WAF Feature Mapping between BIG-IP and BIG-IP Next
Migration supports WAF policies in declarative JSON format. WAF policies in XML or binary formats are not currently supported on BIG-IP Next. See How to: Migrate BIG-IP application configurations onto BIG-IP Next Central Manager.
When exporting a WAF policy from BIG-IP, ensure you are using the Full Export Mode. See Import, Export, Clone, Revert, or Delete a WAF Policy.
For more information about the WAF JSON declaration, see Declarative WAF Policy Schema.
URLs
BIG-IP TMOS Sub Feature | BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|---|
Allowed URLs | Supported, except: Clickjacking; Access Profile; Base64 Decoding; Clickjacking protection | Supported, except: GraphQL; Access Profile; Base64 Decoding; Clickjacking protection; Positional parameters; Rendering in iframe; Header-based content profiles; HTML5 Cross-domain Request enforcement; Override character on URL; Methods override |
Differentiate between HTTP/HTTPS | Supported | Not Supported |
Flows URL | Not Supported | Not Supported |
Disallowed URLs | Supported | Not Supported |
Web-sockets URLs | Not Supported | Not Supported |
Wildcards Order | Supported | Not Supported |
Character Set | Supported | Not Supported |
Dynamic Session ID in URL | Supported | Not Supported |
Headers
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Not Supported |
Headers Character Set
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Not Supported |
Parameters
BIG-IP TMOS Sub Feature | BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|---|
Navigational Parameters | Not Supported | Not Supported |
Parameter Level | Supported, except: Flow level; No Name parameter | Supported, except: Flow level; No Name parameter; Mandatory parameter; URL level |
Parameter Location | Supported | Supported, except: Path location; Header location; Cookie location |
Parameter value type - User input value | Supported | Supported, except: Parameter value type - Array value, Ignore value, Static content, JSON value, XML value; Data type - URI, Phone, Email, Boolean, Integer, Decimal; Name Meta Characters; Value Meta Characters; Auto Detect - Max Length; File Upload - Min/Max length |
Parameter value type - Dynamic + Parameters extractions | Supported, except: Extract from: File types, Regex; Extraction methods configuration | Supported, except: Extract from: File types, Regex; Extraction methods configuration |
Sensitive Parameters | Supported | Not Supported |
Wildcards order | Supported | Not Supported |
Character Set | Supported | Not Supported |
Response Pages
BIG-IP TMOS Sub Feature | BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|---|
Web | Supported | Supported |
Ajax Application Response | Supported | Supported |
Erase Cookies | Supported | Not Supported |
XML | Supported | Not Supported |
Cookie Hijacking | Not Supported | Not Supported |
CAPTCHA | Not Supported | Not Supported |
CAPTCHA Fail | Not Supported | Not Supported |
Failed Honeypot Login | Not Supported | Not Supported |
Leaked Credentials | Not Supported | Not Supported |
Mobile Application | Not Supported | Not Supported |
GraphQL | Supported | Not Supported |
User-Defined Signatures
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Not Supported |
User-Defined Signature Sets
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Not Supported |
File Types
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Supported |
Evasion Techniques
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Supported |
HTTP RFC Compliance
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Supported |
Attack Signatures
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Supported, except: Auto-Added Signature Accuracy; Updated Signature Enforcement; Enable/Disable Staging (All Sigs) |
Geo Locations
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Supported |
IP Exception List
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Supported, except: |
JSON Content Profile
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Not Supported |
XML Content Profile
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Not Supported |
GWT Content Profile
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Not Supported |
Plain Text Profiles
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Not Supported |
OpenAPI Based Protection
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Not Supported |
CSRF
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported, except: Protected URLs Type Enforcement order; CSRF Token | Supported, except: Protected URLs Type Enforcement order CSRF Token Setting parameters |
DataGuard
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Supported, except: Mask Credit Card Numbers in the Request Log; Exception Pattern |
HTTP/2
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Supported |
API to import Data Protection Cookie
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Not Supported |
iRules Support
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported with exceptions. See iRules | Supported with exceptions: Enable/Disable iRule |
GraphQL Content Profile
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported, except: Maximum Query Cost | Not Supported |
Analytics & Reporting (by central manager)
BIG-IP TMOS Sub Feature | BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|---|
Analytics | NA | Supported |
Application Traffic | NA | Supported |
Application Action Items | NA | Not Supported |
OWASP Dashboard | NA | Not Supported |
PCI Compliance Report | NA | Not Supported |
Signature Updates
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Supported, except: |
Threat Campaigns
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Supported, except: TC Signature view/enforcement level; No TC staging; No override per entity |
SSRF
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Supported |
Cookies
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Supported, except: Wildcard order; base64 Decoding; Insert Same site attribute |
IP Intelligence
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Supported, except: Category view/enforcement level; Database status |
Central Policy Builder
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported, except: | Supported, except: |
Violation Rating Based Enforcement
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Supported |
L7 DoS
TPS Based Detection
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Not Supported | Not Supported |
Behavioral and Stress Based Detection
BIG-IP TMOS Sub Feature | BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|---|
Behavioral-based protection | Supported | Supported |
Enforcement Mode | Not Supported | Not Supported |
Thresholds Mode | Not Supported | Not Supported |
Stress-based Detection and Mitigation | Not Supported | Not Supported |
Behavioral Detection and Mitigation | Supported | Supported |
Prevention duration | Not Supported | Not Supported |
Record Traffic | Not Supported | Not Supported |
Aggressive mode | Not Supported | Not Supported |
Approved signatures only | Not Supported | Not Supported |
Dynamic Signatures | Not Supported | Not Supported |
Brute Force
BIG-IP TMOS Sub Feature | BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|---|
Source-Based Protection: Username | Supported, except: Alarm & CAPTCHA; Alarm & CSI | Supported, except: Alarm & CAPTCHA; Alarm & CSI |
Source-Based Protection: IP Address | Supported, except: Alarm & CAPTCHA; Alarm & Drop; Alarm & CSI; Alarm & Honeypot | Supported, except: Alarm & CAPTCHA; Alarm & Drop; Alarm & CSI; Alarm & Honeypot |
CAPTCHA Bypass Mitigation | Not Supported | Not Supported |
Source-Based Protection: Device ID | Not Supported | Not Supported |
Client Side Integrity Bypass Mitigation | Not Supported | Not Supported |
Distributed Brute Force Protection | Not Supported | Not Supported |
Distributed Brute Force Protection - Detect Credential Stuffing | Not Supported | Not Supported |
Login Page | Supported | Supported, except: Logout page; Login enforcement; Request Body Header name regular expression; Response status code multiple values |
Single Page Application
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Supported |
Integrated Services
BIG-IP TMOS Sub Feature | BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|---|
Antivirus Protection (ICAP) | Not Supported | Not Supported |
Database Security | Not Supported | Not Supported |
Server Technologies
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Not Supported |
Session Tracking
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Not Supported | Not Supported |
Webhooks
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Not Supported | Not Supported |
DataSafe
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Not Supported | Not Supported |
Web Sockets
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Not Supported | Not Supported |
gRPC Content Profile
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Not Supported | Not Supported |
Leaked Credentials Check
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Not Supported | Not Supported |
Vulnerability Assessment Tool (Scanners) Integration
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Not Supported | Not Supported |
Microservices
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Not Supported | Not Supported |
Layered Policy (Parent-Child)
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Not Supported | Not Supported |
Redirection Protection
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Not Supported |
Access Profile
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Not Supported | Not Supported |
Handle Path Parameters
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Not Supported |
Bot Defense
General Settings
BIG-IP TMOS Sub Feature | BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|---|
Enforcement Mode | Supported | Supported |
Signature Staging | Not Supported | Not Supported |
Response and Blocking Pages | Not Supported | Not Supported |
Bot Mitigation Settings
BIG-IP TMOS Sub Feature | BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|---|
Mitigation Settings - classes | Supported, except: Mitigation actions: CAPTCHA, Honeypot, Redirect to Pool, TCP Reset, Rate Limit | Supported, except: Mitigation actions: CAPTCHA, Honeypot, Redirect to Pool, TCP Reset, Rate Limit |
Strict Mitigation Enforcement Cases | Not Supported | Not Supported |
Mitigation Settings Exceptions | Supported, except: Category exception (workaround exists: add exceptions for all sub signatures/anomalies) | Supported, except: Category exception (workaround exists: add exceptions for all sub signatures/anomalies); Signatures Exceptions |
Microservice Protection
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Not Supported | Not Supported |
Browsers
BIG-IP TMOS Sub Feature | BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|---|
Browser Access | Supported | Not Supported |
Browser Verification | Supported, except: JS validation | Not Supported |
Device ID Mode | Not Supported | Not Supported |
Verification and Device-ID Challenges in Transparent Mode | Not Supported | Not Supported |
Single Page Application | Not Supported | Not Supported |
Cross Domain Requests | Not Supported | Not Supported |
Mobile Applications
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Not Supported | Not Supported |
Signature Enforcement
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Supported | Supported |
Whitelist
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Not Supported | Not Supported |
User-Defined Signatures
BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|
Not Supported | Not Supported |
Environmental Support
BIG-IP TMOS Feature | BIG-IP Next Support Status | BIG-IP Next CM UI Support Status |
---|---|---|
Signature Updates | Supported | Supported, except: Schedule updates |
HA Support | Supported | Supported |
QKView Support | Supported | Supported |
Backup & Restore | Supported | Supported |
System Logs | Supported | Supported |
Traffic Logs (WAF, Bot, L7 Behavioral DoS) | Supported | Supported |
Import Data Protection Cookie | Supported | Not Supported |
Policy Diff (by central manager) | NA | Not Supported |
Global Settings | Supported | Not Supported |