Does Bot fight mode Managed Challenge supersede WAF custom Block rule?

What is the name of the domain?

clipsync.app

What is the issue you’re encountering?

I have Bot fight mode enabled, but I also have some custom WAF rules to block requests, and I’m seeing that sometimes they get caught with a Managed Challenge instead of just blocking the request. Is this expected behavior?

What steps have you taken to resolve the issue?

I have a custom WAF rule like http.request.uri.path contains "php" (this is not a PHP website, I don’t want any requests with php in the path to resolve), and yet I can see a recent request for /pvt.php was given a Managed Challenge instead of just being blocked. I have other clauses in this rule, e.g. “wp” or “wordpress” contains, but all are OR’d together.

I have tried both http.request.full_uri and http.request.uri.path with the same results.

Is there a way to prioritize my block rule rather than allowing a managed challenge, and only falling back to the bot fight managed challenge as a possibility if the custom rule is not matched?

What is the current SSL/TLS setting?

Full (strict)


May I ask if you’re using a Free or paid plan type?

Yes, you are correct. In Cloudflare’s security architecture, (Super) Bot Fight Mode is executed before WAF (Web Application Firewall) rules. This is why you’re seeing the Managed Challenge even when your WAF rules should be blocking the request.

Cloudflare treats a Managed Challenge as a security feature that tries to block bots from accessing your site, even when your WAF rule would otherwise block the request.

Since Bot Fight Mode operates as an initial layer to prevent bots, it can issue challenges (like CAPTCHA) before the WAF has a chance to block the request based on your custom rules.

You can still block with your Custom WAF Rule in case Bot Fight Mode doesn’t block or challenge the particular request, or if somehow the bot manages to bypass it and continues; it then hits the WAF and is shown as blocked in the Security Events.

Bot Fight Mode can still trigger if you have IP Access rules, but it cannot trigger if an IP Access rule matches the request. For example, the IP Access rule matches the connecting IP.

Furthermore, Bot Fight Mode cannot be skipped by WAF rules, so if it is causing you issues, you will need to turn it off. A paid plan uses Super Bot Fight Mode, which can be skipped, or rather we can add an Exception.

I am afraid it’s not possible to change the priority since there is a known Traffic Sequence and order of execution.

You can disable Bot Fight Mode; however, from this moment I’d suggest you create and use a Custom WAF Rule, which does allow you to have more granular control over the traffic. E.g. (http.request.uri.path contains "php") and (cf.bot_management.bot_score > 50), but Bot Fight Mode is better in such a case.

Otherwise, if you’re on a paid plan type, you can Adjust the Bot Management settings to better handle the traffic flow.

I like to have it enabled, but also for the known stuff I set up the Custom WAF Rule with the action block, just in case.

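To make the ordering described in the answer above concrete, here is an added model (not Cloudflare’s code, and not from the thread) of a traffic sequence in which Bot Fight Mode runs before custom WAF rules. The `likely_bot` flag and `challenge_passed` state are constructed stand-ins for the verdicts Cloudflare computes internally; the block rule is the thread’s own expression, `http.request.uri.path contains "php"` OR’d with “wp” and “wordpress”.

```python
"""Model of the Cloudflare traffic-sequence question from the thread.

Constructed example, not Cloudflare's implementation: Bot Fight Mode (BFM) is
modelled as a phase that runs before custom WAF rules, so a request that BFM
flags as a likely bot gets a Managed Challenge before the block rule is seen.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Path fragments from the thread's custom rule, OR'd together, action block.
BLOCK_FRAGMENTS = ("php", "wp", "wordpress")


@dataclass
class Request:
    path: str
    likely_bot: bool                 # constructed stand-in for BFM's verdict
    challenge_passed: bool = False   # True once the client solved a challenge


def custom_block_rule_matches(req: Request) -> bool:
    """Equivalent of: uri.path contains "php" or "wp" or "wordpress"."""
    return any(fragment in req.path for fragment in BLOCK_FRAGMENTS)


def bot_fight_mode(req: Request) -> Optional[str]:
    """Phase 1: challenge likely bots that have not yet passed a challenge."""
    if req.likely_bot and not req.challenge_passed:
        return "managed_challenge"
    return None


def custom_waf_rules(req: Request) -> Optional[str]:
    """Phase 2: the thread's custom rule with action block."""
    return "block" if custom_block_rule_matches(req) else None


def evaluate(req: Request, bot_fight_mode_enabled: bool) -> str:
    """Run the phases in order; the first phase that acts decides the outcome."""
    phases: List[Callable[[Request], Optional[str]]] = [custom_waf_rules]
    if bot_fight_mode_enabled:
        phases.insert(0, bot_fight_mode)
    for phase in phases:
        verdict = phase(req)
        if verdict:
            return verdict
    return "allow"


if __name__ == "__main__":
    scan = Request(path="/pvt.php", likely_bot=True)
    print(evaluate(scan, bot_fight_mode_enabled=True))   # managed_challenge
    print(evaluate(scan, bot_fight_mode_enabled=False))  # block
    # A bot that clears the challenge still hits the block rule afterwards.
    print(evaluate(Request("/pvt.php", True, challenge_passed=True), True))  # block
```

The same `/pvt.php` request is challenged while Bot Fight Mode is on and blocked once it is off, and a client that clears the challenge is still blocked by the custom rule on the next phase, which is the behaviour the answer describes.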

Yeah I’m on the free tier. I did disable bot fight mode, and I see all of the expected requests being blocked now in event history.

But you’re probably right that it makes the most sense to have it enabled and rely on the WAF rules as long as bot fight mode doesn’t result in WAF rules being skipped. I wouldn’t want a bot to somehow bypass the managed challenge and then be able to request a path that would normally be blocked by the WAF rules.
