Based on my experience and recent firewall logs, “IP Access Rules” should take precedence over “Firewall Rules”. That is, if a request matches a blocked ASN or IP address range, it should be blocked right away and not matched against any “firewall rules”. This has changed since about 2 days ago: requests from blocked ASes that would have been blocked by “IP Access Rules” are now being blocked by “Firewall Rules” (that managed to catch them).
In another zone, which is covered by the same (global) ASN-based “IP Access Rules”, but doesn’t have “Firewall Rules”, I noticed a request from a blocked ASN that was let through. More worryingly, when I created a test “Firewall rule” for this zone, the rule didn’t even work.
Is anyone else having similar issues?