Firewall Integration Offline

The Firewall Integration Offline issue appears when a firewall that is configured to pull blocklists directly from CrowdSec's Blocklist-as-a-Service (BLaaS) endpoint has not pulled the list for more than 24 hours.
This means your firewall is no longer receiving the latest threat intelligence and blocked IPs.

What Triggers This Issue

Trigger condition: No pull from BLaaS endpoint for 24 hours
Criticality: 🔥 Critical
Impact: Firewall blocklist is not being updated - new threats are not being blocked - Firewall potentially malfunctioning.

Common Root Causes

Firewall rule disabled or removed: The firewall rule that pulls from external blocklists no longer exists or has been disabled.
BLaaS credentials invalid: The basic auth credentials configured in the firewall for accessing the BLaaS endpoint is incorrect, expired, or has been regenerated.
Network connectivity issues: The firewall cannot reach the BLaaS endpoint due to network problems, DNS issues, or routing failures.
Firewall offline: The firewall itself is powered off, unreachable, or not processing rules.

Diagnosis & Resolution

Firewall rule disabled or removed

🔎 Verify the CrowdSec blocklist rule exists and is enabled

Access your firewall's management interface and check if the CrowdSec blocklist rule is present and enabled.

External blocklist configuration location varies by vendor. Check your firewall's documentation for "External Threat Feeds", "External Dynamic Lists", or "URL Aliases". See Blocklist Integration Setup for vendor-specific guidance.

Verify:

CrowdSec blocklist rule is present and enabled
URL points to https://admin.api.crowdsec.net/...
Use the firewall's "test" or "refresh" function if available

🛠️ Re-enable or recreate the external blocklist rule

If the rule is disabled - Re-enable it in your firewall's configuration
If the rule is missing - Recreate it following your firewall's integration documentation
Trigger manual update - Use "Refresh Now" or "Update" button and check logs for errors

BLaaS credentials invalid

Credentials are available on creation, it's recommended to write them down in your password management system.
You can re-generate them from the console UI.

🛠️🔎 Verify credentials and test connectivity

🔎 Make sure your Firewall configuration uses both the BLaaS endpoint url AND the Basic auth credentials.
🛠️ Use the Configuration/Refresh Credentials action on your integration if you lost them

🔎 Some firewalls provide forms to fill in basic auth but some version have bugs.
🛠️ Try to inject the basc auth directly into the url provided to your firewall:

https://<username>:<password>@admin.api.crowdsec.net/v1/integrations/<yourIntegId>/content

Network connectivity issues

🔎 Test connectivity and review logs

Test network connectivity from a host on the same network or from the firewall's CLI:

# Test basic connectivity
curl -I https://admin.api.crowdsec.net/

# Test DNS resolution
nslookup admin.api.crowdsec.net

Review your firewall's logs for errors related to external blocklist updates. Look for:

failed to download - connectivity issue
authentication failed or 401 - API key invalid
SSL certificate verification failed - certificate trust issue
timeout - network connectivity or endpoint unreachable

Log locations vary by firewall vendor. Check your firewall's documentation for system event logs. See Blocklist Integration Setup for vendor-specific guidance.

🛠️ Fix network connectivity issues

Check firewall outbound rules - Ensure outbound HTTPS (443) is allowed to admin.api.crowdsec.net
Verify DNS resolution - Configure public DNS (8.8.8.8, 1.1.1.1) if needed
Check proxy settings - Verify proxy configuration if using one
Update SSL/TLS certificates - Ensure firewall trusts public CA certificates

See Network Management documentation for required endpoints.

Firewall offline

🔎 Check if firewall is accessible and running

Verify basic firewall accessibility:

Can you access the firewall's management interface?
Is the firewall responding to ping requests?
Are firewall services running normally?

🛠️ Restore firewall connectivity

Physical/Virtual access - Check hardware is powered on or VM is running
Management access - Connect via console/KVM if needed and verify network configuration
After restoring connectivity - Trigger manual blocklist update and verify in Console

Verify Resolution

After making changes:

Trigger manual update - Use the firewall's "Refresh" or "Update Now" function and wait 30-60 seconds
Check in CrowdSec Console - Navigate to Integrations → Blocklists and verify the "Last Pull" timestamp has updated. The offline alert should clear automatically.
Verify blocklist is populated - Check your firewall shows IP addresses in the blocklist (number should match your subscription tier)

Firewall Integration Documentation

For detailed setup and configuration specific to your firewall vendor:

Blocklist Integration Setup Guide
Vendor-specific integration pages (FortiGate, Palo Alto, pfSense, OPNsense, etc.)

Remediation Component Integration Offline - Similar issue for remediation components (bouncers)
Security Engine Offline - If using agent-based deployment

Getting Help

If your firewall integration still shows as offline after following these steps:

Consult your firewall's integration documentation
Share firewall logs on Discourse
Ask on Discord with firewall model and error messages
Contact CrowdSec support via Console if BLaaS endpoint issues persist

What Triggers This Issue​

Common Root Causes​

Diagnosis & Resolution​

Firewall rule disabled or removed​

🔎 Verify the CrowdSec blocklist rule exists and is enabled​

🛠️ Re-enable or recreate the external blocklist rule​

BLaaS credentials invalid​

🛠️🔎 Verify credentials and test connectivity​

Network connectivity issues​

🔎 Test connectivity and review logs​

🛠️ Fix network connectivity issues​

Firewall offline​

🔎 Check if firewall is accessible and running​

🛠️ Restore firewall connectivity​

Verify Resolution​

Firewall Integration Documentation​

Related Issues​

Getting Help​