Explicit block rule NOT taking precedence over allow rule

According to this MS article, block rules are supposed to take precedence over any conflicting allow rules in the Defender firewall.

However, I do not see this happening. I have an allow rule which basically allows any traffic to an FTP server running on this Windows box. It does work because I cannot access the FTP server when I disable this allow rule. I have a script that creates a Windows firewall block rule for each IP address that tries to login using the admin account on the FTP server. I'm using this as a means of auto-banning IP's of bad bots and hackers.

I have tried every manner of granular settings on both the allow and block rules but I cannot make the block rule take precedence.

Another problem is that I cannot get the firewall to write to the log so I can't even view it to see what's going on. I followed these instructions but it only creates an empty log file.

Anyone know what I'm doing wrong? Please let me know what details you need from me.

UPDATE:
I fixed the log issue. I neglected to enable logging for all three profiles. With this fixed, I was able to see that the IP address that hits the Windows firewall is the local IP of my gateway, not the public IP address that is specified in my Windows firewall block rule. The traffic is proxied through my gateway device's WAF which does send the real IP via X-Forwarded-For headers.

Is there anyway to block using the X-Forwarded-For headers? I'm guessing the Defender firewall is not able to block based on headers.

If I NAT the traffic, the gateway device passes the real IP to the Windows box and my Defender block rule works but then I lose the protection of the gateway's WAF