I use Inbound ssl decryption.
when virus detection, I want to display block page for client.
Can you is it?
I want to know design.
can do it, or can not do it?
Check this document for more information: https://live.paloaltonetworks.com/docs/DOC-3094
The virus block page can be modified (if needed) and is located in Device -> Response Pages where you have the "Antivirus Block".
You must also create a "interface management profile" where you enable "Response Pages" and attach this profile to the L3-interface of the dataplane you have towards your clients before your clients will see any block pages.
Note however that page 421 in PA-5.0_Administrators_Guide.pdf seems to have a bug regarding how the default response page for antivirus actually looks like.
I think in PANOS 5.x (or was this introduced in earlier versions?) you can attach a L3-interface (to which you attach the mgmt profile for response pages) to the VWIRE.
VWIRE - L3-interface(with mgmt-profile)
That is this L3-interface is virtually attached to the VWIRE configuration (meaning its not a physical interface available on the box in this case since the only physical interfaces are the inside/outside connected to the VWIRE).
Hmmm, I just tried to something like this.... and I cannot get a L3 interface on VWire. The advantage of VWire it has IP or mac address on it, so there is no associated Interface Mgmt profile that can be associated with it. I could be wrong in how I am trying to configure this, so please advise. On the other hand, it does make sense (if needed to be a feature request) to allow Response Pages on VWire interfaces.
I might have used the wrong terminology in this case.
What I mean is equal to if you think your PA (VWIRE) is like a hub. Then on this hub you have inside and outside interface - but you also connect a third host to this (which is the PA ip used for response pages).
This way, even if the hub is "transparent" for the hosts on inside and outside network - both of them can address this third host (and then this third host has a firewallsetting to only speak to hosts from inside network as an example).
But looking through the admin doc for PANOS 5.x this doesnt really seem to be described.
A layer3 subinterface can only be configured for a layer3 interface which on its own only can be configured for a physical interface (which if you use VWIRE is already being used).
Then there is VWIRE subinterface, but the docs here only seem to state that these can be used to "force route" (or whatever one could call it) traffic into various zones and vsys. Like if vlan = 123 and srcip = 10.0.0.0/8 handle this as zone "clients".
I guess loopback interface is the thing which (hopefully) might be used for this.
When you setup the loopback interface you can assign it to a VSYS. And since the VWIRE is part of a (the same) VSYS this should hopefully mean that this loopback interface can be reached by inside/outside who is part of this VWIRE.
Create a new zone for this loopback interface (so you can setup firewall rules on which srcip's etc would be allowed to speak to this interface) and then attach the management-profile (which is configured for only "response pages").
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!