F5 F5CAB1 BIG-IP Administration Install, Initial Configuration, and Upgrade Exam Practice Test

The screenshot shown is from theUser Administrationsection of the BIG-IP GUI.

This section controls:

Root and Admin passwords

SSH Access

SSH IP Allow settings

However,it does not contain any controls for restricting access to the WebUI (TMUI).

BIG-IP does not provide TMUI access restrictions from this part of the GUI.

Access to the web-based Configuration Utility is controlled by thehttpd allow list, configured through TMSH:

tmsh modify /sys httpd allow { }

This setting is not displayed in the User Administration panel, and in many BIG-IP versions, the httpd allow list isonly configurable from the CLI, not the GUI.

Therefore, the administrator cannot find the setting in the screen shown because:

TMUI access restriction isnotlocated in this GUI section

It must be configured usingtmshunder/sys httpd allow

This is whyOption Ais correct.

Self-IPs implement a security feature known asPort Lockdown, which limits which services are reachable on a Self-IP.

However, certain services required for BIG-IP device-to-device communication bypass Port Lockdown to ensure cluster and HA functionality.

TCP 4353

TCP port4353is used byDevice Service Clustering (DSC)for:

Device trust establishment

Configuration synchronization

Failover communication

Because BIG-IP devices must always be able to communicate for HA functions to remain operational, port 4353 isexempt from Port Lockdown rules.

Why the other options are incorrect

A. TCP 443

Not required for device trust or synchronization.

HTTPS access is fully controlled by Port Lockdown.

C. UDP 53

DNS traffic is not required for synchronization and has no exemption under Port Lockdown.

Provisioning determines:

Which BIG-IP modules are enabled (LTM, ASM, APM, AFM, DNS, etc.)

Their provisioning levels (None, Minimal, Nominal, Dedicated)

Two accurate ways to view provisioning settings are:

A. GUI — System → Resource Provisioning → Module Allocation

This is the primary GUI screen showing:

All modules

Their provisioning level

System resource distribution impact

Administrators commonly use this page to confirm or change module provisioning.

D. TMSH — list /sys provision

This tmsh command displays each module and its provisioning level:

sys provision ltm { level nominal }

sys provision asm { level none }

This is the authoritative CLI method for checking module provisioning configurations.

Why the other options are incorrect:

B. show /sys provision

Showsruntimeinformation butnot the actual configuration levels.

list is the correct command for configuration details.

C. Statistics → Module Statistics

Shows performance statistics, NOT provisioning status.

Therefore, the correct responses areAandD.

When logged into thebash shellof a BIG-IP system, there are two valid ways to view themanagement-ipaddress:

A. tmsh list /sys management-ip

Even from the bash shell, the administrator can enter a tmsh command by typing:

tmsh list /sys management-ip

This displays:

Management IP address

Netmask

Any configured management routes

This is theofficial tmsh methodfor viewing the management-ip configuration.

C. ifconfig mgmt

In the underlying Linux OS, the management interface maps to themgmtinterface.

Running:

ifconfig mgmt

displays:

Assigned management IP

Netmask

Link-level status

This is a valid Linux-level method used frequently for troubleshooting.

Why the other options are incorrect:

B. show mgmt ip

Not a valid bash or tmsh command on BIG-IP.

D. list / sys management-ip

Missing thetmshprefix.

In bash, this will generate a syntax error.

The correct form requires:

tmsh list /sys management-ip

BIG-IP controls access to the web-based Configuration Utility (TMUI) through the/sys httpd allowlist. This parameter specifies which client IPs or subnets may initiate HTTP/HTTPS connections to the management interface.

To restrict TMUI access toonlythe 10.0.0.0/24 subnet:

The correct method is tomodify the HTTPD allow listso that it contains only this subnet.

This requires replacing the entire current list with the new subnet using:

modify /sys httpd allow replace-all-with {10.0.0.0/24}

This ensures thatonlyclients within 10.0.0.0/24 can reach the Configuration Utility.

Why the other options are incorrect:

Options A and Ccreate network ACL objects under /net acl, which apply to data-plane traffic, not management-plane TMUI access. TMUI access is not controlled by LTM ACLs but by the HTTPD allow directive.

Option Bis incorrect syntax and references /ltm httpd, which is not the proper object; the correct hierarchy is /sys httpd.

Thus, only modifying the/sys httpd allowlist achieves the required restriction.

To change the boot volume on a BIG-IP system from one installed TMOS version to another, the correct CLI tool is:

switchboot

The correct syntax uses the-bflag:

switchboot -b

This command marks the specified boot location as the one to be used on the next reboot.

Thus, to boot intoHD1.2which contains13.1.0.6, the sequence is:

Mark HD1.2 as the next boot location:

switchboot -b HD1.2

Reboot the system:

reboot

This is the standard and officially supported method for selecting a different installed volume.

Why the other options are incorrect:

A. "tmsh reboot HD1.2"

There is no such tmsh syntax.

Boot volume cannot be selected by adding a parameter to reboot.

C. switchboot -I HD1.2

The -I flag is invalid. Only -b is used.

D. "tmsh switchboot HD1.2"

switchboot isnota tmsh command; it is a system-level shell utility.

Therefore,Option Bis the correct and valid command sequence.

Securing the BIG-IP management interface is a fundamental administrative responsibility. F5 best practices emphasize restricting who can reach the management port and ensuring that only authorized systems are allowed access.

A. Limiting management access to trusted network segments

F5 recommends placing the management interface on adedicated, isolated, and secured management network or VLAN, rather than exposing it to production or untrusted networks.

This reduces the attack surface by ensuring only trusted segments have visibility to administrative interfaces.

D. Restricting management access by IP or subnet

F5 BIG-IP uses the/sys httpd allowlist (for HTTPS) and configuration options insshd(for SSH) to control which IP addresses or subnets can access the device.

By specifying only known administrative IPs or ranges, unauthorized users cannot reach the login services.

Why the other options are incorrect

B. Blocking all management HTTPS/SSH ports

This would prevent any administrative access and is not a viable security practice.

C. Using Self-IP addresses for administrative access

F5 explicitly warns against using Self-IPs for management access unless strictly necessary.

Self-IPs are exposed to the data plane and should not be used as the primary administrative interface.

The HTTPD allow list controls which IP addresses or subnets may access the Configuration Utility (TMUI) on the BIG-IP system. The Administrator already has two subnets allowed and needs to add asingle host IPto the existing list.

The object/sys httpd allowsupports actions such asadd,delete, andreplace-all-with.

Because the goal is toaddone more entry without removing the existing permitted subnets, the correct command is:

modify /sys httpd allow add { 172.28.32.22 }

This appends the new host to the existing list while preserving the previously configured networks.

Why the other options are incorrect:

Option A (replace-all-with)wouldoverwritethe entire allow list, removing existing permitted subnets—unacceptable.

Option B (delete)wouldremovethe existing networks and not add the required host.

Therefore, the correct administrative action is toaddthe jump host’s IP.

By default,management-plane trafficuses themanagement routing table, whiledata-plane trafficuses theTMM routing table.

Remote Syslog traffic ismanagement-planetrafficunlessa management route exists.

If noManagement Routematches the Syslog server’s destination IP, the BIG-IP will instead:

UseTMM routes, and

Source the packets from aSelf IP

This is exactly what the administrator is observing.

To force Syslog traffic out the management port:

You must create aManagement Route, which is configured using:

tmsh create /sys management-route gateway network

This sends syslog traffic:

Out of themanagement interface

Using theManagement IPas the source

Thus,Option Bis correct.

Why the other options are incorrect:

A. Set the Management IP as the source address

Source address selection is overridden by routing.

Without a management route, traffic still goes out the data plane.

C. Create a new Self IP using a route domain

Unnecessary and not related to management-plane routing.

Syslog traffic should not rely on data-plane Self IPs.

D. Modify port lockdown on Self IP to allow UDP/514

This would allow Syslog trafficintothe BIG-IP over a Self IP, not forceoutboundtraffic via management.

Access to the BIG-IP Configuration Utility (TMUI) is controlled through the/sys httpd allowlist.

This list defines which IP addresses or subnets are allowed to connect to the management web interface.

To allow two new subnets—172.28.31.0/24and172.28.65.0/24—the administrator mustaddboth subnets to the existing list without removing current entries.

In tmsh, subnet entries must be specified innetwork/netmask format, for example:

172.28.31.0/255.255.255.0

The correct tmsh command to append these networks is:

modify /sys httpd allow add { 172.28.31.0/255.255.255.0 172.28.65.0/255.255.255.0 }

Why the other options are incorrect:

Option B:

IPs are listed without masks, which is invalid for subnet-based access control.

The system requiresnetwork/netmaskformat.

Option C:

The command uses permit instead of allow, which is not a valid attribute of /sys httpd.

The correct keyword must beallow.

Thus, onlyOption Acorrectly adds both permitted subnets in the proper tmsh format.

When a TMOS image (.iso file) is uploaded into the/shared/images/directory, the BIG-IP performs an internal validation step before the ISO appears in the GUI.

1. The system verifies the internal checksum

BIG-IP automatically reads the embedded checksum inside the ISO file

Verifies integrity of the uploaded image

Confirms the file is not corrupted or incomplete

Ensures the image is a valid F5 TMOS software image

Only after this checksum verification succeeds does the image appear under:

System → Software Management → Image List

Why the other options are incorrect:

A. The system performs a reboot into a new partition

Uploading an ISO file never triggers a reboot.

C. The system copies the image to /var/local/images/

All valid TMOS images remain in/shared/images/.

No copying occurs.

When upgrading to a newer TMOS software version, BIG-IP validates whether the current license is permitted to run that version.

This is controlled by theService Check Datein the device’s license file.

If the Service Check Date is older than the minimum required for the target version:

The systemboots into the new volume,

Butfails to load the configuration,

And will instead present messages indicating that the configuration cannot be applied due to aninvalid or outdated license.

This is a well-known behavior:

An outdated license, not reactivated before upgrade, causes configuration load failure after reboot into the new software.

Why the other options are incorrect:

A. Performed on the standby unit

Upgrading a standby unit does not cause configuration load failure.

Standby-only upgrades are standard best practice.

C. Two reboots required

BIG-IP does not require two reboots during an upgrade.

One reboot into the new volume is sufficient.

D. DNS connectivity failure

DNS connectivity does not affect configuration loading.

DNS is only needed for automatic license activation, not for applying config at boot.

Thus, the configuration failed to load because thelicense was not reactivated before the upgrade, makingOption Bcorrect.

License reactivation updates the BIG-IP device’s license file to ensure:

TheService Check Dateis current

The device is eligible to install the intended TMOS version

Any module entitlement updates are received

Reactivationdoes not interrupt trafficand does not require a reboot, making it safe to performbeforethe maintenance window.

F5 best practices state:

Performall non-impact tasks priorto the scheduled maintenance window

Leave the window available for activities that require rebooting, such as the software installation itself

Since license reactivation isnon-disruptive, it should be donebeforethe upgrade window starts.