Bot Fighting Mode blocks Coinbase Commerce payment notifications despite the firewall rules for Coinbase. We are setting up payments via Coinbase Commerce and the Coinbase server cannot connect our server due to Bot Fighting Mode (“Failed to establish a connection to the remote server”). This is only possible if the anti-bot mode is disabled at all.
I tried to create firewall rules to allow Coinbase requests using its IP 220.127.116.11/27 (took it from official Coinbase documents), user agent (“weipay-webhooks”) or ASN number (“AS14618”) and nothing helped. I changed the IP to 18.104.22.168/24 (as I understand from the Cloudflare documentation that only /24 and /16 are supported for IPv4), and this also did not help.
I see clearly in the Firewall Overview requests from Coinbase and “Bot fight mode” result (see the screenshot).
Please tell me how to create a rule for a firewall correctly and can it be that Bot Fighting Mode ignores the rule and blocks Coinbase anyway for some reason?
Thank you in advance.
Bot Fight Mode only has two modes: On or Off. Currently there’s no way to selectively disable Bot Fight Mode for specific traffic.
Thanks for the reply. We have developed other payment systems before and had the same blocks and then just added the Allow rule with a certain IP for other payment system… Apparently the mechanism worked somehow differently then, so I was convinced that Bot Fight Mode can be selectively disabled. But what should we do in the current situation? Disable Bot Fight Mode at all for the sake of Coinbase?
That makes sense. I think the deeper issue is the priority given to bot fight mode vs user created Allow rules. I ran into the same problem as the OP: cannot use bot fight mode because one valuable bot (Checkly, a for-pay monitor service) is blocked, incorrectly in my opinion. I was not able to create an Allow rule which would be respected. Instead I had to disable bot Blocking, and created my own bot blocking rules.
@dmitryblkv and @robb, you may want to suggest to your providers that they apply to Cloudflare to become verified bots.
This reminds me of someone who tried to use IP Access Rules to whitelist certain IP address that eventually bypass Bot Fight Mode. Can you give it a try?
I want to second this issue. We have the same problem. User set ‘Allow’ rules seem to take priority over other features, so it doesn’t make sense that the Bot Fight Mode would be the one exception.
It’s a common issue with being unable to selectively bypass the new bot fight mode. Just had to disable it entirely for another client today because a new third-party integration with their site is blocked as a bot, and doesn’t have a way to specify a different subdomain that isn’t proxied by Cloudflare.
Hello, I work with a payments company who’s services is getting blocked by Cloudfare. We applied to become verified bots using the google form. Can you confirm if this google form is still the correct process?
Thank you!- Kenton
Yes, as far as I’m aware, that’s still the correct place to submit the details.
Hi @domjh ,
I have not received any update on our form submission. Do you have any PIC I can reach out to? Would love to solve this for our customers. They have had to turn off cloudfare as a result. Is there a way to PM me?
Thank you, Kenton
I’m afraid there is nothing more that the community can do with this, that form is the only way to go about it, as far as I know.
They should just be able to turn off the specific feature that is blocking you under Firewall → Bots.
I’ve certainly tried that — it simply doesn’t work. Bot Fight Mode will always (by design) override everything else in the WAF rules.