I’ve set a WAF rule to skip bot fight mode (free plan) when the url path contains ‘export’, but this skip rule is not applied in all cases when it should be:
SKIP rule is NOT applied:
While it does work in other cases:
This is a known limitation. You can only skip Super Bot Fight Mode (pro or higher)
Generally it is recommended not to keep Bot Fight Mode (BFM) on unless you are under attack.
- BFM and SBFM are high security features intended to quickly help customers under active attack stop as many bots as possible. Due to the high security threshold, false positives do sometimes happen.
- BFM has limited control. You cannot bypass or skip BFM using the Skip action in WAF custom rules or using Page Rules. BFM will be disabled if there are any IP Access rules present. If you turned on BFM during an attack, and the attack has subsided, we recommend either disabling the feature using IP Access rules to bypass BFM, or looking at Bot Management for Enterprise, which gives you the ability to precisely customize your security threshold and create exception rules as needed.
It may allow you to skip Bot Fight Mode (Free) one day:
https://blog.cloudflare.com/configurable-super-bot-fight-mode/
While we’ve added flexibility to customers’ Super Bot Fight Mode deployments, we know that Free plan customers want the same level of customization that self-serve customers do. Now that our migration of Super Bot Fight Mode to the new WAF is complete, we plan to do the same for the original Bot Fight Mode to allow more free customers than ever before to join us in the fight against bots.
1 Like