WAF Skip rule not working as expected

A Managed Challenge is popping up for a request that should not be popping up based on my understanding of the rules I set up.

Very simple, I have 2 rules.

Rule #1: Always Allow
Rule definition: (http.request.uri.query contains "?wc-api=TEST" and ip.geoip.asnum eq XYXYX)
Action: Skip All Remaining Custom Rules + All Super Bot Fighting Mode Rules

Rule #2: Managed Challenge
Rule definition: (ip.geoip.country ne "XX")
Action: Managed Challenge

Bot Fight Mode: ON

An external connection using Query String ?wc-api=TEST&referenceid=XXXXX from ASXYXYX is triggering the Managed Challenge rule and shows as Super Bot Fight:

In the above case, the country matches the country in Rule #2 (which should rightly trigger the Managed Challenge as expected), but it should skip it because of Rule #1, as it matches the ASN and the query contains the trigger ?wc-api=TEST.

Am I missing something?

Apologies, I meant to say: it shouldn't trigger the Managed Challenge, as the country matches the one under ne. Yet, it still triggers it. Additionally, it also doesn't trigger Rule #1, even though the query string and the AS number match.

It looks like you’re trying to skip Bot Fight Mode (free plan). You can only skip Super Bot Fight Mode (Pro or higher).

It currently is not possible to skip Bot Fight Mode with Custom Rules, although they announced they plan on supporting it eventually: Super Bot Fight Mode is now configurable!

Thank you for highlighting that! No wonder it wasn't working at all :)

Can I check if disabling Bot Fight Mode will also disable Super Bot Fight Mode? Or is it network-wide and can't be customized for free plan users at all? (e.g. no way to make these connections go through without fully disabling Cloudflare on my domains)

Actually it appears that the function to Skip Super Bot Fight Mode was already enabled for our account (under the WAF rule), yet it still blocks the transactions?


The transactions do seem to go through if I disable Bot Fight Mode altogether…

Perhaps I was a bit unclear in my response.
Free Domains/Zones have access to Bot Fight Mode, with no configuration other than on/off per domain.
Paid Domains/Zones (Pro or higher) have access to Super Bot Fight Mode. You have more configuration over what it blocks, and also the ability to skip it via Custom Rules.

Same feature, Super Bot Fight Mode just unlocks more toggles. Setting Allow for both Definitely Automated and Verified, and disabling all of the other toggles is the same as turning off the single switch for BFM.

You can turn off Bot Fight Mode for that domain under Security → Bots, magic link: https://dash.cloudflare.com/?to=/:account/:zone/security/bots


Aaah ok, I think I got it… So it's not Super Bot Fight Mode that's causing the problem. It's Bot Fight Mode. So the only way to fix it is to disable Bot Fight Mode, as the Skip rule only allows skipping Super Bot Fight Mode, not "normal" Bot Fight Mode.



