I have a requirement to exclude WAF for all URI's that include api/mobile. WAF should function normally for other URL/URI's
Any guidelines on how to achieve this via HTTP policy or irules.
I think you could achieve your goal with Local Traffic Policy for ASM. This KB article will provide guidance:
I can imagine a simple policy like this:
Match all of the following conditions:
HTTP URI path contains "api/mobile" at request time
Do the following when the traffic is matched:
Disable ASM at request time