Best Practice for using cf.threat_score

We have created a Firewall Rule using cf.treat_score.

cf.threat_score ge 50 then block

and expected that this would be helpful in protecting our website.
However, we noticed that SEMRushBot was blocked. This is a legitimate SEO/SEM tool and we were surprised that it was given such a high threat score.

Are we using cf.threat_score correctly? Or does Cloudflare’s default medium level Security Level blocking algorithm suffice, meaning that we do not need to code our own Firewall Rule like this?

We’ve since handled this situation using a more complex and specific rule:
(cf.threat_score ge 50 and not http.user_agent contains “SEMrushBot”)

But this seemed odd and we wanted to verify that we were using cf.threat_score in an appropriate and best practice manner. Thanks!

This topic was automatically closed after 30 days. New replies are no longer allowed.