F5 F5CAB1 BIG-IP Administration Install, Initial Configuration, and Upgrade Exam Practice Test

When performing a TMOS upgrade, F5 recommends validating the target software version to ensure that the release does not contain defects that may impact system behavior. The upgrade preparation process includes checking for known issues, validating compatibility, and reviewing advisory information for the intended version. Two primary F5 tools serve this purpose:

B. F5 iHealth

iHealth is a cloud-based diagnostic and analysis platform used to evaluate the operational state of a BIG-IP system.

Administrators upload a QKView file to iHealth to receive an automated assessment of the system. As part of upgrade planning, iHealth provides:

Version-specific issue analysis , comparing the system’s configuration and hardware against F5’s internal catalog of published issues.

Upgrade advisories , identifying potential risks such as deprecated features, module compatibility concerns, or changes in behavior between TMOS versions.

Checks against known defects , allowing administrators to determine whether the target TMOS version contains issues relevant to their deployment.

This aligns with F5’s recommended upgrade workflow, where iHealth is used before upgrading to confirm system readiness and detect software-level concerns.

D. F5 Bug Tracker

The Bug Tracker is F5’s dedicated interface for reviewing software defects across TMOS releases.

It enables administrators to:

Search for known bugs by TMOS version , module, severity, or defect ID.

Review the status of defects (open, resolved, fixed in later releases).

Identify whether high-impact or security-related issues are associated with the target upgrade version.

F5 documentation emphasizes reviewing known defects prior to installation of new software images, making the Bug Tracker a critical resource for upgrade validation.

Why the other options are not correct

A. F5 End User Diagnostics (EUD)

EUD is used exclusively for hardware diagnostics (ports, memory, fans). It does not provide software-related issue verification and is not used for upgrade planning.

C. F5 University

This is a training platform , not an operational tool. It does not provide defect listings or upgrade-specific warnings.

E. F5 Downloads

Although it provides access to software images and release notes, it is not a tool for identifying known bugs . Release notes summarize general fixes and features, but systematic bug verification requires iHealth or the Bug Tracker.

Within the BIG-IP Traffic Management Shell (tmsh), system configuration objects—including the management IP—are organized under the /sys hierarchy. The management IP address is a configurable property stored in the system configuration and can be viewed using the tmsh list command, which displays configuration objects and their currently assigned values.

Why “list /sys management-ip” is correct

The list command in tmsh is used to display configured system values , not runtime statistics.

The object that holds the management IP settings on BIG-IP systems is located at: /sys management-ip

Running the command: list /sys management-ip will reveal the settings for the management IP interface, including the address, netmask, and any associated attributes.

This is the standard method used during system setup and verification to confirm the management IP configuration.

This behavior aligns with BIG-IP administration procedures, where configuration information is retrieved using list , while operational data is retrieved using show .

Why the other options are incorrect

A. run /util bash ifconfig mgmt

This command enters the Bash shell, then runs ifconfig to display the management interface.

While this can show the management interface address, it is not a tmsh-native command , and the question specifically asks for a tmsh command.

Administrators use tmsh directly for configuration display rather than leaving the shell.

C. show /sys management-ip

The show command displays statistics or operational data , not configuration values.

The management-ip object does not maintain statistics; therefore show does not return the configuration details required.

Only the list command reveals stored configuration data such as IP address and netmask.

From the exhibit, the administrator performs the following actions:

Displays the current SSH allow configuration:

tmsh list sys sshd allow

allow { ALL }

Replaces the existing SSH allow list with a specific subnet:

tmsh modify sys sshd allow replace-all-with { 10.0.0.0/24 }

Confirms the updated configuration:

tmsh list sys sshd allow

allow { 10.0.0.0/24 }

This configuration restricts SSH access to only hosts that fall within the 10.0.0.0/24 network.

Evaluation of the options

A. 10.0.0.100

This address is within the 10.0.0.0/24 subnet and is a valid host address, so SSH access is permitted.

B. 10.0.0.254

This address is also within the 10.0.0.0/24 subnet and is a valid host address, so SSH access is permitted.

C. 10.0.0.256

This is not a valid IP address because an IPv4 octet cannot exceed 255.

D. 100.0.1.10

This address is outside the configured 10.0.0.0/24 subnet and will not be allowed.

E. 100.0.0.10

This address is also outside the configured subnet and will not be allowed.

The exhibit shows a Self IP with:

VLAN: Data

Port Lockdown: Allow None

Impact of “Allow None” on SNMP

When a Self IP is configured with:

Port Lockdown: Allow None

the BIG-IP blocks all services and ports except a few hardcoded HA communication ports.

This means:

UDP/161 (SNMP) is blocked

UDP/162 (SNMP traps) is blocked

The SNMP server cannot poll or receive data from the BIG-IP through this Self IP

SNMP relies on access through the Self IP if out-of-band (mgmt interface) is not used.

Thus, the issue is directly caused by Port Lockdown = Allow None , which prevents SNMP communication.

Why the other options are incorrect:

B. Traffic Group must use a floating Traffic Group

SNMP polling does not require floating Self IPs.

Floating groups apply to HA failover IPs, not SNMP functionality.

C. VLAN/Tunnel must allow All VLANs

Self IPs are always bound to a VLAN; SNMP does not require All VLANs.

As long as the Self IP belongs to a reachable VLAN, SNMP can work.

D. Configuration is correct

It is not correct: Allow None blocks SNMP and is the problem.

Access to the BIG-IP Configuration Utility (TMUI) is controlled through the /sys httpd allow list.

This list defines which IP addresses or subnets are allowed to connect to the management web interface.

To allow two new subnets— 172.28.31.0/24 and 172.28.65.0/24 —the administrator must add both subnets to the existing list without removing current entries.

In tmsh, subnet entries must be specified in network/netmask format , for example:

172.28.31.0/255.255.255.0

The correct tmsh command to append these networks is:

modify /sys httpd allow add { 172.28.31.0/255.255.255.0 172.28.65.0/255.255.255.0 }

Why the other options are incorrect:

Option B:

IPs are listed without masks, which is invalid for subnet-based access control.

The system requires network/netmask format.

Option C:

The command uses permit instead of allow, which is not a valid attribute of /sys httpd.

The correct keyword must be allow .

Thus, only Option A correctly adds both permitted subnets in the proper tmsh format.

When a TMOS ISO file is transferred to /shared/images/ , the BIG-IP automatically performs a validation step:

Checksum Verification

Before the image becomes visible in the GUI, the system verifies the internal checksum embedded inside the ISO.

This ensures:

The file was fully transferred

The image is not corrupted

It matches the official F5 release signature

Only after passing this verification does the GUI display the ISO under “Available Images.”

Why the other options are incorrect:

A. Reboot into a new partition

No reboot occurs simply from uploading an image.

C. Copying into /var/local/images/

This directory is not used for ISO storage.

All valid images remain in /shared/images/ .

Thus, the correct system action is checksum verification .

By default, management-plane traffic uses the management routing table , while data-plane traffic uses the TMM routing table .

Remote Syslog traffic is management-plane traffic unless a management route exists.

If no Management Route matches the Syslog server’s destination IP, the BIG-IP will instead:

Use TMM routes , and

Source the packets from a Self IP

This is exactly what the administrator is observing.

To force Syslog traffic out the management port:

You must create a Management Route , which is configured using:

tmsh create /sys management-route < name > gateway < ip > network < syslog subnet >

This sends syslog traffic:

Out of the management interface

Using the Management IP as the source

Thus, Option B is correct.

Why the other options are incorrect:

A. Set the Management IP as the source address

Source address selection is overridden by routing.

Without a management route, traffic still goes out the data plane.

C. Create a new Self IP using a route domain

Unnecessary and not related to management-plane routing.

Syslog traffic should not rely on data-plane Self IPs.

D. Modify port lockdown on Self IP to allow UDP/514

This would allow Syslog traffic into the BIG-IP over a Self IP, not force outbound traffic via management.

The screenshot shown is from the User Administration section of the BIG-IP GUI.

This section controls:

Root and Admin passwords

SSH Access

SSH IP Allow settings

However, it does not contain any controls for restricting access to the WebUI (TMUI) .

BIG-IP does not provide TMUI access restrictions from this part of the GUI.

Access to the web-based Configuration Utility is controlled by the httpd allow list , configured through TMSH:

tmsh modify /sys httpd allow { < IP/subnet > }

This setting is not displayed in the User Administration panel, and in many BIG-IP versions, the httpd allow list is only configurable from the CLI , not the GUI.

Therefore, the administrator cannot find the setting in the screen shown because:

TMUI access restriction is not located in this GUI section

It must be configured using tmsh under /sys httpd allow

This is why Option A is correct.

The HTTPD allow list controls which IP addresses or subnets may access the Configuration Utility (TMUI) on the BIG-IP system. The Administrator already has two subnets allowed and needs to add a single host IP to the existing list.

The object /sys httpd allow supports actions such as add , delete , and replace-all-with .

Because the goal is to add one more entry without removing the existing permitted subnets, the correct command is:

modify /sys httpd allow add { 172.28.32.22 }

This appends the new host to the existing list while preserving the previously configured networks.

Why the other options are incorrect:

Option A (replace-all-with) would overwrite the entire allow list, removing existing permitted subnets—unacceptable.

Option B (delete) would remove the existing networks and not add the required host.

Therefore, the correct administrative action is to add the jump host’s IP.

Securing the BIG-IP management interface is a fundamental administrative responsibility. F5 best practices emphasize restricting who can reach the management port and ensuring that only authorized systems are allowed access.

A. Limiting management access to trusted network segments

F5 recommends placing the management interface on a dedicated, isolated, and secured management network or VLAN , rather than exposing it to production or untrusted networks.

This reduces the attack surface by ensuring only trusted segments have visibility to administrative interfaces.

D. Restricting management access by IP or subnet

F5 BIG-IP uses the /sys httpd allow list (for HTTPS) and configuration options in sshd (for SSH) to control which IP addresses or subnets can access the device.

By specifying only known administrative IPs or ranges, unauthorized users cannot reach the login services.

Why the other options are incorrect

B. Blocking all management HTTPS/SSH ports

This would prevent any administrative access and is not a viable security practice.

C. Using Self-IP addresses for administrative access

F5 explicitly warns against using Self-IPs for management access unless strictly necessary.

Self-IPs are exposed to the data plane and should not be used as the primary administrative interface.

Provisioning determines:

Which BIG-IP modules are enabled (LTM, ASM, APM, AFM, DNS, etc.)

Their provisioning levels (None, Minimal, Nominal, Dedicated)

Two accurate ways to view provisioning settings are:

A. GUI — System → Resource Provisioning → Module Allocation

This is the primary GUI screen showing:

All modules

Their provisioning level

System resource distribution impact

Administrators commonly use this page to confirm or change module provisioning.

D. TMSH — list /sys provision

This tmsh command displays each module and its provisioning level:

sys provision ltm { level nominal }

sys provision asm { level none }

This is the authoritative CLI method for checking module provisioning configurations.

Why the other options are incorrect:

B. show /sys provision

Shows runtime information but not the actual configuration levels .

list is the correct command for configuration details.

C. Statistics → Module Statistics

Shows performance statistics, NOT provisioning status.

Therefore, the correct responses are A and D .

BIG-IP hardware platforms use chassis LEDs to indicate system health states.

A solid yellow status LED typically indicates a warning condition , such as:

A non-critical hardware alert

A temperature threshold nearing limit

A minor fan or sensor irregularity

Other non-fatal environmental or system conditions

This state reflects a warning-level alarm , meaning the unit is operational but requires investigation.

Why the other options are incorrect

A. Halted or EUD mode

This is associated with different LED patterns (usually flashing conditions or specific color codes), not a solid yellow status LED.

B. Standby in device group

HA state is not indicated by the chassis status LED.

Standby status is a logical device state, not a hardware LED state.

D. Power supply failure

Power supply indicators use separate LEDs located on each power module (usually flashing amber/red), not the system status LED.

Thus, a solid yellow status indicator signifies a warning-level alarm .

A newly deployed BIG-IP Virtual Edition (VE) in VMware requires initial configuration of its management-ip address so it can be accessed over the network. F5 provides several valid mechanisms during initial console access:

A. Running the config utility

The config script is available on new BIG-IP installations and VE deployments.

It launches a guided text-based wizard allowing configuration of:

Management IP

Netmask

Default route

This is a standard and recommended method during first-time setup.

B. Using TMSH with create sys management-ip

Administrators can enter TMSH directly from the console and run:

create sys management-ip < ip > / < mask >

The management-ip object resides under sys , not under ltm or any other module.

This is the correct tmsh method for defining the management interface address.

Why the other options are incorrect:

C. create ltm management-ip

There is no such object under /ltm.

LTM handles traffic objects (virtual servers, pools), not system management interfaces.

D. Running the setup command

The setup command is used for general system configuration but does not configure the management-ip .

It is not the supported method for initial management IP assignment on VE deployments.

Therefore, the valid methods are running the config utility and using the sys management-ip command within TMSH.