
Forum Discussion

10 Replies

  • This is a fairly high level question. If you can explain specifically what you are using it for, the community can offer advice on improving your security posture.

     

  • Sort of a generic question, but I'll offer 3 recommendations:

     

    1. If your question is related to positive (default deny + learning) vs. negative (attack signatures) security models, then positive is the better choice.

       

    2. If you don't really understand the application and its potential vulnerabilities, then start off with a rapid deployment and let it learn the application over a few weeks. And pay close attention to what learning mode reports. You may learn some really interesting things about the apps in the process.

       

    3. While ASM itself is relatively easy to configure, if you don't truly understand how the underlying applications work, and how they may be vulnerable, you may not get the best security policy that you could get otherwise. AppSec isn't rocket science, but it can get pretty close. So I would highly recommend taking a class or two on ASM, if for no other reason than to build a greater appreciation for the power it wields.

       

  • For point 1, why do you prefer positive?

     

    The positive security model is based on learned behavior, which when set into blocking mode produces a deny condition for anything not explicitly allowed. The negative security model is based on signatures of "known" attacks. The signature database is extremely comprehensive, but cannot possibly account for every vulnerability a specific application may suffer. You can and should use both models, but positive security should ultimately be where you get the most bang for your buck.

     

    I have LTM & ASM, two types of VS (http & https).

     

    As long as you are offloading the client side SSL, ASM will work.

     

  • If you cannot see the decrypted HTTP payload, the ASM can do nothing to protect it.

     

  • ASM is a WEB application firewall. It operates on web (HTTP) traffic at OSI layer 7. If you do not decrypt the OSI layer 6 SSL, then you cannot see the OSI layer 7 HTTP payload. If you cannot see the decrypted HTTP payload, then there is nothing for ASM to protect.

     

  • If I understood correctly, ASM targets HTTP traffic; for HTTPS traffic, ASM should act as the terminator for server and client, decrypting and encrypting in order to inspect the HTTP traffic.

     

  • HTTPS is really just HTTP wrapped in SSL. So if you offload the SSL, you're left with (clear text) HTTP. In order to see any layer 7 application payload, you must terminate the SSL first. You can optionally re-encrypt to the server, but that isn't expressly required.
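The setup the replies above describe (terminate client SSL on the LTM virtual server, inspect cleartext HTTP with ASM, optionally re-encrypt to the pool) as a tmsh configuration fragment. This is an added example, not configuration posted by anyone in the thread; every object name, address and certificate file here is assumed for illustration, and the exact LTM policy syntax that binds an ASM policy varies by TMOS version.

```tmsh
# Assumed client-side SSL profile: this is what turns HTTPS into inspectable HTTP.
# Without a client-ssl profile on the virtual server, ASM sees only ciphertext.
ltm profile client-ssl clientssl_example {
    defaults-from clientssl
    cert example.crt
    key example.key
}

# Assumed server-side SSL profile, used only if traffic is re-encrypted to the pool.
ltm profile server-ssl serverssl_example {
    defaults-from serverssl
}

# Assumed pool of backend web servers.
ltm pool pool_web_example {
    members {
        10.0.0.21:443 { }
        10.0.0.22:443 { }
    }
    monitor https
}

# Assumed LTM policy that attaches an existing ASM policy (/Common/asm_policy_example)
# to the virtual server. The ASM policy itself is built in the GUI or via tmsh asm commands.
ltm policy asm_l7_policy_example {
    controls { asm }
    requires { http }
    strategy first-match
    rules {
        default {
            ordinal 1
            actions {
                1 {
                    asm
                    enable
                    policy /Common/asm_policy_example
                }
            }
        }
    }
}

# Assumed HTTPS virtual server. Order of profiles matters conceptually:
# client-ssl (decrypt) -> http (parse) -> websecurity (ASM) -> server-ssl (re-encrypt).
ltm virtual vs_https_example {
    destination 10.0.0.10:443
    ip-protocol tcp
    mask 255.255.255.255
    source 0.0.0.0/0
    pool pool_web_example
    source-address-translation { type automap }
    profiles {
        tcp { }
        clientssl_example { context clientside }
        http { }
        websecurity { }
        serverssl_example { context serverside }
    }
    policies {
        asm_l7_policy_example { }
    }
}
```

If you want plain HTTP to the pool instead of re-encrypting, drop the `serverssl_example` line from the virtual server and point the pool members at port 80; ASM still inspects the decrypted request either way. A quick sanity check after loading the config is to send a request that should trip the policy (for example a request containing an obvious SQL injection string) through the virtual server and confirm the event appears in the ASM request log; if nothing is logged, the usual cause is a missing client-ssl or http profile on the virtual server, which leaves ASM with no HTTP to inspect.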