Normally, I would say just trust the F5 self IPs out to Internet with a dedicated firewall rule. Don't do any URL whitelisting. BUT, if you don't use SNAT pools and use auto SNAT, that type of firewall policy would not be restrictive enough for potentially VIP related traffic -- for example, load balancing proxy servers.
The issue is really how to differentiate F5 generated traffic from other traffic also hiding behind the SNAT IP address. If you can't, then perhaps a) whitelist multiple destinations, b) consider a more capable firewall, c) utilize automation like Ansible Tower to automate the update tasks.
While there may be a solution for what you are trying to accomplish, I can't think of an "elegant one". I have seen in the past companies use a dedicated network for management traffic, where you could use static management routes for traffic to egress the MGMT interface, and then have a dedicated switch/firewall for controlling traffic.