CrowdSec Windows Firewall Bouncer Isn't Making Decisions
Greetings,
I've been using CrowdSec for a good minute now. I think I've always had this issue, but I managed to mitigate it briefly by applying the blocklists to my firewall through a script. However, this worked for only so long. Anywho, the firewall bouncer doesn't log any firewall rules whatsoever. I've made test decisions, waited a few seconds, and checked my firewall and found nothing. I'm unsure how to solve this, or if there is a YAML file I should be updating. Below is what I mean. For the most part, I've had no issues with this program. However, I'd like to make full use of it if I can. I'm not on the enterprise version, I should mention. I'm using the community lists.
As seen above, no rules have been made. Am I doing something incorrectly? I updated my security engine to the most recent version, so I'm unsure if that was a factor, or if this is the program/my PC itself. If anything, I'm open to suggestions and ideas. Thanks!
PS C:\Users\Salem> cscli decisions add --ip 1.2.3.4 --duration 4h
level=info msg="Decision successfully added"
PS C:\Users\Salem> cscli decisions list
╭─────────┬────────┬─────────────┬──────────────────────────────────────────────────────────────┬────────┬─────────┬────┬────────┬────────────┬──────────╮
│ ID │ Source │ Scope:Value │ Reason │ Action │ Country │ AS │ Events │ expiration │ Alert ID │
├─────────┼────────┼─────────────┼──────────────────────────────────────────────────────────────┼────────┼─────────┼────┼────────┼────────────┼──────────┤
│ 3639675 │ cscli │ Ip:1.2.3.4 │ manual 'ban' from │ ban │ │ │ 1 │ 3h59m56s │ 706 │
│ │ │ │ '0e5ac7c68e374ffb832bb0401dd4c924jY74qhfXyUE2haYF' │ │ │ │ │ │ │
╰─────────┴────────┴─────────────┴──────────────────────────────────────────────────────────────┴────────┴─────────┴────┴────────┴────────────┴──────────╯
1 duplicated entries skipped
PS C:\Users\Salem> Get-NetFirewallRule | Select-String CrowdSec
PS C:\Users\Salem>
1 Reply
OK. I did some digging and found where the log file is stored. The log says as such:
So, it's an API problem obviously. I copied the API key and put it in the file
Should I remove the bouncer and readd it?
2025-11-04 01:39:58.0968|ERROR|Manager.DecisionsManager|Could not get decisions from LAPI. (startup: True)
2025-11-04 01:40:03.4568|ERROR|Api.ApiClient|Could not get decisions: Response status code does not indicate success: 403 (Forbidden).
2025-11-04 01:40:03.4568|ERROR|Manager.DecisionsManager|Could not get decisions from LAPI. (startup: True)
2025-11-04 01:40:08.1066|ERROR|Api.ApiClient|Could not get decisions: Response status code does not indicate success: 403 (Forbidden).
2025-11-04 01:40:08.1066|ERROR|Manager.DecisionsManager|Could not get decisions from LAPI. (startup: True)
2025-11-04 01:40:13.4661|ERROR|Api.ApiClient|Could not get decisions: Response status code does not indicate success: 403 (Forbidden).
2025-11-04 01:40:13.4661|ERROR|Manager.DecisionsManager|Could not get decisions from LAPI. (startup: True)
2025-11-04 01:40:18.1267|ERROR|Api.ApiClient|Could not get decisions: Response status code does not indicate success: 403 (Forbidden).
2025-11-04 01:40:18.1267|ERROR|Manager.DecisionsManager|Could not get decisions from LAPI. (startup: True)
2025-11-04 01:40:23.4755|ERROR|Api.ApiClient|Could not get decisions: Response status code does not indicate success: 403 (Forbidden).
2025-11-04 01:40:23.4755|ERROR|Manager.DecisionsManager|Could not get decisions from LAPI. (startup: True)
2025-11-04 01:40:28.1361|ERROR|Api.ApiClient|Could not get decisions: Response status code does not indicate success: 403 (Forbidden).
2025-11-04 01:40:28.1361|ERROR|Manager.DecisionsManager|Could not get decisions from LAPI. (startup: True)
2025-11-04 01:40:33.4952|ERROR|Api.ApiClient|Could not get decisions: Response status code does not indicate success: 403 (Forbidden).
2025-11-04 01:40:33.4952|ERROR|Manager.DecisionsManager|Could not get decisions from LAPI. (startup: True)
2025-11-04 01:40:38.1564|ERROR|Api.ApiClient|Could not get decisions: Response status code does not indicate success: 403 (Forbidden).
2025-11-04 01:40:38.1564|ERROR|Manager.DecisionsManager|Could not get decisions from LAPI. (startup: True)
api_endpoint: http://localhost:8080
api_key: qbZw9GxZ/pagf/h1IS0HP3MXq+24gVsN2 (removed characters for privacy)
update_frequency: 10
log_media: file
log_dir: C:\\ProgramData\\CrowdSec\\log\\
time="2025-11-04T01:43:03-05:00" level=info msg="127.0.0.1 - [Tue, 04 Nov 2025 01:43:03 EST] \"GET /v1/heartbeat HTTP/1.1 200 0s \"crowdsec/v1.7.3-c8aad699-windows\" \""
time="2025-11-04T01:43:03-05:00" level=info msg="127.0.0.1 - [Tue, 04 Nov 2025 01:43:03 EST] \"POST /v1/usage-metrics HTTP/1.1 201 515.3µs \"crowdsec/v1.7.3-c8aad699-windows\" \""
time="2025-11-04T01:43:03-05:00" level=info msg="127.0.0.1 - [Tue, 04 Nov 2025 01:43:03 EST] \"GET /v1/decisions/stream?startup=true&scope=ip,range HTTP/1.1 403 546.1µs \"cs-windows-fw-bouncer/0.0.5\" \""
time="2025-11-04T01:43:08-05:00" level=info msg="127.0.0.1 - [Tue, 04 Nov 2025 01:43:08 EST] \"GET /v1/decisions/stream?startup=true&scope=ip,range HTTP/1.1 403 621µs \"cs-windows-fw-bouncer/0.0.5\" \""
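
One way to confirm from the LAPI access log which client is being rejected, as an added example that is not part of the original thread or CrowdSec's own code: it parses access-log lines in the format quoted above and reports user agents whose /v1/decisions requests only ever received 401 or 403. The last sample line and its `example-bouncer/1.0` agent are constructed for contrast.

```python
import re
from collections import defaultdict

# First four lines are the access-log lines quoted in the thread; the last line
# is constructed to show what an accepted bouncer request looks like.
SAMPLE_LOG = r'''
time="2025-11-04T01:43:03-05:00" level=info msg="127.0.0.1 - [Tue, 04 Nov 2025 01:43:03 EST] \"GET /v1/heartbeat HTTP/1.1 200 0s \"crowdsec/v1.7.3-c8aad699-windows\" \""
time="2025-11-04T01:43:03-05:00" level=info msg="127.0.0.1 - [Tue, 04 Nov 2025 01:43:03 EST] \"POST /v1/usage-metrics HTTP/1.1 201 515.3µs \"crowdsec/v1.7.3-c8aad699-windows\" \""
time="2025-11-04T01:43:03-05:00" level=info msg="127.0.0.1 - [Tue, 04 Nov 2025 01:43:03 EST] \"GET /v1/decisions/stream?startup=true&scope=ip,range HTTP/1.1 403 546.1µs \"cs-windows-fw-bouncer/0.0.5\" \""
time="2025-11-04T01:43:08-05:00" level=info msg="127.0.0.1 - [Tue, 04 Nov 2025 01:43:08 EST] \"GET /v1/decisions/stream?startup=true&scope=ip,range HTTP/1.1 403 621µs \"cs-windows-fw-bouncer/0.0.5\" \""
time="2025-11-04T01:43:09-05:00" level=info msg="127.0.0.1 - [Tue, 04 Nov 2025 01:43:09 EST] \"GET /v1/decisions/stream?startup=true HTTP/1.1 200 1.2ms \"example-bouncer/1.0\" \""
'''

# Matches: client IP, [date], \"METHOD path HTTP/x.y status duration \"user-agent\"
LINE_RE = re.compile(
    r'msg="(?P<ip>\S+) - \[[^\]]*\] '
    r'\\"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+ (?P<status>\d{3}) \S+ '
    r'\\"(?P<agent>[^"\\]*)\\"'
)


def rejected_bouncers(log_text):
    """Return {user_agent: counts} for agents whose /v1/decisions requests
    were rejected (401/403) and never accepted (2xx)."""
    stats = defaultdict(lambda: {"rejected": 0, "accepted": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or not m["path"].startswith("/v1/decisions"):
            continue  # unparseable line, or not a bouncer decisions call
        status = int(m["status"])
        if status in (401, 403):
            stats[m["agent"]]["rejected"] += 1
        elif 200 <= status < 300:
            stats[m["agent"]]["accepted"] += 1
    return {a: s for a, s in stats.items() if s["rejected"] and not s["accepted"]}


if __name__ == "__main__":
    for agent, s in rejected_bouncers(SAMPLE_LOG).items():
        print(f"{agent}: {s['rejected']} rejected, 0 accepted -> check its api_key")
```

An agent reported here is one whose credentials the LAPI does not accept; `cscli bouncers list` shows which bouncers the LAPI has registered.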