Are you using Bot Fight Mode in a production environment? What has your experience been?
We were inclined to turn it on and watch how well it performs. we have an enterprise cloudflare instance with over 400 domains flowing through cloudflare nicely. However…
There is no log, so you cannot see what Bot Fight Mode is taking action on. Yes, it does not block, but it does slow responses when it determines a “bad bot”. Unfortunately, you cannot see what traffic it is affecting.
There is a warning “Bot Fight Mode may affect visitor access to your APIs” in the article https://support.cloudflare.com/hc/en-us/articles/360035387431-Understanding-Bot-Fight-Mode (thank you for the warning) which makes us feel appropriately wary. We use Web Service calls in our web-based applications and would not be able to operate well if those were slowed by Bot Fight Mode.
There is no ability to exclude *.asmx end points.
So, considering all three of the above challenges, we have deemed it ill-advised to even try it out. Seems we would either need some type of bypass feature or a page rule to turn off Bot Fight Mode for *.asmx pages.
Are you using Bot Fight Mode successfully in an environment with APIs?