Get started with Bot Management for Enterprise
Bot Management for Enterprise is a paid add-on that provides sophisticated bot protection for your domain. Customers can identify automated traffic, take appropriate action, and view detailed analytics within the dashboard. Bot Management also supports custom solutions via Workers and Logs.
This Enterprise product provides the most flexibility to customers by:
- Generating a of 1-99 for every request. Scores below 30 are commonly associated with bot traffic.
- Allowing customers to take action on this score with firewall rules or .
- Allowing customers to view this score in Bot Analytics or Logs.
Enable Bot Management for Enterprise
Our Solutions Engineering team will work with you to begin setting up the product. Most customers choose to write firewall rules, but others use Bot Analytics or perform custom actions using our Workers platform.
Before you begin
Make sure you have purchased Bot Management for Enterprise (should be visible at Security > Bots).
Review the following concepts:
Step 1 — Configure Bot Management
To enable this feature, go to Security > Bots.
Step 2 — Monitor domain traffic
Go to Security > Bots and examine the following traffic segments:
- Automated traffic: Bot scores of 1
- Likely automated traffic: Bots scores of 2 through 29
- Other traffic groups: Any additional large spikes in bot scores
For automated traffic, sort through the IP addresses, ASNs, and other data points at the bottom of the page. Look for any traffic that should not be blocked — commonly API or mobile app traffic. Do the same for likely automated traffic.
Use the slider tool to identify other traffic groups. For example, you may find that traffic from your mobile app is routinely scored at 12.
At the end of your analysis, you should:
- Have a range of scores you can confidently block or challenge
- Understand nuances in your traffic that may require special attention
Step 3 — Create a firewall rule for automated traffic
Based on your analysis of automated traffic, create a that challenges scores of 1 but still allows good, automated requests. Monitor that rule for a few days to make sure you are targeting the right traffic (user agents, IP addresses, API or mobile traffic).
Step 4 — Create additional firewall rules
Cloudflare recommends that most customers block or challenge bot scores below 30, but your domain might vary:
- If you want to minimize false positives and lost revenue — such as ecommerce domains — you might permit requests with lower bot scores to access your domain.
- If you want to increase protection and minimize bot traffic, you might challenge higher bot scores.
- If your firewall rule has a higher than 3%, consider lowering your challenge threshold.
The best approach is to start small and slowly increase your threshold to prevent widespread issues.
Step 5 — Continue monitoring domain traffic
Static resourcesStatic resources are protected by default when you create firewall rules using
cf.bot_management.score. To exclude static resources, include
not (cf.botManagement.staticResource)as part of your firewall rule.
Some automated traffic is good! To allow good bots like Google or Bing, use the Verified Bot field in your rules. If you see a verified bot that Cloudflare is not , fill out an . The waiting time is up to several weeks for verified bot requests to be evaluated.
To treat mobile traffic differently, use the
user agent or
IP address fields when creating your firewall rules.