Free Practice Questions for F5 F5CAB1 Exam

When a TMOS image (.iso file) is uploaded into the /shared/images/ directory, the BIG-IP performs an internal validation step before the ISO appears in the GUI.

1. The system verifies the internal checksum

BIG-IP automatically reads the embedded checksum inside the ISO file

Verifies integrity of the uploaded image

Confirms the file is not corrupted or incomplete

Ensures the image is a valid F5 TMOS software image

Only after this checksum verification succeeds does the image appear under:

System → Software Management → Image List

Why the other options are incorrect:

A. The system performs a reboot into a new partition

Uploading an ISO file never triggers a reboot.

C. The system copies the image to /var/local/images/

All valid TMOS images remain in /shared/images/ .

No copying occurs.

When performing a TMOS upgrade, F5 recommends validating the target software version to ensure that the release does not contain defects that may impact system behavior. The upgrade preparation process includes checking for known issues, validating compatibility, and reviewing advisory information for the intended version. Two primary F5 tools serve this purpose:

B. F5 iHealth

iHealth is a cloud-based diagnostic and analysis platform used to evaluate the operational state of a BIG-IP system.

Administrators upload a QKView file to iHealth to receive an automated assessment of the system. As part of upgrade planning, iHealth provides:

Version-specific issue analysis , comparing the system’s configuration and hardware against F5’s internal catalog of published issues.

Upgrade advisories , identifying potential risks such as deprecated features, module compatibility concerns, or changes in behavior between TMOS versions.

Checks against known defects , allowing administrators to determine whether the target TMOS version contains issues relevant to their deployment.

This aligns with F5’s recommended upgrade workflow, where iHealth is used before upgrading to confirm system readiness and detect software-level concerns.

D. F5 Bug Tracker

The Bug Tracker is F5’s dedicated interface for reviewing software defects across TMOS releases.

It enables administrators to:

Search for known bugs by TMOS version , module, severity, or defect ID.

Review the status of defects (open, resolved, fixed in later releases).

Identify whether high-impact or security-related issues are associated with the target upgrade version.

F5 documentation emphasizes reviewing known defects prior to installation of new software images, making the Bug Tracker a critical resource for upgrade validation.

Why the other options are not correct

A. F5 End User Diagnostics (EUD)

EUD is used exclusively for hardware diagnostics (ports, memory, fans). It does not provide software-related issue verification and is not used for upgrade planning.

C. F5 University

This is a training platform , not an operational tool. It does not provide defect listings or upgrade-specific warnings.

E. F5 Downloads

Although it provides access to software images and release notes, it is not a tool for identifying known bugs . Release notes summarize general fixes and features, but systematic bug verification requires iHealth or the Bug Tracker.

Access to the BIG-IP Configuration Utility (TMUI) is controlled through the /sys httpd allow list.

This list defines which IP addresses or subnets are allowed to connect to the management web interface.

To allow two new subnets— 172.28.31.0/24 and 172.28.65.0/24 —the administrator must add both subnets to the existing list without removing current entries.

In tmsh, subnet entries must be specified in network/netmask format , for example:

172.28.31.0/255.255.255.0

The correct tmsh command to append these networks is:

modify /sys httpd allow add { 172.28.31.0/255.255.255.0 172.28.65.0/255.255.255.0 }

Why the other options are incorrect:

Option B:

IPs are listed without masks, which is invalid for subnet-based access control.

The system requires network/netmask format.

Option C:

The command uses permit instead of allow, which is not a valid attribute of /sys httpd.

The correct keyword must be allow .

Thus, only Option A correctly adds both permitted subnets in the proper tmsh format.

For BIG-IP high-availability (HA) pairs, F5’s recommended upgrade workflow prioritizes service continuity , predictable failover , and minimal downtime . The established best-practice sequence is:

Upgrade the standby unit first

Because the standby device is not passing traffic, upgrading and rebooting it does not impact production.

Boot the standby unit into the newly installed version

Once online, the administrator verifies basic health, device sync status, cluster communication, and module functionality.

Perform a controlled failover to the upgraded unit

Traffic shifts to the newly upgraded device, allowing validation of the configuration and operational behavior under real traffic loads.

Upgrade the second device (now standby)

The previously active device becomes standby after failover, allowing it to be safely upgraded and rebooted without interruption.

This phased approach ensures only one device is unavailable at a time, allowing continuous traffic flow throughout the upgrade process.

Why the Correct Answer is C

Option C exactly matches F5’s documented production-safe upgrade method:

Upgrade the standby node first

Reboot into new image

Failover to upgraded device

Validate

Upgrade the remaining (now-standby) device

This procedure minimizes risk and traffic disruption.

Why the other options are incorrect:

A. Upgrade the active node first

Upgrading the active device requires removing it from service and failing over abruptly. This is not recommended and increases service disruption risk.

B. Resetting device trust

Resetting trust is unnecessary and can disrupt configuration sync, peer communication, and cluster operation. It is not part of any standard upgrade workflow.

D. Upgrading and rebooting both nodes simultaneously

This would cause total outage , because both HA members would be unavailable at the same time.

When installing a BIG-IP software version with a HotFix on a new boot volume , F5 requires that both the base TMOS image and the HotFix image be installed together as part of the same installation workflow.

The correct process is:

Specify the base TMOS ISO

Specify the HotFix ISO that corresponds to that base version

Instruct the system to create a new boot volume

Install both images into that new volume

This is achieved with the following tmsh syntax:

tmsh install /sys software BIGIP- < version > .iso hotfix Hotfix-BIGIP- < version > -ENG.iso create-volume HD1.2

This command:

Installs the base image first

Applies the HotFix on top of the base image

Creates and installs everything on HD1.2

Leaves the currently active volume untouched for rollback

Why the other options are incorrect

A. Installing only the hotfix

A HotFix cannot be installed by itself on a new volume. A base image must already be present.

C. Using create instead of install

The create keyword is not valid for software installation operations.

D. Using copy

The copy command does not install software images or hotfixes.

Comprehensive and Detailed Explanation (Paraphrased)

The BIG-IP stores the configured management IP address as a system configuration object under the /sys hierarchy.

To display configured (persistent) values, BIG-IP uses the tmsh list command , not show.

Why tmsh list sys management-ip is correct

The management IP configuration is defined under:

/sys management-ip

Running:

tmsh list sys management-ip

displays:

The configured management IP address

Netmask

Associated attributes

This command shows the actual configured management IP , which is what the question asks for.

Why the other options are incorrect

A. tmsh show sys management-ip

The show command is used for runtime statistics and status.

management-ip is a configuration object, not a statistics object.

C. tmsh list sys management-route

Displays management routing information, not the management IP address itself.

D. tmsh list net self

Displays Self IPs used on the data plane.

Does not show the management interface IP.

When logged into the bash shell of a BIG-IP system, there are two valid ways to view the management-ip address:

A. tmsh list /sys management-ip

Even from the bash shell, the administrator can enter a tmsh command by typing:

tmsh list /sys management-ip

This displays:

Management IP address

Netmask

Any configured management routes

This is the official tmsh method for viewing the management-ip configuration.

C. ifconfig mgmt

In the underlying Linux OS, the management interface maps to the mgmt interface.

Running:

ifconfig mgmt

displays:

Assigned management IP

Netmask

Link-level status

This is a valid Linux-level method used frequently for troubleshooting.

Why the other options are incorrect:

B. show mgmt ip

Not a valid bash or tmsh command on BIG-IP.

D. list / sys management-ip

Missing the tmsh prefix.

In bash, this will generate a syntax error.

The correct form requires:

tmsh list /sys management-ip

Self-IPs include a security feature called Port Lockdown , which restricts which services respond on that Self-IP.

By default, Self-IPs block management access (SSH and HTTPS/TMUI), meaning an administrator cannot manage the device through in-band Self-IPs unless explicitly allowed.

Allow Mgmt / Allow Management

These settings enable only the management services required for administrative access, specifically:

SSH (22)

HTTPS/TMUI (443)

These options allow secure administration without opening unnecessary ports.

Why these are correct:

They provide only the essential access for management.

They follow F5 security best practices when using in-band admin access.

They do not expose all services, reducing the attack surface.

Why the other options are incorrect:

A. Allow Default

This allows only a minimal set of system-required ports (e.g., failover, config sync), not SSH or HTTPS.

Administrator access would still fail.

B. Allow All

Opens all ports on the Self-IP, which is not secure .

Exposes services that should remain restricted.

Therefore, Allow Mgmt / Allow Management are the correct choices.

The exhibit shows a Self IP with:

VLAN: Data

Port Lockdown: Allow None

Impact of “Allow None” on SNMP

When a Self IP is configured with:

Port Lockdown: Allow None

the BIG-IP blocks all services and ports except a few hardcoded HA communication ports.

This means:

UDP/161 (SNMP) is blocked

UDP/162 (SNMP traps) is blocked

The SNMP server cannot poll or receive data from the BIG-IP through this Self IP

SNMP relies on access through the Self IP if out-of-band (mgmt interface) is not used.

Thus, the issue is directly caused by Port Lockdown = Allow None , which prevents SNMP communication.

Why the other options are incorrect:

B. Traffic Group must use a floating Traffic Group

SNMP polling does not require floating Self IPs.

Floating groups apply to HA failover IPs, not SNMP functionality.

C. VLAN/Tunnel must allow All VLANs

Self IPs are always bound to a VLAN; SNMP does not require All VLANs.

As long as the Self IP belongs to a reachable VLAN, SNMP can work.

D. Configuration is correct

It is not correct: Allow None blocks SNMP and is the problem.