Cloudflare Docs
Visit Bots on GitHub
Set theme to dark (⇧+D)

Get started with Bot Management for Enterprise

Bot Management for Enterprise is a paid add-on that provides sophisticated bot protection for your domain. Customers can identify automated traffic, take appropriate action, and view detailed analytics within the dashboard. Bot Management also supports custom solutions via Workers and Logs.

This Enterprise product provides the most flexibility to customers by:

  • Generating a bot score of 1-99 for every request. Scores below 30 are commonly associated with bot traffic.
  • Allowing customers to take action on this score with firewall rules or Workers.
  • Allowing customers to view this score in Bot Analytics or Logs.

​​ Enable Bot Management for Enterprise

Our Solutions Engineering team will work with you to begin setting up the product. Most customers choose to write firewall rules, but others use Bot Analytics or perform custom actions using our Workers platform.

​​ Before you begin

  • Make sure you have purchased Bot Management for Enterprise (should be visible at Security > Bots).

  • Review the following concepts:

​​ Step 1 — Configure Bot Management

Decide whether you want to enable JavaScript detections to help identify bots.

To enable this feature, go to Security > Bots.

​​ Step 2 — Monitor domain traffic

Before deploying Bot Management on live traffic, use Bot Analytics to determine your domain’s sensitivity to bot traffic.

Go to Security > Bots and examine the following traffic segments:

  • Automated traffic: Bot scores of 1
  • Likely automated traffic: Bots scores of 2 through 29
  • Other traffic groups: Any additional large spikes in bot scores

For automated traffic, sort through the IP addresses, ASNs, and other data points at the bottom of the page. Look for any traffic that should not be blocked — commonly API or mobile app traffic. Do the same for likely automated traffic.

Use the slider tool to identify other traffic groups. For example, you may find that traffic from your mobile app is routinely scored at 12.

Example of a bot score distribution

At the end of your analysis, you should:

  • Have a range of scores you can confidently block or challenge
  • Understand nuances in your traffic that may require special attention

​​ Step 3 — Create a firewall rule for automated traffic

Based on your analysis of automated traffic, create a firewall rule that challenges scores of 1 but still allows good, automated requests. Monitor that rule for a few days to make sure you are targeting the right traffic (user agents, IP addresses, API or mobile traffic).

(cf.bot_management.score eq 1) and not (cf.bot_management.verified_bot)JS Challenge

​​ Step 4 — Create additional firewall rules

Create firewall rules that address likely automated traffic and other traffic groups. For suggested bot thresholds and other considerations, see our Firewall Rules documentation or Bot Management variables.

Cloudflare recommends that most customers block or challenge bot scores below 30, but your domain might vary:

  • If you want to minimize false positives and lost revenue — such as ecommerce domains — you might permit requests with lower bot scores to access your domain.
  • If you want to increase protection and minimize bot traffic, you might challenge higher bot scores.
  • If your firewall rule has a Challenge Solve Rate (CSR) higher than 3%, consider lowering your challenge threshold.

The best approach is to start small and slowly increase your threshold to prevent widespread issues.

​​ Step 5 — Continue monitoring domain traffic

You can adjust your firewall rules at any point. Set aside time to review Bot Analytics and Security Events to see if your rules need additional tuning.

​​ Other considerations

​​ Static resources

Static resources are protected by default when you create firewall rules using cf.bot_management.score. To exclude static resources, include not (cf.botManagement.staticResource) as part of your firewall rule.

For more details, see Static resource protection.

​​ Verified bots

Some automated traffic is good! To allow good bots like Google or Bing, use the Verified Bot field in your rules. If you see a verified bot that Cloudflare is not currently tracking, fill out an online application. The waiting time is up to several weeks for verified bot requests to be evaluated.

​​ Mobile traffic

To treat mobile traffic differently, use the user agent or IP address fields when creating your firewall rules.