Anyone have experience in virtually patching an application vulnerable to SSRF (server-side request forgery) protected by ASM? If so, how did you configure ASM policy? Whitelist all allowed URLs?
F5 ASM can provide SSRF protection in many ways, including response signatures, parameter type enforcement and whitelisting.
First of all you should find out:
I assume you can get this from the pen-test report. Once you have this information, it will become clearer what ASM policy changes you need to protect the application.
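An added example, not part of the posts above and not F5 ASM configuration: the decision a whitelist on a URL-valued parameter has to make, written in Python so the edge cases are visible. The allowlist entries, the sample values and the function name `check_url_parameter` are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: exact (scheme, host, port) origins the application
# is expected to fetch from. Replace with the values from your own review.
ALLOWED_ORIGINS = {
    ("https", "api.example.com", 443),
    ("https", "images.example.com", 443),
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def check_url_parameter(value):
    """Return (allowed, reason) for a URL-valued request parameter."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port          # raises ValueError on a bad port
    except ValueError:
        return False, "malformed URL"

    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return False, "scheme not allowed"

    # Reject user:pass@host forms so the host is never ambiguous.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"

    # Compare the parsed hostname, never a substring of the raw value.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "missing host"

    # The allowlist holds names only, so any IP literal is refused.
    try:
        ipaddress.ip_address(host)
        return False, "IP literal not allowed"
    except ValueError:
        pass

    if port is None:
        port = DEFAULT_PORTS[scheme]
    if (scheme, host, port) not in ALLOWED_ORIGINS:
        return False, "origin not in allowlist"
    return True, "ok"
```

A hostname match says nothing about where the name resolves or where a redirect leads, so a check like this narrows exposure but does not replace the fix in the application.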