Bot Fighting Mode blocks Coinbase Commerce payment notifications despite the firewall rules for Coinbase

Bot Fighting Mode blocks Coinbase Commerce payment notifications despite the firewall rules for Coinbase. We are setting up payments via Coinbase Commerce and the Coinbase server cannot connect our server due to Bot Fighting Mode (“Failed to establish a connection to the remote server”). This is only possible if the anti-bot mode is disabled at all.
I tried to create firewall rules to allow Coinbase requests using its IP (took it from official Coinbase documents), user agent (“weipay-webhooks”) or ASN number (“AS14618”) and nothing helped. I changed the IP to (as I understand from the Cloudflare documentation that only /24 and /16 are supported for IPv4), and this also did not help.

I see clearly in the Firewall Overview requests from Coinbase and “Bot fight mode” result (see the screenshot).

Please tell me how to create a rule for a firewall correctly and can it be that Bot Fighting Mode ignores the rule and blocks Coinbase anyway for some reason?
Thank you in advance.

Bot Fight Mode only has two modes: On or Off. Currently there’s no way to selectively disable Bot Fight Mode for specific traffic.

1 Like

Thanks for the reply. We have developed other payment systems before and had the same blocks and then just added the Allow rule with a certain IP for other payment system… Apparently the mechanism worked somehow differently then, so I was convinced that Bot Fight Mode can be selectively disabled. But what should we do in the current situation? Disable Bot Fight Mode at all for the sake of Coinbase?

That makes sense. I think the deeper issue is the priority given to bot fight mode vs user created Allow rules. I ran into the same problem as the OP: cannot use bot fight mode because one valuable bot (Checkly, a for-pay monitor service) is blocked, incorrectly in my opinion. I was not able to create an Allow rule which would be respected. Instead I had to disable bot Blocking, and created my own bot blocking rules.

1 Like

@dmitryblkv and @robb, you may want to suggest to your providers that they apply to Cloudflare to become verified bots.


This reminds me of someone who tried to use IP Access Rules to whitelist certain IP address that eventually bypass Bot Fight Mode. Can you give it a try?

1 Like

I want to second this issue. We have the same problem. User set ‘Allow’ rules seem to take priority over other features, so it doesn’t make sense that the Bot Fight Mode would be the one exception.

1 Like

It’s a common issue with being unable to selectively bypass the new bot fight mode. Just had to disable it entirely for another client today because a new third-party integration with their site is blocked as a bot, and doesn’t have a way to specify a different subdomain that isn’t proxied by Cloudflare.