May I ask have you followed the instructions from below article?:
Furthermore, if you added the IPs (from Wordfence article above + your origin host / server IP) to the IP Access Rules (with Allow) and therefore created a Firewall Rule (again, with Allow) putting it on the 1st (from above), I think it should work.
Nevertheless, in the Wordfence options you have to select and choose “ CF-Connecting-IP ” option (Use the Cloudflare “CF-Connecting-IP”). Do not forget to save to apply the changes.
There could be a temporary workaround as like, before running a scan, you could temporarly select Pause Cloudflare on Site from the Cloudflare dashboard for your domain, or switch to the (DNS-only). After the scan completes, switch back to proxied
I admit I see them too at Firewall events intentionally due to my Firewall Rules to catch empty user-agents and HTTP/1.0 requests as follows on the great Firewall tutorials provided from below:
In this particular case, you have to add your origin host / server IP to both IP Access Rules and a Firewall Rule with the action Allow - as far as I saw and tested, it could be triggered due to too much same behaviour requests from the same IP address via HTTP/1.0 and empty user-agent too.