Bot Management Recommendations

What threshold do you use with cf.bot_management.score? We’d like to block those bad bots, but would like to be reasonably conservative so as not to block humans.

In general, does your Firewall Rule start like this…

(not cf.bot_management.verified_bot and cf.bot_management.score lt 6 and not…

What other tips might you have?

If you have just received the Bot Management feature, you might want to contact your CF customer representative or the Cloudflare success team to schedule a product walkthrough; they’ll be able to show you around the feature and some sane defaults other customers use.

For me, the Cloudflare representative suggested to first create a “log” action with a score check of less than 30

(not cf.bot_management.verified_bot and cf.bot_management.score lt 30)

With the “Log” running for a few days, you can gauge how many requests are blocked and review those requests in the Firewall Events dashboard. If any of them look legit, you can turn down the detection level or add more exclusions. Once you’re comfortable with the level of blocking, you can then use the “challenge” or “block” action for that firewall rule.


I would second exactly what @Judge said. Running through it with a CSM/SE is very valuable and running it for a test period will help you determine the proper threshold(s).

Aside from that, I would recommend one threshold for blocking, another range that is challenged and another range that is allowed through. The challenge section helps with the ML functions.

The only safe place to start, in my opinion, is to block scores less than 2…aka ‘1’. Outside of that, you’ll want to analyze traffic for a bit and customize.

I’ll assume you have an Ent plan with Bot Management so one other thing we did was log requests as various scores to help with analysis.

Ex. Rule 1: (cf.bot_management.score lt 2 and not cf.bot_management.verified_bot) action ‘Block’
Rule 2: (cf.bot_management.score eq 2 and not cf.bot_management.verified_bot) action ‘Log’

You could also place them in ranges, say 15-30, but I’d recommend being granular below 15, personally.


One other note, if you are using an API, challenging equals a block unless you want to use a Worker to inject a challenge so i would be careful there. You don’t want to block real users and mess with the ML.

We specify paths with wildcards to distinguish in those situations.

1 Like

For my usage case for Xenforo forum software I have bot management scores in several rules starting with scores for <=6 and 6-10 which are blocked and challenged respectively but only for login/rego/contact urls. Then have various ones for logging only to get a feel of the traffic.

This topic was automatically closed after 30 days. New replies are no longer allowed.