I thinking about it, but don´t get any idea:
1.) When I use CloudFlare for sites, the Wordpress and any plugin get the real IP, don´t need this.
2.) When attacker attack the servers IP address, then attack without CloudFlare, this not need for Fail2ban.
I have no clue for what is this setting 
Help me.
Fail2ban also needs to identify which IPs belong to the CDN. If the CDN IP is blocked, the website will not be accessible.
The Fail2ban manager requires the cloudflare global token, that is deprecated.
https://developers.cloudflare.com/fundamentals/api/get-started/keys/
Cloudflare replaced it by segmented tokens.
What is the Cloudflare token to be used with the Fail2ban according to the new Cloudflare segmented token system?
New scheme of tokens:
Hello, it is recommended that you set the whitelist directly, it is known that CDN cannot be set normally
Nanno You can see the global API token in your profile settings. https://dash.cloudflare.com/profile/api-tokens
Until developers update the plugin to work with Cloudflare tokens, you can use the global API.
aaPanel_Kern
Yes, whitelist them is a possibility. even if there is a need to manually update them.
For those interested in this path, the Cloudflare IPs are available here:
https://www.cloudflare.com/ips-v6/
https://www.cloudflare.com/ips-v4/
