Free Practice Questions for F5 F5CAB1 Exam

ThePort Lockdownfeature controls which services a Self-IP will respond to.

Setting a Self-IP toAllow Nonemeans:

The Self-IP will not acceptanytraffic except the very limited, hard-coded HA ports such asTCP 4353used for device trust and configuration sync.

All other HA ports, including those needed for network failover and other HA mechanisms,are blocked.

When essential HA services cannot communicate, each device assumes its peer is down.

This results in:

HA failover misbehavior

Both devices thinking the other is offline

Potentialactive-active condition, which is not intended and can cause traffic disruption

Thus,Allow Nonecan break HA functionality unless the Self-IP is not used for HA links.

The HTTPD allow list controls which IP addresses or subnets may access the Configuration Utility (TMUI) on the BIG-IP system. The Administrator already has two subnets allowed and needs to add asingle host IPto the existing list.

The object/sys httpd allowsupports actions such asadd,delete, andreplace-all-with.

Because the goal is toaddone more entry without removing the existing permitted subnets, the correct command is:

modify /sys httpd allow add { 172.28.32.22 }

This appends the new host to the existing list while preserving the previously configured networks.

Why the other options are incorrect:

Option A (replace-all-with)wouldoverwritethe entire allow list, removing existing permitted subnets—unacceptable.

Option B (delete)wouldremovethe existing networks and not add the required host.

Therefore, the correct administrative action is toaddthe jump host’s IP.

To identify which boot volume is currently active on a BIG-IP system, the correct command is:

tmsh show sys software status

This command displays:

All installed boot volumes (HD1.1, HD1.2, HD1.3, etc.)

The BIG-IP software version installed on each volume

TheActivefield, indicating which volume the system is currently booted from

The installation status (“complete”, “in-progress”, “allowed”)

This is thestandard and authoritativeway to determine the active boot location.

Why the other options are incorrect:

A. tmsh show sys version

Displays OS version, build, and date.

Doesnotshow boot locations or which volume is active.

C. tmsh list sys software update

Shows software update configurations, not boot volume status.

Does not display which volume is active.

Port Lockdown controls which ports and protocols aSelf IPwill respond to.

However, certain traffic types bypass Port Lockdown for BIG-IP functionality and routing integrity.

The three types that areNOT affectedby Port Lockdown are:

1. Defined Virtual Server Traffic

Traffic destined to a Self IP that matches aconfigured virtual serveris always accepted by the BIG-IP, regardless of Port Lockdown settings.

This ensures that traffic processing does not break when administrators restrict Self-IP ports.

2. ICMP (Internet Control Message Protocol)

ICMP (such as ping, traceroute responses, etc.) always passes through a Self IP even when Port Lockdown is set to:

Allow Default

Allow None

Allow Custom

F5 allows ICMP for reachability and diagnostic purposes independent of Port Lockdown rules.

3. Centralized Management Infrastructure (CMI)

CMI includes the internal HA services used for:

Device Trust

ConfigSync

Failover

Mirroring

These essential HA communications bypass Port Lockdown to prevent accidental cluster failure.

The well-known port for this traffic isTCP 4353, which is always permitted.

Why the other options are incorrect:

Option A:SSHisrestricted by Port Lockdown unless explicitly allowed.

Option B:Same issue — SSH does not bypass Port Lockdown.

OnlyDefined VS Traffic,ICMP, andCMIbypass Port Lockdown.

For BIG-IP high-availability (HA) pairs, F5’s recommended upgrade workflow prioritizesservice continuity,predictable failover, andminimal downtime. The established best-practice sequence is:

Upgrade the standby unit first

Because the standby device is not passing traffic, upgrading and rebooting it does not impact production.

Boot the standby unit into the newly installed version

Once online, the administrator verifies basic health, device sync status, cluster communication, and module functionality.

Perform a controlled failover to the upgraded unit

Traffic shifts to the newly upgraded device, allowing validation of the configuration and operational behavior under real traffic loads.

Upgrade the second device (now standby)

The previously active device becomes standby after failover, allowing it to be safely upgraded and rebooted without interruption.

This phased approach ensures only one device is unavailable at a time, allowing continuous traffic flow throughout the upgrade process.

Why the Correct Answer is C

OptionCexactly matches F5’s documented production-safe upgrade method:

Upgrade thestandbynode first

Reboot into new image

Failover to upgraded device

Validate

Upgrade the remaining (now-standby) device

This procedure minimizes risk and traffic disruption.

Why the other options are incorrect:

A. Upgrade the active node first

Upgrading the active device requires removing it from service and failing over abruptly. This is not recommended and increases service disruption risk.

B. Resetting device trust

Resetting trust is unnecessary and can disrupt configuration sync, peer communication, and cluster operation. It is not part of any standard upgrade workflow.

D. Upgrading and rebooting both nodes simultaneously

This would causetotal outage, because both HA members would be unavailable at the same time.

Access to the BIG-IP Configuration Utility (TMUI) is controlled through the/sys httpd allowlist.

This list defines which IP addresses or subnets are allowed to connect to the management web interface.

To allow two new subnets—172.28.31.0/24and172.28.65.0/24—the administrator mustaddboth subnets to the existing list without removing current entries.

In tmsh, subnet entries must be specified innetwork/netmask format, for example:

172.28.31.0/255.255.255.0

The correct tmsh command to append these networks is:

modify /sys httpd allow add { 172.28.31.0/255.255.255.0 172.28.65.0/255.255.255.0 }

Why the other options are incorrect:

Option B:

IPs are listed without masks, which is invalid for subnet-based access control.

The system requiresnetwork/netmaskformat.

Option C:

The command uses permit instead of allow, which is not a valid attribute of /sys httpd.

The correct keyword must beallow.

Thus, onlyOption Acorrectly adds both permitted subnets in the proper tmsh format.

The exhibit shows theCurrent Resource Allocationfor:

CPU

Disk

Memory

In particular, theMemory Allocationbar displays the modules that are currently provisioned.

Memory is the most reliable indicator because BIG-IP allocates memoryonlyto modules that are actively provisioned.

From the exhibit:

MGMT(Management) – always present

TMM(Traffic Management Microkernel) – indicatesLTM is provisioned

GTM– this label indicates that theDNS moduleis provisioned (GTM = Global Traffic Manager, now called DNS)

APM– explicitly shown, indicatingAccess Policy Manageris provisioned

Therefore, the provisioned modules are:

LTM(implied by TMM allocation)

DNS/GTM

APM

This matchesOption C: LTM, DNS, APM.

Provisioning settings define which modules are enabled and how system resources are allocated to them.

These provisioning declarations are stored in:

/config/bigip.conf

This file contains:

Full module provisioning statements

TMSH-equivalent provisioning configurations such as:

sys provision ltm { level nominal }

sys provision asm { level nominal }

It is theprimary system configuration filethat stores all active provisioning details.

Why the other answers are incorrect

A. /config/bigip.license

Showslicensedmodules, not provisioned modules.

B. /config/bigip_base.conf

Stores base networking (VLANs, Self-IPs, routes), not provisioning.

D. config.ucs

A backup archive, not a live configuration file.

Thus, the correct file to review active module provisioning is/config/bigip.conf.

Securing the BIG-IP management interface is a fundamental administrative responsibility. F5 best practices emphasize restricting who can reach the management port and ensuring that only authorized systems are allowed access.

A. Limiting management access to trusted network segments

F5 recommends placing the management interface on adedicated, isolated, and secured management network or VLAN, rather than exposing it to production or untrusted networks.

This reduces the attack surface by ensuring only trusted segments have visibility to administrative interfaces.

D. Restricting management access by IP or subnet

F5 BIG-IP uses the/sys httpd allowlist (for HTTPS) and configuration options insshd(for SSH) to control which IP addresses or subnets can access the device.

By specifying only known administrative IPs or ranges, unauthorized users cannot reach the login services.

Why the other options are incorrect

B. Blocking all management HTTPS/SSH ports

This would prevent any administrative access and is not a viable security practice.

C. Using Self-IP addresses for administrative access

F5 explicitly warns against using Self-IPs for management access unless strictly necessary.

Self-IPs are exposed to the data plane and should not be used as the primary administrative interface.