How to find the source of a XML API call?
Created On 10/23/23 11:05 AM - Last Modified 02/22/25 04:22 AM
Objective
The purpose of this article is to help find the source of an API call seen on the firewall or Panorama
Environment
- Panorama appliances
- Palo Alto Networks firewalls
- All PAN-OS versions
Procedure
- In Monitor > IP-Tag logs, the API calls that register and unregister dynamic IPs are listed, but the entries carry no information about where the API calls came from
- Log in to the firewall CLI, open the access.log file with the command less webserver-log access.log, and search for the timestamp at which the API call happened; the first field of each matching entry is the client address that made the call
::ffff:10.38.122.25 - - [31/Jul/2023:05:12:52 -0500] "POST /php/utils/router.php/MonitorDirect.enqueueLogRequest" 200 276 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
::ffff:10.38.122.25 - - [31/Jul/2023:05:12:52 -0500] "POST /php/utils/router.php/MonitorDirect.pollLogRequest" 200 27035 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
::ffff:10.38.122.25 - - [31/Jul/2023:04:32:57 -0500] "POST /php/utils/router.php/PanDirect.resolveTidToThreatName" 200 133 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
Note: You can also look at the php.debug.log file with the command less mp-log php.debug.log to find the content of the API call
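The timestamp search above can be scripted once access.log has been copied off the device. The following is an added example, not code from this article or from Palo Alto Networks: it parses entries in the format shown above, strips the ::ffff: IPv4-mapped prefix so the address matches what the IP-Tag log shows, and returns the clients that hit the XML API path (/api/) within a few seconds of the IP-Tag log time. The log sample is constructed; the 10.38.122.40 entry and its user-id request are hypothetical.

```python
import re
from datetime import datetime, timedelta

# One access.log entry: client address, two "-" fields, bracketed timestamp,
# quoted request line, status code, response size, quoted user agent.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 31/Jul/2023:05:12:52 -0500

# Constructed sample (not real traffic). The last line is a hypothetical
# XML API user-id call, the kind that produces the IP-Tag log entries.
SAMPLE_LOG = """\
::ffff:10.38.122.25 - - [31/Jul/2023:05:12:52 -0500] "POST /php/utils/router.php/MonitorDirect.enqueueLogRequest" 200 276 "Mozilla/5.0"
::ffff:10.38.122.25 - - [31/Jul/2023:05:12:52 -0500] "POST /php/utils/router.php/MonitorDirect.pollLogRequest" 200 27035 "Mozilla/5.0"
::ffff:10.38.122.25 - - [31/Jul/2023:04:32:57 -0500] "POST /php/utils/router.php/PanDirect.resolveTidToThreatName" 200 133 "Mozilla/5.0"
::ffff:10.38.122.40 - - [31/Jul/2023:05:12:50 -0500] "POST /api/?type=user-id" 200 93 "python-requests/2.31.0"
"""

def parse_line(line):
    """Return a dict for one access.log entry, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    if d["client"].startswith("::ffff:"):      # IPv4-mapped IPv6 -> plain IPv4
        d["client"] = d["client"][len("::ffff:"):]
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    return d

def find_api_sources(log_text, when, window_seconds=5, path_prefix="/api/"):
    """Clients that requested path_prefix within +/- window_seconds of `when`,
    the IP-Tag log timestamp written in the same format access.log uses."""
    centre = datetime.strptime(when, TS_FMT)
    lo, hi = centre - timedelta(seconds=window_seconds), centre + timedelta(seconds=window_seconds)
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and lo <= e["ts"] <= hi and e["path"].startswith(path_prefix):
            hits.append((e["client"], e["ts"].strftime(TS_FMT), e["path"]))
    return hits

if __name__ == "__main__":
    for client, ts, path in find_api_sources(SAMPLE_LOG, "31/Jul/2023:05:12:52 -0500"):
        print(client, ts, path)
```

Widen window_seconds if the IP-Tag log and access.log timestamps drift apart, and pass path_prefix="/php/" to attribute web UI actions instead of XML API calls.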