>> Now network folks want to install a physical firewall (fortigate) and software called MalwareBytes to filter out "bad requests"
Anyone who has watched their (public) web server for more than a few minutes will see that it's constantly being bombarded with requests that are clearly malicious. None of them do anything (because they're targeted at specific vulnerabilities in specific server software) but they happen all the time. If someone wants to filter those out, there's no harm in that.
>> and limit the requests only to certain ip-addresses (which is max. 25 in this case, but some don't have guaranteed fixed addresses).
This is a feature that sounds good on paper, but may end up being useless later on. But there's no real harm in turning it on, and then later deciding to turn it off if necessary.
>> Personally I think they are introducing a lot of costs for the client (fortigate)
That's the client's issue, not yours. The client has contracted with these Network folks, and can either take their advice or ignore it. It's not your money, so you don't need to worry. If the client asks you about it respond honestly. ("The server is secure, but there are no guarantees in life".)
>> and quite a lot of hassle to keep the ip-addresses up to date
presumably the Network folks will maintain this list, and they'll either decide it's too much hassle, or they won't.
>> (I know that I'm the one getting the first support calls when an ip-number has changed and traffic blocks ...)
Sure, and you just politely redirect the call to the network folks. If the client can't connect it's their problem anyway.
In my opinion you should stick to "your lane". The network folks are in charge of the network. Let them do their job. You want them onside. If they want your opinion, or the client wants your opinion, then they will ask you. If they want to know more about the server then there are ways to do that. But fighting network folk just means they aren't inclined to help you, and if something (anything, anywhere) breaks, suddenly it's your job to fix it.
So my advice; don't fight this - just smile.