diff --git a/public/__redirects b/public/__redirects
index d57abd3e990bd4c..c0282a3fd7bf481 100644
--- a/public/__redirects
+++ b/public/__redirects
@@ -278,6 +278,7 @@
/bots/concepts/bot/verified-bots/ip-validation/ /bots/reference/bot-verification/ip-validation/ 301
/bots/concepts/bot/verified-bots/web-bot-auth/ /bots/reference/bot-verification/web-bot-auth/ 301
/bots/concepts/bot/verified-bots/overview/ /bots/concepts/bot/verified-bots/ 301
+/bots/frequently-asked-questions/ /bots/ 301
#browser-rendering
/browser-rendering/get-started/browser-rendering-with-DO/ /browser-rendering/workers-bindings/browser-rendering-with-do/ 301
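Review bot: the added redirect for `/bots/frequently-asked-questions/` targets the `/bots/` landing page, although this patch moves the FAQ's answers to specific pages (verified bots, Web Bot Auth, Super Bot Fight Mode, the new false-positives page), so existing deep links to FAQ sections will land on a page that carries none of that content. Consider pointing the redirect at the closest replacement page, and confirm no other docs still link to the FAQ; only the link in `web-bot-auth.mdx` is removed in this patch.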
diff --git a/src/content/docs/bots/changelog.mdx b/src/content/docs/bots/changelog.mdx
index cac67c7f06f7a30..b93a7167783c0d1 100644
--- a/src/content/docs/bots/changelog.mdx
+++ b/src/content/docs/bots/changelog.mdx
@@ -4,7 +4,7 @@ title: Changelog
release_notes_file_name:
- bots
sidebar:
- order: 13
+ order: 10
---
import { ProductReleaseNotes } from "~/components";
diff --git a/src/content/docs/bots/concepts/bot-score.mdx b/src/content/docs/bots/concepts/bot-score.mdx
index 96a3ee3a588de94..a7eb6a7afe87cf7 100644
--- a/src/content/docs/bots/concepts/bot-score.mdx
+++ b/src/content/docs/bots/concepts/bot-score.mdx
@@ -52,8 +52,6 @@ The Heuristics engine immediately gives automated requests a score of 1.
-The ML engine produces scores 2 through 99.
-
### Anomaly detection
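Review bot: deleting `The ML engine produces scores 2 through 99.` removes the only statement of the ML score range in this section, and the rewritten `bots-ml.mdx` partial in this patch says the ML system determines `the final Bot Score (1–99)`. That overlaps with the context line above, which says the Heuristics engine assigns a score of 1, so a reader writing rules on `cf.bot_management.score` gets two different accounts of what a score of 1 means. Either keep the 2 through 99 sentence here or make the partial state the same range.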
diff --git a/src/content/docs/bots/concepts/bot/verified-bots/index.mdx b/src/content/docs/bots/concepts/bot/verified-bots/index.mdx
index 5424605da54ea54..6d9cbdfb62e4b5d 100644
--- a/src/content/docs/bots/concepts/bot/verified-bots/index.mdx
+++ b/src/content/docs/bots/concepts/bot/verified-bots/index.mdx
@@ -83,6 +83,19 @@ Verified Bot Categories is available on all plans.
| Webhooks | `Webhooks` | Payment processors, WordPress Integration tools |
| Other | `Other` | |
+
+### Known issues
+
+The Yandex bot is classified as a Verified Bot, but traffic may occasionally be blocked by a [WAF Managed Rule](/waf/managed-rules/) (such as the rule with ID `...f6cbb163`).
+
+This typically occurs when Yandex updates its source IP address ranges. The new IPs are temporarily unrecognized by the WAF Managed Rules until the updated Verified Bot IP list is fully synchronized across the Cloudflare network.
+
+To restore Yandex traffic, deploy a [WAF exception](/waf/managed-rules/waf-exceptions/) that temporarily skips the managed rule with ID `` when a request is coming from the **Yandex IP** and the user-agent contains **Yandex**. This ensures that legitimate Yandex traffic bypasses the blocking rule without disabling security features for other traffic.
+
+You can also create a [WAF Custom Rule](/waf/custom-rules/skip/) with the _Skip_ action targeting the managed ruleset that contains the blocking rule. The rule expression should specifically match the request's Yandex IP and User-Agent.
+
+The issue is transient and will resolve automatically once the new Yandex IP addresses are fully propagated to Cloudflare's systems. This propagation typically takes up to 48 hours. If the bot remains blocked after 48 hours, contact [Cloudflare Support](/support/contacting-cloudflare-support/).
+
---
## Availability
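Review bot: in the paragraph starting `To restore Yandex traffic`, the rule ID renders as an empty code span (the text reads "the managed rule with ID" followed by empty backticks), so the reader is not told which rule to skip; the first paragraph gives `...f6cbb163`, so repeat it or restore the ID component here. Two points from the FAQ entry this replaces are also lost: the instruction to remove the workaround once propagation completes, which matters because a leftover exception keeps skipping the managed rule for every request matching that IP and user-agent, and the legacy WAF guidance to temporarily disable rule `100203`. It would also help to say where the reader should obtain the Yandex IP to match, since the premise of the section is that Cloudflare's own list is not yet updated.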
diff --git a/src/content/docs/bots/frequently-asked-questions.mdx b/src/content/docs/bots/frequently-asked-questions.mdx
deleted file mode 100644
index 9be3da58a05163c..000000000000000
--- a/src/content/docs/bots/frequently-asked-questions.mdx
+++ /dev/null
@@ -1,220 +0,0 @@
----
-pcx_content_type: faq
-title: FAQ
-structured_data: true
-sidebar:
- order: 11
----
-
-import { Render, RuleID, APIRequest } from "~/components";
-
-## Bots
-
-### How does Cloudflare detect bots?
-
-Cloudflare uses multiple methods to detect bots, but these vary by plan. For more details, refer to [Plans](/bots/plans).
-
----
-
-### How do I know what is included in my plan?
-
-To know what's included in your plan, refer to our [Plans](/bots/plans).
-
----
-
-### How do I set up my bot product?
-
-To learn how to set up your bot product, refer to [Get started](/bots/get-started/).
-
----
-
-### Yandex bot unexpectedly blocked by the WAF managed rule with ID `...f6cbb163`
-
-Yandex updates their bots very frequently, you may see more false positives while these changes are propagated. New and recently updated bots will occasionally be blocked by a Cloudflare WAF managed rule, as the IP list of Yandex bots has not yet synced with Yandex's most recent changes.
-
-**Workarounds:**
-
-- Create an [exception](/waf/managed-rules/waf-exceptions/) to temporarily skip the managed rule with ID when a request is coming from the **Yandex IP** and the user-agent contains **Yandex.**
-- Create a [WAF custom rule with the _Skip_ action](/waf/custom-rules/skip/) to temporarily bypass WAF Managed Rules when a request is coming from the **Yandex IP** and the user-agent contains **Yandex.**
-
-If you are using the [legacy WAF managed rules](/waf/reference/legacy/old-waf-managed-rules/), disable the WAF managed rule with ID `100203` temporarily.
-
-**Solution:**
-
-Once the new Yandex IP is propagated to our system, the requests will not be blocked anymore and you can remove any workaround you configured. This can take up to 48 hours. If you see any Yandex bots still being blocked after 48 hours with no change to the bot, contact [Cloudflare Support](/support/contacting-cloudflare-support/).
-
----
-
-### How does machine learning work?
-
-Supervised machine learning takes certain variables (X) like gender and age and predicts another variable (Y) like income.
-
-In Bot Management and Super Bot Fight Mode, the X variables are request features, while the Y variable represents the probability of solving a challenge based on X values.
-
-Cloudflare uses data from millions of requests and re-train the system on a periodic basis. You can learn about this data from your own request logs such as Cloudflare Logpull and Logpush as well as the Firewall API.
-
----
-
-### Why am I seeing a Managed Challenge action for WAF rules?
-
-When you choose to challenge different bot categories with Bot Fight Mode or Super Bot Fight Mode, you will see Security Events with an **Action Taken** of **Managed Challenge**.
-
-You may also see Managed Challenge due to a triggered [WAF custom rule](/cloudflare-challenges/challenge-types/challenge-pages/#managed-challenge-recommended).
-
-This does not mean that your traffic was blocked. It is the challenge sent to your user to determine whether they are likely human or likely bot.
-
-To understand if the result of the challenge was a success or a failure, you can verify using [Logpush](/logs/logpush/).
-
-### Does the WAF run before Super Bot Fight Mode?
-
-Yes. WAF rules are executed before Super Bot Fight Mode. If a WAF custom rule performs a [terminating action](/ruleset-engine/rules-language/actions/) such as _Block_, your Super Bot Fight Mode configuration will not be evaluated.
-
----
-
-### What is cf.bot_management.verified_bot?
-
-A request's _cf.bot_management.verified_bot_ value is a boolean indicating whether such request comes from a Cloudflare allowed bot.
-
-Cloudflare has built an allowlist of good, automated bots, for example Google Search Engine, Pingdom, and more.
-
-This allowlist is large based on reverse DNS verification, meaning that the IPs we allow really match the requesting service. In addition to this, Cloudflare uses multiple validation methods including ASN blocks and public lists. If none of these validation types are available for a customer, we use internal Cloudflare data and machine learning to identify legitimate IP addresses from good bots.
-
-To allow traffic from good bots, use the [Verified Bot](/ruleset-engine/rules-language/fields/reference/cf.bot_management.verified_bot/) field in your WAF custom rule.
-
----
-
-### Why might the ja3hash or JA4 be empty in HTTP logs?
-
-
-
----
-
-### I run a good bot and want for it to be added to the allowlist (cf.bot_management.verified_bot). What should I do?
-
-Cloudflare maintains a sample list of verified bots in [Cloudflare Radar](https://radar.cloudflare.com/verified-bots).
-
-As a bot operator, in order to be listed by Cloudflare as a Verified Bot, your bot must conform with our [verified bot public policy](/bots/concepts/bot/verified-bots/policy/). If your bot meets this criteria, submit this [online application](https://docs.google.com/forms/d/e/1FAIpQLSdqYNuULEypMnp4i5pROSc-uP6x65Xub9svD27mb8JChA_-XA/viewform?usp=sf_link).
-
----
-
-### What information do I need to troubleshoot my bot issues?
-
-If you are experiencing errors with your bot solution and need to submit a Support request, include the following information:
-
-:::caution
-
-The following information gathering are required when you are experiencing issues (for example, false positives) with Enterprise Bot Management only (Enterprise plan).
-
-Because Bot Fight Mode (BFM) and Super Bot Fight Mode (SBFM) are set at a domain level, we often find that disabling these features is the best solution to false positives.
-
-Please follow instructions in the following questions on how to disable BFM and SBFM features. We conduct more thorough investigations for Enterprise Bot Management.
-:::
-
-- [Ray IDs](/fundamentals/reference/cloudflare-ray-id/)
-- IP addresses
-- WAF custom rule IDs, rule expression, Challenge solve rates
-- Common user-agents among false positives
-- Common ASNs among false positives
-- Screenshots of strange activity from the WAF, such as a huge spike in challenged traffic on the graph
-- Problematic URIs or paths
-- Rough description of how your domain is configured.
- - Is one zone Cloudflare for SaaS while the others are not?
- - Is most API traffic sent to a particular URI?
- - How much mobile traffic do you expect?
-
----
-
-### What should I do if I am getting False positives caused by Bot Fight Mode (BFM) or Super Bot Fight Mode (SBFM)?
-
-:::caution[Important considerations you need to be aware of before turning on BFM or SBFM]
-
-- BFM and SBFM are high security features intended to quickly help customers under active attack stop as many bots as possible. Due to the high security threshold, false positives do sometimes happen.
-- BFM has limited control. You cannot bypass or skip BFM using the _Skip_ action in WAF custom rules or using Page Rules. BFM will be disabled if there are any IP Access rules present. If you turned on BFM during an attack, and the attack has subsided, we recommend either disabling the feature using IP Access rules to bypass BFM, or looking at [Bot Management for Enterprise](/bots/plans/bm-subscription/), which gives you the ability to precisely customize your security threshold and create exception rules as needed.
-- SBFM can be bypassed with IP Access _Allow_ action rules. You can use the _Skip_ action in [WAF custom rules](/waf/custom-rules/skip/) to specify where Super Bot Fight Mode should not run.
-
-:::
-
-**How to disable BFM/SBFM feature?**
-
-If you encounter any issues with BFM/SBFM feature (for example, false positive), you can disable it under **Security** > **Settings**.
-
-For **Free** plans
-
- 1. Filter by **Bot traffic**.
- 2. Turn **Bot Fight Mode** off.
-
-For **Pro** plans
-
- 1. Filter by **Bot traffic**.
- 2. Go to **Super Bot Fight Mode**.
- 3. Set **Definitely automated traffic** and **Verified bots** to **Allow**
- 4. Turn **Static resource protection** and **JavaScript detections** off.
-
-For **Business** and **Enterprise** (with no Bot Management add-on) plans
-
- 1. Filter by **Bot traffic**.
- 2. Go to **Super Bot Fight Mode**.
- 3. Set each of **Definitely automated traffic**, **Likely automated** and **Verified bots** to **Allow**.
- 4. Turn **Static resource protection** and **JavaScript detections** off.
-
-
-
-You cannot bypass or skip Bot Fight Mode using the _Skip_ action in WAF custom rules or using Page Rules. _Skip_, _Bypass_, and _Allow_ actions apply to rules or rulesets running on the [Ruleset Engine](/ruleset-engine/). While Super Bot Fight Mode rules are implemented in the Ruleset Engine, Bot Fight Mode checks are not. This is why you can skip Super Bot Fight Mode, but not Bot Fight Mode. If you need to skip Bot Fight Mode, consider using [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/).
-
-Bot Fight Mode can still trigger if you have IP Access rules, but it cannot trigger if an IP Access rule matches the request. For example, the IP Access rule matches the connecting IP.
-
----
-
-## Web Bot Auth
-
-### What key algorithms does Cloudflare support?
-
-Cloudflare supports Ed25519 key algorithm.
-
----
-
-### What `web-bot-auth` features from the IETF draft are not supported?
-
-The following derived components are not supported, and we will fail to verify a message if they are included:
-
-- `@query-params`: Cloudflare recommends signing the whole query using the `@query` component instead of signing an individual parameter.
-- `@status`: This is not possible to include in the request path.
-
-The following component parameters defined in IETF RFC 9421 are not supported, and Cloudflare will fail to verify a message if they are included:
-
-- `sf` (for HTTP header fields)
-- `bs` (for HTTP header fields)
-- `key` (for HTTP header fields)
-- `req` (for HTTP header fields or derived components)
-- `name` (for `@query-param` support - this requires `@query-param` support)
-
----
-
-### Should I supply a `nonce` parameter in `Signature-Input`?
-
-The `nonce` parameter allows you to supply a `nonce` to prevent attackers from replaying past messages against a server.
-
-While Cloudflare recommends including it, there is currently no `nonce` validation, nor does Cloudflare guard against replay attacks using a database of seen `nonces`.
-
-Instead, Cloudflare recommends short `expires` as a protection against replay attacks. A minute is often sufficient.
-
----
-
-### How do I know my JSON Web Key set directory will be accepted?
-
-Cloudflare uses [`http-signature-directory` tool](https://crates.io/crates/http-signature-directory) to validate your directory. Please ensure this works against your directory before registering with us.
-
----
-
-### My message is failing validation. What could be the cause?
-
-- Ensure you have a [`Signature-Agent` header](/bots/reference/bot-verification/web-bot-auth/#signature-agent-header), and that its value is in double-quotes.
-- Ensure you include `signature-agent` in the component list in your [`Signature-Input` header](/bots/reference/bot-verification/web-bot-auth/#signature-agent-header).
-- Ensure your `expires` timestamp is not too short, such that, by the time it arrives at Cloudflare servers, it has already expired. A minute is often sufficient.
-- Ensure you are not signing components containing non-ASCII values, or on the unsupported list.
-
----
-
-### I want to use HTTP message signatures / Web Bot Auth on my zone, and do not want Cloudflare's verification to intervene. What do I do?
-
-You can request the Web Bot Auth feature be disabled for your zone by contacting Cloudflare support. This will disable usage of Web Bot Auth specifically with Cloudflare, and verified bots will fallback to other modes to validate traffic.
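Review bot: several answers in this deleted file have no replacement in the additions elsewhere in this patch: the `http-signature-directory` check for JSON Web Key set directories, the verified bot application process (policy link, Radar list and application form), the list of information to include in a Support request, and the explanation of the Managed Challenge action in Security Events. The per-plan steps for turning off Bot Fight Mode and Super Bot Fight Mode are replaced only by a link to `#disable-bot-fight-mode` in the new false-positives page. If these are dropped intentionally, say so in the PR description; otherwise move them to the relevant pages before deleting the FAQ.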
diff --git a/src/content/docs/bots/get-started/super-bot-fight-mode.mdx b/src/content/docs/bots/get-started/super-bot-fight-mode.mdx
index cd68ed74da06b5a..a4f67964bbec111 100644
--- a/src/content/docs/bots/get-started/super-bot-fight-mode.mdx
+++ b/src/content/docs/bots/get-started/super-bot-fight-mode.mdx
@@ -25,6 +25,14 @@ Accounts with an Enterprise subscription but not the [Bot Management add-on](/bo
+### WAF custom rules
+
+[WAF custom rules](/waf/custom-rules/) are executed before Super Bot Fight Mode.
+
+This order has a critical impact on traffic processing. If a WAF custom rule performs a terminating action (such as _Block_, _Managed Challenge_, or _JS Challenge_), the request will not be processed further, and the Super Bot Fight Mode configuration will not be evaluated.
+
+To configure exceptions to Super Bot Fight Mode, you should use the [_Skip_ action in your WAF custom rules](/waf/custom-rules/skip/). The _Skip_ action allows the request to bypass the Super Bot Fight Mode phase without terminating the request, enabling it to continue through the rest of the security stack.
+
## Enable Super Bot Fight Mode
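Review bot: the parenthetical list of terminating actions (`_Block_`, `_Managed Challenge_`, `_JS Challenge_`) is given without the link to the actions reference (`/ruleset-engine/rules-language/actions/`) that the deleted FAQ answer carried, so a reader cannot check which other actions also stop evaluation. Restore that link on `terminating action`. The last paragraph would also benefit from saying that the _Skip_ rule expression should be scoped as narrowly as possible, since a request that matches it is not evaluated by Super Bot Fight Mode at all.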
diff --git a/src/content/docs/bots/glossary.mdx b/src/content/docs/bots/glossary.mdx
index aa370cd7f7a0f9f..da52044bbc8c296 100644
--- a/src/content/docs/bots/glossary.mdx
+++ b/src/content/docs/bots/glossary.mdx
@@ -2,7 +2,7 @@
title: Glossary
pcx_content_type: glossary
sidebar:
- order: 12
+ order: 9
---
diff --git a/src/content/docs/bots/reference/bot-management-variables.mdx b/src/content/docs/bots/reference/bot-management-variables.mdx
index 4a4da34092f6438..af12f7be62bcaa9 100644
--- a/src/content/docs/bots/reference/bot-management-variables.mdx
+++ b/src/content/docs/bots/reference/bot-management-variables.mdx
@@ -13,7 +13,11 @@ import { Render } from "~/components"
Bot Management provides access to several [new variables](/ruleset-engine/rules-language/fields/reference/?field-category=Bots) within the expression builder of Ruleset Engine-based products such as [WAF custom rules](/waf/custom-rules/).
- **Bot Score** (`cf.bot_management.score`): An integer between 1-99 that indicates [Cloudflare's level of certainty](/bots/concepts/bot-score/) that a request comes from a bot.
-- **Verified Bot** (`cf.bot_management.verified_bot`): A boolean value that is true if the request comes from a good bot, like Google or Bing. Most customers choose to allow this traffic. For more details, see [Traffic from known bots](/waf/troubleshooting/faq/#how-does-the-waf-handle-traffic-from-known-bots).
+- **Verified Bot** (`cf.bot_management.verified_bot`): A boolean value that indicates whether a request originates from a Cloudflare allowed bot.
+
+ Cloudflare maintains a large allowlist of good, automated bots (such as Google Search Engine and Pingdom) that perform beneficial tasks. Cloudflare identifies and verifies these bots primarily through reverse DNS validation, ensuring the source IP matches the requesting service.
+
+ We also use additional validation methods, including checking ASN blocks and public lists. If these methods are unavailable, Cloudflare utilizes internal data and machine learning to identify and verify legitimate IP addresses from good bots. Most customers choose to [allow this traffic](/ruleset-engine/rules-language/fields/reference/cf.bot_management.verified_bot/).
- **Serves Static Resource** (`cf.bot_management.static_resource`): An identifier that matches [file extensions](/bots/additional-configurations/static-resources/) for many types of static resources. Use this variable if you send emails that retrieve static images.
- **ja3Hash** (`cf.bot_management.ja3_hash`) and **ja4** (`cf.bot_management.ja4`): A [**JA3/JA4 fingerprint**](/bots/additional-configurations/ja3-ja4-fingerprint/) helps you profile specific SSL/TLS clients across different destination IPs, Ports, and X509 certificates.
- **Bot Detection IDs** (`cf.bot_management.detection_ids`): List of IDs that correlate to the Bot Management heuristic detections made on a request (you can have multiple heuristic detections on the same request).
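Review bot: the link text `allow this traffic` at the end of the added Verified Bot item points to the field reference page rather than to guidance on allowing traffic, and the removed link to `Traffic from known bots` in the WAF FAQ has no replacement. Link the field name to the reference and keep a pointer to how the WAF treats known bots. Also, `a Cloudflare allowed bot` reads awkwardly (consider `a bot on Cloudflare's verified bot allowlist`), and the item switches from `Cloudflare` to `We` between its paragraphs.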
diff --git a/src/content/docs/bots/reference/bot-verification/web-bot-auth.mdx b/src/content/docs/bots/reference/bot-verification/web-bot-auth.mdx
index c6d50229050a587..b6e6cc3bbf9b831 100644
--- a/src/content/docs/bots/reference/bot-verification/web-bot-auth.mdx
+++ b/src/content/docs/bots/reference/bot-verification/web-bot-auth.mdx
@@ -22,10 +22,13 @@ You need to generate a signing key which will be used to authenticate your bot's
{/* prettier-ignore */}
1. Generate a unique [Ed25519](https://ed25519.cr.yp.to/) private key to sign your requests. This example uses the [OpenSSL](https://openssl-library.org/) `genpkey` command:
+ :::note
+ Cloudflare supports Ed25519 key algorithm.
+ :::
- ```sh
- openssl genpkey -algorithm ed25519 -out private-key.pem
- ```
+ ```sh
+ openssl genpkey -algorithm ed25519 -out private-key.pem
+ ```
2. Extract your public key.
```sh
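Review bot: the `:::note` is inserted between the step 1 sentence, which ends in `command:`, and the `openssl genpkey` block that sentence introduces, so the colon now leads into the note instead of the command. Move the note above the numbered list or after the code fence. The wording `Cloudflare supports Ed25519 key algorithm.` is also missing an article and does not say whether Ed25519 is the only accepted algorithm, which is what a bot operator needs to know before generating a key.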
@@ -158,6 +161,14 @@ Construct a [`Signature-Input` header](https://www.rfc-editor.org/rfc/rfc9421#na
| `created` | This should be equal to a `Unix` timestamp associated with when the message was sent by your application. |
| `expires` | This should be equal to a `Unix` timestamp associated with when Cloudflare should no longer attempt to verify the message. A short `expires` reduces the likelihood of replay attacks, and Cloudflare recommends choosing suitable short-lived intervals. |
+:::tip[`nonce`]
+The `nonce` parameter allows you to supply a `nonce` to prevent attackers from replaying past messages against a server.
+
+While Cloudflare recommends including it, there is currently no `nonce` validation, nor does Cloudflare guard against replay attacks using a database of seen `nonces`.
+
+Instead, Cloudflare recommends short `expires` as a protection against replay attacks. A minute is often sufficient.
+:::
+
#### `Signature` header
Construct a [`Signature` header](https://www.rfc-editor.org/rfc/rfc9421#name-the-signature-http-field) over your chosen components.
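Review bot: the tip says Cloudflare recommends including `nonce` and only afterwards that it is not validated and that short `expires` is recommended `Instead`; a reader who stops after the first sentence may assume `nonce` provides replay protection on Cloudflare's side. Lead the tip with the fact that `nonce` is not validated and that the replay window is therefore bounded only by `expires`, then give the recommendation. Consider titling the tip after replay protection rather than `nonce`, since the actionable advice concerns `expires`.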
@@ -191,11 +202,48 @@ Signature: sig2=:jdq0SqOwHdyHr9+r5jw3iYZH6aNGKijYp/EstF4RQTQdi5N5YYKrD+mCT1HA1nZ
You can test how Cloudflare interprets your signed requests against https://crawltest.com/cdn-cgi/web-bot-auth. This endpoint returns an HTTP `401` if your message is formatted correctly but your key is unknown, an HTTP `200` if the key is known and your message is verified, and an HTTP `400` otherwise. You may also see an HTTP `401` if your key is known but the message failed to verify.
:::
+---
+
+## Limitations
+
+Cloudflare's implementation of Web Bot Auth does not support every component and parameter defined in IETF RFC 9421. If you include any of the following in your request's Signature-Input header, verification will fail.
+
+- `@query-params`: Cloudflare recommends signing the whole query using the `@query` component instead of signing an individual parameter.
+- `@status`: This is not possible to include in the request path.
+
+The following component parameters defined in IETF RFC 9421 are not supported, and Cloudflare will fail to verify a message if they are included:
+
+- `sf` (for HTTP header fields)
+- `bs` (for HTTP header fields)
+- `key` (for HTTP header fields)
+- `req` (for HTTP header fields or derived components)
+- `name` (for `@query-param` support - this requires `@query-param` support)
+
+---
+
+## Troubleshooting
+
+### Failed message validation
+
+If your message is failing validation, the cause(s) may include:
+
+- Ensure you have a [`Signature-Agent` header](/bots/reference/bot-verification/web-bot-auth/#signature-agent-header), and that its value is in double-quotes.
+- Ensure you include `signature-agent` in the component list in your [`Signature-Input` header](/bots/reference/bot-verification/web-bot-auth/#signature-agent-header).
+- Ensure your `expires` timestamp is not too short, such that, by the time it arrives at Cloudflare servers, it has already expired. A minute is often sufficient.
+- Ensure you are not signing components containing non-ASCII values, or on the unsupported list.
+
+### Use HTTP message signatures / Web Bot Auth on a zone without Cloudflare's verification
+
+If you wish to use HTTP Message Signatures (Web Bot Auth) for your own origin processing and do not want Cloudflare's verification to intervene or populate the `cf.bot_management.verified_bot` field, you can request that the Cloudflare verification feature be disabled for your zone.
+
+To disable Web Bot Auth verification, contact [Cloudflare Support](/support/contacting-cloudflare-support/).
+
+Disabling this feature means that Cloudflare will not validate incoming signatures. Verified bots will then fall back to other methods (such as reverse DNS validation) to determine if traffic is legitimate.
+
## Additional resources
You may wish to refer to the following resources.
-- [Bots FAQs](/bots/frequently-asked-questions/).
- Cloudflare blog: [Message Signatures are now part of our Verified Bots Program](https://blog.cloudflare.com/verified-bots-with-cryptography).
- Cloudflare blog: [Forget IPs: using cryptography to verify bot and agent traffic](https://blog.cloudflare.com/web-bot-auth/).
- Cloudflare's [`web-bot-auth` library in Rust](https://crates.io/crates/web-bot-auth).
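Review bot: the Limitations list names the derived component `@query-params`, while the last bullet of the same section refers to `@query-param`; RFC 9421 defines `@query-param`, so use one spelling throughout or bot operators will search their `Signature-Input` for the wrong name. In the same section, the first list has lost the `derived components` label it had in the FAQ wording, and the `@status` explanation (`This is not possible to include in the request path.`) does not say that `@status` applies to responses only. Under Troubleshooting, the intro `the cause(s) may include:` is followed by `Ensure ...` instructions rather than causes, and the `Signature-Input` link still points at the `#signature-agent-header` anchor.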
diff --git a/src/content/docs/bots/troubleshooting/false-positives.mdx b/src/content/docs/bots/troubleshooting/false-positives.mdx
new file mode 100644
index 000000000000000..d5e6e0d0cf558ab
--- /dev/null
+++ b/src/content/docs/bots/troubleshooting/false-positives.mdx
@@ -0,0 +1,25 @@
+---
+pcx_content_type: troubleshooting
+title: Handle False Positives from Bot Fight Mode or Super Bot Fight Mode
+sidebar:
+ order: 3
+ label: False positives
+
+---
+
+import { Render } from "~/components";
+
+[Bot Fight Mode (BFM)](/bots/get-started/bot-fight-mode/) and [Super Bot Fight Mode (SBFM)](/bots/get-started/bot-fight-mode/) are designed to stop active attacks quickly. Due to their aggressive nature, false positives can occur where legitimate human or automated traffic is incorrectly challenged or blocked.
+
+When dealing with false positives, consider the following key differences and solutions:
+
+- Bot Fight Mode has limited control. You cannot bypass or skip Bot Fight Mode using the _Skip_ action in WAF custom rules or using Page Rules. Bot Fight Mode will be disabled if there are any IP Access rules present. If you turned on BFM during an attack, and the attack has subsided, we recommend either disabling the feature using IP Access rules to bypass BFM, or looking at [Bot Management for Enterprise](/bots/plans/bm-subscription/), which gives you the ability to precisely customize your security threshold and create exception rules as needed.
+- Super Bot Fight Mode can be bypassed with IP Access _Allow_ action rules. You can use the _Skip_ action in [WAF custom rules](/waf/custom-rules/skip/) to specify where Super Bot Fight Mode should not run.
+
+
+
+You cannot bypass or skip Bot Fight Mode using the _Skip_ action in WAF custom rules or using Page Rules. _Skip_, _Bypass_, and _Allow_ actions apply to rules or rulesets running on the [Ruleset Engine](/ruleset-engine/). While Super Bot Fight Mode rules are implemented in the Ruleset Engine, Bot Fight Mode checks are not. This is why you can skip Super Bot Fight Mode, but not Bot Fight Mode. If you need to skip Bot Fight Mode, consider using [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/).
+
+Bot Fight Mode can still trigger if you have IP Access rules, but it cannot trigger if an IP Access rule matches the request. For example, the IP Access rule matches the connecting IP.
+
+If you encounter persistent false positives, you can [disable the feature in the Cloudflare dashboard](/bots/get-started/bot-fight-mode/#disable-bot-fight-mode).
\ No newline at end of file
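Review bot: the first bullet states `Bot Fight Mode will be disabled if there are any IP Access rules present`, but a later paragraph says `Bot Fight Mode can still trigger if you have IP Access rules`; both were copied from the FAQ and they contradict each other on a point that decides whether a site is still protected, so keep only the accurate statement. The sentence `You cannot bypass or skip Bot Fight Mode using the _Skip_ action ...` also appears twice, the Super Bot Fight Mode link in the opening paragraph points to `/bots/get-started/bot-fight-mode/`, `Render` is imported but not used in the lines shown, and the file lacks a trailing newline.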
diff --git a/src/content/partials/bots/bots-ml.mdx b/src/content/partials/bots/bots-ml.mdx
index 4f272dab9e8448c..df1136f568be04c 100644
--- a/src/content/partials/bots/bots-ml.mdx
+++ b/src/content/partials/bots/bots-ml.mdx
@@ -3,6 +3,13 @@
---
-The **Machine Learning (ML)** engine accounts for the majority of all detections, human and bot.
+The **Machine Learning (ML)** engine accounts for the majority of all detections, distinguishing between human and bot traffic. This approach leverages our global network, which proxies billions of requests daily, to identify both automated and human traffic.
-This approach leverages our global network, which proxies billions of requests daily, to identify both automated and human traffic. We constantly train the ML engine to become more accurate and adapt to new threats. Most importantly, this engine learns from traffic across all Cloudflare domains and uses these insights to score traffic while honoring our [strict privacy standards](https://www.cloudflare.com/privacypolicy/).
+The ML system uses a supervised machine learning methodology to determine the final Bot Score (1–99).
+
+The core model relies on the following process:
+
+- Input Variables (X): Various request features (headers, session characteristics, and browser signals) collected from traffic across the Cloudflare network.
+- Output Variable (Y): The predicted probability that a client is human (such as the probability of successfully solving a Challenge). This probability is mapped to the final 1–99 Bot Score.
+
+We constantly train the ML engine on a periodic basis using vast, anonymized data to ensure it remains accurate and adapts to new threats. Customers can analyze the request features used by these models via their own logs, such as Cloudflare [Logpull](/logs/logpull/) or [Logpush](/logs/logpush/).
\ No newline at end of file
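Review bot: `We constantly train the ML engine on a periodic basis` is self-contradictory (constantly versus periodically); pick one. The rewrite also drops the link to the privacy standards that accompanied the statement about learning from traffic across all Cloudflare domains, while adding that training uses `vast, anonymized data`, a claim that should keep a reference. Finally, `Customers can analyze the request features used by these models via their own logs` is stronger than the FAQ wording it replaces (`You can learn about this data from your own request logs`) and could be read as saying the logs expose the model's inputs.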
diff --git a/src/content/partials/bots/ja3-ja4-null.mdx b/src/content/partials/bots/ja3-ja4-null.mdx
index 0d635667074dae1..28b3d133bac4b2e 100644
--- a/src/content/partials/bots/ja3-ja4-null.mdx
+++ b/src/content/partials/bots/ja3-ja4-null.mdx
@@ -3,6 +3,10 @@
---
-The [JA3/JA4 fingerprint](/bots/additional-configurations/ja3-ja4-fingerprint/) can be null or empty in some cases. The most common case is for HTTP requests because JA3 and JA4 are calculated in TLS. It can also be empty due to the Worker sending requests within the same zone or to a zone that is not proxied (or a third party).
+The JA3 or JA4 fingerprint is an SSL/TLS-based identifier and can be null or empty in logs under specific circumstances:
-[Orange to Orange (O2O)](/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/) should not cause null or empty JA3 or JA4 fingerprints, unless the eyeball zone is routing traffic to the target zone using a Worker.
\ No newline at end of file
+- Since JA3 and JA4 are calculated during the TLS (SSL) handshake, they will not be present for non-encrypted HTTP traffic.
+- The field may be empty when a [Worker](/workers/) sends a request to a zone that is either internal to Cloudflare's network (Orange-to-Orange traffic that is not proxied) or to a third-party origin, or when a Worker is routing traffic to the target zone.
+- The fingerprints may be absent when Bot Management itself is skipped for a request, as the feature is responsible for calculating and populating these values.
+
+Generally, [Orange to Orange (O2O) traffic](/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/) should include JA3 or JA4 fingerprints unless a Worker is used to route traffic from the eyeball (client-facing) zone to the target zone.
\ No newline at end of file
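Review bot: the second bullet lists `Orange-to-Orange traffic that is not proxied` as a case where the field may be empty, while the closing paragraph says O2O traffic should include the fingerprints; the removed text kept these apart, describing a Worker sending requests `within the same zone or to a zone that is not proxied (or a third party)` separately from O2O, and the same-zone case is now gone entirely. Restate the Worker cases as in the original. The third bullet, about Bot Management being skipped, is new information not present in the text it replaces and should be confirmed with the product team, and the link to the JA3/JA4 fingerprint page was dropped.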