What is the name of the domain?
grillpartssearch.com
What is the issue you’re encountering
Should we use Super Bot Fight Mode or Cloudflare Managed Rules?
What steps have you taken to resolve the issue?
Hi, currently we are using Super Bot Fight Mode. It stops bots from submitting fraudulent orders in the checkout process on our website. The only setting we have turned on is Definitely automated, managed challenge (screenshot). Everything else in Super Bot Fight Mode is turned off. We see the option to use Cloudflare’s Managed Ruleset. Recently, we had a customer say they tried to access our website and were could not. We are afraid Super Bot Fight Mode could be causing false positives and stopping potential customers from entering our website, although it is stopping bots from causing other issues. Should we switch to Cloudflare’s Managed Ruleset? In the description, it says it can, “reduce false positives”. Please advise, thank you.
Was the site working with SSL prior to adding it to Cloudflare?
Yes
What is the current SSL/TLS setting?
Full
Screenshot of the error
That doesn’t make sense. You set it up to challenge bots, not block them. So even if your customer has something super weird to be caught as definitely automated, it would just need to go through the “captcha”.
As for using Cloudflare’s Managed Rules, you have the option of configuring it to only record logs instead of blocking or challenging. That way you can check your firewall to see if the rules are interfering with traffic that shouldn’t be. You can even customize the rules individually.
For example: let’s say you’ve activated Cloudflare’s Managed Rules and the firewall logs show that two specific rules triggered a false positive, but the others did their job of detecting malicious traffic correctly. Instead of disabling all of Cloudflare’s Managed Rules, you can customize the rules and disable only the ones that are giving you trouble.
Its also a good idea to use AI Labyrinth if you have configured your robots.txt and also block AI Bots if you don’t need them to access your website.
The OWASP’s rules also have the option to just log the anomalies detected, so that you can test and decide whether or not it is worth using.
Cheers! 
Thank you. I turned on Cloudflare’s Managed Rules so I could check it out and saw there were hundreds of rules. Is there an online guide on how to implement this properly?
You’re welcome!
I don’t know.
It was created by Cloudflare engineers to be something like click here and easily have several layers of protection for your website without having to think too much. You can get a sense of what each rule does from the description. I understand if it seems a bit confusing, but I recommend that you just leave everything as log and take a look in the analytics and events tab of your WAF. If a rule is triggered and you see that it’s a false positive, you can take the id of that rule in the WAF and search for it within the Cloudflare Managed Ruleset and disable it. Do this for a few days and once no more false positives have been triggered, you can set the rest of the rules to block and leave the false positives disabled.
It may take a bit of work at first, but it’s worth the effort. 
