I need to review the configuration of an F5 ASM. I didn't find any security best practice nor checklist to review the key aspects of the ASM module.
Does a document describing the best practice exists ?
There is no single document describing best practices for ASM implementations due to the wide variances in web applications and architectures. The best approach is to identify recommended practices for your needs. It is a tremendously powerful web application firewall which can be phased into production from a relatively simple start to a very sophisticated protection system. A few key questions you should be able to answer before you attempt to configure anything: How many applications do you have to protect? How complex are the applications--specifically the building blocks of the apps such as file types, URLs, parameters, and route domains. How often do the applications change? Do you have access to the application developers to help you review the ASM security policies after system is in place? How much time overall do you have to devote to the daily operation of ASM? Do you have known vulnerabilities that you would like to secure first? Starting with the Rapid Deployment template, or by using the automatic policy builder, you can achieve different levels of comprehensive security.
One thing I should have added is that an operations guide for ASM is in the works. Stay tuned.