Why is an Anti-Spyware rule with a Threat Name filter not working as expected when using 'C2' or 'C2 traffic' as the threat name?

Created On 10/26/20 14:53 PM - Last Modified 01/23/26 14:57 PM


Question


Why is an Anti-Spyware rule with a Threat Name filter not working as expected when using 'C2' or 'C2 traffic' as the threat name?

Environment


  • Palo Alto NGFW Firewall
  • Supported PAN-OS
  • Anti-Spyware


Answer


  1. Check whether the C2 traffic signature is autogenerated. Go to https://threatvault.paloaltonetworks.com, search for the signature, then click the signature name link.

  2. The Category field of the signature details shows whether it is an autogenerated spyware signature: autogenerated signatures have the category 'autogen'.


 



Additional Information


NOTE
Currently, automatically generated (autogen) Anti-Spyware signatures cannot be matched by a 'Threat Name' filter/condition when creating a category rule in an Anti-Spyware profile, so a rule with Threat Name set to 'C2' or 'C2 traffic' will not cover them.
To set up a dedicated rule for C2 traffic detected by autogen signatures, create it with "Category" set to "autogen" and "Threat Name" set to "any" (left blank).

Note: if this rule is in an Anti-Spyware profile together with other category rules, make sure it is the top rule in the list so that it is evaluated first.
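As an added example (not part of the KB article and not Palo Alto Networks code), the following Python script audits an Anti-Spyware profile exported as XML for the pitfall described above and rewrites it so that a Category=autogen / Threat Name=any rule sits at the top. The XML element names (category, threat-name, severity, action, packet-capture) are assumed to mirror the CLI form `set profiles spyware <profile> rules <rule> ...`; both sample profiles are constructed for the demonstration.

```python
"""Audit and repair a PAN-OS Anti-Spyware profile for the autogen pitfall.

Added example, not from the KB article. Element names are ASSUMED to mirror
the CLI 'set profiles spyware <profile> rules <rule> category ... threat-name
... severity ... action ...' form; adjust them if your export differs.
"""
import xml.etree.ElementTree as ET

# Constructed sample: C2 handling relies on a Threat Name filter, and the
# correct autogen rule exists but sits below it instead of at the top.
SAMPLE_PROFILE_XML = """\
<entry name="strict-c2">
  <rules>
    <entry name="block-c2-by-name">
      <category>any</category>
      <threat-name>C2</threat-name>
      <severity><member>any</member></severity>
      <action><reset-both/></action>
    </entry>
    <entry name="autogen-c2">
      <category>autogen</category>
      <threat-name>any</threat-name>
      <severity><member>any</member></severity>
      <action><reset-both/></action>
      <packet-capture>single-packet</packet-capture>
    </entry>
  </rules>
</entry>
"""

# Constructed sample: only a Threat Name filter, no autogen rule at all.
SAMPLE_NAME_ONLY_XML = """\
<entry name="c2-by-name-only">
  <rules>
    <entry name="block-c2-traffic">
      <category>any</category>
      <threat-name>C2 traffic</threat-name>
      <severity><member>any</member></severity>
      <action><reset-both/></action>
    </entry>
  </rules>
</entry>
"""


def _category(rule):
    return (rule.findtext("category") or "any").strip().lower()


def _threat_name(rule):
    return (rule.findtext("threat-name") or "any").strip()


def audit_profile(xml_text):
    """Return a list of findings; an empty list means autogen signatures are handled."""
    profile = ET.fromstring(xml_text.strip())
    findings, first_autogen_pos, name_filter_rules = [], None, []
    for pos, rule in enumerate(profile.findall("./rules/entry"), start=1):
        name = rule.get("name", "?")
        if _category(rule) == "autogen":
            # A Threat Name on an autogen rule means it will never match.
            if _threat_name(rule).lower() != "any":
                findings.append(f"{name}: autogen rule with Threat Name "
                                f"'{_threat_name(rule)}' never matches; set it to any")
            if first_autogen_pos is None:
                first_autogen_pos = pos
        elif _threat_name(rule).lower() != "any":
            name_filter_rules.append(name)
    if first_autogen_pos is None:
        if name_filter_rules:
            findings.append("no autogen rule: Threat Name filters on "
                            + ", ".join(name_filter_rules)
                            + " never match autogenerated signatures; "
                            "add a category=autogen rule at the top")
    elif first_autogen_pos != 1:
        findings.append(f"autogen rule is at position {first_autogen_pos}; "
                        "move it to the top of the list")
    return findings


def autogen_rule(name="autogen-c2", action="reset-both"):
    """Build the rule the KB recommends: Category autogen, Threat Name any."""
    rule = ET.Element("entry", name=name)
    ET.SubElement(rule, "category").text = "autogen"
    ET.SubElement(rule, "threat-name").text = "any"
    ET.SubElement(ET.SubElement(rule, "severity"), "member").text = "any"
    ET.SubElement(ET.SubElement(rule, "action"), action)
    ET.SubElement(rule, "packet-capture").text = "disable"
    return rule


def ensure_autogen_first(xml_text, action="reset-both"):
    """Return the profile XML with a correct autogen rule as the first rule."""
    profile = ET.fromstring(xml_text.strip())
    rules = profile.find("./rules")
    if rules is None:
        rules = ET.SubElement(profile, "rules")
    existing = [r for r in rules.findall("entry") if _category(r) == "autogen"]
    if existing:                       # reuse the first autogen rule, fix its Threat Name
        rule = existing[0]
        rules.remove(rule)
        tn = rule.find("threat-name")
        if tn is None:
            tn = ET.SubElement(rule, "threat-name")
        tn.text = "any"
    else:                              # no autogen rule yet: add the recommended one
        rule = autogen_rule(action=action)
    rules.insert(0, rule)
    return ET.tostring(profile, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE_XML):
        print("FINDING:", finding)
    print(ensure_autogen_first(SAMPLE_PROFILE_XML))
```

The script never talks to the firewall; it only rewrites the exported XML, so the result still has to be loaded and committed through the normal change process and the rule's action chosen to match your policy.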



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBL6CAO&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail