Block traffic to WAF correctly

I'm struggling to block access to the WAF, I am trying to block all but Cloudflare IP ranges from accessing the WAF however there is still traffic hitting the WAF from non cloudflare IP's. If you are a non cloudflare IP then you get a forbidden page instead of an outright block.

I have tried creating a blackhole NAT Rule to try and fix this but it doesn't work.

I have my existing WAF rule that is up and working and I want to blackhole or block anything that isn't Cloudflare.
I have tried making a NAT Rule to firstly allow the Cloudflare IP's on HTTP/HTTPS, then a rule under it that does the black hole.

It doesn't work and I never see traffic hitting either of the rules. I even tried just having the blackhole and it still never logs anything against that rule.

A few years ago I did this same thing for a customer and it was so easy, maybe in v17, what am I missing?

Added TAGs
[edited by: Raphael Alganes at 11:48 PM (GMT -8) on 3 Mar 2024]