When you look in any web servers access logs, you will find hackers searching for things like cgi, wp-admin and scripts. It is a waste of connections and server resources.

Can a firewall block an IP based on the content of the GET or POST request?

Example log:
178.156.202.250 - - [19/Jul/2019:05:27:51 +0000] “POST /FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=FileUpload&Type=File&CurrentFolder=%2F HTTP/1.1” 301 351 “http://www.medicalcheckin.com/FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=FileUpload&Type=File&CurrentFolder=%2F” “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)”
178.156.202.250 - - [19/Jul/2019:05:27:52 +0000] “POST /FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=FileUpload&Type=File&CurrentFolder=%2F HTTP/1.1” 301 351 “http://www.medicalcheckin.com/FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=FileUpload&Type=File&CurrentFolder=%2F” “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)”
178.156.202.250 - - [19/Jul/2019:05:27:53 +0000] “GET /index.php?m=member&c=index&a=register&siteid=1 HTTP/1.1” 301 297 “http://www.medicalcheckin.com/index.php?m=member&c=index&a=register&siteid=1” “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)”

This is obviously a hacker. It would be nice to block the IP based on the /FCKeditor/ part of the request. If the request contains /FCKeditor/ drop the connection and ban the IP.