Hi,
Your approach is correct regarding your architecture.
My question is the following: is the web app that you will expose to the internet public? If not, you can use APM to implement a security policy (authentication, endpoint inspection, ...).
Second point: if your site is public and you don't set up APM (authentication), you can increase security by implementing an ASM security policy to avoid attacks, ...
Regarding SSL offload, I advise you to set this setting. It will allow you to secure the SSL/TLS part (HSTS, disable renegotiation, use secure ciphers, ...).
Let me know if I can help you on some points.
Regards