We have a Webhook which our 3rd party (Razorpay) will invoke. This is getting blocked by the Bot mode in Cloudflare. We tried adding a custom rule to skip All bots. But still the traffic is blocked by Bot mode. We had to disable Bot mode to make it work. Let us know how to get around this
Cloudflare keeps on blocking Razopay while it is invoking our webhook. The request is filtered by the default Bot detection. But we wanted to bypass and skip the rules for this request from Razorpay. We added a custom rule which will skip all other rules. But still this traffic was filtered by Bot detection. Currently we have disabled Bot detection which also disables Javascript based attacks. Our objective is to enable Bot detection but not filter this traffic from Razorpay
I am adding to this discussion - I realise it’s a year old, but I have the same issue.
According to the Traffic Sequence, we are also stuck with BOTS in the middle
- IP address for webhook callback is allowlisted.
- BOTS are still working
- Custom WAF rules permit the access to the callback URL
But Bot Fight Mode is in the middle… So how to allow custom WAF rules to skip the Bot Fight Mode ? Is there anything other than turning off bot fight mode? The problem is that IP addresses that are allowlisted may change…
Bot fight mode cannot be skipped by WAF rules so if it is causing you issues, you will need to turn it off. A paid plan uses Super Bot Fight mode which can be skipped. See…