Did some tests with mTLS in combination with Super Bot Fight Mode and it looks like even a valid mTLS client cert still gets blocked by SBFM.
Is that correct? If so, that’s a pretty odd choice.
- Setup mTLS rule for a specific URL
- Request allowed with client cert, 403 error without client cert
- Enable super bot fight mode
- Request gets 403 error with or without client cert
I also can’t workaround it with a firewall rule to bypass SBFM. When is the ability to bypass SBFM estimated to be released?