We've been having issues with our firewall vendor flagging Moodle traffic as suspicious, specifically as PHP URI Code injection attempts. We've discovered that in these instances the content of forum posts look to be included in the URI for the poster, and that is what is getting flagged.
We are obviously working with the vendor to make sure they do not flag traffic of this nature. That being said we'd also like to look at this from Moodle's end. Is there a way for us to configure how this traffic is transmitted, like a GUI configuration to push it over HTTP Post instead of via the URI.