
Disable WebVPN Portal Only

m.santangelo
Level 1

Hello all,

We have a link, https://remote.ourdomain.tld which is currently getting hammered by login attempts.  Since our VPN uses AD, the failed logins are causing AD account lockouts.

We are on Cisco FMC 7.4.2 and the FTD units themselves (FP2140's) are also on 7.4.2 with FX-OS 2.14.1.

I have tried adding a flex config:

webvpn
_keepout "503 Service Unavailable"

and 

webvpn
_portal-access-rule 1 deny any

and

webvpn
_no enable Outside

(I put the _ in there to indicate a space, but I have also tried without a space).  Whenever I add these FlexConfigs, I get errors:

HOST >> error :
portal-access-rule 1 deny any
^
ERROR: % Invalid input detected at '^' marker.
Config Error -- portal-access-rule 1 deny any

and

HOST >> error :
keepout "503 Service Unavailable"
^
ERROR: % Invalid input detected at '^' marker.
Config Error -- keepout "503 Service Unavailable"


Is there any way to disable JUST the WebVPN access? We still need people to access the VPN, but they all have installed clients on their devices.  Or failing that, is there a way to change the landing page URL? Something like https://remote.ourdomain.tld/randomtext would be fine because no one actually uses the WebVPN to get the software.  We tried an alias, but the alias just adds the other URL, not disabling the main page at https://remote.ourdomain.tld.

Accepted Solution

m.santangelo
Level 1

Figured it out.  We had another FlexConfig defined elsewhere to enable some other features (vpngina).

I had to combine the files into one, where the lines became:

---

webvpn
keepout "503: Service Unavailable"

group-policy GroupPolicy_Site_VPN attributes
_webvpn
__anyconnect modules value vpngina

---

Now I have enabled vpngina and the WebVPN is shuttered, but remote vpn access is still working.

Thanks all.

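The fix above amounts to deploying the WebVPN keepout lines and the vpngina group-policy lines as one FlexConfig object rather than two. As an added illustration (not the poster's or Cisco's code), the helper below merges separate FlexConfig snippets into a single config text in which each top-level mode appears once, and then checks that a keepout line really sits under the global webvpn mode. The snippets are constructed here from the thread's lines, with one space per nesting level where the posts used underscores to show spaces; the "enable Outside" case reuses the OP's third attempt to show that two webvpn blocks collapse into one.

```python
"""Merge several FMC FlexConfig snippets into one ordered object.

Constructed example for this thread, not Cisco's or the poster's code.
Nesting follows ASA/FTD running-config style: one leading space per level.
"""
from collections import OrderedDict

# Constructed snippets mirroring the thread's two FlexConfig objects.
KEEPOUT_SNIPPET = """webvpn
 keepout "503: Service Unavailable"
"""

VPNGINA_SNIPPET = """group-policy GroupPolicy_Site_VPN attributes
 webvpn
  anyconnect modules value vpngina
"""


def parse_blocks(snippet):
    """Split a snippet into (mode_line, [sub_lines]) pairs.

    A line with no leading whitespace starts a new top-level block; indented
    lines belong to the most recent block and keep their own indentation.
    """
    blocks = []
    for raw in snippet.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if not blocks:
                raise ValueError("indented line before any mode line: %r" % raw)
            blocks[-1][1].append(raw.rstrip())
        else:
            blocks.append((raw.rstrip(), []))
    return blocks


def merge_flexconfig(*snippets):
    """Return one config text in which each top-level mode appears once.

    Sub-commands are kept in first-seen order; exact duplicate lines are
    dropped so the same command is not pushed twice.
    """
    merged = OrderedDict()
    for snippet in snippets:
        for mode, subs in parse_blocks(snippet):
            existing = merged.setdefault(mode, [])
            for line in subs:
                if line not in existing:
                    existing.append(line)
    out = []
    for mode, subs in merged.items():
        out.append(mode)
        out.extend(subs)
    return "\n".join(out) + "\n"


def keepout_under_webvpn(config_text):
    """True when a keepout line sits directly under the global webvpn mode.

    The indented "webvpn" inside group-policy attributes is a sub-line of that
    group-policy block, so it is deliberately not matched here.
    """
    for mode, subs in parse_blocks(config_text):
        if mode == "webvpn":
            return any(s.strip().startswith("keepout ") for s in subs)
    return False


if __name__ == "__main__":
    combined = merge_flexconfig(VPNGINA_SNIPPET, KEEPOUT_SNIPPET)
    print(combined)
    print("keepout under webvpn:", keepout_under_webvpn(combined))
```

Run it to print the combined object; the merged text is what would be pasted into the single FlexConfig object, and the check fails on the vpngina snippet alone because its webvpn line is nested under the group policy, not at the top level.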

8 Replies

webvpn
keepout "503: Service Unavailable"

Without space 

MHM

As stated in the OP, with or without space, I get an error.


FMC >> webvpn
FMC >> keepout "503: Service Unavailable"
TECH-FP-2140-1 >> error :
keepout "503: Service Unavailable"
^
ERROR: % Invalid input detected at '^' marker.
Config Error -- keepout "503: Service Unavailable"


Try 

Keepout "message"

MHM

Also, for deployment, use "Everytime".

MHM

It is all explained clearly in this post

https://www.linkedin.com/pulse/shutting-down-webvpn-portal-ftd-flexconfig-matt-albrecht/


**Please rate as helpful if this was useful**

I found and followed that article.  I am here posting because the steps in said article did not work. 


You are so welcome 

Please close ticket. 

Thanks and have a nice day

MHM