Did some tests with mTLS in combination with Super Bot Fight Mode and it looks like even a valid mTLS client cert still gets blocked by SBFM.

Is that correct? If so, that’s a pretty odd choice.

  • Set up mTLS rule for a specific URL
  • Request allowed with client cert, 403 error without client cert
  • Enable super bot fight mode
  • Request gets 403 error with or without client cert

I also can’t work around it with a firewall rule to bypass SBFM. When is the ability to bypass SBFM estimated to be released?


Unfortunately they don’t interact at this time. In the future that may be something we can look into if there is a large demand, but more likely we’ll offer customizations that would allow bypass for the mTLS endpoint(s).

We don’t currently have an ETA on more customization, but it’s definitely on the roadmap for the future.

It looked like from other threads not being able to bypass SBFM in Page Rules has significant demand (and not being able to really limits SBFM’s usefulness, IMO).

I think that having a valid mTLS client automatically bypass SBFM would be a reasonable default. I don’t think bad bots, or any bots I don’t control, are going to have a valid mTLS client cert from my assigned root.

