i would like to ask about, if it possible to put the APM behind third party external WAF (L3 WAF)? how will the traffic flow from external users to internal network? is there any guide to explain the needed configuration?
I don't word directly for F5 bt everyone from F5 will tell you to use ASM on the same F5 device if there is enough CPU and memory. There can't be a guide for how F5 APM will work with concurrent vendor, as there as many waf vendors nowadays as there are stars in the sky 🙂
As I understand you want to use Sophos in L3 mode, right?
You can search (google) for F5 reference architectures. You will find a couple of diagrams that actually recommend to have a L3/4 network firewall, like F5 AFM, in a separate tier in front of APM or ASM/AWAF, in order to protect from flooding attacks for example.
This link is a bit dated, but is close to your scenario: The F5 DDoS Reference Architecture - Enterprise Edition.