Forum Discussion
THE_BLUE
Cirrostratus
Sep 09, 2025
F5 client certificate forwarding
I have a website secured over F5; it requires a client certificate which I need to forward to the server. I don't want F5 to validate the certificate, I just need to pass it to the server. I have added in SSL...
Kevin_Stewart
Employee
Nov 13, 2025
The short answer is that you cannot do this. You can't terminate TLS at the BIG-IP and still send the original client cert to the backend server. Basically, during the TLS handshake the client digitally signs a portion of the handshake data with its private key. As the middle box (BIG-IP) does not have access to the client's private key, it could not simply relay the origin client cert to the backend if it's also terminating TLS on the client side. There are generally two options here:
- Don't decrypt -- don't add client and server SSL profiles (or any L7, HTTP profiles) to the VIP, effectively allowing TLS (L6) to pass through.
- Use Client Certificate Constrained Delegation - this function in LTM allows the BIG-IP to terminate client side TLS and "forge" an ephemeral client certificate to the backend. In the simplest mode, it'll copy all of the attributes of the origin cert to the forged client cert. In more flexible scenarios, you can use an iRule to inject arbitrary attributes into the forged client cert.
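The delegation step described in the second option, modelled as an added example (not F5's C3D code and not from either poster): a proxy that holds only the client's certificate mints a new cert carrying the same subject for a key it does hold, signs it with a proxy CA the backend trusts, and the backend accepts that cert while rejecting the origin cert it has no trust path to. The names ForgeClientCert, BackendAccepts, Demo and the "alice"/"proxy-ca" certificates are constructed for this demo; it uses only Go's standard library and runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error, acceptable for a self-contained demo; newKey returns a fresh P-256 key.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func newKey() *ecdsa.PrivateKey    { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
// mint signs tmpl for public key pub with signer's key under parent (pass tmpl itself for self-signed).
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}
// template builds a minimal client-auth certificate template; ca marks it as an issuing CA.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * time.Minute),
		IsCA: ca, BasicConstraintsValid: ca, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
}

// ForgeClientCert is the C3D-style step: copy the origin subject into a cert for a key the proxy holds.
func ForgeClientCert(origin, proxyCA *x509.Certificate, proxyKey *ecdsa.PrivateKey) *x509.Certificate {
	t := template("", 3, false)
	t.Subject = origin.Subject // simplest mode: copy every subject attribute verbatim; no client key needed
	return mint(t, proxyCA, &newKey().PublicKey, proxyKey)
}

// BackendAccepts models the server, which trusts only the proxy CA for client authentication.
func BackendAccepts(cert, proxyCA *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(proxyCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Demo builds a constructed client cert, proxy CA and backend and reports what the backend accepts.
func Demo() (cn string, forgedOK, originOK bool) {
	ck, pk := newKey(), newKey()
	client, ca := template("alice", 1, false), template("proxy-ca", 2, true)
	origin := mint(client, client, &ck.PublicKey, ck) // constructed self-signed origin client cert
	proxyCA := mint(ca, ca, &pk.PublicKey, pk)
	forged := ForgeClientCert(origin, proxyCA, pk)
	return forged.Subject.CommonName, BackendAccepts(forged, proxyCA), BackendAccepts(origin, proxyCA)
}
```

The backend learns the original identity only because it trusts the proxy CA's signature, which is why the proxy-side validation (or an iRule deciding what to copy) becomes the real control point in this design.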