This rule will automatically send out an email to someone whenever an IP is blocked.
Adding the New Rule
- Go to the Event Rules page of the Event Manager.
- Click the New button. The Add A New Event Rule dialog will appear.
- Select the IP Blocked Event Rule Type for your new rule. This event type is triggered whenever an IP has been blocked for any reason.
- Enter a name for your rule in the Rule Name edit box. For example, “Email when IP Blocked”.
- Press the Add New Rule button on the Add A New Rule dialog to add the new Event Rule. The event rule will be selected and ready for editing on the Edit Rules page.
The Add New Rule dialog
Select conditions for the rule to match
Under the 'Matches These Conditions' section, select the No Filters mode. In this example we want to be notified whenever any IP address is blocked, so no conditions are necessary.
Adding the Rule Actions
When an event matches all of the conditions of a rule, the rule actions are carried out. In this case, any time an IP is blocked, we want to email someone to advise them.
- Click the green 'New' button below 'Perform these Actions'.
- Select Email Event Notification from the Action drop-down.
- Select an SMTP server as the operation sub-action from the Using drop-down (this will only be selectable if you have added an SMTP Server on the Event Targets page).
- Enter the recipient's name in the To Name field.
- Enter the email of the person you wish to email when this rule triggers in the To Email field.
- If you want to select which variables are included in the email, press the icon next to 'Variables:' and select the variables you wish to include. All are selected by default. They are:
  - Date and Time the IP was blocked
  - The blocked IP
  - The reason the IP was blocked. See a list of reasons below.
- Enter the subject for the email in the Subject field, or leave it blank for the default email subject.
- Enter desired text in the Body field, or leave it blank if you don't need any customized text. By default, this email will contain the Date and Time the IP was blocked, the blocked IP, and the reason.
The reason can be any of the following:
“Undefined Reason”
“unknown OTP guest”
“OTP guest”
"Username/password incorrect, user disabled, or user logged in too many times"
"Unable to authenticate provided 2FA method"
"Unable to retrieve session after session regeneration"
"Certificate failed authentication"
"Password expired and account cannot change password"
"Max logins exceeded"
"Failed to authenticate User: Username / password incorrect, user disabled, or user logged in too many times"
"Denial of Service (DoS) rules have triggered"
"User logged in too many times"
"SSH Access Error"
"Two Factor Authentication required but not setup"
"Unable to authenticate provided 2FA method"
"Locked out"
"Missing Duo state"
<large amount of DUO error messages>
Example Action Settings
- Press 'Add' to save the action.