A new category has been added to Palo Alto Networks URL-filtering. The category is ”Command and Control” or ”C2” and the recommendation is to immediately set the action to BLOCK in your security profiles.
C2 was previously included in the Malware category but has now been separated to get more effective management. For the malware-category you will normally recognize that the threat was stopped by your Palo Alto Networks Firewall and no further compromises has been made. When C2 is logged an endpoint has likely been compromised, this happens when an compromised endpoint attempts to communicate with an attackers remote server to receive malicious commands or extract information.
The default URL-profile should automatically have C2 action to BLOCK if you are using PAN-OS version 8.0.2 or later. If you are using customized profiles or other versions you need to set it manually.
These are the steps required:
- Go to Objects > Security Profiles > URL Filtering
2. Click on your URL-profile and find ”command-and-control” in the list. Set the action to BLOCK and press OK.
Also make sure the URL-profile are applied to your security-profiles.
Press commit and you are done!
More information can be found on https://live.paloaltonetworks.com/t5/Management-Articles/Command-and-Control-C2-FAQ/ta-p/178617