Blocking SAML Auth VPN login attempts - Fail2Ban?

Our Palo Alto frequently (under Monitor > System) shows scans of event Auth-Fail with people trying random, or what appears to frequent brute force attempts to login to our VPN with logins that make no logical sense, but appears to be a random dictionary style attempt, with login names like team, terminal, sysadmin, boardroom, ricoh etc.

I understand this is expected behavior, and the nature of the internet. But I still see it as another layer of swiss cheese that needs to be plugged for good security.

I have a few questions which I am trying to understand and hoping this community could assist me with.

  1. Our VPN is SAML based, so I don't understand how they are trying to login because if you go to our vpn address using the Global Protect client, it immediately redirects you back to our SAML provider. Is this attempt being done via some sort of SSH or other method of login attempt? They dont show up in our SAML system, because I assume it has not gone via the appropriate login pathway.

How are they making these connections, and can it be blocked so this open "connection" does not get allowed.

We do have country blocking in place to only restrict access to the region in which we travel.

  1. Does Palo not have some sort of Fail2Ban system where if the IP keeps logging and fails - that it can be blocked? These attempts are being made every 5-10mins.

Thanks.