F5CAB1 Sample Questions Answers

The exhibit shows aSelf IPwith:

VLAN:Data

Port Lockdown:Allow None

Impact of “Allow None” on SNMP

When a Self IP is configured with:

Port Lockdown: Allow None

the BIG-IP blocksallservices and ports except a few hardcoded HA communication ports.

This means:

UDP/161 (SNMP)is blocked

UDP/162 (SNMP traps)is blocked

The SNMP server cannot poll or receive data from the BIG-IP through this Self IP

SNMP relies on access through the Self IP if out-of-band (mgmt interface) is not used.

Thus, the issue is directly caused byPort Lockdown = Allow None, which prevents SNMP communication.

Why the other options are incorrect:

B. Traffic Group must use a floating Traffic Group

SNMP polling doesnotrequire floating Self IPs.

Floating groups apply to HA failover IPs, not SNMP functionality.

C. VLAN/Tunnel must allow All VLANs

Self IPs are always bound to a VLAN; SNMP doesnotrequire All VLANs.

As long as the Self IP belongs to a reachable VLAN, SNMP can work.

D. Configuration is correct

It is not correct:Allow Noneblocks SNMP and is the problem.

BIG-IP provisioning determines how CPU, memory, and disk resources are allocated to each module. The goal is to provision only the modules required and at levels appropriate to their performance needs.

Requirements in the question

The device will be used for:

LTM(Local Traffic Manager) → load balancing

ASM(Application Security Manager) → WAF

No functions require:

APM (Access Policy Manager)

AFM (Advanced Firewall Manager)

Why Option C is correct

Provisioning bothLTMandASMatNominallevel provides:

Adequate performance for production load

Plentiful system resources while avoiding dedicating the entire system to a single module

Balanced allocation without starving memory or CPU

SettingAPM: NoneandAFM: Noneensures unused modules consume zero resources.

Why the other options are incorrect

A. Dedicated provisioning for both LTM and ASM

Two modules cannot both run in “Dedicated” mode.

Dedicated mode allocatesallresources to a single module — the second module cannot be dedicated simultaneously.

B. LTM and ASM both Dedicated

Same issue: only one module can be Dedicated at a time.

Also unnecessary for load balancing + WAF.

D. Setting APM and AFM to Minimal

Minimal still consumes memory and CPU.

Unused modules should be set toNone.

Therefore,Option Cis the best provisioning strategy.

TheService Check Datedetermines whether a particular software version is allowed to run under the device’s license.

When installing or upgrading TMOS, the installer checks theService Check Datestored in the BIG-IP license file.

If the license date isolderthan the minimum required for the target version, the software installation isblocked.

This check happensspecifically during a software install, not during routine device operations.

Editing virtual servers or system startup do not trigger this validation.

Thus, the enforcement happensduring software installation.

The BIG-IP system has built-in licensing enforcement.

If an administrator provisions a module that the device isnot licensedto run, the system will still allow the provisioning action to occurinitially, but the system detects the mismatch and displays an alert.

What actually happens:

The GUI places awarning bannerin theupper-left cornerlabeled something similar to:“Provisioning Warning”

This appears immediately after provisioning a module that is not included in the active license.

The system remains in an “inconsistent state” until the module is disabled again or the license is updated.

This is the visual cue BIG-IP uses to indicate that a module was provisioned without valid licensing.

Why the other options are incorrect:

A. “A BIG-IP does not allow unlicensed modules to be provisioned.”

Not true. BIG-IPdoesallow provisioning, but warns afterward.

B. “A warning will appear when provisioning an unlicensed module.”

The warning doesnotappear during the provisioning step itself.

It appearsafter provisioning, in the main GUI, as a system banner.

To change the boot volume on a BIG-IP system from one installed TMOS version to another, the correct CLI tool is:

switchboot

The correct syntax uses the-bflag:

switchboot -b

This command marks the specified boot location as the one to be used on the next reboot.

Thus, to boot intoHD1.2which contains13.1.0.6, the sequence is:

Mark HD1.2 as the next boot location:

switchboot -b HD1.2

Reboot the system:

reboot

This is the standard and officially supported method for selecting a different installed volume.

Why the other options are incorrect:

A. "tmsh reboot HD1.2"

There is no such tmsh syntax.

Boot volume cannot be selected by adding a parameter to reboot.

C. switchboot -I HD1.2

The -I flag is invalid. Only -b is used.

D. "tmsh switchboot HD1.2"

switchboot isnota tmsh command; it is a system-level shell utility.

Therefore,Option Bis the correct and valid command sequence.

The exhibit shows the configuration of aSelf IPwith:

Port Lockdown: Allow Custom

ACustom Listthat includes the following TCP ports:

443

22

Meaning of these ports:

TCP 443→ HTTPS (TMUI — web-based management)

TCP 22→ SSH (command-line remote access)

No other TCP, UDP, or protocol entries are listed; therefore, only these two services are allowed to reach the BIG-IP via this Self IP.

Evaluating the answer choices:

Option

Service

Port

Allowed?

FTP

TCP 21

Not listed

❌Not allowed

SSH

TCP 22

Listed

✅Allowed

Telnet

TCP 23

Not listed

❌Not allowed

Thus,SSHis the only traffic permitted through this Self IP configuration.

The HTTPD allow list controls which IP addresses or subnets may access the Configuration Utility (TMUI) on the BIG-IP system. The Administrator already has two subnets allowed and needs to add asingle host IPto the existing list.

The object/sys httpd allowsupports actions such asadd,delete, andreplace-all-with.

Because the goal is toaddone more entry without removing the existing permitted subnets, the correct command is:

modify /sys httpd allow add { 172.28.32.22 }

This appends the new host to the existing list while preserving the previously configured networks.

Why the other options are incorrect:

Option A (replace-all-with)wouldoverwritethe entire allow list, removing existing permitted subnets—unacceptable.

Option B (delete)wouldremovethe existing networks and not add the required host.

Therefore, the correct administrative action is toaddthe jump host’s IP.

Provisioning determines:

Which BIG-IP modules are enabled (LTM, ASM, APM, AFM, DNS, etc.)

Their provisioning levels (None, Minimal, Nominal, Dedicated)

Two accurate ways to view provisioning settings are:

A. GUI — System → Resource Provisioning → Module Allocation

This is the primary GUI screen showing:

All modules

Their provisioning level

System resource distribution impact

Administrators commonly use this page to confirm or change module provisioning.

D. TMSH — list /sys provision

This tmsh command displays each module and its provisioning level:

sys provision ltm { level nominal }

sys provision asm { level none }

This is the authoritative CLI method for checking module provisioning configurations.

Why the other options are incorrect:

B. show /sys provision

Showsruntimeinformation butnot the actual configuration levels.

list is the correct command for configuration details.

C. Statistics → Module Statistics

Shows performance statistics, NOT provisioning status.

Therefore, the correct responses areAandD.

BIG-IP controls access to the web-based Configuration Utility (TMUI) through the/sys httpd allowlist. This parameter specifies which client IPs or subnets may initiate HTTP/HTTPS connections to the management interface.

To restrict TMUI access toonlythe 10.0.0.0/24 subnet:

The correct method is tomodify the HTTPD allow listso that it contains only this subnet.

This requires replacing the entire current list with the new subnet using:

modify /sys httpd allow replace-all-with {10.0.0.0/24}

This ensures thatonlyclients within 10.0.0.0/24 can reach the Configuration Utility.

Why the other options are incorrect:

Options A and Ccreate network ACL objects under /net acl, which apply to data-plane traffic, not management-plane TMUI access. TMUI access is not controlled by LTM ACLs but by the HTTPD allow directive.

Option Bis incorrect syntax and references /ltm httpd, which is not the proper object; the correct hierarchy is /sys httpd.

Thus, only modifying the/sys httpd allowlist achieves the required restriction.