See failed direct login attempts user_saml

Hey there

Current setup:
NC17, Apache2, Ubuntu LTS, user_saml w. ADFS

I keep getting the

“We have detected multiple invalid login attempts from your IP. Therefore your next login is throttled up to 30 seconds.”

and would like to see where the requests come from.
Is there a possibility to log failed login attempts via the direct login URL (https://nextcloud.mydomain.net/index.php/login?direct=1)?

I’m not sure if I’m getting brute-forced or not since I do not know if the built-in Nextcloud brute-force protection can handle the cloud being behind a NAT.

What's the best practice for the direct link?
Only allow requests to this specific URL from internal network via firewall?
If so, host or network firewall?
Whitelist only internal IPs on the Nextcloud brute-force settings app?

Thanks in advance and BR