====== Importing User .csv file via XML API ======

**This fix is for firmware after v18.0 MR3 and v17.5 MR14**

SFOS has an XML API that provides a way to automatically manage most objects and features that can be controlled via the Webadmin user interface, and User objects are no exception. The current workaround for the old CSV import feature for bulk adding of on-device user accounts is to use this service.

For a more detailed explanation, see [[https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/124698/importing-user-definitions-into-xg-firewall-after-v18-0-mr3-and-v17-5-mr14]]

===== Enabling XML API on your firewall =====

1) Log in to your XG Firewall with an Administrator account

2) Go to **Backup & firmware** -> **API**

3) Under **API configuration**, check the **Enabled** box

4) Under **Allowed IP address**, enter the IP address of the computer where you are going to run this program

===== Installing Python 3 and preparing dependencies =====

Install Python 3 on your computer

  * Python 3 comes built in to some Unix-based systems, including MacOS
  * For Windows systems, you can download and install the latest Python installer from [[https://www.python.org]]
  * For Linux distributions, your system's default package manager will almost certainly have a suitable package ready to install

==== For MacOS ====

Although Python 3 is now included in MacOS (since version 10.15), Python 2 is still the default. To solve this, run the program as **python3** instead of **python**. When run this way you may get an error about missing the 'requests' module, in which case you can install the python3 version:

<code>
python3 -m pip install requests
</code>

==== For Windows ====

1) When installing Python on Windows, make sure to select the option to "Add Python to PATH" on the first screen of the installer.
This will allow you to run Python scripts from a Windows command prompt

2) After installation completes, open a new Command Prompt window

3) Install the additional libraries that are required to run this program:

<code>
C:\Users\John> pip install requests python-certifi-win32
</code>

4) If you have enabled TLS decryption on your XG Firewall and get a certificate error running this command, you can either create a decryption exclusion for the domain pypi.org or get a copy of your firewall's root CA certificate in a file and rerun the command as follows:

<code>
C:\Users\John> pip install requests python-certifi-win32 --cert mycacert.pem
</code>

===== Prepare your csv file =====

This script expects you to provide a csv file, with fields separated by commas. The file must have the following columns: **Name, Username, Password, Email Address, Group**

Example:

<code>
Name,Username,Password,Email Address,Group
Nigel Brown,nbrown,Pa5s!w0rd19,nigel.brown@example.com,Open Group
Gina Lopez,glopez,e1Azjr8q9^21,gina.lopez@example.com,Open Group
</code>

===== Downloading and running the script =====

1) Download this [[https://community.sophos.com/cfs-file/__key/communityserver-discussions-components-files/258/userimport_2D00_py.zip | zip]] and extract it to a directory on your computer. The rest of these instructions assume you saved it in **'Downloads'**, and that the csv file containing the users you want to add is in **'Documents'** and called **users.csv**

2) Run the following command, substituting your firewall's hostname or IP address, admin username and password.

<code>
python3 Downloads/UserImport.py -f x.x.x.x -i Documents/users.csv -u admin -p A1B2c3d4!!E5 -a
</code>

3) If you see exception messages related to certificate trust issues, try running the same command again, but add '-n' as an additional command-line qualifier.
<code>
python3 Downloads/UserImport.py -f x.x.x.x -i Documents/users.csv -u admin -p A1B2c3d4!!E5 -a -n
</code>

===== Troubleshooting =====

=== 1) If you get an error message of the connection timing out: ===

Confirm which port is being used in the Admin settings

1) Go to **Administration** -> **Admin and User Settings**

2) Under **Admin console and end-user interaction**, check the **Admin console HTTPS port**

  * The default for the Python program is port **4444**
  * If your port is different, edit the text on **line 175/6** of the Python code; it should then read

<code>
callurl = ('https://' + stuff.firewall + ':4444/webconsole/APIController')
</code>

=== 2) My passwords do not meet password complexity ===

<code>
Line 36 (sci35), Status 510 Invalid password - doesn't meet complexity requirements
</code>

1) Go to **Administration** -> **Admin and User Settings** -> **User password complexity settings**

2) Disable **Enable password complexity check**

3) Reboot the device and double-check that **Enable password complexity check** is still disabled

4) Re-run the Python command
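
The following pre-flight check is an added example, not part of the Sophos script or the original page: it validates a file against the column layout from "Prepare your csv file" and reports rows likely to hit the Status 510 complexity error before anything is sent to the firewall. The complexity rule (8 characters, four character classes), the case-insensitive duplicate check, the name ''check_users_csv'' and sample rows 4-6 are assumptions; match the rule to your own **User password complexity settings**.

```python
import csv
import io
import re

REQUIRED = ["Name", "Username", "Password", "Email Address", "Group"]
# Assumed policy, not taken from the page: match your firewall's settings.
MIN_LENGTH = 8
CLASSES = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
           "digit": r"[0-9]", "special": r"[^A-Za-z0-9]"}
# Constructed sample: rows 2-3 are the page's example, rows 4-6 are made up.
SAMPLE = """Name,Username,Password,Email Address,Group
Nigel Brown,nbrown,Pa5s!w0rd19,nigel.brown@example.com,Open Group
Gina Lopez,glopez,e1Azjr8q9^21,gina.lopez@example.com,Open Group
Sam Reed,sreed,password,sam.reed@example.com,Open Group
Ana Diaz,adiaz,Xy7#kLm2pQ,ana.diaz@example.com
Nia Brown,NBrown,Zx9$wQ2m!k,nia.brown@example.com,Open Group
"""

def check_users_csv(stream):
    """Return (line_number, message) problems; passwords are never echoed."""
    reader = csv.DictReader(stream)
    header = [h.strip() for h in (reader.fieldnames or [])]
    missing = [c for c in REQUIRED if c not in header]
    if missing:
        return [(1, "missing column(s): " + ", ".join(missing))]
    reader.fieldnames = header  # tolerate stray spaces around column names
    problems, seen = [], set()
    for row in reader:
        if None in row:  # more fields than columns, e.g. an unquoted comma
            problems.append((reader.line_num, "too many fields"))
            continue
        empty = [c for c in REQUIRED if not (row[c] or "").strip()]
        if empty:
            problems.append((reader.line_num, "empty field(s): " + ", ".join(empty)))
            continue
        user = row["Username"].strip().lower()  # assumption: case-insensitive
        if user in seen:
            problems.append((reader.line_num, "duplicate username: " + user))
        seen.add(user)
        pw = row["Password"]
        lacking = [n for n, rx in CLASSES.items() if not re.search(rx, pw)]
        if len(pw) < MIN_LENGTH:
            lacking.insert(0, "length >= %d" % MIN_LENGTH)
        if lacking:
            problems.append((reader.line_num, "password lacks: " + ", ".join(lacking)))
    return problems

if __name__ == "__main__":
    for line, message in check_users_csv(io.StringIO(SAMPLE)):
        print("line %d: %s" % (line, message))
```

To check a real file, pass an open handle instead of the sample, for example ''check_users_csv(open("Documents/users.csv", newline=""))''.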