WAF Feature Mapping between BIG-IP and BIG-IP Next

Migration supports WAF policies in declarative JSON format. WAF policies in XML or Binary formats are not currently supported on BIG-IP Next. See How to: Migrate BIG-IP application configurations onto BIG-IP Next Central Manager

When exporting a WAF policy from BIG-IP, ensure you are using the Full Export Mode. See Import, Export, Clone, Revert, or Delete a WAF Policy

For more information about the WAF JSON declaration, see Declarative WAF Policy Schema.

URLs

BIG-IP TMOS Sub Feature BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Allowed URLs Supported, except:

Clickjacking
Access Profile
Base64 Decoding
Clickjacking protection
Supported, except:

GraphQL
Access Profile
Base64 Decoding
Clickjacking protection
Positional parameters
Rendering in iframe
Header-based content profiles
HTML5 Cross-domain Request enforcement
Override character on URL
Methods override
Differentiate between HTTP/HTTPS Supported Not Supported
Flows URL Not Supported Not Supported
Disallowed URL's Supported Not Supported
Web-sockets URL's Not Supported Not Supported
Wildcards Order Supported Not Supported
Character Set Supported Not supported
Dynamic Session ID in URL Supported Not Supported

Headers

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Supported Not Supported

Headers Character Set

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Supported Not Supported

Parameters

BIG-IP TMOS Sub Feature BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Navigational Parameters Not Supported Not Supported
Parameter Level Supported, except:

Flow level
No Name parameter
Supported, except:

Flow level
No Name parameter
Mandatory parameter
URL level
Parameter Location Supported Supported except

Path location
Header location
*Cookie location
Parameter value type - User input value Supported Supported, except:

Parameter value type - Array value, Ignore value, Static content, JSON value, XML value
Data type - URI, Phone, Email, Boolean, Integer, Decimal
Name Meta Characters
* Value Meta Characters
Auto Detect - Max Length
*File Upload -Min/Max length
Parameter value type - Dynamic + Parameters extractions Supported, except:

* Extract from: File types, Regex
* Extraction methods configuration
Supported, except:

* Extract from: File types, Regex
* Extraction methods configuration
Sensitive Parameters Supported Not Supported
Wildcards order Supported Not Supported
Character Set Supported Not supported

Response Pages

BIG-IP TMOS Sub Feature BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Web Supported Supported
Ajax Application Response Supported Supported
Erase Cookies Supported No Supported
XML Supported Not Supported
Cookie Hijacking Not Supported Not Supported
CAPTCHA Not Supported Not Supported
CAPTCHA Fail Not Supported Not Supported
Failed Honeypot Login Not Supported Not Supported
Leaked Credentials Not Supported Not Supported
Mobile Application Not Supported Not Supported
GraphQL Supported Not Supported

User Define Signatures

BIG-IP Next Support Status

BIG-IP Next CM UI Support Status

Supported

Not Supported

User Define Signature Sets

BIG-IP Next Support Status

BIG-IP Next CM UI Support Status

Supported

Not Supported

File Types

BIG-IP Next Support Status

BIG-IP Next CM UI Support Status

Supported

Supported

Evasion Techniques

BIG-IP Next Support Status

BIG-IP Next CM UI Support Status

Supported

Supported

HTTP RFC Compliance

BIG-IP Next Support Status

BIG-IP Next CM UI Support Status

Supported

Supported

Attack Signatures

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Supported Supported except:

Auto-Added Signature Accuracy
Updated Signature Enforcement
*Enable/Disable Staging (All Sigs)

Geo Locations

BIG-IP Next Support Status

BIG-IP Next CM UI Support Status

Supported

Supported

IP Exception List

BIG-IP Next Support Status

BIG-IP Next CM UI Support Status

Supported

Supported, except:

*Brute Force Detection
*Description
*IP Intelligence

JSON Content Profile

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Supported Not Supported

XML Content Profile

BIG-IP Next Support Status

BIG-IP Next CM UI Support Status

Supported

Not Supported

GWT Content Profile

BIG-IP Next Support Status

BIG-IP Next CM UI Support Status

Supported

Not Supported

Plain Text Profiles

BIG-IP Next Support Status

BIG-IP Next CM UI Support Status

Supported

Not Supported

OpenAPI Based Protection

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Supported Not Supported

CSRF

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Supported, except:

Protected URLs Type
Enforcement order
*CSRF Token
Supported, except:

Protected URLs Type
Enforcement order
CSRF Token
Setting parameters

DataGuard

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Supported Supported, except:

Mask Credit Card Numbers in the Request Log
Exception Pattern

HTTP/2

BIG-IP Next Support Status

BIG-IP Next CM UI Support Status

Supported

Supported

iRules Support

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Supported with exceptions. See iRules Supported with exceptions:

*Enable/Disable iRule

GraphQL Content Profile

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Supported, except:

*Maximum Query Cost
Not Supported

Analytics & Reporting (by central manager)

BIG-IP TMOS Sub Feature BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Analytics NA Supported
Application Traffic NA Supported
Application Action Items NA Not Supported
OWASP Dashboard NA Not Supported
PCI Compliance Report NA Not Supported

Signature Updates

BIG-IP Next Support Status

BIG-IP Next CM UI Support Status

Supported

Supported, except:

*Schedule updates

Threat Campaigns

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Supported Supported, except:

TC Signature view/enforcement level
No TC staging
*No override per entity

SSRF

BIG-IP Next Support Status

BIG-IP Next CM UI Support Status

Supported

Supported

Cookies

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Supported Supported, except:

* Wildcard order
* base64 Decoding
* Insert Same site attribute

IP Intelligence

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Supported Supported, except:

Category view/enforcement level
Database status

Central Policy Builder

BIG-IP Next Support Status

BIG-IP Next CM UI Support Status

Supported, except:

*Fully Automatic

Supported, except:

*Fully Automatic
*Auto-Apply

Violation Rating Based Enforcement

BIG-IP Next Support Status

BIG-IP Next CM UI Support Status

Supported

Supported

L7 DoS

TPS Based Detection

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Not Supported Not Supported

Behavioral and Stress Based Detection

BIG-IP TMOS Sub Feature BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Behavioral-based protection Supported Supported
Enforcement Mode Not Supported Not Supported
Thresholds Mode Not Supported Not Supported
Stress-based Detection and Mitigation Not Supported Not Supported
Behavioral Detection and Mitigation Supported Supported
Prevention duration Not Supported Not Supported
Record Traffic Not Supported Not Supported
Aggressive mode Not Supported Not Supported
Approved signatures only Not Supported Not Supported
Dynamic Signatures Not Supported Not Supported

Brute Force

BIG-IP TMOS Sub Feature BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Source-Based Protection: Username Supported, except:

Alarm & CAPTCHA
Alarm & CSI
Supported, except:

Alarm & CAPTCHA
Alarm & CSI
Source-Based Protection: IP Address Supported, except:

Alarm & CAPTCHA
Alarm & Drop
Alarm & CSI
Alarm & Honeypot
Supported, except:

Alarm & CAPTCHA
Alarm & Drop
Alarm & CSI
Alarm & Honeypot
CAPTCHA Bypass Mitigation Not Supported Not Supported
Source-Based Protection: Device ID Not Supported Not Supported
Client Side Integrity Bypass Mitigation Not Supported Not Supported
Distributed Brute Force Protection Not Supported Not Supported
Distributed Brute Force Protection - Detect Credential Stuffing Not Supported Not Supported
Login Page Supported Supported, except:

Logout page
Login enforcement
Request Body
Header name regular expression
*Response status code multiple values

Single Page Application

|BIG-IP TMOS Sub Feature|BIG-IP Next Support Status|BIG-IP Next CM UI Support Status| |:—|:—| |Supported|Supported|

Integrated Services

BIG-IP TMOS Sub Feature BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Antivirus Protection (ICAP) Not Supported Not Supported
Database Security Not Supported Not Supported

Server Technologies

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Supported Not Supported

Session Tracking

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Not Supported Not Supported

Webhooks

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Not Supported Not Supported

DataSafe

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Not Supported Not Supported

Web Sockets

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Not Supported Not Supported

gRPC Content Profile

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Not Supported Not Supported

Leaked Credentials Check

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Not Supported Not Supported

Vulnerability Assessment Tool (Scanners) Integration

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Not Supported Not Supported

Microservices

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Not Supported Not Supported

Layered Policy (Parent-Child)

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Not Supported Not Supported

Redirection Protection

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Supported Not Supported

Access Profile

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Not Supported Not Supported

Handle Path Parameters

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Supported Not Supported

Bot Defense

General Settings

BIG-IP TMOS Sub Feature BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Enforcement Mode Supported Supported
Signature Staging Not supported Not supported
Response and Blocking Pages Not Supported Not Supported

Bot Mitigation Settings

BIG-IP TMOS Sub Feature BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Mitigation Settings - classes Supported, except:

*Mitigation actions: CAPTCHA, Honeypot, Redirect to Pool, TCP Reset, Rate Limit
Supported, except:

*Mitigation actions: CAPTCHA, Honeypot, Redirect to Pool, TCP Reset, Rate Limit
Strict Mitigation Enforcement Cases Not Supported Not Supported
Mitigation Settings Exceptions Supported, except:

*Category exception (workaround exists: add exceptions for all sub signatures/anomalies)
Supported, except:

Category exception (workaround exists: add exceptions for all sub signatures/anomalies)
Signatures Exceptions

Microservice Protection

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Not Supported Not Supported

Browsers

BIG-IP TMOS Sub Feature BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Browser Access Supported Not Supported
Browser Verification Supported, except:

*JS validation
Not Supported
Device ID Mode Not Supported Not Supported
Verification and Device-ID Challenges in Transparent Mode Not Supported Not Supported
Single Page Application Not Supported Not Supported
Cross Domain Requests Not Supported Not Supported

Mobile Applications

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Not Supported Not Supported

Signature Enforcement

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Supported Supported

Whitelist

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Not Supported Not Supported

User-Define Signatures

BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Not Supported Not Supported

Environmental Support

BIG-IP TMOS Feature BIG-IP Next Support Status BIG-IP Next CM UI Support Status
Signature Updates Supported Supported, except:

*Schedule updates
HA Support Supported Supported
QKView Support Supported Supported
Backup & Restore Supported Supported
System Logs Supported Supported
Traffic Logs (WAF, Bot, L7 Behavioral DoS) Supported Supported
Import Data Protection Cookie Supported Not Supported
Policy Diff (by central manager) NA Not Supported
Global Settings Supported Not Supported