AD Accounts locked by brute force despite MFA & ACL rule

Can you doublecheck the Firewall Log (ACL) if you have drops there? 
The ACL Rule looks fine to me. You could double check and create a blackhole rule as well: https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/FirewallRules/FirewallRulesBlackHoleDNATRuleCreate/index.html 

Creating this DNAT Rule and using same Source IP like your ACL, will achieve the same. 

Hello and thanks for the fast answer!

ehm, could you tell me what log I need to look at? I'm struggling to find the correct firewall log - it's neither fwlog.log, firewall_rule.log nor fwmgmt.log...

And regarding your ACL Rule: I created one as described, but with countries instead of (only) IP addresses. This should be fine?

Nevertheless the question remains: why are our users locked out so quickly in our AD? Is there an authentication misconfiguration? Do others face this problem?

We are not logging Firewall captures on the log directory. You should see this in packet capture (Diagnostic) or logviewer. 

This rule will essentially take all the HTTPS traffic and send it somewhere else. 

We are currently looking in adjusting this behavior for the greater good. 

Ah, ok, so we are not the only ones facing locked out users through the VPN Portal... I'm looking forward for the next firewall version, then.

Mhm, we cannot have a look at the packet capture or logviewer any more. We closed the VPN Portal for the WAN interface since that was the only way to prevent our users from getting locked out. We want to open this again so everybody could re-download their VPN configurations, but we are still waiting a little bit. Would it be an option to simply keep the VPN Portal closed?