WAF Rule Status Change

Cloudflare has updated its Web Application Firewall (WAF) Managed Ruleset to change the default action for one security rule.

What Changed

The Anomaly:Header:User-Agent - Fake Google Bot rule (ID: ...6aa0bef8) has been transitioned from an enabled blocking state to disabled. This means the WAF will no longer block requests identified as fake Google Bot traffic by default.

Impact

Sites using Cloudflare's Managed Ruleset will see this rule disabled in their WAF configuration. If you were relying on this rule to block spoofed bot traffic, you may need to manually re-enable it or implement alternative bot detection and mitigation strategies.

Action Items

• Review your WAF configuration to confirm the rule status
• If you need continued protection against fake Google Bot requests, manually enable this rule or configure custom WAF rules
• Monitor your traffic patterns for any changes in bot traffic after this update