BIG-IP LTM - do i need to purchase AFM to make the LTM VE into a decent corporate firewall?

It's mainly about management (although I believe that AFM moves some of the ACL functions into TMM core which is more efficient than doing it in an iRule, however unless you are running a very low-end device this may not be a consideration).

If you had a very simple setup with no forwarding virtual servers you could get away with a simple iRule attached to each virtual to which you wanted to control access;

when CLIENT_ACCEPTED {
 Naming standard for virtuals is vs_myvirtual.com_http - for matching address datagroup 
 listing allowed IPs;- dg_myvirtual.com_http
set dg_allowed_ip_list "dg_[substr [virtual] 3]"
if {[class exists $dg_allowed_ip_list]} {       
    if {![class match [IP::remote_addr] equals $dg_allowed_ip_list]} { 
         Datgroup exists and source IP not in allowed list - drop
        discard
        return
    } 
}
}

If however you need forwarding virtual servers to have iRules mimicking your checkpoint (with 5-tuple policies), have a read of this http://www.f5.com/pdf/deployment-guides/data-center-firewall-dg.pdf. It contains a datacentre firewall iRule which is designed to be deployed via iApp but can easily be manually deployed. Read it and decide if you would be happy converting your Checkpoint policy into the datagroups described.

Just a personal note - if you were converting an internet-facing datacentre firewall policy onto an F5 I would have no hesitation in using the iRule in the doc above. However with an enterprise firewall - I would be thinking seriously about using AFM. It all depends on the complexity of your rules, your budget, and your appetite for supporting firewall polices in text-based datagroups (as opposed to the GUI interface the AFM will give you).