I set up in Security > WAF a simple rule. Count is not in Canada or US to block. However, I still see IPs in the logs of users who are outside this geographical region. This is an example: https://whatismyipaddress.com/ip/116.212.156.197
You haven’t given the domain so I can’t check, but usual reasons are:
domain isn’t active on Cloudflare
DNS records are not proxied and instead are set to “DNS only”
you are using a host that also uses Cloudflare (so requests go direct to their account and not through yours) and you need to use only proxied CNAMEs to point at them, see…
DNS is proxied, might need to look at proxied CNAMES, thank you for the link. One additional piece of info is that the WAF is working for some addresses so wondering why these others aren’t being caught: