware only) $0–$2,000 (hardware only) $2,500–$12,000 $2,000–$10,000

Detailed review: each alternative

Sophos XGS FirewallOfficial upgrade path
🟢 Pros
  • Same vendor, familiar support channels
  • Sophos Central unified management console
  • Xstream Architecture with TLS inspection at line speed
  • Built-in SD-WAN and application-aware routing
  • Sophos provides a partial migration tool for UTM 9 configs
  • Strong SMB and mid-market sizing (XGS 107 through XGS 7500)
🔸 Considerations
  • SFOS is architecturally different from UTM 9 — do not expect a 1:1 migration
  • Web filtering and email protection require separate subscription bundles
  • Annual subscription costs add up; factor into 3-year TCO
  • Complex UTM 9 configs (especially email gateway) need full manual rebuild
💡 Best for: Organizations already invested in the Sophos ecosystem, using Sophos Intercept X for endpoint, and wanting single-vendor management. The migration path is the most supported of all options.

View Sophos XGS lineup →

pfSenseBest open-source option for technical teams
🟢 Pros
  • pfSense Community Edition is free — no licensing cost
  • Runs on commodity x86 hardware (Netgate appliances or DIY)
  • Mature, battle-tested codebase with large community
  • Full stateful firewall, NAT, routing, VLANs
  • WireGuard and OpenVPN for remote access VPN
  • Snort/Suricata IDS/IPS packages available
  • pfBlockerNG for DNS-based threat blocking
🔸 Considerations
  • No integrated email gateway (must move to separate solution)
  • Web filtering less polished than UTM 9's built-in solution
  • No commercial support in CE — community forums and documentation only
  • pfSense Plus (Netgate hardware) required for commercial support
  • UI can be overwhelming for teams new to open-source firewalls
💡 Best for: IT teams with Linux/BSD skills who want full control, zero license cost, and are comfortable with community support. Not for teams that relied heavily on UTM 9's email gateway.

Visit pfSense.org →

OPNsenseModern open-source with active development
🟢 Pros
  • Weekly security releases — one of the fastest patch cycles of any firewall
  • Modern, clean web UI built on Bootstrap
  • WireGuard native support (no package needed)
  • Suricata IDS/IPS with ET Open ruleset
  • HAProxy plugin for advanced reverse proxy / load balancing
  • Unbound DNS resolver with DNSSEC
  • Business Support subscriptions available from Deciso
  • Active community and excellent documentation
🔸 Considerations
  • No integrated email gateway
  • Smaller plugin ecosystem than pfSense for some niche features
  • Deciso Business Support can be expensive for small orgs
💡 Best for: Organizations that want open-source but prefer a more polished, actively maintained platform over pfSense. Excellent choice for teams comfortable with FreeBSD-based systems.

Visit OPNsense.org →

Fortinet FortiGateHigh-performance enterprise NGFW
🟢 Pros
  • ASIC-accelerated throughput — significantly outperforms software-based firewalls
  • Comprehensive UTM features (IPS, web filtering, application control, antivirus)
  • FortiGuard threat intelligence with excellent detection rates
  • Fabric integration with FortiEDR, FortiSIEM, FortiAnalyzer
  • Strong SD-WAN capabilities with application steering
  • Wide product range from desktop (FortiGate 40F) to data center
🔸 Considerations
  • FortiOS has had several high-severity CVEs in recent years — keep patching diligently
  • Annual FortiGuard subscription required for threat intelligence features
  • FortiOS has a steeper learning curve than UTM 9
  • Full feature set (FortiMail, FortiAnalyzer) requires additional licensing
💡 Best for: Organizations with higher throughput requirements (100Mbps+), enterprise security teams wanting Fortinet Security Fabric integration, or environments already using FortiClient endpoint protection.

View FortiGate lineup →

WatchGuard FireboxSMB-focused with bundled security services
🟢 Pros
  • Total Security Suite bundles all UTM services in one price
  • WatchGuard Cloud for centralized management
  • AuthPoint MFA integrated for VPN and admin access
  • Tabletop appliances well-suited to branch office deployments
  • WatchGuard TDR (Threat Detection and Response) for endpoint correlation
  • Good SMB support track record
🔸 Considerations
  • Less market share than Fortinet — smaller reseller ecosystem
  • Total Security Suite pricing adds significant cost over hardware
  • WatchGuard Cloud management has less depth than FortiManager or Sophos Central
  • Not ideal for organizations that need high throughput or complex routing
💡 Best for: SMBs wanting a straightforward Sophos UTM 9 replacement with comparable bundled security services and reasonable pricing. Good option if you currently use Sophos for SMB and want equivalent management simplicity.

View WatchGuard Firebox →

Recommendation by use case

Want to stay with Sophos
Sophos XGS Firewall
Official upgrade path with partial config migration tooling. Best choice if you use Sophos Intercept X for endpoint and want unified Sophos Central management.
Technical team, zero license cost
OPNsense or pfSense
Open-source platforms with full firewall capabilities on commodity hardware. OPNsense recommended for its faster patch cycle and modern UI.
Enterprise with performance needs
Fortinet FortiGate
ASIC-accelerated throughput, comprehensive threat intelligence, and Fortinet Security Fabric integration for enterprise security teams.
SMB wanting simple all-in-one
WatchGuard Firebox
Bundled Total Security Suite covers equivalent UTM features. Good SMB track record and WatchGuard Cloud management.

6. Migration checklist

A practical step-by-step plan for migrating from Sophos UTM 9. Adjust timeline based on your environment's complexity. Start immediately — June 30, 2026 is a firm deadline.

Phase 1: Audit and document (Weeks 1–2)
  • Take a full system backup from UTM 9 WebAdmin (Management → Backup/Restore)
  • Export and document all firewall rules — identify rules for decommissioned systems and clean up
  • Document all NAT rules (DNAT and SNAT)
  • Document all VPN configurations (IPsec tunnels, SSL VPN, RED devices)
  • Export all certificates from the UTM 9 certificate store
  • Document all web filtering profiles and exceptions
  • Document all network definitions and custom service objects
  • Document physical interface assignments, VLAN configurations, and routing table
  • Photograph or diagram the physical cabling at the appliance
Phase 2: Choose your replacement and order hardware (Weeks 2–3)
  • Select your replacement platform using the comparison above
  • Size the new appliance correctly — match your throughput, connection count, and feature requirements
  • Order hardware immediately — supply chain delays for network appliances can be 4–12 weeks
  • Plan your licensing/subscription model and get budget approval
  • If replacing email gateway function: evaluate standalone alternatives (Proofpoint, Microsoft Defender for Email, Mimecast)
Phase 3: Build and test in lab (Weeks 3–6)
  • Set up the new firewall in a test/lab environment — do NOT cut over production until fully tested
  • Rebuild firewall rules on the new platform (start with critical rules first)
  • Configure NAT rules and verify they work with test traffic
  • Rebuild all VPN tunnels — test each site-to-site tunnel and remote access profile
  • Configure IDS/IPS policies and tune to avoid false positives in your environment
  • Configure web filtering and verify critical business applications are not blocked
  • Test high availability failover (if applicable)
  • Document the new configuration as you build it
Phase 4: Cutover planning and execution (Weeks 6–8)
  • Schedule the cutover during a low-traffic maintenance window (weekend or overnight)
  • Notify all relevant stakeholders (IT team, management, VPN users) in advance
  • Prepare a rollback plan — keep UTM 9 cabled and ready to reconnect if needed
  • Execute the cutover: disconnect UTM 9 and connect the new appliance
  • Verify connectivity for all network segments immediately after cutover
  • Test all VPN tunnels — have remote site contacts on standby during cutover
  • Monitor firewall logs closely for the first 48–72 hours post-cutover
  • Keep UTM 9 in an accessible state for 2 weeks as rollback option
Phase 5: Post-migration cleanup
  • Archive all UTM 9 backups and configuration documentation permanently
  • Decommission the SG hardware or securely dispose of it
  • Update your network diagram and asset register
  • Update internal IT runbooks and procedures for the new platform
  • Remove Sophos UTM 9 from compliance scope documentation
  • Train relevant IT staff on the new platform's management interface
  • Set up monitoring alerts on the new firewall (CPU, memory, connection table utilization)
Order hardware now. Network appliance supply chains are under pressure in 2026. Some FortiGate and Sophos XGS models have lead times of 8–14 weeks. If you wait until June to order, you will not receive hardware before the EOL date. Order your replacement appliance this month.

7. Frequently asked questions

When does Sophos UTM 9 reach end of life?

Sophos UTM 9 on SG hardware reaches complete end-of-life on June 30, 2026. After that date, Sophos will provide no further software updates, security patches, or technical support. The last day to renew existing UTM licenses was June 30, 2025.

Can I still use Sophos UTM 9 after June 30, 2026?

Technically the software will still run, but you will receive no security patches, no bug fixes, and no vendor support. Running an unpatched firewall is a critical security risk — especially for a perimeter security device. Most compliance frameworks (ISO 27001, SOC 2, HIPAA, PCI DSS) explicitly prohibit using software beyond its vendor-supported lifecycle.

What is the official Sophos-recommended upgrade path from UTM 9?

Sophos recommends migrating to the XGS Firewall appliance running Sophos Firewall OS (SFOS). This is a new hardware platform with a redesigned operating system. Your existing UTM 9 configuration does not migrate automatically — you will need to recreate firewall rules, NAT policies, VPN tunnels, and network objects on the new platform.

Does Sophos UTM 9 configuration migrate to XGS Firewall?

Not automatically, and not completely. Sophos provides a configuration export/import tool that handles some objects (network definitions, some firewall rules), but the two platforms use different architectures. VPN configurations, web filtering policies, and advanced routing rules typically need to be recreated manually. Plan for 2–4 weeks of migration work even with the official tooling.

Is pfSense a good replacement for Sophos UTM 9?

pfSense (Community Edition or pfSense Plus) is a capable open-source firewall alternative. It handles stateful packet inspection, VPN (OpenVPN, WireGuard, IPsec), VLAN management, and traffic shaping. It lacks UTM 9's integrated email gateway. pfSense CE is free; pfSense Plus requires a Netgate subscription. Best for teams with internal IT expertise who want full control.

What about OPNsense — how does it compare?

OPNsense is an open-source firewall based on FreeBSD (forked from pfSense in 2015). It has a modern web UI, active development, weekly security updates, and a strong plugin ecosystem. It supports stateful firewall, VPN (WireGuard, OpenVPN, IPsec), IDS/IPS via Suricata, and HAProxy for reverse proxying. OPNsense is free, with Business Support subscriptions available from Deciso.

How long does migrating from Sophos UTM 9 take?

Simple setups (basic NAT, a few VPN tunnels, standard web filtering): 2–4 weeks. Complex environments (site-to-site VPNs, application control, web application firewall, email gateway, RED tunnels, high availability): 6–12 weeks. Order replacement hardware immediately — supply chain lead times can be 8–14 weeks.

What happens to my Sophos UTM 9 licenses after EOL?

License renewals ended June 30, 2025. If your license has already expired, you may have reduced functionality now. After the June 30, 2026 EOL date, the hardware appliance itself becomes unsupported — Sophos will not help you troubleshoot hardware failures, software crashes, or security incidents on SG-series hardware.

Will my cyber insurance still cover me if I'm running UTM 9 past EOL?

Potentially not. Many cyber insurance policies now include explicit exclusions for incidents involving systems running beyond vendor-supported EOL dates. Review your policy carefully. If you file a claim for a breach facilitated by an unpatched UTM 9 after June 30, 2026, your insurer may deny the claim. Consult your broker before the EOL date.

⚠️ Get EOL Alerts for Security Products

We track end-of-life dates for firewalls, network security appliances, and SaaS tools. Know before the deadline — not after.

June 30, 2026 is a hard deadline. Start now.

Sophos UTM 9's EOL is not a soft sunset — it is a firm security deadline. Order replacement hardware this month, begin your rule audit this week, and run your migration before the window closes.

An unpatched perimeter firewall is not a compliance risk. It is an open door.

See all EOL products → Migration survival guide →

More migration guides

Independent, no-BS guides for software products reaching end of life.

SharePoint Server & Exchange Server EOL Guide →
Exchange 2016/2019 ESU ends April 14, 2026. SharePoint 2016/2019 support ends July 14, 2026.

Atlassian OpsGenie Migration Guide →
Sunsetting April 5, 2027. On-call and alerting alternatives.

QuickBooks Desktop 2023 Migration Guide →
End of support May 31, 2026. Small business accounting alternatives.

Workplace from Meta Migration Guide →
Shutting down June 1, 2026. Enterprise communication alternatives.

Delighted Migration Guide →
Sunsetting June 30, 2026. NPS/CSAT survey alternatives.

The SaaSpocalypse Is Real (Blog) →
Data analysis: 47+ enterprise SaaS tools sunsetting in 2025-2027.

SaaSpocalypse Survival Kit (Blog) →
Your checklist for navigating the wave of SaaS sunsets.

All Blog Posts →
Analysis and insights on the SaaS sunsetting trend.

Drift Migration Guide →
Salesloft shutting down Drift. Conversational marketing alternatives.

Salesforce Quip Migration Guide →
No renewals after March 2027. Document collaboration alternatives.

SAP Marketing Cloud Migration Guide →
Sunsetting December 2026. Marketing automation alternatives.

Full Sunset Tracker →
All SaaS and software products being retired in 2025–2027.