I’ve been using Cloudflare’s Access for a couple weeks now. My website was being visited daily by a bot requesting certain URLs. The bot was being blocked by a Firewall rule targeting a specific User Agent. As soon as I created an Access rule that included (among others) the URLs this bot was probing, the visits stopped, so I thought Access was doing its job before Firewall.
However, today another bot managed to be blocked by Cloudflare’s Firewall (because of another User-Agent rule) while requesting URLs that also fell within the Access rule I mentioned above.
Which of course left me confused. Did Access failed to stop the bot and request authentication? Or is the Firewall rule supposed to act first? Or it doesn’t matter?