Looks like a mashup of my custom violation iRule. Tehcnically, it should work - maybe you have cache of previous results (webacceleration profile)?
This should do the trick in v11.x
when HTTP_REQUEST {
set reqBlock 0
if { not ( [HTTP::method] eq "GET" ) } {
set reqBlock 1
}
}
when ASM_REQUEST_DONE {
if { $reqBlock == 1} {
ASM::raise VIOLATION_FORBIDDEN_METHOD
}
}
Also note that if you can upgrade to v12.1, you will get a better built-in control over allowed http methods per URL (also works with wildcard URLs):
https://support.f5.com/kb/en-us/products/big-ip_asm/releasenotes/product/relnote-asm-12-1-0.html
Enforcing a method on a URL
You can define a list of allowed and disallowed methods, for each URL, that will override the list defined on the security policy level.