diff --git a/handlers/main.yml b/handlers/main.yml index 1301d56..600b186 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -35,8 +35,9 @@ - name: Restart fail2ban ansible.builtin.systemd: name: fail2ban - state: restarted + state: reloaded - name: Reload pve firewall ansible.builtin.command: pve-firewall reload + when: fw_compile_check.rc == 0 changed_when: false diff --git a/tasks/fail2ban.yml b/tasks/fail2ban.yml index f5db94a..f914566 100644 --- a/tasks/fail2ban.yml +++ b/tasks/fail2ban.yml @@ -148,6 +148,11 @@ changed_when: false when: cluster_status.stat.exists +- name: Validate Proxmox firewall configuration + ansible.builtin.command: pve-firewall compile + register: fw_compile_check + changed_when: false + # Then automatically whitelist it in Fail2Ban: # ignoreip = 127.0.0.1/8 {{ corosync_ip.stdout }}
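Review bot: The guard `when: fw_compile_check.rc == 0` added to the "Reload pve firewall" handler references a variable that is only registered by the new "Validate Proxmox firewall configuration" task in the second hunk (tasks/fail2ban.yml), so any run that notifies this handler without having executed that task fails with an undefined-variable error rather than skipping the reload; `when: fw_compile_check is defined and fw_compile_check.rc == 0` keeps the handler usable from other task files. Unless that validate task also sets `failed_when` or `ignore_errors` (not visible in the hunk), a non-zero rc from `pve-firewall compile` already aborts the play before handlers run, so the rc check only does anything if the task tolerates failure — and in that case a failed compile silently leaves the previously loaded rule set in place, which the handler should say in a comment. Separately, the handler keeps the name "Restart fail2ban" while it now performs `state: reloaded`; because notifiers reference that name, a comment such as `# performs a reload, not a restart; name kept so existing notify: entries still match` would prevent confusion, and reviewers should confirm that a reload is acceptable on hosts where fail2ban is not yet running, since a systemd reload of an inactive unit fails.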