# Use Alert for Faster Response to Firewall Brute Force Attack

This contextual alert provides notifications about the attacker’s IP address and geolocation when a possible brute force attack is detected.

A contextual alert template is available for download below.

 [Download Alert](https://logmanager.com/wp-content/uploads/2026/05/alert.xml_.zip) 

## What Is a Firewall Brute Force Attack?

A firewall brute force attack is a systematic attempt to gain unauthorized access to a network by repeatedly and automatically trying a large number of login credentials until the correct combination is found (for example, for VPN or SSH access).

## Why Use This Alert?

The usefulness of sending an alert with the geolocation of the attack source, for example, after 10 failed attempts from a single source IP address, lies in the rapid detection of incidents and threat identification.

Knowing the geographic origin of the attack (e.g., outside predefined trusted countries) allows the security team to immediately assess the risk and, if necessary, automatically block either the specific IP address or the entire geographic region. This minimizes the attacker’s opportunity window and improves the overall incident response capability.

## Configure a Context-Aware Firewall Alert in Logmanager

After a defined number of invalid login attempts on the firewall from a single IP address, the alert sends a notification containing the source IP address of the potential attack and the country from which the attack originates.

## Step 1: Create a Correlation Window

In the **Alerts &amp; Actions** menu, under the **Correlations** tab, create a new correlation window with the desired duration (for example, 60s). Name the window something like `Firewall`.

![Creating new correlation window in Logmanager](https://logmanager.com/wp-content/uploads/2026/05/new-correlation-window-logmanager-1024x219.png)Save the window by clicking the **Save** button.

## Step 2: Create an Email Alert Template

In the **Email message templates** section, create a new template and insert the following details:

**Name:**

too many login failed from one IP

**Subject:**

LM Alert – {{name}} / {{ msg.failed\_remote\_ip }}  
  
**Body:**

```
{% extends "base.html" %}

{% block title %}Alert{% endblock %}

{% block content %}
<h4>VPN alert - neplatné přihlášení z jedné IP adresy. Uživatel <font color="red"><b>{{ msg.username }}</b></font> překročil limit.</h4>

<p>Reason: <b>{{ msg.logdesc }}</b></p>
<p>Reason: <b>{{ msg.msg }}</b></p>
<p>Reason: <b>{{ msg.reason }}</b></p>
<p>Remote IP & Country: <b>{{ msg.failed_remote_ip }}</b></p>
<h3>Uživatel: <font color="red"><b>{{ msg.username }}</b></font></h3>

<hr>

<h1>Alert message</h1>
Alert name: {{ name }}<br>
Alert description: {{ description }}<br>

<h2>Message meta information</h2>
<table style="border: 1px solid rgb(0, 102, 153); border-collapse: collapse;">
    <tr>
        <td style="border: 1px solid rgb(0, 102, 153);font-weight: bold;">Name</td>
        <td style="border: 1px solid rgb(0, 102, 153);font-weight: bold;">Value</td>
    </tr>
    {% for key in meta|sort %}
        {% if key == "src" %}
            {% for src in meta.src|sort %}
                <tr>
                    <td style="border: 1px solid rgb(0, 102, 153);" align="left">{{ key }}.{{ src }}</td>
                    <td style="border: 1px solid rgb(0, 102, 153);" align="left">{{ meta.src[src] }}</td>
                </tr>
            {% endfor %}
        {% else %}
            <tr>
                <td style="border: 1px solid rgb(0, 102, 153);" align="left">{{ key|e }}</td>
                <td style="border: 1px solid rgb(0, 102, 153);" align="left">{{ meta[key]|e }}</td>
            </tr>
        {% endif %}
    {% endfor %}
</table>

<h2>Message data</h2>
<table style="border: 1px solid rgb(0, 102, 153); border-collapse: collapse;">
    <tr>
        <td style="border: 1px solid rgb(0, 102, 153);font-weight: bold;">Name</td>
        <td style="border: 1px solid rgb(0, 102, 153);font-weight: bold;">Value</td>
    </tr>
    {% for key in msg|sort %}
        <tr>
            <td style="border: 1px solid rgb(0, 102, 153);" align="left">{{ key|e }}</td>
            <td style="border: 1px solid rgb(0, 102, 153);" align="left">{{ msg[key]|e }}</td>
        </tr>
    {% endfor %}
</table>

{% if dropped > 0 %}
    <div style="color: #E81E1E">Dropped similar messages: {{ dropped }}</div>
{% endif %}
{% endblock %}
```

![email template alert setup in Logmanager](https://logmanager.com/wp-content/uploads/2026/05/email-template-alert-logmanager-1024x309.png)Save the template by clicking **Save**.

## Step 3: Import and Configure the Alert Rule

Under the **Rules** tab, create a new alert and paste the alert code into the XML window.

Then switch to the **Blocks** window.

Assign the alert a name, for example:  
`<strong>too many login failed from one IP</strong>`

Enter the recipient email address for the alert and switch the alert status to **Enabled**.

![alert rule configuration in Logmanager UI](https://logmanager.com/wp-content/uploads/2026/05/new-alert-rule-setup-logmanager-1024x374.png)## Step 4: Set the Failed Login Threshold

In the Blockly code of the alert, configure the required threshold for failed login attempts after which the alert should be triggered.

In this example, the value is set to `10`.

![Threshold setup in Logmanager](https://logmanager.com/wp-content/uploads/2026/05/threshold-setup-logmanager-1024x230.png)## Step 5: Select the Correlation Context

In the **Context** block, select the previously created correlation window.

![Blockly firewall alert final configuration in Logmanager](https://logmanager.com/wp-content/uploads/2026/05/blockly-firewall-alert-configuration-1024x199.png)## Step 6: Assign the Email Template to the Alert

At the end of the alert configuration, in the **send alert** block, select the previously created email template.

![blockly email template Logmanager](https://logmanager.com/wp-content/uploads/2026/05/blockly-email-template-logmanager-1024x171.png)## Contextual Firewall Alert Is Ready

You are now fully prepared to send alerts containing both the attacker’s IP address and geolocation.
