F5CAB1 Sample Questions Answers

The BIG-IPmanagement interface (MGMT port)is controlled throughSystem settings, not through the Network menu.

SSH access on the management interface is configured here:

System → Configuration → Device → General → SSH Access / SSH IP Allow

This section allows the administrator to:

Enable or disable SSH service

Restrict SSH access to specific IP addresses or subnets

Apply security policies to the management interface

Why the other options are incorrect:

A. Network > Interfaces

Used for data-plane physical interface settings, not management plane SSH restrictions.

B. Network > Self IPs

Controls in-band management or data-plane access, not the dedicated management port.

D. System > Platform

Used for hostname, time zone, LCD contrast, hardware settings — not SSH security on the management port.

Therefore, restricting SSH access to themanagement interfacemust be done under:

✔System → Configuration → Device → General

Which corresponds toOption C.

To change the boot volume on a BIG-IP system from one installed TMOS version to another, the correct CLI tool is:

switchboot

The correct syntax uses the-bflag:

switchboot -b

This command marks the specified boot location as the one to be used on the next reboot.

Thus, to boot intoHD1.2which contains13.1.0.6, the sequence is:

Mark HD1.2 as the next boot location:

switchboot -b HD1.2

Reboot the system:

reboot

This is the standard and officially supported method for selecting a different installed volume.

Why the other options are incorrect:

A. "tmsh reboot HD1.2"

There is no such tmsh syntax.

Boot volume cannot be selected by adding a parameter to reboot.

C. switchboot -I HD1.2

The -I flag is invalid. Only -b is used.

D. "tmsh switchboot HD1.2"

switchboot isnota tmsh command; it is a system-level shell utility.

Therefore,Option Bis the correct and valid command sequence.

When installing a software upgrade with a HotFix on BIG-IP, the correct workflow requires:

Install the base TMOS imageon an unused boot volume

Install the corresponding HotFixonto that same boot volume

Activate the updated boot volumeto boot into the new software

This method ensures:

The existing active system (HD1.1) is untouched

The upgrade occurs in a new, clean volume (HD1.2)

The HotFix applies properly to the same base image

The administrator can revert to HD1.1 if issues occur

OptionCmatches the correct F5 upgrade sequence:

1. Install base image on HD1.2

2. Install HotFix on HD1.2

3. Activate HD1.2

Why the other options are incorrect:

A. Install HotFix before base image

HotFixes must be appliedafterthe base image; not valid.

B. Installing a HotFix on the active boot location (HD1.1)

Not recommended and does not use a clean new volume.

Also does not involve installing the base image.

D. Activating HD1.2 before installing anything

Cannot activate an empty or invalid boot volume.

Thus,Option Cis the correct sequence.

The exhibit shows aSelf IPwith:

VLAN:Data

Port Lockdown:Allow None

Impact of “Allow None” on SNMP

When a Self IP is configured with:

Port Lockdown: Allow None

the BIG-IP blocksallservices and ports except a few hardcoded HA communication ports.

This means:

UDP/161 (SNMP)is blocked

UDP/162 (SNMP traps)is blocked

The SNMP server cannot poll or receive data from the BIG-IP through this Self IP

SNMP relies on access through the Self IP if out-of-band (mgmt interface) is not used.

Thus, the issue is directly caused byPort Lockdown = Allow None, which prevents SNMP communication.

Why the other options are incorrect:

B. Traffic Group must use a floating Traffic Group

SNMP polling doesnotrequire floating Self IPs.

Floating groups apply to HA failover IPs, not SNMP functionality.

C. VLAN/Tunnel must allow All VLANs

Self IPs are always bound to a VLAN; SNMP doesnotrequire All VLANs.

As long as the Self IP belongs to a reachable VLAN, SNMP can work.

D. Configuration is correct

It is not correct:Allow Noneblocks SNMP and is the problem.

Provisioning settings define which modules are enabled and how system resources are allocated to them.

These provisioning declarations are stored in:

/config/bigip.conf

This file contains:

Full module provisioning statements

TMSH-equivalent provisioning configurations such as:

sys provision ltm { level nominal }

sys provision asm { level nominal }

It is theprimary system configuration filethat stores all active provisioning details.

Why the other answers are incorrect

A. /config/bigip.license

Showslicensedmodules, not provisioned modules.

B. /config/bigip_base.conf

Stores base networking (VLANs, Self-IPs, routes), not provisioning.

D. config.ucs

A backup archive, not a live configuration file.

Thus, the correct file to review active module provisioning is/config/bigip.conf.

The exhibit shows theCurrent Resource Allocationfor:

CPU

Disk

Memory

In particular, theMemory Allocationbar displays the modules that are currently provisioned.

Memory is the most reliable indicator because BIG-IP allocates memoryonlyto modules that are actively provisioned.

From the exhibit:

MGMT(Management) – always present

TMM(Traffic Management Microkernel) – indicatesLTM is provisioned

GTM– this label indicates that theDNS moduleis provisioned (GTM = Global Traffic Manager, now called DNS)

APM– explicitly shown, indicatingAccess Policy Manageris provisioned

Therefore, the provisioned modules are:

LTM(implied by TMM allocation)

DNS/GTM

APM

This matchesOption C: LTM, DNS, APM.

To understand:

Which modules arelicensed

Which modules areprovisioned

Theresource requirements(CPU / RAM) of each module

The administrator uses:

System » Resource Provisioning

This page displays:

All modules present in the license

Whether they are enabled or disabled

Required memory to activate each module

CPU and disk allocation information

Provisioning level options (None / Minimal / Nominal / Dedicated)

This is the exact location where BIG-IP administrators evaluate module capacity before enabling or purchasing licensing upgrades.

Why the other options are incorrect:

A. Configuration » OVSDB

Used for network virtualization integrations, not licenses or modules.

B. Software Management

Used for software image installation, not licensing.

C. Configuration » Device

Displays hostname, failover settings, device properties — not module resource requirements.

Thus, module licensing and memory requirement data are found underResource Provisioning.

When installing a HotFix on a BIG-IP device, F5 best practices require:

Installing the base TMOS image on a new, unused boot volume (HD1.2)

This ensures the upgrade happens on a clean volume.

The existing active boot location remains untouched for rollback.

Installing the HotFix onto the SAME new boot volume (HD1.2)

HotFixes must be applied on top of a base version.

They cannot be installed on an empty volume.

They must match the base image version.

Activating the new boot volume (HD1.2)

The system reboots into the updated software stack.

Activation happensafterbase + HotFix installation is complete.

This sequence is exactly shown inOption C:

Install base Image in HD1.2

Install HotFix in HD1.2

Activate HD1.2

Why the other options are incorrect:

A. Install HotFix before base image

Impossible.

HotFix requires an installed base version first.

B. Installing HotFix on HD1.1 (active boot volume)

Not recommended.

Upgrading in-place removes rollback safety.

HotFix cannot be applied cleanly without applying base image first.

D. Activate HD1.2 before installing anything

You cannot activate an empty boot volume.

Activation only occurs after the base + HotFix software is installed.

In BIG-IP, software images are installed onboot volumes(for example, HD1.1, HD1.2, HD1.3, etc.).

To install software on anew volume, the administrator must instruct the system to create a new boot location before installation.

There are two correct ways to create a new volume:

A. tmsh command (with correct syntax)

tmsh install software image /shared/images/BIGIP-.iso volume HD1.5 create-volume

This syntax correctly includes:

install software image

full path to ISO (/shared/images/...)

volume name (HD1.5)

create-volumekeyword

This instructs BIG-IP to create the new boot volume as part of the installation.

C. Using the GUI → System > Disk Management

From the Disk Management menu, the administrator can:

Select “New Volume”

Enter the volume identifier (e.g., HD1.5)

Apply changes

This GUI method is officially supported and explicitly creates a new boot volume before installing the software.

Why the other options are incorrect:

B. Incorrect tmsh syntax

Missing /shared/images/ path

Incorrect command structure

D. Incorrect command structure

Missing required keywords and correct command hierarchy

E. Software Management → Install does NOT create volumes

This installs to anexistingvolume only

The GUI install dialog does not create new boot volumes

Thus, onlyOption AandOption Cproperly create a new software volume.

When upgrading to a newer TMOS software version, BIG-IP validates whether the current license is permitted to run that version.

This is controlled by theService Check Datein the device’s license file.

If the Service Check Date is older than the minimum required for the target version:

The systemboots into the new volume,

Butfails to load the configuration,

And will instead present messages indicating that the configuration cannot be applied due to aninvalid or outdated license.

This is a well-known behavior:

An outdated license, not reactivated before upgrade, causes configuration load failure after reboot into the new software.

Why the other options are incorrect:

A. Performed on the standby unit

Upgrading a standby unit does not cause configuration load failure.

Standby-only upgrades are standard best practice.

C. Two reboots required

BIG-IP does not require two reboots during an upgrade.

One reboot into the new volume is sufficient.

D. DNS connectivity failure

DNS connectivity does not affect configuration loading.

DNS is only needed for automatic license activation, not for applying config at boot.

Thus, the configuration failed to load because thelicense was not reactivated before the upgrade, makingOption Bcorrect.