Excellent insight, thank you. I asked the question because when experimenting with the router, I saw that the Firewall (FW) would generally block IPs before Threat Protection (TP), but I would also see, to a lesser degree, the FW-blocked IP show up in TP. So probably the reason for the occasional TP reaction to a FW-blocked IP is your explanation of "existing connections." Nice job!
I'm arriving at the conclusion that it's probably a lot of busy work to set up the FW to block IP ranges when TP will handle them per their policies (I've selected all the Poor Reputation and known threat policies). I started using the FW to block the entire range in which a TP-identified IP resided rather than the individual IP. Because I was still seeing attacks from IPs whose regions were blocked (basically blocked all regions but the U.S.), I was thinking blocking at the FW would lessen the processor burden, but now I don't think it makes a difference, and it has some bad consequences.
The bad consequences? When torrenting (qBittorrent) large files with fewer seeds and peers, the torrent frequently stops and shows an error. I looked at the qBittorrent peers' IP addresses and saw some of them were in my FW-blocked IP ranges. I removed the FW IP and region blocks, and the torrent ran beautifully for several hours and completed without error, AND the download was much faster than I'd seen before.
I think now I will just use the region blocks, remove the IP range blocks, and let TP do its work.
BTW, I agree Synology support is excellent, but the official forum "the other place" is lightly used and not much help.