HA security and hacking

so you have 2 rules

one with bypass for:
whateverisyourdomain.com/frontend_latest/authorize.html

one with allow for the main url?
whateverisyourdomain.com/

Not sure I'm following this.

Protecting your domain won’t stop about 99% of the activity you are seeing. They are likely just using your IP as their bot traverses a subnet or is going through a list from a previous scan that returned a sign of life at your IP.

If you want to only allow access from cloudflare through your domain see if you can narrow down the IP range cloudflare uses, then setup your port forward in the USG to only allow from that IP range. That should kill the majority of the noise.


Thanks for the advice guys.
@elRadix
In Cloudflare I made a modification, everything goes thru Cloudflare Access now. I create an access policy so Google IPs can bypass it so it doesn’t break Google Assistant. I used the CIDR from here:
https://md5calc.com/google/ip

@silvrr
I found Cloudflare IPs here:

So I am just allowing connections from Cloudflare on my USG.

EDIT: Had some issues with the Firewall settings but I managed to correct it. Directly accessing my IP will drop the connection but from Cloudflare proxy servers it will work correctly.

Thanks for the advice and suggestions!

Finally, I got Google Assistant working, thanks to this thread! Thanks very much @gurbina93!

I was additionally wondering whether you're checking the JWT that is included in the requests that go through Cloudflare Access and if so, what method are you using?

I’ve felt pretty relaxed about it up to now, considering that Access, with OAuth, is covering all my registered subdomains and I’ve had bigger issues to sort out (such as the one mentioned above), but I feel it’s probably good practice to make things as watertight as possible, given your experience noted above.

P.S. I hope no-one minds me resurrecting this post!
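The two checks discussed in this thread, the USG-style "only the proxy's ranges may reach the port forward" rule and the Cloudflare Access JWT question raised above, as an added example (not code from the thread or from Cloudflare). It assumes a team domain `example` and an application AUD tag `abc123`; the IP ranges are a constructed sample, and the HS256 shared-secret signing is a stand-in so the block runs offline (real Access tokens are RS256-signed and must be verified against the team's published JWKS).

```python
import base64, hashlib, hmac, ipaddress, json, time

# Constructed sample; the real list is published at https://www.cloudflare.com/ips/
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in ("173.245.48.0/20", "103.21.244.0/22")]

def source_allowed(ip, ranges=CLOUDFLARE_RANGES):
    """Same decision the USG firewall rule makes: is the source inside the proxy's ranges?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, secret):
    """Stand-in signer (HS256, shared secret) used only to build a test token.
    Cloudflare Access signs with RS256; never accept HS256 tokens in production."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_access_jwt(token, secret, team_domain, aud_tag, now=None):
    """Validate the Cf-Access-Jwt-Assertion header value: algorithm, signature,
    issuer (the team domain), audience (the app's AUD tag) and expiry.
    Returns the claims on success, None on any failure (fail closed)."""
    try:
        header, body, sig = token.split(".")
        # Pin the algorithm before touching the signature (blocks alg confusion).
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # bad base64, bad JSON, wrong segment count
        return None
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != f"https://{team_domain}.cloudflareaccess.com":
        return None
    if aud_tag not in aud or claims.get("exp", 0) <= now:
        return None
    return claims
```

Only requests that pass both `source_allowed` and `verify_access_jwt` should reach Home Assistant; a request that reaches the box from outside the proxy ranges, or carries no valid assertion, is the direct-IP probing the thread describes.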