I would like to blacklist IPs flagged as attackers multiple times, but I don’t see a way to do this with the firewall GUI, and I know the firewall writes the fail2ban rules, so I don’t want to mess with them directly if possible. Is there any way to automatically block repeat offenders forever without cutting and pasting into the blacklist?
It does not do that at all. The Firewall is iptables, which means everything is done at the interface level before it gets into the system. Fail2ban is a backup for stuff that makes it through/past the Firewall and actually is processed by something like Asterisk or Apache so logs are generated for fail2ban to read.
For this part you can go into the Advanced section of the Firewall and then Advanced Settings tab to enable the Custom Firewall Rules so you can add your own rules to the Firewall to be used. In this case you can add rules to do what you are looking for.
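As an added example (not part of the original thread, and not code from the firewall project), here is one way to find repeat offenders in a fail2ban log and render permanent DROP rules for them. It assumes fail2ban's usual log layout; the function names, jail names and sample lines are constructed, and the output is plain iptables syntax that has to be adapted to whatever format your Custom Firewall Rules expect.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in fail2ban.log's usual layout (not from the thread).
SAMPLE_LOG = """\
2024-05-01 10:00:01,100 fail2ban.actions [812]: NOTICE [asterisk-iptables] Ban 203.0.113.7
2024-05-01 10:30:01,200 fail2ban.actions [812]: NOTICE [asterisk-iptables] Unban 203.0.113.7
2024-05-01 11:02:44,310 fail2ban.actions [812]: NOTICE [asterisk-iptables] Ban 203.0.113.7
2024-05-01 11:05:09,020 fail2ban.actions [812]: NOTICE [apache-auth] Ban 198.51.100.20
2024-05-02 08:00:00,500 fail2ban.actions [812]: NOTICE [asterisk-iptables] Restore Ban 203.0.113.7
2024-05-02 09:15:30,640 fail2ban.actions [812]: NOTICE [asterisk-iptables] Ban 203.0.113.7
2024-05-02 09:20:00,000 fail2ban.actions [812]: NOTICE [apache-auth] Ban 192.0.2.10
2024-05-02 09:50:00,000 fail2ban.actions [812]: NOTICE [apache-auth] Ban 192.0.2.10
2024-05-02 10:20:00,000 fail2ban.actions [812]: NOTICE [apache-auth] Ban 192.0.2.10
"""

# Match "] Ban <ip>" only; "Unban" and "Restore Ban" are not new offences.
BAN_RE = re.compile(r"fail2ban\.actions\s*\[\d+\]:\s+\w+\s+\[[^\]]+\]\s+Ban\s+(\S+)\s*$")


def repeat_offenders(log_text, threshold=3, allowlist=()):
    """Return addresses banned at least `threshold` times, skipping allowlisted networks."""
    trusted = [ipaddress.ip_network(n) for n in allowlist]
    counts = Counter()
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))  # reject anything that is not an IP
        except ValueError:
            continue
        # Never build a permanent block for a trusted network (avoids locking out admins).
        if any(addr.version == n.version and addr in n for n in trusted):
            continue
        counts[addr] += 1
    hits = [a for a, c in counts.items() if c >= threshold]
    return [str(a) for a in sorted(hits, key=lambda a: (a.version, int(a)))]


def drop_rules(addresses):
    """Render one permanent DROP rule per address (plain iptables syntax, an assumption)."""
    return [("ip6tables" if ":" in a else "iptables") + f" -I INPUT -s {a} -j DROP"
            for a in addresses]


if __name__ == "__main__":
    print("\n".join(drop_rules(repeat_offenders(SAMPLE_LOG, allowlist=("192.0.2.0/24",)))))
```

Review the generated rules before adding them, and keep your own management networks in the allowlist.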