I'm posting this observation separate from my earlier reply because the first dealt solely with adding a FQDN alias to a pass list.
From your shared screenshots from the BLOCKS tab, I assume you are running Suricata on the WAN and capturing these scans from that interface. Understand that Legacy Mode Blocking in Suricata depends on the pfSense pf firewall engine to actually implement the blocks of traffic. Suricata is not blocking the traffic itself. It is simply pulling out the IP addresses in the packets and adding them to a pf firewall table called snort2c.
The default firewall rule in place on the WAN drops all unsolicited inbound traffic already. So, you have the default DROP rule that is going to drop this scan attempt, then you have Suricata adding the IP to an internal pf table that is mapped to another firewall rule that is also going to just drop this traffic. Why do that? You are creating double work on your firewall by essentially dropping the same traffic twice. If you don't actually have any open ports on the WAN side that accept unsolicited inbound traffic, what's to be gained by this double blocking?
Lastly, these SCAN rules are somewhat prone to false positives. The Snort portscan preprocessor is notorious for false positives. There exists "normal" web traffic these days that such rules will misinterpret and trigger on, producing a false positive. I suspect that is what's happening in this case.
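One way to test the premise above against a ruleset, as an added example that is not part of the original post: the script looks for a block rule that references the snort2c table and for any inbound pass rule that applies to the WAN. The rule lines are constructed in simplified pf syntax, and the interface names (em0 as WAN, em1 as LAN) and the function names are assumptions.

```python
import re

# Constructed pf rules in simplified syntax (not output from a real firewall).
# Assumed interface names: em0 = WAN, em1 = LAN.
NO_OPEN_PORTS = """\
block drop in log inet all label "Default deny rule IPv4"
block drop log quick from <snort2c> to any label "Block snort2c hosts"
pass out inet all flags S/SA keep state label "allow out from firewall"
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "LAN to any"
"""
WITH_PORT_FORWARD = NO_OPEN_PORTS + (
    "pass in quick on em0 inet proto tcp from any to 192.168.1.10 port = 443 "
    'flags S/SA keep state label "HTTPS to web server"\n'
)

def wan_inbound_pass_rules(rules_text, wan_if):
    """Return pass-in rules that apply to wan_if (bound to it or to no interface)."""
    hits = []
    for line in rules_text.splitlines():
        body = line.strip().split(" label ")[0]   # ignore free-text labels
        if not re.match(r"pass\s+in\b", body):
            continue
        iface = re.search(r"\bon\s+(\S+)", body)
        if iface is None or iface.group(1) == wan_if:
            hits.append(line.strip())
    return hits

def has_snort2c_block(rules_text):
    """True if some block rule references the snort2c table."""
    return any(l.lstrip().startswith("block") and "<snort2c>" in l
               for l in rules_text.splitlines())

def assess(rules_text, wan_if="em0"):
    """Classify whether snort2c blocks on the WAN duplicate the default deny."""
    if not has_snort2c_block(rules_text):
        return "no-snort2c-rule"
    if wan_inbound_pass_rules(rules_text, wan_if):
        return "wan-accepts-inbound"
    return "redundant-with-default-deny"

if __name__ == "__main__":
    for name, rules in (("no open ports", NO_OPEN_PORTS),
                        ("port forward", WITH_PORT_FORWARD)):
        print(name, "->", assess(rules))
```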