Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: Importing User definitions into Sophos Firewall after v18.0 MR3 and v17.5 MR14

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

In recent MR releases there have been several changes to improve the security of Sophos Firewall and to make it more difficult for attackers to get hold of sensitive information if something does go wrong. 

One of the changes was to remove the ability to export and import user accounts using csv files. There were several security concerns about this feature, in particular the added risk of exposure of password material that it encourages. Many customers now manage users by connecting their firewalls to an external directory service, such as Active Directory, which overall creates a much more secure and manageable environment.

However some customers have established processes that rely on importing lists of users from time to time. What can they do?

SFOS has an XML API that provides a way to automatically manage most objects and features that can be controlled via the Webadmin user interface, and User objects are no exception.

Using the XML API is a great alternative to the old CSV import feature for bulk adding of on-device user accounts.

But how? Well, here's an example. The attached Python program can read basic user data from a csv file and post it directly to your firewall's XML API. It basically replicates the old CSV import functionality.

*NOTE* If Python is not your thing, please check out the reply below in this thread where I added a Powershell version of this script. This can be run directly in Powershell on Windows without installing any other software.

If you have a process where, from time to time, you create a csv file with new user information in it, you can now use this script instead to import it directly instead of navigating through the WebAdmin UI.

PLEASE NOTE: The attached script does not currently work on SFOS installations where the Default Configuration Language is not English. I am working on an update and will post it here soon.

Here's how to do it. Not all steps will be required for everyone - if you already use Python, or if you use a Mac that has Python built-in, you should be pretty much set to go. 

Enabling XML API on your firewall

  1. Log in to your Sophos Firewall as an Administrator account
  2. Navigate to Backup & firmware > API
  3. Under API configuration, check the 'Enabled' box
  4. Under Allowed IP address, enter the IP address of the computer where you are going to run this program

Installing Python 3 and preparing dependencies

  1. Install Python 3 on your computer.
    1. Python 3 comes built in to some Unix-based systems, including MacOS.
    2. For Windows systems, you can download and install the latest Python installer from https://www.python.org
    3. For Linux distributions, your system's default package manager will almost certainly have a suitable package ready to install.
  2. When installing Python on Windows, make sure to select the option to "Add Python to PATH" on the first screen of the installer. This will allow you to run python scripts from a Windows command prompt.
  3. After installation completes, open a new Command Prompt window.
  4. Install additional libraries that are required to run this program - run
    C:\Users\John> pip install requests python-certifi-win32
  5. If you have enabled TLS decryption on your Sophos Firewall and get a certificate error running this command, you can either create a decryption exclusion for the domain pypi.org or get a copy of your firewall's root CA certificate in a file and rerun the command as follows:
    C:\Users\John> pip install requests python-certifi-win32 --cert mycacert.pem

Prepare your CSV file

This script expects you to provide a csv file, with fields separated by commas. Users with regional preferences that create csv files with semicolons or other characters may find that it works, or may need to adjust the script accordingly.

The file must have the following columns - Name, Username, Password, Email Address, Group:

Example file:

Name,Username,Password,Email Address,Group
Nigel Brown,nbrown,Pa5s!w0rd19,nigel.brown@example.com,Open Group
Gina Lopez,glopez,e1Azjr8q9^21,gina.lopez@example.com,Open Group

Downloading and running the script

Download this zip file and extract it to a directory on your computer. The rest of these instructions assume you saved it in 'Downloads', and that the csv file containing the users you want to add is in 'Documents' and called users.csv

Run the following command, substituting your firewall's hostname or IP address, admin username and password. If you're using an account with multi-factor authentication (OTP) then don't forget to append the authentication code to the end of the password:

C:\Users\John> python Downloads\UserImport.py -f myfirewall.example.com -i Documents\users.csv -u admin -p A1B2c3d4!!E5 -a

If you see exception messages related to certificate trust issues, try running the same command again, but add '-n' as an additional command-line qualifier. The argument '-n' tells Python to ignore any certificate validation errors when connecting to the firewall - python does not automatically pick up any additional root CAs from your Windows installation:

C:\Users\John> python Downloads\UserImport.py -f myfirewall.example.com -i Documents\users.csv -u admin -p A1B2c3d4!!E5 -a -n

As long as the details of all the users are correct, the import should proceed successfully. If it does not, check the message responses for clues as to what went wrong.

Troubleshooting

  • Error code 534: API operations are not allowed from the requester IP address.
    • You need to add the IP address of your computer to the 'Allowed IP' list on your Sophos Firewall at Backup & firmware > API
  • Login status: Authentication Failure
    • The username or password were incorrect.
    • The user specified is not an Administrator.
    • If the user is configured to use multi-factor authentication using one-time passwords, you'll need to add the current authentication code at the end of the user's password at the command line.
  • Error code 532: You need to enable the API Configuration.
    • You need to enable API configuration as shown in the steps above, under "Enabling XML API on your firewall"
  • Status 599, Message: Not having privilege to add/modify configuration.
    • The admin account specified is configured with a Device access profile that does not allow 'Write' operations for User objects.
  • Status 502, Message: A user with the same name already exists
    • You are in add mode (with the command line argument '-a') and there is already a user matching the name specified in your csv
    • If you want to update existing user records with the same name, omit the '-a' command line argument. This tells the script to send an 'update' command instead of an 'add' command to the XML API.
  • Status 511, Message: Operation failed. Please contact Support.
    • Run the following command to check applog.log:

      grep "common-password db" /log/applog.log

      Example:

      XGS107_SN01_SFOS 19.0.1 MR-1-Build365# grep "common-password db" /log/applog.log
      Nov 30 18:11:38Z Given password is found in common-password db, Try with different password

    • If this log line matches with the recent timestamp, then try using a different password in the csv file.

Python code

If you don't want to download the code as a zip file, you can copy and paste it from here:

# UserImport
#
# Takes basic User definitions from a CSV file and posts
# them to an XG Firewall using the XML API

import xml.etree.ElementTree as ET
import argparse
import requests
import sys
import configparser
import csv

serial = 0

UserAPIAddResults = {
    "200": (True, "User registered successfully"),
    "500": (False, "User couldn't be registered"),
    "502": (False, "A user with the same name already exists"),
    "503": (False, "A user with the same L2TP/PPTP IP already exists"),
    "510": (False, "Invalid password - doesn't meet complexity requirements")
}

UserAPIUpdateResults = {
    "200": (True, "User registered successfully"),
    "500": (False, "User couldn't be updated"),
    "502": (False, "A user with the same name already exists"),
    "503": (False, "A user with the same L2TP/PPTP IP already exists"),
    "510": (False, "Invalid password - doesn't meet complexity requirements"),
    "541": (False, "There must be at least one Administrator"),
    "542": (False,
            "There must be at least one user with Administrator profile")
}


def eprint(*args, **kwargs):
    # Print to stderr instead of stdout
    print(*args, file=sys.stderr, **kwargs)


def getArguments():
    parser = argparse.ArgumentParser(
        description='Grab a list of video IDs from a YouTube playlist')

    parser.add_argument(
        '-f', '--firewall',
        help=("To call the API directly, specify a firewall hostname or IP. "
              "Without this, an XML API document will be output to stdout."),
        default=argparse.SUPPRESS)
    parser.add_argument(
        '-i', '--input', metavar="FILENAME",
        help=("Name of CSV file containing these columns:"
              " Name, Username, Password, Email Address, Group"),
        default=argparse.SUPPRESS)
    parser.add_argument(
        '-u', '--fwuser', metavar="ADMIN-USERNAME",
        help='Admin username for the XG firewall',
        default='admin')
    parser.add_argument(
        '-p', '--fwpassword', metavar="ADMIN-PASSWORD",
        help='Password for the XG user - defaults to "admin"',
        default='password')
    parser.add_argument(
        '-a', '--add',
        help=('Call API in "Add" mode - use first time only (otherwise'
              ' Update will be used)'),
        action='store_true')
    parser.add_argument(
        '-n', '--insecure',
        help="Don't validate the Firewall's HTTPS certificate",
        action='store_false')
    parser.add_argument(
        '-1', '--oneshot',
        help=("Create a single enormous XMLAPI transaction instead "
              " of multiple smaller ones. Only used when outputting "
              "to stdout "),
        action='store_true')
    parser.add_argument(
        '-x', '--useimpex',
        help=("Create an Entities.xml-style file for inclusion in an "
              " Import tarball"),
        action='store_true')

    return parser.parse_args()


def readConfig():
    # Read in the temp config file (if it exists)
    global config
    global workingPath

    config = configparser.ConfigParser()
    config.read(workingPath)


def getserial():
    # Returns an incrementing serial number. Used to reference individual
    # XMLAPI transactions.
    global serial
    serial = serial + 1
    return str(serial)


def xgAPIStartUser(username, name, password, email,
                   group="Open Group", usertype="User",
                   surfquota="Unlimited Internet Access",
                   accesstime="Allowed all the time",
                   datatransferpolicy="", qospolicy="", sslvpnpolicy="",
                   clientlesspolicy="", status="Active", l2tp="Disable",
                   pptp="Disable", cisco="Disable",
                   quarantinedigest="Disable", macbinding="Disable",
                   loginrestriction="UserGroupNode",
                   accessschedule="All The Time", loginrestrictionapp="",
                   isencryptcert="Disable", simultaneouslogins="Enable"):
    # Returns a complete XML User record with some sane defaults which can
    # be modified later, if you want.

    userblock = ET.Element('User', transactionid=getserial())
    ET.SubElement(userblock, 'Username').text = username
    ET.SubElement(userblock, 'Name').text = name
    ET.SubElement(userblock, 'Password').text = password
    ET.SubElement(ET.SubElement(userblock, 'EmailList'),
                  'EmailID').text = email
    ET.SubElement(userblock, 'Group').text = group
    ET.SubElement(userblock, 'SurfingQuotaPolicy').text = surfquota
    ET.SubElement(userblock, 'AccessTimePolicy').text = accesstime
    ET.SubElement(userblock, 'DataTransferPolicy').text = datatransferpolicy
    ET.SubElement(userblock, 'QoSPolicy').text = qospolicy
    ET.SubElement(userblock, 'SSLVPNPolicy').text = sslvpnpolicy
    ET.SubElement(userblock, 'ClientlessPolicy').text = clientlesspolicy
    ET.SubElement(userblock, 'Status').text = status
    ET.SubElement(userblock, 'L2TP').text = l2tp
    ET.SubElement(userblock, 'PPTP').text = pptp
    ET.SubElement(userblock, 'CISCO').text = cisco
    ET.SubElement(userblock, 'QuarantineDigest').text = quarantinedigest
    ET.SubElement(userblock, 'MACBinding').text = macbinding
    ET.SubElement(userblock, 'LoginRestriction').text = loginrestriction
    ET.SubElement(
        userblock, 'ScheduleForApplianceAccess').text = accessschedule
    ET.SubElement(
        userblock, 'LoginRestrictionForAppliance').text = loginrestrictionapp
    ET.SubElement(userblock, 'IsEncryptCert').text = isencryptcert
    ET.SubElement(
        userblock, 'SimultaneousLoginsGlobal').text = simultaneouslogins

    return userblock


def xgAPILogin(fwuser, fwpassword):
    # Returns a root Login element for an XMLAPI call

    requestroot = ET.Element('Request')
    login = ET.SubElement(requestroot, 'Login')
    ET.SubElement(login, 'Username').text = fwuser
#  ET.SubElement(login, 'Password', passwordform = 'encrypt').text = fwpassword
    ET.SubElement(login, 'Password').text = fwpassword

    return requestroot


def xgImpExBegin():
    return ET.Element('Configuration', APIVersion="1702.1", IPS_CAT_VER="1")


def xgAPIPost(requestroot):
    # Posts an XMLAPI document to the firewall specified in command line -f arg
    # If there is no -f arg, it prints the document to stdout
    # Parameter 'requestroot' provides the root element of the XML document

    postdata = {
        'reqxml': ET.tostring(requestroot, 'unicode')
    }
    result = 0

    try:
        callurl = ('https://' + stuff.firewall +
                   ':4444/webconsole/APIController')
        eprint("Sending XMLAPI request to %s" % callurl)

        r = requests.post(callurl, data=postdata, verify=stuff.insecure)
#        eprint(r)
#        eprint(r.text)
        result = 1
    except AttributeError:
        print(ET.tostring(requestroot, 'unicode'))
        result = 0
    return (result, r)

# Fun starts here


# Check command line
stuff = getArguments()

try:
    eprint("Reading from file: %s" % stuff.input)
except AttributeError:
    eprint("No filename provided. Run this command with --help for more info.")
    sys.exit()

# If there's a firewall address set, make sure we're in oneshot mode
try:
    eprint("Config will be posted to " + stuff.firewall)
    stuff.oneshot = True
except AttributeError:
    eprint("No firewall set")

if stuff.add:
    method = 'add'
else:
    method = 'update'

# Start building the XMLAPI Request
if stuff.useimpex:
    fwRequestroot = xgImpExBegin()
    fwRequestSet = fwRequestroot
else:
    fwRequestroot = xgAPILogin(stuff.fwuser, stuff.fwpassword)
    fwRequestSet = ET.SubElement(fwRequestroot, 'Set', operation=method)

usernames = []

# Open the csv for reading
with open(stuff.input, encoding="utf-8-sig") as input_csv:
    csv_parser = csv.DictReader(input_csv, delimiter=',')
    count = 0
    for row in csv_parser:
        #       eprint(row)

        fwRequestSet.append(xgAPIStartUser(row["Username"], row["Name"],
                                           row["Password"],
                                           row["Email Address"],
                                           group=row["Group"]))
        usernames.append(row["Username"])
        count = count + 1

    eprint("Read %d users from file %s\n" % (count, stuff.input))

if stuff.oneshot or stuff.useimpex:
    result, r = xgAPIPost(fwRequestroot)

if result == 1:
    resultcontent = ET.fromstring(r.text)
    for child in resultcontent:
        if child.tag == "Login":
            status = child.find('status').text
            if status == '200':
                eprint("API login successful")
            else:
                eprint("Login status: %s" % child.find('status').text)

        if child.tag == "User":
            Status = child.find('Status')
            eprint("Line %s (%s), Status %s" % (
                child.attrib["transactionid"], usernames[int(
                    child.attrib["transactionid"]) - 1],
                Status.attrib["code"]))
            try:
                if stuff.add:
                    eprint("     %s" %
                           UserAPIAddResults[Status.attrib["code"]][1])
                else:
                    eprint("     %s" %
                           UserAPIUpdateResults[Status.attrib["code"]][1])
            except KeyError:
                eprint("Message: %s" % Status.text)
                continue

        if child.tag == "Status":
            eprint("Error code %s: %s" % (child.attrib['code'], child.text))

# Take the xml output from this program and send it to your firewall with curl,
# for example:
# $ curl -k https://<firewall ip>:4444/webconsole/APIController -F "reqxml=<foo.xml"

# To create an API Import file, use '-x', write the XML output to a file
# 'Entities.xml' and create a tarball with the following (group/owner options 
# to make it anonymous):
# $ tar --group=a:1000 --owner=a:1000 --numeric-owner -cvf ../API-O365.tar Entities.xml

______________________________________________________________________________________________________________________________________



Added TAGs
[edited by: Raphael Alganes at 5:18 AM (GMT -7) on 18 Sep 2024]
Parents
  • Hello,

    I downloaded the zip and ran the program as suggested. I am using a MacOS but am getting a Syntax error on line 37

    File "Downloads/UserImport.py", line 37
        print(*args, file=sys.stderr, **kwargs)
              ^
    SyntaxError: invalid syntax"

    My user.csv is formatted like so:

    Name,Username,Password,Email Address,Group
    atlantis sci0,sci0,sci0,sci0@atlantis.whoi.edu,SCIENCE
    Craig Young,sci1,Young,sci1@atlantis.whoi.edu,SCIENCE

    Please recommend on how to fix the syntax error.

  • Hi , the syntax error is in the code not your data file. Python 2 is reporting the error because my code uses python 3.

    Although Python 3 is now included in MacOS (since version 10.15), python 2 is still the default.

    Try running the program with the command line 'python3' instead of just python.

    You may find it complains about missing the 'requests' module, in which case you can install the python3 version with:

    python3 -m pip install requests

  • Hi , is there a way to change the port the program is sending the API? I noticed that I get this on the command line:

    Sending XMLAPI request to https://192.168.11.254:4444/webconsole/APIController

    Where it looks to port :4444; however in configuring the SOPHOS we changed the admin port to :443

    I think this might be the problem as I keep getting error messages about the connection timing out:

    Traceback (most recent call last):
      File "Downloads/UserImport.py", line 239, in <module>
        result, r = xgAPIPost(fwRequestroot)
      File "Downloads/UserImport.py", line 179, in xgAPIPost
        r = requests.post(callurl, data=postdata, verify=stuff.insecure)
      File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/requests/api.py", line 119, in post
        return request('post', url, data=data, json=json, **kwargs)
      File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/requests/api.py", line 61, in request
        return session.request(method=method, url=url, **kwargs)
      File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/requests/sessions.py", line 542, in request
        resp = self.send(prep, **send_kwargs)
      File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/requests/sessions.py", line 655, in send
        r = adapter.send(request, **kwargs)
      File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/requests/adapters.py", line 516, in send
        raise ConnectionError(e, request=request)
    requests.exceptions.ConnectionError: HTTPSConnectionPool(host='192.168.11.254', port=4444): Max retries exceeded with url: /webconsole/APIController (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x10d3af470>: Failed to establish a new connection: [Errno 60] Operation timed out'))

    Another issue I'm coming across, is a password complexity error.

    Line 36 (sci35), Status 510
         Invalid password - doesn't meet complexity requirements

    Is there a way to circumvent the password complexity requirement? I have turned it off in the GUI for the firewall but I still get this response. The whole point of importing the users with a csv file was to make it quick and easy during turnaround periods. The idea is to give a very generic password for login and then having the users login and change their passwords that would conform to the complexity rules.

Reply
  • Hi , is there a way to change the port the program is sending the API? I noticed that I get this on the command line:

    Sending XMLAPI request to https://192.168.11.254:4444/webconsole/APIController

    Where it looks to port :4444; however in configuring the SOPHOS we changed the admin port to :443

    I think this might be the problem as I keep getting error messages about the connection timing out:

    Traceback (most recent call last):
      File "Downloads/UserImport.py", line 239, in <module>
        result, r = xgAPIPost(fwRequestroot)
      File "Downloads/UserImport.py", line 179, in xgAPIPost
        r = requests.post(callurl, data=postdata, verify=stuff.insecure)
      File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/requests/api.py", line 119, in post
        return request('post', url, data=data, json=json, **kwargs)
      File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/requests/api.py", line 61, in request
        return session.request(method=method, url=url, **kwargs)
      File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/requests/sessions.py", line 542, in request
        resp = self.send(prep, **send_kwargs)
      File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/requests/sessions.py", line 655, in send
        r = adapter.send(request, **kwargs)
      File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/requests/adapters.py", line 516, in send
        raise ConnectionError(e, request=request)
    requests.exceptions.ConnectionError: HTTPSConnectionPool(host='192.168.11.254', port=4444): Max retries exceeded with url: /webconsole/APIController (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x10d3af470>: Failed to establish a new connection: [Errno 60] Operation timed out'))

    Another issue I'm coming across, is a password complexity error.

    Line 36 (sci35), Status 510
         Invalid password - doesn't meet complexity requirements

    Is there a way to circumvent the password complexity requirement? I have turned it off in the GUI for the firewall but I still get this response. The whole point of importing the users with a csv file was to make it quick and easy during turnaround periods. The idea is to give a very generic password for login and then having the users login and change their passwords that would conform to the complexity rules.

Children
  • The quick answer is to edit the text on line 175/6 of the Python code. Where it currently reads:

            callurl = ('https://' + stuff.firewall +
                       ':4444/webconsole/APIController')

    Change 4444 to 443

            callurl = ('https://' + stuff.firewall +
                       ':443/webconsole/APIController')

    Regarding the complexity requirements, I'm not aware of any way to disable those checks in the API. My only suggestion would be that it shouldn't be hard to find a simple password that still meets the complexity requirements. Something like "StartupPW01!" would probably do the trick...