Transport | Government | WAF | Bot Management | DDoS Protection

PCFC standardised application security across UAE ports and customs operations.

How Brixio onboarded PCFC (Ports, Customs and Free Zone Corporation) onto Cloudflare with WAF, Bot Management, DDoS protection, rate limiting, and SIEM integration.

Dubai, UAE | Public-facing digital properties
PCFC
  • APPSEC: Full stack. WAF, Bot Management, DDoS and rate limiting across PCFC properties.
  • ROLLOUT: Staged. Log-first then enforce, no disruption to government operations.
  • TELEMETRY: SIEM-ready. Logpush exporting WAF, Bot, DDoS and Access events for monitoring.
  • DELIVERY: Sept. 2025. Project completed with documented governance and full traceability.

The challenge

PCFC oversees ports, customs, and free zone operations in the UAE, a critical component of the country's trade and logistics infrastructure. The organisation needed to modernise its application delivery architecture with enterprise-grade security, performance, and operational visibility across multiple digital properties.

The pre-existing posture had several gaps:

  • Inconsistent application security across PCFC's public-facing digital properties, with no unified WAF or bot policy.
  • No structured DDoS protection or rate limiting on critical endpoints, leaving the estate exposed to volumetric and credential-stuffing attacks.
  • Public IP origins reachable directly, with no tunnelling or zero-trust path between Cloudflare and the application servers.
  • No SIEM-ready logging on application security events, limiting incident-response and compliance reporting.

What Brixio deployed

Planning and readiness

  • Final scoping and validation of application inventory.
  • Cloudflare account preparation and structured onboarding planning.

Application security implementation

  • WAF with managed rulesets and custom rules, validated through live traffic monitoring.
  • Bot Management baseline policies with exception handling for legitimate automation.
  • Always-on DDoS protection with alerting and notifications.
  • Rate limiting with staged rollout (log-first, then enforce) for global and endpoint-specific rules.

Performance and resilience

  • CDN caching strategy with cache bypass rules for sensitive flows.
  • Argo Smart Routing for performance-optimised traffic paths (where applicable).

Secure connectivity

  • Cloudflare Tunnel deployments for secure origin reachability without public IP exposure.

Logging and governance

  • Logpush configured for WAF, Bot, DDoS, and Access telemetry.
  • Delivery documented with a structured project board, repository and issue/risk register.

Architecture

Public users, partners and bot traffic converge on a single Cloudflare edge before reaching PCFC origins, with all events exported to SIEM.

[Diagram: Public users (web + mobile), partner traffic (customs + logistics) and bot traffic (discovery + abuse) -> Cloudflare edge (WAF, Bot Management, DDoS, rate limiting) -> PCFC origins via Cloudflare Tunnel (public services: customs + free zone); events exported to SIEM via Logpush.]

Results

After the staged rollout, PCFC's digital properties run under a unified application security stack with structured rate limiting, secure origin connectivity and SIEM-ready telemetry.

  • Unified application security: WAF, Bot Management, DDoS and rate limiting deployed consistently across PCFC's public-facing digital properties.
  • Bot abuse contained: Bot Management blocks automated abuse while allowing legitimate automation via documented exceptions.
  • Rate limiting without disruption: Log-first staged rollout validated thresholds before enforcement, keeping government operations running smoothly.
  • Audit-ready telemetry: WAF, Bot, DDoS and Access logs streamed via Logpush for continuous monitoring and compliance reporting.

Sector perspective

Ports and customs are critical infrastructure: regulators expect provable, layered AppSec.

Ports and logistics infrastructure is classified as critical infrastructure under UAE NESA controls and, for EU-connected operations, NIS2. The combination of WAF, bot management, DDoS protection and structured delivery governance illustrates the kind of deployment that regulatory frameworks expect for government-operated logistics infrastructure, with traceable evidence of policy enforcement and incident telemetry.

NESA UAE | NIS2 | ISO 27001