For the network VS's? Basically, to route across the BigIP you need a VS to do the forwarding. In order to make all inter-DMZ traffic pass through the firewall, you have 2 VS's to manage the two interfaces used to route to/from a DMZ.
The VS that routes traffic TO the DMZ should only be enabled on the VLAN facing the firewall. Then the default VS is enabled only on the DMZs themselves. And it should be of type STANDARD instead of forwarding. The default pool should have 1 pool member: the firewall itself.
So when traffic comes from a DMZ, it hits the default VS (the only network VS enabled on the DMZ). It forwards traffic to the default pool, which is the firewall. The firewall processes the traffic. If allowed, it sends the traffic BACK to the BigIP. That hits the VS for the DMZ (enabled on the firewall-facing VLAN) and is forwarded using the routing table.
H
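
The packet walk described in the post above, as an added example that is not part of the original post: a simplified Python model showing that inter-DMZ traffic reaches the firewall only while the forwarding VS stays off the DMZ VLANs. The VLAN names, subnets and VS names are constructed assumptions, and VS selection is reduced to "most specific destination enabled on the ingress VLAN".

```python
import ipaddress

FW_VLAN = "fw_vlan"  # assumed name of the firewall-facing VLAN

def vs(name, dest, kind, vlans):
    return {"name": name, "dest": ipaddress.ip_network(dest),
            "kind": kind, "vlans": set(vlans)}

# Layout from the post: one forwarding VS per DMZ, enabled on the firewall
# VLAN only; one default STANDARD VS (pool = firewall) on the DMZ VLANs only.
GOOD = [
    vs("to_dmz1", "10.1.1.0/24", "forwarding", [FW_VLAN]),
    vs("to_dmz2", "10.1.2.0/24", "forwarding", [FW_VLAN]),
    vs("default_to_fw", "0.0.0.0/0", "standard", ["dmz1", "dmz2"]),
]
# Constructed misconfiguration: to_dmz2 is also enabled on the dmz1 VLAN.
BAD = [GOOD[0],
       vs("to_dmz2", "10.1.2.0/24", "forwarding", [FW_VLAN, "dmz1"]),
       GOOD[2]]

def match(config, vlan, dst):
    """Most specific VS enabled on the ingress VLAN that covers dst."""
    dst = ipaddress.ip_address(dst)
    hits = [v for v in config if vlan in v["vlans"] and dst in v["dest"]]
    return max(hits, key=lambda v: v["dest"].prefixlen, default=None)

def path(config, ingress_vlan, dst, fw_allows=True):
    """Hops a packet takes; allowed traffic returns from the firewall on FW_VLAN."""
    hops, vlan = [], ingress_vlan
    for _ in range(4):  # bound the walk so a bad config cannot loop forever
        v = match(config, vlan, dst)
        if v is None:
            return hops + ["drop:no-listener"]
        hops.append(v["name"])
        if v["kind"] == "forwarding":
            return hops + ["routed"]
        hops.append("firewall")  # standard VS: pool member is the firewall
        if not fw_allows:
            return hops + ["drop:firewall"]
        vlan = FW_VLAN
    return hops + ["drop:loop"]

def traverses_firewall(config, ingress_vlan, dst):
    return "firewall" in path(config, ingress_vlan, dst)

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, path(cfg, "dmz1", "10.1.2.5"))
```
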