topic Re: How to disable webvpn from FMC? in Network Security

How to disable webvpn from FMC?

eeebbunee — Fri, 06 May 2022 21:27:13 GMT

Hello Experts,

Can you tell me how can I disable webvpn from FMC?

I found still 'webvpn enabled' from my firepower configuration after I deleted Remote Access VPN.

Can anyone tell me how to configure to 'no webvpn enable'?

Re: How to disable webvpn from FMC?

Udupi Krishna. — Sun, 08 May 2022 01:14:41 GMT

Webvpn is used by anyconnect and disabling it will stop clients from connecting to the firewall. If that's what you are intending to do, webvpn can be disabled via flex config.

1. Add a new flexconfig object with below parameters.

webvpn

portal-access-rule 1 deny any

2. If there's an existing flexconfig policy attached to the FTD, select this new user defined object into it.

3. Save and deploy the policy.

There's a enhancement request created to add the functionality to disable the webvpn via FMC/GUI - CSCvp81746

Re: How to disable webvpn from FMC?

AminRamadan — Wed, 08 Feb 2023 11:19:55 GMT

I got the following when i tried to shutdown portal login by using FlexConfig:

Lina messages
FMC >> no strong-encryption-disable
FMC >> no dp-tcp-proxy
FMC >> policy-map global_policy
FMC >> class class-default
FMC >> exit
FMC >> vpn-addr-assign local reuse-delay 0
FMC >> crypto isakmp nat-traversal
FMC >> webvpn
FMC >> portal-access-rule 1 deny any
fw-vpn >> error :
portal-access-rule 1 deny any
^
ERROR: % Invalid input detected at '^' marker.
Config Error -- portal-access-rule 1 deny any

Plus, I got the same result when I tried:

webvpn

keepout "NO SSL service available"

fw-vpn >> error :

keepout "NO SSL service available"

ERROR: % Invalid input detected at '^' marker.

Re: How to disable webvpn from FMC?

briwils3 — Fri, 22 Sep 2023 02:21:32 GMT

Clientless SSL VPN is deprecated in all versions of FTD (and in ASA from 9.17 onwards). Thus, the command to set an access rule for the webvpn portal no longer exists. You can simply remove the FlexConfig object.

Re: How to disable webvpn from FMC?

ejgreco — Mon, 16 Dec 2024 15:16:29 GMT

Found the solution in a LinkedIn post. Just tested this in our lab (FTD/FMC 7.4.2.1). FlexConfig is the right option, but the correct config is:

webvpn
keepout "<insert-text-for-browser"

For the "insert text" portion, I just used 503: Service Unavailable. With the amount of DDoS attacks (brute force/password sprays) VPNs are experiencing, I would just stick with standard HTTP error messages.