Only the static content (images/stylesheets/fonts/js/PDF files) should be placed behind CDN. The best practice is to put all static content onto a separate subdomain such a static.example.com or media.example.com
F5 ASM is a security device to protect the Dynamic contact (login pages, portals, applications,etc).
In case if the static contact is the part of the same application (e.g. /static subfolder) you can use the local traffic policy to disable ASM on that static content path. You can also disable the caching of dynamic pages by injecting 'Cache-Control: no-cache' HTTP header if the application you are trying to protect with F5 ASM is not doing it for some reason