Many webmasters have noticed their websites suddenly “disappearing” from Google’s search results — and more often than not, it’s because Cloudflare’s firewall mistakenly blocked Googlebot, preventing search engines from properly crawling the site.
Cloudflare’s default protection rules are quite strict, especially toward high-frequency bot traffic. A slight misconfiguration can trigger blocks, leading to delayed indexing or even a dramatic drop in keyword rankings.
In this post, we’ll walk through 4 practical steps to fix Google indexing issues caused by Cloudflare firewall rules — from diagnosing the root cause to tweaking basic settings and whitelisting Googlebot the right way.
First, confirm whether you’re actually being blocked
When a site isn’t showing up in Google, it’s tempting to start changing settings right away — but in many cases, Cloudflare might not be the issue at all. Other SEO factors (like content quality or robots.txt) might be to blame.
So before making any changes, check for real signs of blocking to avoid making the problem worse.
Google Search Console Crawl Error Report
- Path: Go to GSC dashboard → “Indexing” on the left → “Pages” → Check the “Excluded” section for “Crawl Anomalies.”
- Key indicators: If error types show “Access Denied” (403/5xx) or “Redirected,” it could be due to firewall blocks.
Compare with Cloudflare Firewall Logs
Steps: Log into Cloudflare → Go to “Security” → “Events” → Filter the time range, and search for requests with “User-Agent” containing “Googlebot.”
Focus on the status:
- Block: Explicit block (needs to be allowed)
- Challenge: CAPTCHA triggered (may slow down crawling)
- JS Challenge: Browser check (may break mobile crawlers)
Use Google’s Official URL Inspection Tool
- Tool link: https://search.google.com/search-console/inspect
- Enter the URL suspected of being blocked, click “Test Live URL,” and check the result.
- If it shows “Crawl blocked,” and the HTTP response code is 403, then it’s likely Cloudflare is the cause.
Know the difference: CAPTCHA vs. Full Block
CAPTCHA challenge: Googlebot gets a CAPTCHA page (HTTP 200 with verification content), which it can’t parse, resulting in indexing failure.
Full block: Returns a 403/5xx error directly, meaning Googlebot gets no content at all.
Check Cloudflare’s basic firewall settings
Cloudflare’s default security setup protects your site — but it may also “accidentally” block Googlebot.
Especially when bots crawl frequently, they might get flagged as attackers, triggering rate limits or full blocks.
Start by checking these 4 core settings — small changes here can greatly reduce false positives.
Adjust the Security Level
- The issue: If the level is set to “High” or “I’m Under Attack,” more than 30% of legit Googlebot traffic might get blocked.
- How to fix: Go to Cloudflare dashboard → “Security” → “Settings” → Lower the Security Level to “Medium” or “Low.”
- Note: After lowering, keep an eye on the logs, and use custom rules to still block real threats precisely.
Disable region-based blocking if necessary
- Risk: If you’ve enabled Geo IP blocking and blocked North America or Europe, you may be blocking Googlebot (its servers are mostly US-based).
- How to check: Go to “Security” → “WAF” → “Regions” → See if Geo Blocking is enabled. Either disable it temporarily or allow ASN 15169 (Google’s network).
Turn off Under Attack Mode (red shield icon)
- Impact: This mode forces every visitor to pass a JavaScript check with a 5-second delay — which Googlebot can’t handle, leading to total blockage.
- Fix: On the Cloudflare homepage, look for the “Under Attack Mode” switch and make sure it’s turned off.
Disable JS Challenges for Search Bots
Big mistake: When “Browser Integrity Check” is on, some bots (especially mobile Googlebot) can’t execute JS, which blocks their crawl.
Fix: Go to “Security” → “Settings” → Find “Browser Integrity Check” → Check the option to exclude search engines.
Extra tip: You can also create a custom rule to skip JS challenge for requests with User-Agent that contains Googlebot.
Must-set firewall whitelist rules
Simply lowering your security level might expose your site to risks — a better way is to whitelist Googlebot specifically using Cloudflare’s powerful rules engine.
You can whitelist by User-Agent, IP source, or ASN (Autonomous System Number).
User-Agent Whitelist (Top Priority)
What it does: Allows all requests that include Googlebot in the User-Agent to bypass firewall checks.
How to set it up:
Cloudflare dashboard → “Security” → “WAF” → “Rules” → Create a new rule
- Field:
User-Agent→contains→ Use regex:.*Googlebot.* - Action: Choose “Bypass” or “Skip”
Note: Make sure to include variations like Googlebot-Image (image bot), Googlebot Smartphone (mobile crawler), etc.
ASN Whitelist (to prevent spoofing)
Why it matters: Some bad bots spoof Googlebot’s User-Agent, so checking the IP origin helps verify if it’s really from Google.
How to do it: In your firewall rule, add this condition:
- Field:
ASN→equals→ Enter15169(Google’s global ASN)
Many site owners have found their websites suddenly “disappearing” from Google search results — and in many cases, the culprit is Cloudflare’s firewall mistakenly blocking Googlebot. This prevents the search engine from properly crawling your site.
Cloudflare’s default protection rules are pretty strict, especially toward bots with high-frequency visits. If you’re not careful, you can easily trigger the firewall, which can slow down indexing or — in worse cases — cause your rankings to nosedive.
This article walks you through 4 practical steps to solve indexing issues caused by Cloudflare. We’ll guide you step-by-step: from diagnosing whether Googlebot is actually being blocked, adjusting basic firewall settings, to safely whitelisting Google’s crawler.
First, confirm whether it’s actually being blocked
A lot of webmasters jump straight into tweaking settings when their site isn’t being indexed. But Cloudflare might not be the issue at all — it could be something else, like low-quality content or restrictions in your robots.txt file.
Use the steps below to verify if Googlebot is truly being blocked. This helps avoid unnecessary changes that could cause even more problems.
Google Search Console Crawl Error Report
- Path: Go to GSC → Left menu “Indexing” → “Pages” → Check the “Excluded” pages for any “Crawl Errors.”
- Key indicator: If the error shows as “Denied” (403/5xx) or “Redirected,” Cloudflare may be blocking the bot.
Compare with Cloudflare Firewall Logs
Steps: Log in to Cloudflare → Go to “Security” → “Events” → Set the time range and search for requests with “User-Agent” containing “Googlebot”.
Pay attention to the status:
- Block: This means the request was outright blocked — it needs to be allowed.
- Challenge: This triggers a CAPTCHA challenge — it may slow down crawling.
- JS Challenge: Requires browser checks — this can cause mobile bots to fail.
Use Google’s Official Testing Tool
- Tool URL: https://search.google.com/search-console/inspect
- Paste the affected URL and click “Test Live URL” to see what happens.
- If it shows “Crawl blocked,” check the HTTP response code (e.g., 403) in the details to confirm.
Understand the difference between CAPTCHA and Full Block
CAPTCHA Challenge: The bot gets a page with a CAPTCHA (200 status code, but the content is a CAPTCHA), which Google can’t process — so indexing fails.
Full Block: The server responds with a 403 or 5xx error, and the bot can’t access the page at all.
Check Cloudflare’s Basic Firewall Settings
While Cloudflare’s default security settings protect your site, they might also block Googlebot by mistake.
Frequent crawls can look like an attack, which may trigger rate-limiting or blocking.
Here are 4 key settings to review. Adjusting them can significantly reduce the chances of false positives.
Adjust Security Level
- Issue: If set to “High” or “Under Attack,” more than 30% of legitimate bots might get blocked.
- Fix: Go to Cloudflare dashboard → “Security” → “Settings” → Set the Security Level to “Medium” or “Low.”
- Note: After lowering the level, monitor for any real threats and use “Custom Rules” to filter them precisely.
Turn off region-based blocking that might be overreaching
- Risk: If you’ve enabled “Geo-blocking” and it includes North America or Europe, you might be blocking Googlebot — which is mostly based in the U.S.
- Steps: Go to “Security” → “WAF” → “Countries” → Check if Geo-blocking is on. Either disable it temporarily or exclude ASN15169 (Google’s dedicated network).
Disable “Under Attack Mode” (red shield icon)
- Impact: This mode forces all visitors to complete a challenge (5-second delay page), but Googlebot can’t pass this — it gets fully blocked.
- Fix: In the Cloudflare dashboard homepage → Look for the “Under Attack Mode” toggle → Make sure it’s off.
Turn off JS Challenge for search engines
Critical error: When “Browser Integrity Check” is on, some crawlers (especially mobile Googlebot) can’t run JavaScript and fail to crawl.
Steps: Go to “Security” → “Settings” → Find “Browser Integrity Check” → Check the box to exempt search engines.
Bonus tip: You can also create a custom rule to disable JS challenges for requests with User-Agent containing Googlebot.
Must-Set Firewall Whitelist Rules
Just lowering your security level can expose your site to risks. A safer approach is to use Cloudflare’s firewall rules to specifically allow Google’s crawler.
Cloudflare lets you whitelist based on User-Agent, IP source, ASN (Autonomous System Number), and more.
User-Agent Whitelist (Top Priority)
What it does: Whitelist all requests that include Googlebot in the User-Agent — skipping firewall filters.
Steps:
Cloudflare dashboard → “Security” → “WAF” → “Rules” → Create a new rule
- Field:
User-Agent→contains→ Enter this regex:.*Googlebot.* - Action: Choose “Bypass” or “Skip”
Note: Be sure to also match variants like Googlebot-Image (image crawler) and Googlebot Smartphone (mobile version).
ASN Whitelist (to prevent spoofed User-Agents)
Why it’s needed: Malicious bots can fake the Googlebot UA string. Verifying IP source adds an extra layer of safety.
Steps: Add a condition in the firewall rule:
- Field:
ASN→equals→ Enter15169(Google’s global server ASN)
