Case of use of AWAF to protect APM

I like this kind of approaches, which maximize the use of BIG-IP modules to have more features with less complexity, here're my two cents on this, 

Note, this is under assumption that we are using layered VS, so a VS for AWAF, another VS for APM.

- Yes, we can utilize AWAF infront of APM for couple of cases, the one you mentioned brute force, there's also bot defense.

- Apply attack sigature based policy to protect against common attacks before it reaches APM.

- Apply specific parameters/URLs restrictions before it gets handled at APM VS.

Note, If no explicit need, I would recommend to get APM at the front before AWAF because AWAF processing cost is higher, so it might be good to get APM to first check the incoming session and then pass it to AWAF, so that AWAF doesn't inspect traffic unnecessarily (for example, failed logins). 

> You can make use of AFM as well, specially that AFM hits before APM, that allows you to protect against DoS, have a resrtrictive policy for APM access and make use of IPS in AFM.