It would be best to harden the application. A quick search for "hardening SAP" yield numerous resources (including from SAP).
You may end up having to do both (i.e. harden SAP and augment security on the BIG-IP) - depending on the version of SAP you're running and the options it offers for security/hardening.
There's a presentation on OWASP's web site that seems to indicate that there are quite a few more problems than the URL commands. It's several years old, so perhaps SAP has fixed those security issues. On the other hand, I found more recent articles that also detail security problems with SAP.