Firewall Rule is the new thing. IP Access Rule is legacy.
You should use a Firewall Rule, as it allows for exceptions, which an IP Access Rule doesn’t.
For example, after blocking a whole ASN, you find out that it also blocks an online service your site depends on. You may then edit your Firewall Rule to block the ASN but exclude the IPs from that specific service.
Each Firewall Rule is limited in size to 4 KB, so it will vary because of the number of digits in the ASN. You should create a list using “is in”, as opposed to linking a bunch of ASNs with OR. That will save you a lot of characters in the final rule.
In this rule, I’m excluding the Known Bots, a list of Cloudflare-sanctioned “good bots” such as search indexes, as well as some URLs that I think should be open to all. Also, I use this rule with action Managed Challenge, instead of Block, as you never know when legit visitors will use some service (VPN, proxies, etc.) or ISP that might use one of those ASNs to reach your sites.
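The size difference between an “is in” list and an OR chain, with the Known Bots and open-URL exclusions described above, as an added example that is not part of the original post. The function names are hypothetical, the ASNs and paths are constructed, the fields `ip.geoip.asnum`, `cf.client.bot` and `http.request.uri.path` come from Cloudflare's Rules language rather than from this page, and 4096 bytes is an assumed reading of “4 KB”.

```python
# Added example; ASNs and paths are constructed sample data.
MAX_EXPR_BYTES = 4096  # assumption: the post's "4 KB" taken as 4096 bytes

def _clean(asns):
    """Validate and de-duplicate ASNs (32-bit unsigned integers)."""
    out = sorted({int(a) for a in asns})
    if not out or out[0] < 1 or out[-1] > 4294967295:
        raise ValueError("ASNs must be integers in 1..4294967295")
    return out

def _exceptions(open_paths):
    """Exclusions from the post: Known Bots and URLs left open to all."""
    parts = ["not cf.client.bot"]
    if any('"' in p or "\\" in p for p in open_paths):
        raise ValueError("path contains a character that needs escaping")
    if open_paths:
        quoted = " ".join('"%s"' % p for p in open_paths)
        parts.append("not http.request.uri.path in {%s}" % quoted)
    return " and ".join(parts)

def expr_in_list(asns, open_paths=()):
    """The "is in" form: one field name, ASNs separated by spaces."""
    body = " ".join(str(a) for a in _clean(asns))
    return "(ip.geoip.asnum in {%s} and %s)" % (body, _exceptions(open_paths))

def expr_or_chain(asns, open_paths=()):
    """The OR form: the field name is repeated for every ASN."""
    body = " or ".join("ip.geoip.asnum eq %d" % a for a in _clean(asns))
    return "((%s) and %s)" % (body, _exceptions(open_paths))

def check_size(expr):
    """Return the expression size in bytes, or raise if it is over the limit."""
    size = len(expr.encode("utf-8"))
    if size > MAX_EXPR_BYTES:
        raise ValueError("expression is %d bytes, limit %d" % (size, MAX_EXPR_BYTES))
    return size

def max_asns_that_fit(asns, builder, open_paths=()):
    """Largest prefix of the sorted ASN list that stays within the limit."""
    ordered = _clean(asns)
    n = len(ordered)
    while n and len(builder(ordered[:n], open_paths).encode("utf-8")) > MAX_EXPR_BYTES:
        n -= 1
    return n

SAMPLE_ASNS = list(range(64512, 64912))  # constructed: 400 private-use ASNs
SAMPLE_PATHS = ("/robots.txt", "/status")  # constructed open URLs
```

With the sample data, all 400 ASNs fit in the “is in” form, while the OR chain exceeds the limit well before that.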
I believe there’s an issue with this statement, as this blocks many more ASNs than intended. For instance, if you list 399471, then any four or five digit ASNs that include any piece of 399471 will also be blocked, like 3994, 9947, 9471, etc. Isn’t that an issue?