For those who may stumble upon this thread, there are ASM features in addition to what Mike is referring to regarding file types.
The gory details are in Configuration Guide for Big-IP Application Security Manager, spread out over chapter 6 Manual Configuring Security Policy, and chapter 10 Working with parameters.
ASM has a very configurable and fine grained model to interrogate traffic before it gets to the application server.
The issue I ran into is my application created a relative URI that was longer than the default allowed and it was blocked.
To customize a rule that will allow a longer URI is a 2 step process:
Define a explicit URL.
Define a parameter linked to your URL with the length allowed.
Of course there a couple more details but that's what manuals are for ;-)