@bmeeks thanks a lot for the explanation. So, looking at the drawings, I understand that Inline Mode can act and drop "bad" traffic before it reaches the pfSense engine. In Legacy Mode, the traffic will reach the pfSense engine and then will be blocked based on block rules, but in this way it uses more CPU/mem resources of the pfSense hardware, right?
From what I saw here, Suricata is acting and blocking the DoS attacks (I can see the source IPs in the block list), but it seems that Suricata is acting after the traffic has passed to the internal server, because I can see lots of TCP SYNs arriving on port 443 of the internal server, and the server is answering with ACK.
In my mind, this traffic needs to be dropped and never reach the internal server.
I tried to change from Legacy to Inline Mode, but I received an error message "The 'opt9' interface does not support Inline IPS Mode with native netmap". In my scenario, I'm using all 4 pfSense physical ethernet ports configured in a LAGG between pfSense and the switches, for redundancy reasons. Could this be the cause?