None of your listed goals have anything to do with fail2ban or intrusion detection. Furthermore, this line:
is not correct. Assuming a normal setup, i.e.:
- responsive is disabled
- interface(s) set to Internet zone
- Internet zone disabled for SIP services
then the PBX firewall does block SIP signaling ports by default.
Take a look at this vid if you haven’t already seen it: Open Source Pro Tips #2 - Firewall Basics