Forum Discussion
F5 ASM Start Page + Brute Force Protection - SoftLockout
From OLH - A brute force attack can be automated, but a hacker can outsource CAPTCHA challenges to turks (a.k.a. CAPTCHA farm) to pass the CAPTCHA challenges. CAPTCHA Bypass is detected only after a source-based brute-force attack has been detected and mitigation has been applied. The system counts occurrences of a combination of two simultaneous events: successful CAPTCHA challenge solution by a client and a failed login attempt. There are separate counters for Device ID and Source IP. When a counter is higher than the threshold, enforcement action is applied. CAPTCHA Bypass detection is not applicable to username. CAPTCHA is the strictest mitigation available for username, which guarantees login availability for legitimate users even if their account is under a brute force attack.
Alarm+Block will affect a legitimate user logging in.
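
The counting rule in the quoted help text, modelled as an added sketch (not part of the original post and not F5's implementation). The event fields, the sample events and the threshold value are assumptions constructed for illustration; every event is assumed to arrive while CAPTCHA mitigation is already active for its source.

```python
from collections import Counter

THRESHOLD = 2  # assumed value; the real threshold is set in the ASM policy


def ev(ip, device_id, user, captcha_solved, login_ok):
    """Build one constructed login event (hypothetical field names)."""
    return {"ip": ip, "device_id": device_id, "user": user,
            "captcha_solved": captcha_solved, "login_ok": login_ok}


# Constructed sample events, not real ASM logs.
EVENTS = [
    # One device solving CAPTCHAs and failing logins while rotating source IPs.
    ev("198.51.100.7", "dev-A", "alice", True, False),
    ev("198.51.100.8", "dev-A", "alice", True, False),
    ev("198.51.100.9", "dev-A", "alice", True, False),
    # Legitimate user: one typo after solving the CAPTCHA, then a good login.
    ev("203.0.113.5", "dev-B", "alice", True, False),
    ev("203.0.113.5", "dev-B", "alice", True, True),
    # Failed login with an unsolved CAPTCHA: not the counted combination.
    ev("198.51.100.7", "dev-C", "bob", False, False),
]


def detect_captcha_bypass(events, threshold=THRESHOLD):
    """Count 'CAPTCHA solved AND login failed' per Source IP and per Device ID.

    Returns (flagged, counters). A key is flagged once its counter is
    higher than the threshold. No counter is keyed on username, matching
    the statement that bypass detection does not apply to username.
    """
    counters = {"ip": Counter(), "device_id": Counter()}
    flagged = set()
    for e in events:
        if not e["captcha_solved"] or e["login_ok"]:
            continue  # only the simultaneous combination is counted
        for kind in ("ip", "device_id"):
            counters[kind][e[kind]] += 1
            if counters[kind][e[kind]] > threshold:
                flagged.add((kind, e[kind]))
    return flagged, counters


if __name__ == "__main__":
    flagged, counters = detect_captcha_bypass(EVENTS)
    print("flagged:", sorted(flagged))
    print("per-IP:", dict(counters["ip"]))
    print("per-device:", dict(counters["device_id"]))
```

In this sample the Device ID counter trips while every Source IP counter stays below the threshold, which is why the two are tracked separately.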