Sorry for the delay, have been on a vacation without internet (however that is possible nowadays)
1) If you're using SNAT and the server is pointing to the router's SVI (can also be a couple of SVIs in VRFs) and that "zone" is firewalled, either between every VLAN or if you're using FW rules between VRFs, it depends on your zoning model. So with SNAT only load-balanced traffic is hitting the F5, and because of that the F5 can sit at L2 to the load-balanced servers. You will not be breaking any rules, and why would you dual-firewall traffic that first hits the VS and is then load-balanced to the server? It should be enough with VS firewalling, and server-to-server is of course firewalled because that traffic will not go to the F5; it goes to the router/FW. SNAT has its limitations, but going without SNAT and using the F5 as a router also has "downsides".
2) I checked this out maybe 1-2 years ago and back then you couldn't use routing domains and some nasty bugs were there, like scratching the BGP/OSPF configuration. Don't remember the SOL number, but hitting new bugs was more expected with ZebOS than maybe with Juniper or Cisco. More I don't know.
3) What I meant with "leak traffic" is that sometimes you want to have some sort of traffic just pass through without a FW and an F5; it can be backup traffic.
Depending on the size of your backup traffic it can be a nice thing to just "leak" that specific flow (dest IP to the backup IPs) between VRFs.
In your example "server -> firewall -> backupserver" it's quite understandable that you also use the FW as a router.... Clients can of course be other servers as well, so yes, they will need to do backups. But I guess there is some misunderstanding above from your/my side about what we are talking about.
I like firewalling so having all zones protected is of course mandatory.
4) As I said, ASM is nice.
One thing that I don't really like is that every forwarding VS needs to be in the Common partition. I also guess that if we don't want to bridge VLAN traffic a lot of VSs need to be made; for example with 2500 VLANs we need 5000 VSs. But that of course depends on whether you use the FW or the F5 as the default gateway for the systems.
But one upside is that it can maybe be easier to have that in a GUI instead of a router's CLI. Haven't thought so much about that.
Regarding DDoS, IMHO the only thing to solve that (a big one) is to have your own AS and distribute the attackers' subnets to the ISP, because if not, we will fill our internet pipe pretty fast, so the ISP should take care of that. For a smaller one, the FW or dedicated equipment is OK.
So what I mean is that if using the F5 as a router, future migration, flexibility in some ways and avoiding asymmetric routing can be tough, so I repeat what I think:
# a router should do routing
# a FW should do firewalling
# an ADC should do load balancing (and WAF for ADC services)
Maybe I'm getting old, not seeing the plus of having so much in one box.
What are the performance numbers for routing on the big F5 boxes?
An ASR1006 has a 40 Gbit sales specification to compare against, not so much, but that is a pretty enterprise router.