High Performance Web Application Security for Virtual and Cloud Environments

Secure your applications with a distributed web application firewall

Defense in Depth with Pulse vWAF

Pulse vWAF delivers scalable application security for off-the-shelf and custom applications, including third-party frameworks. Apply business rules to online traffic, inspect and block attacks such as SQL injection and cross-site scripting (XSS), and filter outgoing traffic and data to mask credit card data.  Pulse vWAF helps achieve compliance with PCI-DSS requirements.

  • Massive Scalability: Scale dynamically to secure global applications, and cluster across hybrid cloud platforms.
  • Cross Platform Portability: Deploy distributed security policies across hybrid cloud, software and virtual environments.
  • Rapid Response: Refine policies with dual-mode “detect and protect” operation, minimizing false positives and disruption.
Securing Cloud

Discover how to secure your applications with Pulse vWAF, a scalable, distributed application security platform for protecting off-the-shelf and custom applications.

Protect Against Critical Web

Learn how Pulse vWAF shields applications from critical security risks by applying business rules to block attacks such as in the OWASP Top Ten project.

Attribute-based Authentication

Build stronger application security with Pulse vADC and vWAF, with active security enforcement to supplement user and device authentication.

vWAF Datasheet

Find out about Pulse's scalable solution for application-level security.

Problem Icon White

Complex Applications Need Dynamic Protection

Today’s complex applications are prime targets for hackers, and your application and security teams can find it difficult to resolve application vulnerabilities in today’s dynamic IT environment.

Evolving AppSec
What’s next? New attack vectors are emerging all the time, and as your application evolves, so too do the potential vulnerabilities which become exposed. It can take longer to fix security vulnerabilities once identified, and in some cases it may prove prohibitively expensive to locate the error, create the patch, and deploy the fix.

Blunt Tools
How can you reduce false positives? Traditional application security tools focus on detection of malicious activity using inflexible rules, which can lead to many false positives. You need more flexibility in the response to each type of activity, and the ability to tune individual policies for each part of the application.

Long Exposure Window
How long does it take to close critical vulnerabilities? Your developers are under pressure to meet deadlines and secure customer data, and software vendors are often unable to provide patches quick enough to meet your campaign deadlines and product release cycles.

Solution Icon White

Scalable Security for Critical Applications

Pulse vWAF is a web application firewall designed to support industry best practices. A modular architecture makes it ideal for next-generation applications and hybrid cloud deployments.

Proactive Security Tools
Apply business rules and security policies to online traffic, inspecting and blocking attacks such as SQL injection and cross-site scripting, while filtering outgoing traffic to mask credit card data.

Hybrid Security Fabric
Define security policies which can follow you on your journey from lab, to data center to hybrid cloud. Protect applications which span technology platforms, with a common set of management tools and a single console.

Virtual Patching
Close application vulnerabilities faster, by importing ruleset recommendations from third-party vulnerability scanners or use automated learning to discover new recommendations. Baseline updates can be applied for common vulnerabilities such as SQL injection and Cross-Site Scripting.

Feature Highlights

Block Icon

Massive Scalability

Scale dynamically to secure global applications, and cluster across hybrid cloud platforms.

Block Icon

Cross Platform Portability

Deploy distributed security policies across hybrid cloud, software, virtual and more.

Block Icon

Rapid Response

Close application vulnerabilities faster, pushing virtual patches out to global applications.

Block Icon

Dual-Mode Detection and Protection

Automated means to refine policies to minimize false positives.

Block Icon

Automated Learning

Adaptive learning makes it easier for security teams to manage policies.

Block Icon

Delegated Management

Secure access for application teams to manage specific domains independently.

Block Icon

PCI DSS Compliance

PCI auditor role to review baselines and application-specific policies to help compliance.

Block Icon

SIEM Integration

Works with your security workflow and SIEM.

  • Overview

  • Key Features

  • Use Cases

  • Deployment

  • Benefits

Pulse vWAF can apply business rules to online traffic, inspecting and blocking attacks such as SQL injection and cross-site scripting, while filtering outgoing traffic to mask credit card data.

Protecting Incoming Requests

Pulse vWAF receives and analyzes each request against the ruleset assigned to the application, and determines which of the following actions to take:

  • Permitted requests are passed to the application
  • Requests which are identified as known attacks are rejected, and logged with information to help trace the attacker
  • Requests which cannot immediately be categorized can be configured for rejection, passed to the application, or captured for future analysis

Protecting Outgoing Data

Pulse vWAF also monitors outgoing responses as they are returned to the client. Sensitive information can be filtered out from responses to prevent data leakage (DLP) even if an initial malformed request is successful. Pulse vWAF monitors the behavior of the application and traffic patterns to help optimize protection and recommend additional policies.

Proactive Application Security Features

Cross Site Scripting (XSS)

  • Validation of user-generated input
  • Exclude suspected XSS payloads
  • Create custom rules to trigger on specific XSS patterns


Injection Flaws

  • Detect attempts to execute malicious code in a database or script
  • Typically via vectors such as SQL, LDAP or Shell
  • Custom rules can be set to look for application-specific pattern


Mask Sensitive Data

  • Enforce encryption for data in transit
  • Filter outgoing traffic for data leakage
  • Mask sensitive data such as SSN, Credit Card information


Secure Application Entry Points

  • Ensure user sessions start at approved entry points
  • Prevent deep linking into applications, enforcing entry points and authentication steps

Secure Session Management

  • Protect user and session data from being exposed through weak links such as session cookies and tokens
  • Enforce controls on user session timeouts and session limits
  • Exchange weak session cookies for a more secure session management


Baseline Protection

  • Baseline Protection Wizard makes it easy to update policies
  • Known vulnerabilities and attacks are defined by black list and/or regular expressions
  • When a rule or policy is triggered, the request is rejected without exposing the application


Redirection and Forwarding Attacks

  • Enforce fully-qualified URLs to protect against unwanted redirection
  • Protect against weak validation of redirection criteria used to trigger malware or phishing attacks
  • Define preferred redirection targets to trap attacks

Agile Security for Critical Applications

Pulse vWAF brings defense-in-depth to applications with real-time policy enforcement, including transparent secure session management and form-field virtualization, in a scalable Web Application Firewall (WAF) solution.

  • PCI DSS Compliance: Pulse Secure vWAF helps compliance with PCI DSS, which is a key standard with for organizations which manage credit card payments. Not only does Pulse vWAF help to meet the requirements of PCI DSS 6.6, but it can be easily be configured with additional security policies to detect and prevent attacks specific to all applications.
  • Data Leakage Protection (DLP): Filter outgoing traffic to hide sensitive data details when sent outside your organization, by identifying certain patterns of data such as social security numbers, names, card numbers, and other sensitive information. Pulse vWAF can also enforces SSL/TLS encryption to protect data in transit.
  • High-Velocity Development: Accelerate application development, by providing proactive security shielding for Agile or DevOps processes. Pulse vWAF provides the extra security layer necessary to balance faster innovation and growth, with the need to maintain security and regulatory compliance.


Pulse vWAF supports a full range of deployment options allowing you to choose the best fit for your architecture and application risk profile. Pulse vWAF can be deployed as a virtual appliance, on a web server, or as a physical appliance in your data center or cloud provider — or even as an integrated package with Pulse Virtual Traffic Manager (vTM) for enhanced security and control of complex applications.

In addition, Pulse Secure vWAF is also available as a stand-alone package, designed to be used with existing load-balancers and ADCs, and is particularly suitable for cloud deployment to add application-level security to a cloud application without changing the application architecture.

  • Integrated with Pulse vADC

The most popular type of deployment, Pulse vWAF is included with the Pulse Access Suite

  • Stand-Alone vWAF For Third-Party Load Balancers

Available as a stand-alone virtual appliance, Pulse vWAF is typically deployed alongside an existing ADC or load balancer device 

  • Fully Distributed vWAF

Pulse vWAF can be implemented as Web server plug-ins providing a fully distributed microservices architecture with complete flexibility

Application-Aware Policy Enforcement

Pulse vWAF enables fine-grained control of policies to minimize false positives, enforce specific workflows, and redirect access to prevent URL manipulation.

  • Unique Scalable Architecture: Scale up to meet the requirements of the largest global applications in the cloud, or scale down to protect management ports on access gateways. Scale out by clustering, or co-host multiple applications on a single instance.
  • Delegated and Distributed Management: Centralized policy management and reporting with support for delegating security configurations of specific applications or domain.
  • Resolve Vulnerabilities 10x Faster: Create virtual patches for third-party applications, import rules and recommendations from external tools, or use automated learning to develop recommendations and insights into application behavior.

What Our Customers Say


"With Pulse Secure, we can lock down sensitive data and satisfy PCI DSS compliance.”

VP Development, Gilt Groupe