according to F5 support this does not work:
Each Web application should have its own ASM policy, where configuration is made specifically to that web application.
The ASM policies can all be based on a basic ASM policy, and any change to a specific web application should be done in the specific ASM policy for that web application.
The only method of getting a layered ASM policy structure is to have the LTM policy rules referring to different ASM policies in different rules, based on some condition.
For example:
Rule 1 - if URI starts with /site1/, send to ASM policy /site1-ASM-policy Rule 2 - if URI starts with /site2/, send to ASM policy /site2-ASM-policy
Assigning 2 actions of referring to 2 different ASM policies in the same rule and the same condition is not going to work. A single request is going to match that condition, but it won't be clear which ASM policy should process that request.
However I am also looking for some creative solution here as I am sure there must be some way on BIG-IP to achieve such a simple requirement.
Andreas