Cloudflare is detecting enterprise security product as bot

I am using a corporate Secure Web Gateway to access Internet and found out that, for many domains where Cloudflare bot management feature is enabled, a captcha is displayed or even worse some of the content of the domain (typically an external content provided by other domains protected by Cloudflare) is not at all displayed.
As far as I understood, Cloudflare is offering bot management feature to protect against traffic coming from VPN and/or proxies. This makes sense but, in this case, we are talking of an enterprise security product and not of an anonymizer. The only way to avoid it, is to bypass the company Secure Web Gateway which means that I am no more protected my company product.
Is there a way for Cloudflare to differentiate between an enterprise security product and an a proxy/vpn used to make activity untraceable?

Hi @mario.gallios82,

Can you check exactly what is blocking/challenging these requests in the firewall event log?

If it’s bot fight mode, you would have to either turn that off entirely or ask the vendor to apply to Cloudflare to be allowed:

If it’s another feature that’s blocking it, you should be able to allow it with a firewall rule.

1 Like

Cloudflare could be detecting this because the product is acting as a MITM, and the User-Agent does not match the TLS handshake. For more info, and to have your vendor submit a signature, see: https://blog.cloudflare.com/monsters-in-the-middleboxes/

1 Like

Is it sending a lot of requests? If so, that maybe why!

Thanks for your feedback. Unfortunately I cannot do such check since I am not the owner of the domain and this issue is affecting several domains.
I managed to contact one of the owner of a domain affected by the issue and once he whitelisted our company ips the issue was fixed. As you can understand, I cannot ask to all domain owners to turn-off bot detection functionality or whitelist our ips, it’s not a scalable (and I assume for them acceptable) solution.
Finally I already filled this form twice but nothing changed. I got this answer
"our corresponding team will review your report, depends on the current amount of request, it might take longer.

Do keep in mind that Cloudflare Technical Support does not control nor review Bot Verification, so you’ll need to wait for our team to proceed with the reviewing process."
But then no progress and I finally gave up because I didn’t get any answer.

Thanks for your feedback. Our company proxy is intercepting TLS traffic and is compliant to standard Internet rules.
In the article you posted is written: “The Blue Coat data loss prevention tools offered by Symantec are one example. In this case, HTTPS interception occurs to check if an employee is leaking sensitive information before sending the request to the intended destination.”
I assume that Cloudflare has a mechanism to detect Blue Coat proxy and it doesn’t trigger the captcha for it. How can I contact Cloudflare to do the same for the vendor we are using?

I’m not 100% clear on this. Are you the vendor of this product or just a client? I would imagine it’s the vendor who would have to discuss this with Cloudflare.

I am a client but I have a close relationship with the vendor and they told me they didn’t manage to contact Cloudflare. They are not a Cloudflare customer so they don’t have access to Cloudflare support and they didn’t find a way to approach Cloudflare

Also, I see that the article is of 2019 and the last commit in the git repo of 2020. So is Cloudflare really basing its detection of MITM on a tool that is not updated since 1,5 years?

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.