Block a list of incoming IPs

I agree that the request to add a block of IPs (rather than one at a time) is a good one - no idea why it hasn’t been implemented yet. Everyone who wants and needs this should make their voices heard on threads like this one: Firewall: Bulk Pasting List of IP or IP Networks & Geolocation Blocking - #28 by tzmmtz

I also agree that the best place to block an external IP from getting access to a service is in the firewall - that’s what it’s for, after all.

However, personally I would not want to waste my time - or ask one of my team to waste their time - in trying to block each and every individual IP that is trying to brute force a service. If the person or bot that is attempting to brute force one of my services is any good at what they do, it would be like trying to plug a dam with your finger.

Instead, I would move services away from standard ports so that they are harder to find, I would enable all intrusion detection features within the application that is under attack (e.g. SIP servers can block IPs with too many failed auth attempts, Apache can use mod_security and mod_evasive to protect content from brute force and DDoS attacks), and then I would add two-factor authentication to all public-facing applications / services where possible - to negate the brute force attack completely.

Then - if needed - I would potentially install a UTM appliance WAN side to protect those services even further. WatchGuard’s firewall authentication portal (where firewall ports for a service are only opened for your IP once you’ve authenticated with the firewall itself) is pretty neat for issues like this.

You’re not wrong in wanting to block these attacks at the firewall by source IP - it’s just that playing an endless game of cat and mouse with tens-of-thousand-node botnets is not how I would want to spend my time.

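As an added example (not code from the post or from any product mentioned in it), this is the kind of failed-auth threshold an application-side intrusion detection feature applies: count failures per source IP in a sliding time window and flag the IP once it crosses the limit. The sshd-style log lines, the 60-second window and the threshold of 5 are all constructed assumptions; the IPs come from documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format; not captured from a real host.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[1]: Failed password for root from 203.0.113.5 port 51000 ssh2
2024-03-01T10:00:03 sshd[1]: Failed password for admin from 203.0.113.5 port 51001 ssh2
2024-03-01T10:00:04 sshd[1]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
2024-03-01T10:00:06 sshd[1]: Failed password for test from 203.0.113.5 port 51003 ssh2
2024-03-01T10:00:07 sshd[1]: Failed password for test from 203.0.113.5 port 51004 ssh2
2024-03-01T10:00:09 sshd[1]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
2024-03-01T10:00:10 sshd[1]: Failed password for bob from 198.51.100.9 port 40100 ssh2
2024-03-01T10:05:00 sshd[1]: Failed password for bob from 198.51.100.9 port 40101 ssh2
"""

# Timestamp, then the process field, then the failure message with the source IP.
FAILED_RE = re.compile(
    r"^(\S+) \S+ Failed password for .+ from (\d+\.\d+\.\d+\.\d+)"
)


def find_brute_forcers(log_text, max_failures=5, window_seconds=60):
    """Return {ip: time_of_trigger} for every IP that reaches max_failures
    failed logins within a sliding window of window_seconds.

    Successful logins and lines that do not match are ignored, so an IP with
    a handful of failures spread over a long period is never flagged.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        ip = m.group(2)
        q = recent[ip]
        q.append(ts)
        # Drop failures older than the window before counting.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_brute_forcers(SAMPLE_LOG).items():
        print(f"{ip} crossed the failed-auth threshold at {when.isoformat()}")
```

With the defaults only 203.0.113.5 is flagged (five failures in six seconds); 198.51.100.9 has two failures five minutes apart and stays under the threshold, which is the distinction that keeps a legitimate user with a mistyped password off the block list.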