is there anything common for those attackers IPs? Like coming from VPN/Anonymizers/etc ?
If there is then you could address it with Fortigate ISDBs more effectively/targeted as opposed to general threat feeds.
Regards to external feeds, technically Fortigate works excellently with them, but as to their effectiveness ... I haven't watched them closely, but when used for clients, seemed to me more of psychological help - to calm a bit admins that they have something in place. I don't recall anything being blocked by them. But of course it will differ based on the quality of those feeds. I can't comment on specific ones as haven't formed an opinion on them.
ANd there are no cons to using them as FGTs of last few years don't add any visible load on using those feeds.
Specifically in the context of SSL VPN - you can use external feeds in Local-in policies, but starting with 7.2.4 only, or you can use them in regular Security rules, provided you move SSL VPN to listen on Loopback/internal (not WAN) interface. You cannot use feeds directly in VPN SSL Settings even today, yet.
How to configure: https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/9463/threat-feeds