If we look at the example from below, of the user-agent, it does contains Bytespider (can be seen and read at the end) visits your website with your Firewall Rule where you are using “equals” instead of “contains”, will never catch such requests and would always pass through, ending you’d nevers see any “bytespider” being blocked/challenged with your Firewall Rule with “equals” operator:
Mozilla/5.0 (Linux; Android 8.0; Pixel 2 Build/OPD3.170816.012) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.1511.1269 Mobile Safari/537.36; Bytespider
So, the HTTP request comming to your Website passes the rule.
If you change it to “contains”, then if there’s any “bytespider” seen in such long user-agent name, it will block it as we want it.
Correct, only try to use “contains” as the operator 
In my example from below, I catch a lot of bots with “contains”, therefore a lot of combinations are covered with “contains”.
Otherwise, I’d have to know all of the combinations and full user-agent names as they exist or will be created in future.
More useful and helpful examples of blocking bots with Custom Firewall Rules can be read at the posts from below: