FAQ

1. What types of crawlers can Bot Management protect against?

Bot Management supports baseline protection with general policies such as AI Bots, Public Bots, Definite Bots, and Liekly Bots. It also supports enhanced protection through scenario-based policies like Web Bot Detection, Workflow Detection, and supports fine-grained protections via Custom Bot policies.

It can help defend against the following types of crawlers and abnormal traffic:

• AI large model crawlers: Automated content collection used for purposes such as model training or retrieval-augmented generation.

• Common data scraping crawlers: Crawlers or scripts that perform high-frequency fetching of pages/APIs, comprehensive data scraping, or bulk downloading.

• Stealth and adversarial crawlers: Advanced crawlers that evade detection by forging User-Agent/request headers, simulating browser behaviors, and using proxy pools and IP rotation.

2. What should I do if legitimate traffic is blocked by mistake?

A false positive means legitimate users are incorrectly identified as malicious bots and get blocked. We recommend the following steps:

• Protect business availability first: Use Custom Bots, custom rules, or whitelist policies to mark known legitimate traffic as trusted, such as fixed IP addresses, compliant User-Agent values, or expected request patterns.

• Identify the trigger: Check logs and match records to see which policy was triggered and why.

• Report it for optimization: Share false positive samples, along with the relevant time range, URL, and client characteristics, with technical support engineer. We will add stable attack patterns into automated policies as soon as possible.

3. What should I do if malicious traffic is missed?

A false negative means malicious bots are not detected and are allowed to reach the origin. We recommend the following steps:

• Take temporary action first: If the traffic is already affecting your business, use existing capabilities to reduce the risk, such as blocking or rate limiting with custom policies, or applying stricter actions to key endpoints.

• Report it for optimization: Share traffic samples and analysis findings with technical support engineer. We will add stable attack patterns into automated policies as soon as possible.

4. Why is compatibility testing recommended before enabling Web Bot Detection?

Web Bot Detection mainly depends on embedded JavaScript code on Web / H5 pages to verify the browser environment and behavior. Compatibility testing is recommended before enabling it for the following reasons:

• JavaScript cannot run in non-HTML scenarios: For example, pure APIs, certain download/redirect scenarios, or specific rendering environments may prevent verification from being completed and trigger unexpected actions.

• Browser differences can affect results: Different browser versions, older browsers, or customized WebViews may support JavaScript differently, which can lead to false positives or user experience issues.

Note: Compatibility testing helps reduce the risk of false deny caused by differences in terminal environments.

5. Why is an APP SDK not supported? How can I protect mobile apps effectively?

Why is it not supported?

• Integration is complex: Customers need to embed the SDK and complete on-device integration, which increases development cost and may cause compatibility issues.

• App releases take time: Mobile app releases require approval by app stores (especially iOS), so urgent security updates cannot be rolled out quickly.

• Privacy and compliance risks: SDKs may involve permissions and data collection disclosures, which can increase compliance review costs.

How can mobile apps be protected effectively?

• Definite Bots and Likely Bots policies: Use heuristic rules and machine learning models to detect automation tools and abnormal malicious behavior, and then take actions.

• Workflow Detection policies: Detect and handle abnormal mobile traffic based on business flows and request frequency.

• Scenario-Based custom policies: If general policies are not enough, you can define targeted protection based on your business scenario and attack pattern.

For further assistance, please contact technical support team.