Using F5 as a reverse proxy hosting internet accessible to hosts on inside.

Really this comes down to your/ your company's appetite for risk. I personally would say you should use the ASM to filter the traffic (ideally regardless these days even if the server is in the DMZ). If an attacker was able to exploit the backend server via a HTTP request and then get a shell on the server (via the inbound HTTP) then obviously they have access to everything the backend server has. Without restricting what the server has access to (i.e. by putting a firewall in between it and the internal network) there is an obvious risk, which you could use the ASM/WAF along with AV on the server as a compensating control to reduce said risk. Personally I would always try to insist on the backend server in the DMZ not only does the firewall restrict access but gives you a log so you can actually see what connections it is making (ideally with ASM/WAF and AV applied too).