Any customer with an existing WAF rule set to challenge visitors with a bot score below 30 (our recommendation) automatically blocked all of this AI bot traffic with no new action on their part. The same will be true for future AI bots that use similar techniques to hide their activity.
However:
May I ask if you’re on a Free or Paid plan?
Are you already using the maximum allowed WAF rules for your plan type?
I have had WAF rule as follows from the post below.
Also have had the warning message as you.
Once enabled, the WAF rule is disabled → hopefully a Managed Rule in the background is being enabled and active further
Might have to check Firewall Events in coming days and keep an eye on it.
EDIT: Could be a ruleset and might depend per plan type if it’s available to search up for it
Wonder if it’s also realted to the “old” and “new” WAF as it was in past