A new policy (baseline version 201809110525) for Pulse vWAF is now available. In this baseline update, we have updated and extended an existing rule for PHP remote file inclusion. This rule was originally intended to validate both headers and parameters of HTTP traffic, but in some circumstances, it might trap permitted HTTP headers.
Modified: Change original rule to apply only to validate HTTP traffic
Added: Create a new rule to check HTTP headers for PHP remote file inclusion attacks. This rule protects against PHP remote file inclusion and allows well-formed URLs.
You can download this baseline update direct to Pulse vWAF in the usual way via the portal, or else install this update manually if your Pulse vWAF is isolated from external network connection.