Cookiebot scans are done from a pool of static IP addresses:
- 20.223.9.138
- 34.107.102.47
- 34.141.10.24
- 34.159.86.126
- 34.159.168.195
- 34.159.247.222
- 35.198.78.207
- 35.198.137.6
- 35.198.160.49
- 35.246.143.2
- 35.246.191.14
Please note
It's technically impossible to scan from any other IP address than those listed above.
If you see traffic spikes from IP addresses other than those listed above, the traffic is unlikely to be caused by our scanner.
These IPs in this article are always up to date, but can subject to change in the near future and as such can not be considered "fixed" IPs. You can follow this article in order to get notified of any changes we make to the above IP list.
User agent string
To whitelist the Cookiebot scanners or to help filter out Cookiebot from traffic analysis we recommend that you instead do this based on how our scanners identify through their user agent string.
The Cookiebot scanner user agent will look something like this (where X is a numeric value of one or more digits):
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko; compatible; Cookiebot/1.0; +http://cookiebot.com/) Chrome/X.X.X.X Safari/537.36
As our scanner user agent string will change over time, we suggest simply looking for "Cookiebot/1.0" in the string and make your desired configurations based on this.
See also: I see (unusual) spikes in the traffic on my website - is it caused by your scanner?
Comments
16 comments
Cookiebot support, can you please get in contact with Google and fix this?
We all have to make filters and stuff to bann your monthly scanning from our Google Search Console listings.
This is not ok.
Hi! The thing I'm doing now is creating a User Agent variable in GTM and using this to create a pageview trigger that checks for "Cookiebot" in the user agent variable. If this is the case, do not deploy the GA4 tag. Maybe it will help you along.
We need you to set up your crawler to "do not track" or something when visiting sites. Not only Google Analytics are affected by this, but also the native analytics in Shopfy et al.
Cookiebot support, your IPs do not work for filtering traffic in Direct - GA4, when the scanner is running!!! Following all the filtering instructions, the bot traffic will still appear in GA4. What should I do about it?
It would be nice if a date of update was added to this page.
Also: I didn't get a notice about the update on this page.
Same for me, all above listed ip's are marked as internal_traffic, but google_analytics is still report spikes on the report day.
Beware, the list in this article is not up to date. Last week I noticed the following Cookiebot IP addresses in our server logs.
This list may still be incomplete, but those are the ones I was able to identify as Cookiebot from the User-Agent request header.
@Cookiebot support: If users are not able to keep your bot out of analytics based on the IP address, you are forcing your users to follow @Roel Cuijpers' suggestion to exclude any analytics tags when Cookiebot crawls our websites. The side effect is that such tags will no longer be included in your scan report. If the report and cookie declaration are incomplete, then what is the point of having it?
I have the same problem as George. Please let me know how to counteract this.
This really needs to get fixed. I have one client looking to remove Cookiebot now because of spikes in traffic, even after all these IP's are excluded
It used to work fine, but after you expanded to 18 IP Adresses it does not anymore, maybe u have more IP's that are not listed here?
Got the scan traffic in the GA4 both this month and the last month.
How do you identify this bot traffic being cookiebot? We do see spikes on screen resolution of 1024x786 every start of the month.
Hi. This is irritating to me too. Maybe you need to force cookiebot support using other methods. There is considerable competition on the market. I'm currently looking for something else, because their service in this context is embarrassing. They haven't been able to fix a simple mistake for over a year. The only thing they can do is issue invoices every month!
We are experiencing traffic spikes as well.
I have set up filtering by IP, by user agent on client side and on server side as well.
Our client did manual cookie scan, and we had experienced traffic spike.
Also we checked access logs, none of IP above was listed in access logs, and not even user agent string containing Cookiebot.
Contacted support team on this issue as the boot traffic keep showing up in the GA4. No valid response in the last 3-4 weeks. Can someone confirm that IP list is up to date? I've added IP addresses listed in the comments but Boot still showed up yestarday in my reports.
Anyone can recommend different tool that can be filtered out form GA4?
Thanks,
Cookiebot: please fix this mess!
The rules detailed on this page are not working. I added all IP addresses listed here (including the additional 5 in the comments - thanks for this) to the GA4 internal and data filters and also added a Blocking trigger for GA4 whenever the user_agent contains "cookiebot". For sanity checking, I also started sending user_agent as custom parameter. Now, I started a manual Scan to verify the settings.
And then I see that the use_agent does not even include "cookiebot" (see screenshot). This is a rather low traffic site, so 99% of the hits that came in in the past 15 minutes are from the manually triggered Cookiebot scan.
I have recommended Cookiebot to various of my clients for consent management, and am now dealing for months with them seeing traffic spikes in their analytics every month despite having these rules in place. And I go in every month again after they have another traffic spike to try to lock down GA4 tracking even more.
And now I just figured out that what is written here does not actually apply.
I'm seriously considering moving my clients to a different platform.
Please sign in to leave a comment.