WAF (Web Application Firewall) is a security appliance with high compliance sensitivity: HS classification, cyber information security import licensing, encryption-related functions and licence/subscription separation must be reviewed before ETA. This guide provides an E2E map for importers to control HS code, tax, specialized policy, documents, customs process and pre-ETA risks.

QUICK FACT

Item	Review direction
Applicable product	WAF (Web Application Firewall) physical appliance used to protect web applications/APIs against attacks and intrusion.
Related product group	Email Security, WAF, web app security appliance; not automatically applicable to Email Security or other gateways if the technical file shows a different nature.
Reference HS codes	8471.30.90 / 8471.41.90 / 8471.49.90; certain network-oriented configurations may require cross-checking 8517.62.43.
Proposed taxes	Ordinary import duty 5%; MFN 0%; VAT 10%; special preferential duty under C/O to be checked by FTA and C/O form.
Key policy	Import licence for cyber information security products if the model is listed; civil cryptography review if dedicated encryption is involved; ICT conformity/quality inspection if listed as group-2 ICT goods.
Required technical file	Catalogue, datasheet, user manual, security functions, license/subscription terms, model–serial list, test report if any, original label and actual import purpose.

Legal note: This is an operational reference for physical WAF appliances. Final treatment must be reviewed against catalogue, datasheet, model and actual import purpose.

SCOPE OF APPLICATION

This article applies only to WAF in the Email Security, WAF, web app security appliance group. It does not automatically apply to Email Security, DLP, network firewall, endpoint gateway or pure cloud service if the technical file shows another nature.

Product separation

Hardware, licence, subscription and support should be separated if shown separately on commercial documents.

Goods condition

New, used, refurbished, sample, warranty and project goods may trigger different requirements.

Accessory review

Network modules, transceivers, adapters and security feature licences must be checked separately.

Core principle

Do not generalize related variants. Review by catalogue, datasheet, model and actual import purpose.

CLASSIFICATION & TECHNICAL IDENTIFICATION

WAF should be identified by its main function: protecting web applications/APIs, filtering web traffic, reverse proxy and preventing application-layer attacks.

Technical criterion	Document to check	Risk if misdescribed	Recommended goods description
Product nature	Catalogue, datasheet, user manual, BOM if any	Wrong HS/policy if declared merely as network device or server	Web Application Firewall appliance; model…; for web/API protection.
Deployment form	Hardware appliance, virtual appliance, cloud licence/subscription documents	Incorrect treatment of hardware and software/licence value	Separate hardware, licence, subscription and support/maintenance lines where applicable.
Security functions	WAF, reverse proxy, API protection, layer-7 attack prevention documents	Missing import licence for cyber information security products	State the main WAF function according to datasheet.
Encryption functions	TLS inspection, VPN, IPSec, SSL offload, key management documents	Civil cryptography review may arise	Clarify whether encryption is supporting or dedicated cryptographic function.
Hardware configuration	CPU, RAM, storage, ports, throughput, sessions/users	Classification may shift between Chapter 84 and Chapter 85	Declare model, configuration, ports, processing capacity and accessories.

HS CODE – TAX – C/O

Reference HS code	Applicable condition	Risk if wrongly applied	Documents to check
8471.30.90	Consider only where the WAF falls under portable/compact ADP equipment according to the technical file.	May be unsuitable for rack appliance, system or network transmission equipment.	Catalogue, datasheet, dimensions and operation mode.
8471.41.90	Consider where the appliance contains CPU and input/output units in the same housing.	Wrong code may affect import licence, tax and customs explanation.	Hardware datasheet, operation diagram and port photos.
8471.49.90	Consider where the WAF is imported as an ADP system comprising several functional units.	May be questioned if the goods are a single network/security appliance.	Packing list, model list and installation file.
8517.62.43	Cross-check only if the product is mainly a network data transmission/reception device or gateway.	Using Chapter 85 by default may misrepresent an application-layer WAF.	Network function datasheet, ports, gateway/routing/bridging function.

PROPOSED TAX AND C/O REVIEW TABLE

Classification scenario	Condition	Ordinary duty	MFN	VAT	Special C/O preference	Control note
8471.30.90	Compact/portable ADP-type WAF according to technical file	5% reference	0%	10%	Usually checkable to 0% if C/O and FTA conditions are met	Check tariff at customs declaration date.
8471.41.90	WAF appliance with CPU, memory and input/output units in the same housing	5% reference	0%	10%	Usually checkable to 0% if C/O and FTA conditions are met	Often relevant where the file shows ADP equipment nature.
8471.49.90	WAF imported as ADP system	5% reference	0%	10%	Usually checkable to 0% if C/O and FTA conditions are met	Separate hardware, accessories and licence lines.
8517.62.43	Network/gateway data transmission equipment scenario	5% reference	0%	10%	Usually checkable to 0% if C/O and FTA conditions are met	Do not use as default if the catalogue shows WAF nature.
Licence/subscription/support	Separately invoiced software licence, update package or service	Not fixed with appliance	Separate review	Separate review	Separate review	Distinguish physical imported goods from electronic services/software.

Note: Tax rates are operational references. The final payable duty depends on HS code, tariff in force, origin and valid C/O at declaration date.

SPECIALIZED POLICIES

Goods situation	Possible policy	Documents to review	Authority/portal if identifiable	Recommended timing	Risk note
WAF appliance for web/API protection	May be subject to import licence for cyber information security products.	Catalogue, datasheet, WAF functions, model list, PO and import purpose.	Vietnam Ministry of Public Security public service portal or the currently assigned competent authority/portal; cross-check on the National Public Service Portal before filing.	Before ETA, preferably before shipment.	Do not wait until cargo arrival to decide licensing.
WAF with TLS inspection/VPN/encryption/key management	Civil cryptography review may arise if the function is listed.	Encryption datasheet, algorithms, key length, license features.	Government Cipher Committee where applicable.	Before ETA.	No absolute conclusion without datasheet and feature licence.
Wireless or special ICT module included	ICT conformity/quality inspection may apply if listed.	Module, standards, test report, technical file.	Relevant ICT authority/NSW if applicable.	Before ETA.	Only applies when actual model has such function.
Used/refurbished/warranty goods	Used ICT equipment or warranty regime may require additional review.	Manufacturing year, serials, condition statement.	Customs/specialized authority depending on case.	Before shipment.	High risk if invoice and labels conflict.
EPE/FDI/project import	Policy may vary by import type and purpose.	Contract, project list, investment file if any.	Customs office and specialized authority if any.	Before ETA.	Still control HS, licence, labels and C/O.

LEGAL DOCUMENTS TO REVIEW

Document group	Document	Issuing authority	Effective timing	Role	Key point to review	Review note
Law	Law on Cyberinformation Security No. 86/2015/QH13	National Assembly	Effective 01/07/2016	Legal foundation for cyber information security and civil cryptography.	Products/services subject to management.	Use with implementing decrees/circulars.
Decree	Decree 108/2016/ND-CP	Government	Effective 01/07/2016	Conditions and procedures for cyber information security products/services and licensed imports.	Licensing framework.	Read with Circular 13/2018 and Circular 10/2022.
Circular	Circular 13/2018/TT-BTTTT	MIC	Effective 01/12/2018	List and procedures for import licensing of cyber information security products.	Appendix includes Web Application Firewall.	Amended by Circular 10/2022.
Amending circular	Circular 10/2022/TT-BTTTT	MIC	Effective 15/09/2022	Amends authority, dossiers and list-related procedures.	Authority of Information Security.	Use current/consolidated text.
Decree	Decree 211/2025/ND-CP	Government	Effective 09/09/2025	Civil cryptography activities and import/export of civil cryptographic products.	Appendices if the model is covered.	Apply only if actual features are in scope.
ICT circular	Circular 29/2025/TT-BKHCN	Ministry of Science and Technology	Effective 31/12/2025	Group-2 ICT goods and conformity/quality management.	Appendix I/II if the goods are listed.	Apply based on actual model and function.
Labelling	Decree 43/2017/ND-CP and Decree 111/2021/ND-CP	Government	Check current validity	Import labelling and Vietnamese supplementary labels.	Mandatory label contents.	Ensure model, origin, manufacturer and specs match documents.

VIEW / DOWNLOAD ORIGINAL LEGAL DOCUMENTS

Enterprises should cross-check the documents on the Government legal portal or the issuing authority’s website before application.

Circular 13/2018/TT-BTTTT Circular 10/2022/TT-BTTTT Decree 108/2016/ND-CP Decree 211/2025/ND-CP Circular 29/2025/TT-BKHCN

CUSTOMS DOCUMENT SET

File group	Required document	Used for	Usually prepared by	Common error	Pre-ETA check
Commercial	Invoice, Packing List, Contract/PO	Customs declaration and valuation	Importer/supplier	Generic goods name	Check names, model, quantity, origin and Incoterms.
Transport	B/L or AWB, Arrival Notice, Pre-alert	ETA monitoring and customs	Forwarder/carrier	Late or inconsistent pre-alert	Lock ETA and compare with packing list.
Origin	C/O if duty preference is claimed	Preferential duty	Exporter/importer	Wrong form, HS or goods description	Check draft C/O before issuance.
Technical	Catalogue, datasheet, user manual, model–serial list	HS, licensing and explanation	Supplier/technical team	Datasheet missing WAF/encryption details	Request official manufacturer PDF.
Specialized	ATTT import licence, civil cryptography file, conformity file if applicable	Specialized control	Compliance/importer	Applying after ETA	Conclude policy before shipment.
Labelling	Original label photos, Vietnamese sub-label if circulated	Market circulation and post-clearance	Importer/supplier	Model/origin mismatch	Check label photos before loading.

Consistency rule: goods name, quantity, model, serial, origin and technical specifications must match across commercial documents, catalogue, labels, specialized dossiers and customs declaration.

DECISION POINTS THAT MAY HOLD THE SHIPMENT

Decision point	Question	Evidence	Consequence if unclear	Recommended handling
HS code	Is the WAF ADP equipment, ADP system or data transmission device?	Catalogue and datasheet	Customs query or correction	Prepare HS classification memo.
ATTT licence	Is it listed as Web Application Firewall?	Circular list and datasheet	Missing licence	Review before ETA.
Civil cryptography	Does it contain listed dedicated encryption?	Encryption feature file	Possible licence gap	Separate encryption function evidence.
Licence/subscription	Is software/service separated?	Invoice, PO, licence certificate	Valuation and treatment issues	Separate invoice lines.
C/O	Is preferential origin valid?	C/O, invoice, B/L	Preference rejection	Check form, HS and description.
Model consistency	Do invoice, catalogue and label match?	Label photos, serial list	Inspection/explanation	Lock model list before declaration.

E2E OPERATIONAL PROCESS

Pre-ETA review

Confirm HS, tax, C/O, labels and whether ATTT/civil cryptography/ICT conformity applies.

Lock documents and technical file

Finalize Invoice, Packing List, B/L/AWB, catalogue, datasheet and model–serial list.

Apply for specialized licence if applicable

Prepare ATTT/civil cryptography/conformity dossier before cargo arrival.

Customs declaration

Green channel: system-based release under conditions; Yellow: document check; Red: document and physical inspection.

Clearance, delivery and post-clearance file

Control labels, specialized results and retain shipment file for post-clearance explanation.

PRE-ETA RISK CHECKLIST

Risk	Consequence	Pre-ETA prevention	Document to check
Generic product name	Wrong HS and policy	Use clear WAF description	Invoice, catalogue
Missing ATTT import licence	Clearance delay	Review Circular 13/10 early	Datasheet, licence file
Hardware and licence not separated	Valuation/treatment issue	Separate invoice and PO lines	Invoice, licence certificate
Incorrect C/O	Loss of preference	Check draft C/O	C/O draft, invoice, B/L
Model mismatch	Customs query/inspection	Lock model–serial list	Labels, catalogue
Used/refurbished not identified	Used goods policy risk	Obtain condition statement	Invoice, warranty file

FAQ

Does WAF require an import licence?

It may, if the model falls within the list of cyber information security products imported under licence. Review catalogue, datasheet, model and actual import purpose.

Does WAF require a civil cryptography licence?

Not always. Review only when the model has dedicated encryption, VPN, TLS inspection, key management or listed cryptographic functions.

Which HS code should be used?

Common review directions include 8471.30.90, 8471.41.90, 8471.49.90 and, for network-oriented devices, 8517.62.43. Final HS depends on actual documents.

Is Vietnamese labelling required?

If the imported goods are circulated in Viet Nam, labelling and supplementary Vietnamese label requirements should be reviewed.

How to handle licence/subscription?

Separate hardware, software licence, subscription and support lines when the commercial documents show different transaction natures.

Can C/O reduce duty?

Possibly, if C/O form, origin criteria, goods description and HS are valid under the relevant FTA.

IMPLEMENTATION SUPPORT FROM TGIMEX

This guide outlines HS code, tax, documents and specialized policies for WAF. For actual shipments, enterprises still need to review catalogue, datasheet, model, documents, origin and import purpose.

TGIMEX supports an E2E import approach: pre-ETA policy review, document check, international freight coordination, customs declaration, clearance handling, domestic delivery and post-clearance file retention.

Pre-ETA review

HS, policy, C/O, tax, labels and technical file.

Compliance control

Invoice, Packing List, B/L/AWB, C/O, licence and datasheet cross-check.

International logistics

Agent/carrier coordination, ETA tracking and pre-alert management.

Customs & post-clearance

Declaration, channel handling, delivery and file retention.

Enterprises should not wait until cargo arrival to review licences, C/O or labels. Even a small inconsistency between Invoice, Packing List, catalogue, datasheet, C/O or label may lead to document supplementation, clearance delay and unexpected storage cost.

Có liên quan

QUICK CONSULTATION

NEED TO REVIEW IMPORT PROCEDURES OR A SHIPPING PLAN?

Send us the product name, shipping route, current dossier, or implementation request in advance so we can suggest a suitable approach that is practical, focused, and aligned with your shipment.

CALL NOW

HOTLINE 0963 856 664 / 0982 135 393

EMAIL info@tgimex.com

SUITABLE FOR International shipping · Customs procedures · Import licenses · B2B logistics

ELECTRICAL – ELECTRONICS – IT EQUIPMENT

F&B

MACHINERY

HOUSEHOLD GOODS

COSMETICS – PERSONAL CARE