I ignore them. And if you have a reasonable security posture, you should too.
Your servers should have no ports open to the general public other than those that you use to serve the general public.
For example, your web server should have open port 80, 443, and maybe 22; everything else should be SSH-tunneled or otherwise VPN'ed if you need to connect to it, unless you expect random nobodies on the Internet to be using the listening service. Perhaps you may want to remap SSH to port 222 or or something in the upper range to avoid filling your auth logs with failed logins, and that should be as exciting as your servers get.
If instead the port scan is hitting your outbound corp gateway, then the scan should show zero ports open, because your corp gateway isn't a server. And you, like a wise IT admin, run all your servers elsewhere on the internet, not inside your corp network, for a whole raft of reasons I won't go into here.
A port scan should reveal to the attacker nothing that they couldn't reasonably guess. And if this is not the case, then your problem isn't the port scan, it's the public secrets you're trying to hide by blocking port scans.