Followup: I’m disabling Super Bot Fight Mode.
This feature badly breaks website functionality without sufficient warning. It blocked origin requests! It what world is bot traffic from origin considered something to block by default? This interfered with payment gateway transactions on our site.
There’s no way to whitelist known good bots. It blocked social media sites like Flipboard from accessing our rss feed to update content. Flipboard uses dozens of IPs that are not in any clear range. Whitelisting by ASN would be possible, but would disable all security including firewall rules for all traffic from that ASN which leave a significant hole in the security.
I’m surprised there is not a beta tag or warning on this feature.