I have created several WAF rules, and they say no one has passed, yet I still see data transfers. How can I prevent data transfer from anyone who does not pass a rule? I have them currently as ‘Managed Challenge’ or higher with a captcha.
And do you see any corresponding requests on the origin server? A WAF rule is executed by a web application firewall. That means at a minimim an HTTP(s) session has been initiated before a request can be evaluated against the rule(s). That requires some level of data transmission to occur.
If the users aren’t bypassing the WAF and connecting to the origin, then the WAF rules are working. Since you indicate no one has passed the rules that would also indicate that they are working.