A WAF that does not support standards like websockets is not worth the money you (or your company) are paying for it (personal opinion: most WAFs are not worth the money).
FWIW, the main goal of most WAFs is to give bad programmers an excuse for not caring as much about XSS, SQL Injection and similar vulnerabilities as they should. This often includes incredibly stupid rules such as “if a POST request contains ‘SELECT’ or ‘UNION’, reject it”. I guess you can already imagine how utterly bad this is for a chat system where legitimate conversation might contain such keywords.