I am using fail2ban with "iptables-ipset-proto6-allports.conf". It works fine to block bad IPs on ClearOS itself; however, it does not block those IPs from the forwarded packets (1-to-1 NAT). To test it I just added a rule to iptables:
iptables -I FORWARD 4 -m set --match-set f2b-sshd src -j REJECT
It works fine; the issues are:
1. This won't survive a service restart / reboot.
2. Each time I create a jail I need to remember to create a new rule for the FORWARD chain.

In "/etc/fail2ban/action.d/iptables-ipset-proto6-allports.conf":
actionstart = ipset create <ipmset> hash:ip timeout <bantime><familyopt>
              <iptables> -I <chain> -m set --match-set <ipmset> src -j <blocktype>
I can easily add a line for the FORWARD chain, but first I need to understand what "<chain>" actually does. My understanding is that it adds a rule for each chain; am I wrong, or is something not working correctly?

Another question: in "iptables-ipset-proto6-allports.conf" I see it creates the ipset with a fixed bantime. It uses the default bantime and ignores the bantime specified in the jail. Why is this, and also, in this case, why does it need "timeout <bantime>" in the actionban? This does nothing, am I wrong?
Monday, February 24 2020, 09:08 PM
Responses (7)
  • Accepted Answer
    Wednesday, February 26 2020, 12:19 AM
    @Nick Howitt
    I found this issue from 2013! https://github.com/fail2ban/fail2ban/issues/540 According to the bug tracker this issue was resolved years ago; however, the solution provided there worked for me.
    The "bantime = xxx" line is for fail2ban, and for ipset add the bantime in the "action" line (so we have two separate bantimes):
    action   = iptables-ipset-proto6-allports[name=SSH, bantime=86400]

    IMPORTANT: I found this the hard way: when using it in this format it is sensitive to spaces. It must be "bantime=86400", not "bantime = 86400".

    Many thanks for all your help.
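As an added example (not code from this thread, fail2ban or ClearOS), the Python below models how fail2ban expands an action's `<tag>` placeholders: `<chain>` is a single value (INPUT by default), so the quoted actionstart yields exactly one iptables rule, and the ipset timeout comes from the action's own bantime (the [Init] default 600 or a `bantime=...` action parameter, as found above), not from the jail. The iptables-common.conf defaults, the extra FORWARD line with its `<wanif>` tag, and the parameter parser's spacing rule (modelled on the behaviour reported in this thread, not fail2ban's real parser) are assumptions.

```python
import re
# Tag defaults assumed from fail2ban's iptables-common.conf (not quoted in the thread).
COMMON_TAGS = {
    "iptables": "iptables -w",
    "chain": "INPUT",
    "blocktype": "REJECT --reject-with icmp-port-unreachable",
    "familyopt": "",
}
# actionstart of iptables-ipset-proto6-allports.conf as quoted in the question.
ACTIONSTART = [
    "ipset create <ipmset> hash:ip timeout <bantime><familyopt>",
    "<iptables> -I <chain> -m set --match-set <ipmset> src -j <blocktype>",
]
# Hypothetical extra line for forwarded (NAT) traffic; <wanif> is an invented tag.
FORWARD_RULE = "<iptables> -I FORWARD -i <wanif> -m set --match-set <ipmset> src -j <blocktype>"
TAG_RE = re.compile(r"<(\w+)>")

def render(template, tags, max_rounds=10):
    """Expand <tag> placeholders. Repeats because a value may itself contain
    tags (ipmset = f2b-<name>); tags with no value are left untouched."""
    for _ in range(max_rounds):
        out = TAG_RE.sub(lambda m: tags.get(m.group(1), m.group(0)), template)
        if out == template:
            return out
        template = out
    raise ValueError("tag expansion did not converge: %r" % template)

def parse_action_spec(spec):
    """Split 'name[k=v, k=v]' into (name, {k: v}). Only 'key=value' with no
    whitespace around '=' counts, so 'bantime = 86400' is silently dropped."""
    m = re.fullmatch(r"\s*([\w.\-]+)(?:\[(.*)\])?\s*", spec)
    if not m:
        raise ValueError("bad action spec: %r" % spec)
    params = {}
    for item in (m.group(2) or "").split(","):
        key, sep, value = item.strip(" ").partition("=")
        if sep and re.fullmatch(r"\w+", key):
            params[key] = value
    return m.group(1), params

def start_commands(jail, action_spec, wan_if=None):
    """Commands run at jail start: one INPUT rule (since <chain> is one value),
    with the ipset timeout taken from the action's bantime, not the jail's."""
    _, params = parse_action_spec(action_spec)
    tags = dict(COMMON_TAGS, bantime="600", ipmset="f2b-<name>", name=jail)
    tags.update(params)
    lines = list(ACTIONSTART)
    if wan_if:
        tags["wanif"] = wan_if
        lines.append(FORWARD_RULE)
    return [render(line, tags) for line in lines]
```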
  • Accepted Answer
    Tuesday, February 25 2020, 09:53 PM
    I checked and checked again multiple times; it ignores the bantime from the jail.local and uses the bantime from the action file. Two points:
    1. This is only when using ipset; however, when using iptables-allports it does not ignore it.
    2. After the ban expires (600), if I restart fail2ban it will get banned again as it's still in the fail2ban bantime.
  • Accepted Answer
    Tuesday, February 25 2020, 08:04 PM
    I have:
    /etc/fail2ban/action.d/iptables-ipset-proto6.conf:
    [INCLUDES]
    before = iptables-common.conf
    [Definition]
    actionstart = ipset create <ipmset> hash:ip timeout <bantime><familyopt>
                  <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
    actionflush = ipset flush <ipmset>
    actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
                 <actionflush>
                 ipset destroy <ipmset>
    actionban = ipset add <ipmset> <ip> timeout <bantime> -exist
    actionunban = ipset del <ipmset> <ip> -exist
    [Init]
    bantime = 600
    ipmset = f2b-<name>
    familyopt =
    [Init?family=inet6]
    ipmset = f2b-<name>6
    familyopt = <sp>family inet6
    /etc/fail2ban/jail.d/clearos-postfix.conf:
    [postfix]
    enabled = true
    bantime = 432000
    findtime = 36000
    [root@server ~]# ipset list f2b-postfix
    Name: f2b-postfix
    Type: hash:ip
    Revision: 4
    Header: family inet hashsize 1024 maxelem 65536 timeout 432000
    Size in memory: 1464
    References: 1
    Number of entries: 9
    Members:
    185.143.223.164 timeout 275602
    46.173.211.201 timeout 381729
    185.143.223.163 timeout 92695
    185.143.223.161 timeout 336351
    213.202.212.45 timeout 368541
    185.143.223.97 timeout 138399
    185.143.223.168 timeout 305944
    93.186.202.46 timeout 365056
    62.173.149.250 timeout 401322
  • Accepted Answer
    Tuesday, February 25 2020, 06:11 PM
    Nick Howitt wrote:
    4 - Specific jail defaults overrule the 600s default. Have a look in /etc/fail2ban/jail.d/clearos-sshd.conf. Then, if you get any bans, have a look at "ipset list f2b-sshd" to see the timeout remaining.

    I did, and the jail bantime was 2147483, but ipset list showed expiry after 600.
  • Accepted Answer
    Tuesday, February 25 2020, 05:17 PM
    1 - You can create a file iptables-ipset-proto6-allports.local. This will overrule iptables-ipset-proto6-allports.conf and it will not get updated. These rules only help for an f2b restart or reboot and not a firewall restart.
    2 - Sorry, wrong file name. It should be /etc/clearos/firewall.d/90-attack-detector. You can add any file here. It must start with a number, I believe, and it may have to be below 99. The lowest numbers get run first.
    3 - The interface may not matter if you specify an external source IP in your rule.
    4 - Specific jail defaults overrule the 600s default. Have a look in /etc/fail2ban/jail.d/clearos-sshd.conf. Then, if you get any bans, have a look at "ipset list f2b-sshd" to see the timeout remaining.
  • Accepted Answer
    Tuesday, February 25 2020, 04:19 PM
    @Nick Howitt many thanks for your response.

    A few further clarifications.
    1. Is there any local config file I can add the iptables rule for the FORWARD chain to, instead of iptables-ipset-proto6-allports.conf, in case it gets overwritten on an update?
    2. I do not have this file /etc/clearos/firewall.d/20-ipset_blocks (ls output below).
    3. I didn't notice any issues between LANs after adding the FORWARD rule, but I will add the "-i ppp+" to the rule.
    4. Regarding the bantime, do I understand correctly that if the ipset bantime = 600, as soon as that expires it will ban it again until the fail2ban bantime expires?

    [root@gateway ~]# ls -l /etc/clearos/firewall.d
    total 56
    -rw-r--r-- 1 root root 2284 Jan 14 16:43 10-netify-fwa
    -rwxr-xr-x 1 root root 95 Feb 4 2018 10-ntp
    -rw-r--r-- 1 root root 1156 Jun 18 2019 10-snortsam
    -rwxr-xr-x 1 root root 1440 Sep 9 12:27 90-attack-detector
    -rwxr-xr-x 1 root root 4586 Feb 12 00:59 custom
    -rwxr-xr-x 1 root root 326 May 3 2017 custom.rpmnew
    -rwxr-xr-x. 1 root root 115 Aug 7 2016 local
    -rwxr-xr-x 1 root root 455 Feb 9 2019 local.rpmnew
    -rwxr-xr-x 1 root root 1467 Jan 23 15:46 types
  • Accepted Answer
    Monday, February 24 2020, 10:12 PM
    <chain> is the default chain. See /etc/fail2ban/action.d/iptables-common.conf. That means the line does a command:
    iptables -w -I INPUT -m set --match-set <ipmset> src -j <blocktype>

    The bantime is overridden by the value specified in the jails.

    The bantime is specified in ipset sets because ipset sets have their own timeout mechanism, which avoids needing f2b to unban the IPs at the end of the ban time.

    For a firewall restart, see if you can work out what /etc/clearos/firewall.d/20-ipset_blocks does. Be wary of blocking in the FORWARD chain if you have more than one LAN, so you don't cut off LAN <> LAN traffic. Consider also using the "-i" switch for your WAN interfaces.

    For a reboot you are OK. F2b has a database of the bans so it survives an f2b restart. The firewall restart is the problem.