L7 DoS Profile

With respect to your first question, yes - all mitigation methods are tried sequentially - if the attack cannot be mitigated using the first method, ASM will move down the list of enabled mitigations.

For question 2, ASM tracks latency for all the URLs that traverse the policy. It uses a proprietary algorithm to compare latencies of individual URls across site-wide average latency and thus classify certain URLs as heavy based upon the URLs that frequently exhibit higher latency than others.

For question 3, I have always been a fan of latency-based approach as long as once knows what acceptable application latency is. TPS-only is great if you want to more proactively limit access to site/URLs above certain volume - but, typically, latency is the most accurate indicator of the backend application health and performance abilities.