Bing’s Site Scan blocked by a WAF managed rule
Microsoft Bing Webmaster Tools provides a Site Scan feature that crawls your website searching for possible SEO improvements.
Site Scan does not use the same IP address range as Bingbot (Bing’s website crawler). Additionally, the Verify Bingbot tool does not recognize Site Scan’s IP addresses as Bingbot. Due to this reason, the WAF managed rule that blocks fake Bingbot requests may trigger for Site Scan requests. This is a known issue of Bing Webmaster Tools.
To allow Site Scan to run on your website, Cloudflare recommends that you temporarily skip the triggered WAF managed rule by creating a WAF exception. After the scan finishes successfully, delete the WAF exception to start blocking fake Bingbot requests again.
The rule you should temporarily skip is the following:
|Managed Ruleset||Cloudflare Managed Ruleset|
|Rule||Anomaly:Header:User-Agent - Fake Bing or MSN Bot|
The WAF exception, shown as a rule with a Skip action, must appear in the rules list before the rule executing the Cloudflare Managed Ruleset, or else nothing will be skipped.
To check the rule order, use one of the following methods:
- When using the Cloudflare dashboard, the rules listed in Security > WAF > Managed rules run in order.
- When using the Cloudflare API, the rules in the
rulesobject obtained using the Get a zone entry point ruleset API operation (for your zone and for the
http_request_firewall_managedphase) run in order.
For more information on creating WAF exceptions, refer to Create WAF exceptions.