Why is the Anti-Spyware rule Threat Name filter not working as expected when using 'C2' or 'C2 traffic' for the threat name?

Created On 10/26/20 14:53 PM - Last Modified 09/20/25 03:05 AM


Question


Why is the Anti-Spyware rule Threat Name filter not working as expected when using 'C2' or 'C2 traffic' for the threat name?

Environment


  • Palo Alto NGFW Firewall
  • Supported PAN-OS
  • Anti Spyware


Answer


  1. Check whether the C2 traffic signature is autogenerated. To view this, go to https://threatvault.paloaltonetworks.com, search for the signature, then click the name link.


  2. The Category field shows whether the signature is an autogenerated spyware signature ('autogen').




Additional Information


NOTE
Currently, automatically generated Anti-Spyware signatures cannot be matched by a Threat Name filter.
To set up a special rule for C2 traffic and other autogen signatures, you will need to create a separate rule with "Category" set to "autogen" and "Threat Name" set to "any" (blank).
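
The check described in the note above, as an added example that is not Palo Alto Networks code: it scans a configuration fragment for Anti-Spyware rules that filter by Threat Name and reports whether each profile has the recommended rule with Category "autogen" and Threat Name "any". The XML element names, the function name and the sample configuration are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real device. The element names follow an
# assumed PAN-OS-style layout for Anti-Spyware profile rules.
SAMPLE_CONFIG = """
<profiles>
  <spyware>
    <entry name="strict-c2">
      <rules>
        <entry name="block-c2-by-name">
          <threat-name>C2 traffic</threat-name>
          <category>any</category>
        </entry>
      </rules>
    </entry>
    <entry name="fixed-c2">
      <rules>
        <entry name="block-autogen">
          <threat-name>any</threat-name>
          <category>autogen</category>
        </entry>
      </rules>
    </entry>
  </spyware>
</profiles>
"""

def audit_spyware_profiles(xml_text):
    """Return {profile: {"name_filtered_rules": [...], "has_autogen_rule": bool}}."""
    report = {}
    root = ET.fromstring(xml_text)
    for profile in root.findall("./spyware/entry"):
        name_filtered, has_autogen_rule = [], False
        for rule in profile.findall("./rules/entry"):
            threat_name = (rule.findtext("threat-name") or "any").strip()
            category = (rule.findtext("category") or "any").strip()
            if threat_name.lower() != "any":
                # A Threat Name filter cannot match autogenerated signatures.
                name_filtered.append((rule.get("name"), threat_name))
            elif category == "autogen":
                has_autogen_rule = True
        report[profile.get("name")] = {
            "name_filtered_rules": name_filtered,
            "has_autogen_rule": has_autogen_rule,
        }
    return report

if __name__ == "__main__":
    for profile, result in audit_spyware_profiles(SAMPLE_CONFIG).items():
        print(profile, result)
```

A profile that lists name-filtered rules and reports has_autogen_rule as False is the case this article describes: the 'C2' name filter is present, but no rule is set up to match the autogen signatures.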

