Vulnerability | https://support.f5.com/csp/article/K19026212

For any security related issue, you should really open a support case and receive official advice from the security team. I post here with an F5 badge, but I am not a member of the SRT team and this should not be considered an official F5 security response.

1) only in front of APACE is fine

2) nothing is life is free, especially security! it takes time and CPU to execute irules and memory to store variables. the amount is likely trivial for most people, but what is trivial or not will differ depending on your needs

3) it scans the contents of the HTTP request for known attack signature patterns and drops the request if a match is found