Forgive me but I'm pretty green when it comes to these F5's. We have an F5 LTM that is load balancing our internal and external email. We just had a pen test done and they saw TLS1 and 1.1 open from ...
HI, Not sure it makes much difference but is this HTTPS or SMTP traffic? (only interested for possible context later) now, what you want to look at is your client ssl profile.
Inside there is selection's for "no tls" or "no tls1.1" etc etc. So by selecting the ones you don't want it will turn them off.
The way i did it, was to use a cypher profile, and link that to your ssl profile. This meant i could have granual control not just of the encyrption used (TLS) but also the hashes which also came up on a pen test for me! Have a look if that answers your question, if not let me know and i can send you some links or screen shots.
Ok lets start from a test. If you can find a device that runs nmap that can get to the external interface try running this, nmap --script ssl-enum-ciphers -p 443 <Your domain name here.com>
This should show you what you are dealing with and a method to prove that its worked!
Then under your ssl profile you need to chnage the config from "Basic" to "Advanced" Then you'll see the Options List
Here is mine, it appears its flow down so NO DTLSv1.2 turns off everything below that and leaves TLSv1.3. I don't know a location to see where a profile is used in a virtual server, but if you get a ucs file or the internal conf files out using the cli you could do a quick word search in the config maybe?
But you can go into the certificates and see which profiles they are used in which might get you "close" to the same place.