Skip to main content

Firewall integrations

The Firewall integration feature allows users to consume blocklists without installing any CrowdSec Security Engine. This feature provides flexibility by enabling users to pull blocklists from an endpoint in various formats.

Create an integration

You will find the integration page under the blocklist menu. When it's your first time, you will encounter this page showing you all the possible integrations available.

To create a new integration, click on the desired provider or the generic vendor format. The generic vendor format is a one-IP per-line format that will suit many situations. If you need another format, please ask us by clicking the Request integration button.
Once you have an integration, the page is built differently, and you can click on the "Add Integration" button at the top right corner to complete the same action. A popup will then appear, asking for the integration name and an optional description to help you organize your future integrations.

In the next step, we will provide the necessary details for retrieving the IP addresses from a secure endpoint. It will include your unique endpoint URI and credentials.

Use an integration

| Don't forgot to subscribe to a blocklist to make the integration useful.

Every product product has its way to handle external blocklists. We provide a simple URL to retrieve the IPs in a format that suits your needs. You can find the supported provider documentations and output format examples in the following array.

info

Some providers have technical limits on the number of IPs they can pull at once. That's why we recommand to monitor the number of IPS returned by the integration and use the pagination feature if needed.

Provider's documentationFormatExample
CiscoPlain text192.168.38.187
192.168.38.186
CheckpointCustomAccessobserv2,192.168.38.187,IP,high,high,AB,C&C server IP
Accessobserv2,192.168.38.188,IP,high,high,AB,C&C server IP
F5Custom192.168.38.187,32,BL,crowdsec-myf5Integration
192.168.38.188,32,BL,crowdsec-myf5Integration
FortinetPlain text192.168.38.187
192.168.38.186
Palo AltoPlain text192.168.38.187
192.168.38.186
SophosPlain text192.168.38.187
192.168.38.186
Generic vendorPlain text192.168.38.187
192.168.38.186

How to bypass provider limit?

Some providers have technical limits on the number of IPs they can pull at once. That's why we recommand to monitor the number of IPS returned by the integration and use the pagination feature if needed. For this, you can use the page and page_size query parameters in the URL.

https://admin.api.crowdsec.net/v1/integrations/123/content?page=1&page_size=1500

You can then use the page parameter to get the next page of IPs.

I lost my credentials

Remember that you can only view your credentials once when you create the integration. If you lose them, you must generate new credentials and update your firewall configuration. You can do this under the "Configure" menu, which is located on the corresponding integration catalog item.