WAF rules cannot bypass @cloudflare’s new unmetered rate limiter, so be careful using it as it will unavoidably catch good bots (like Googlebot) unless you pay for Enterprise / Bot Management.
WAF rules *can* bypass the old rate limiter, so this feels like forcing people to pay.