Cloudflare Docs
WAF
Visit WAF on GitHub
Set theme to dark (⇧+D)

Bing’s Site Scan blocked by a WAF managed rule

Microsoft Bing Webmaster Tools provides a Site Scan feature that crawls your website searching for possible SEO improvements.

Site Scan does not use the same IP address range as Bingbot (Bing’s website crawler). Additionally, the Verify Bingbot tool does not recognize Site Scan’s IP addresses as Bingbot. Due to this reason, the WAF managed rule that blocks fake Bingbot requests may trigger for Site Scan requests. This is a known issue of Bing Webmaster Tools.

To allow Site Scan to run on your website, Cloudflare recommends that you temporarily skip the triggered WAF managed rule by creating a WAF exception. After the scan finishes successfully, delete the WAF exception to start blocking fake Bingbot requests again.

The rule you should temporarily skip is the following:

NameID
Managed RulesetCloudflare Managed Rulesetefb7b8c949ac4650a09736fc376e9aee
RuleAnomaly:Header:User-Agent - Fake Bing or MSN Botae20608d93b94e97988db1bbc12cf9c8

The WAF exception, shown as a rule with a Skip action, must appear in the rules list before the rule executing the Cloudflare Managed Ruleset, or else nothing will be skipped.

To check the rule order, use one of the following methods:

  • When using the Cloudflare dashboard, the rules listed in Security > WAF > Managed rules run in order.
  • When using the Cloudflare API, the rules in the rules object obtained using the Get a zone entry point ruleset API operation (for your zone and for the http_request_firewall_managed phase) run in order.

For more information on creating WAF exceptions, refer to Create WAF exceptions.