Firewall Rules and Bot Fight Mode

I’ve activated Bot Fight Mode on my site; however, we use Parse.ly for a few things and their bot is being blocked. I’ve tried to add Parse.ly to the firewall rules to allow the user agent and the IP address (Parse.ly Help & Support Documentation), but they are still being challenged. What am I missing?

Unfortunately, as you’ve discovered, there’s no way to bypass Bot Fight Mode. 🙁

Should I turn bot fight mode off and just use the firewall rules to JS challenge anything?

You can try a JS Challenge for a threat score. I actually challenge for any threat score >0. You can also add countries and ASNs to your challenge rule. That does a pretty good job of getting rid of most of the bots.

I followed How to Use Cloudflare Firewall Rules to Protect Your Website as examples. I’ve added the known bots that Cloudflare provides as well as the two user agents of the bots we like. Should I add the IP address rather than the user agents?

Thank you for the Threat Score suggestion. I’ve added a rule for threat scores greater than 0 to have a JS challenge.

Are there any other resources you can provide on other rules I should add, or do I have to periodically look and manage it myself?

I personally block anything with Threat Score GE 2.

I block some BOTs/Crawlers based on a regex with parts of their UA.

I then allow Known Bots.

After this I block Azure, AWS, GCP ASNs as those are frequently used by bots.

Also blocked HTTP 1.0 requests as well as anything with IE 10 and below.

Also blocked some countries.

These (plus a couple of other rules) in general block about 35k - 70k requests (depending on the day).

2 Likes
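
An offline model of the rule order described in the last reply, as an added example that is not part of the thread and is not Cloudflare's rule engine. It assumes first-match evaluation, puts a hypothetical vendor allow rule in front that requires the user agent and the source range together, and uses constructed values (user-agent token, regex, documentation IP ranges and ASNs, country code) throughout.

```python
import ipaddress
import re

# Constructed placeholders; replace with the vendor's published values.
VENDOR_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range
VENDOR_UA = re.compile(r"examplevendorbot", re.I)       # hypothetical UA token
BAD_UA = re.compile(r"scrapy|python-requests", re.I)    # hypothetical regex
CLOUD_ASNS = {64500, 64501}                             # documentation ASNs
BLOCKED_COUNTRIES = {"XX"}                              # placeholder code

def vendor_verified(r):
    """A user agent alone is spoofable, so require UA and source range together."""
    ip = ipaddress.ip_address(r["ip"])
    return bool(VENDOR_UA.search(r["ua"])) and any(ip in n for n in VENDOR_NETS)

def old_ie(r):
    """True for Internet Explorer 10 and below, judged by the MSIE token."""
    m = re.search(r"MSIE (\d+)\.", r["ua"])
    return m is not None and int(m.group(1)) <= 10

# Order follows the last reply; the vendor allow rule is an addition in front.
RULES = [
    ("allow-vendor-ua+ip", "allow", vendor_verified),
    ("threat-score-ge-2", "block", lambda r: r["threat_score"] >= 2),
    ("bad-ua-regex", "block", lambda r: bool(BAD_UA.search(r["ua"]))),
    ("known-bots", "allow", lambda r: r["known_bot"]),
    ("cloud-asn", "block", lambda r: r["asn"] in CLOUD_ASNS),
    ("http-1.0", "block", lambda r: r["http_version"] == "HTTP/1.0"),
    ("ie-10-or-older", "block", old_ie),
    ("country", "block", lambda r: r["country"] in BLOCKED_COUNTRIES),
]

def evaluate(r):
    """Return (action, rule name) of the first matching rule, else ("pass", None)."""
    for name, action, match in RULES:
        if match(r):
            return action, name
    return "pass", None

def make_request(**overrides):
    """Constructed sample request; the field names are hypothetical."""
    base = {"ip": "192.0.2.44", "ua": "Mozilla/5.0 Firefox/115.0", "threat_score": 0,
            "known_bot": False, "asn": 64510, "http_version": "HTTP/1.1", "country": "US"}
    base.update(overrides)
    return base

if __name__ == "__main__":
    spoofed = make_request(ua="ExampleVendorBot/1.0", ip="198.51.100.7", asn=64500)
    genuine = make_request(ua="ExampleVendorBot/1.0", ip="203.0.113.10", asn=64500)
    print(evaluate(spoofed), evaluate(genuine))
```

The model does not cover Bot Fight Mode, which, as stated earlier in the thread, firewall rules cannot bypass.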
