F5CAB1 F5 BIG-IP Administration Install, Initial Configuration, and Upgrade Free Practice Exam Questions (2025 Updated)

The screenshot shown is from theUser Administrationsection of the BIG-IP GUI.

This section controls:

Root and Admin passwords

SSH Access

SSH IP Allow settings

However,it does not contain any controls for restricting access to the WebUI (TMUI).

BIG-IP does not provide TMUI access restrictions from this part of the GUI.

Access to the web-based Configuration Utility is controlled by thehttpd allow list, configured through TMSH:

tmsh modify /sys httpd allow { }

This setting is not displayed in the User Administration panel, and in many BIG-IP versions, the httpd allow list isonly configurable from the CLI, not the GUI.

Therefore, the administrator cannot find the setting in the screen shown because:

TMUI access restriction isnotlocated in this GUI section

It must be configured usingtmshunder/sys httpd allow

This is whyOption Ais correct.

The BIG-IP has two distinct planes:

Management-plane→ handled entirely by the management interface (MGMT)

Data-plane (TMM)→ handles Self IPs, VLAN interfaces, and traffic processing

To capture traffic on the management interface, only the management-side NICs may be used:

mgmt→ Logical name for the management interface

eth0→ Physical Linux interface mapped to the management port on most BIG-IP platforms

Both of these correctly capture inbound/outbound WebUI (HTTPS/443) traffic on the management port.

Why the correct answers are A and B

A. tcpdump -i eth0 -n port 443

On BIG-IP appliances and VMs, the management port maps toeth0at the Linux OS level.

Capturing on eth0 correctly shows HTTPS traffic to the WebUI.

B. tcpdump -i mgmt -n port 443

mgmtis the BIG-IP alias for the management interface.

This is thepreferredand most explicit capture interface for management-plane packet captures.

Why the other options are incorrect:

C. tcpdump -i 0.0

Interface0.0is the TMM switch interface used for data-plane packet captures.

Itdoes NOTcapture management-plane traffic.

D. tcpdump -i tun0

Used for tunnel interfaces (IPsec, VXLAN, etc.)

Not related to management access.

E. tcpdump -i management

There isnointerface named management on BIG-IP.

The correct names are mgmt or eth0.

Provisioning determines:

Which BIG-IP modules are enabled (LTM, ASM, APM, AFM, DNS, etc.)

Their provisioning levels (None, Minimal, Nominal, Dedicated)

Two accurate ways to view provisioning settings are:

A. GUI — System → Resource Provisioning → Module Allocation

This is the primary GUI screen showing:

All modules

Their provisioning level

System resource distribution impact

Administrators commonly use this page to confirm or change module provisioning.

D. TMSH — list /sys provision

This tmsh command displays each module and its provisioning level:

sys provision ltm { level nominal }

sys provision asm { level none }

This is the authoritative CLI method for checking module provisioning configurations.

Why the other options are incorrect:

B. show /sys provision

Showsruntimeinformation butnot the actual configuration levels.

list is the correct command for configuration details.

C. Statistics → Module Statistics

Shows performance statistics, NOT provisioning status.

Therefore, the correct responses areAandD.

Self-IPs implement a security feature known asPort Lockdown, which limits which services are reachable on a Self-IP.

However, certain services required for BIG-IP device-to-device communication bypass Port Lockdown to ensure cluster and HA functionality.

TCP 4353

TCP port4353is used byDevice Service Clustering (DSC)for:

Device trust establishment

Configuration synchronization

Failover communication

Because BIG-IP devices must always be able to communicate for HA functions to remain operational, port 4353 isexempt from Port Lockdown rules.

Why the other options are incorrect

A. TCP 443

Not required for device trust or synchronization.

HTTPS access is fully controlled by Port Lockdown.

C. UDP 53

DNS traffic is not required for synchronization and has no exemption under Port Lockdown.

The BIG-IPmanagement interface (MGMT port)is controlled throughSystem settings, not through the Network menu.

SSH access on the management interface is configured here:

System → Configuration → Device → General → SSH Access / SSH IP Allow

This section allows the administrator to:

Enable or disable SSH service

Restrict SSH access to specific IP addresses or subnets

Apply security policies to the management interface

Why the other options are incorrect:

A. Network > Interfaces

Used for data-plane physical interface settings, not management plane SSH restrictions.

B. Network > Self IPs

Controls in-band management or data-plane access, not the dedicated management port.

D. System > Platform

Used for hostname, time zone, LCD contrast, hardware settings — not SSH security on the management port.

Therefore, restricting SSH access to themanagement interfacemust be done under:

✔System → Configuration → Device → General

Which corresponds toOption C.

BIG-IP provisioning determines how CPU, memory, and disk resources are allocated to each module. The goal is to provision only the modules required and at levels appropriate to their performance needs.

Requirements in the question

The device will be used for:

LTM(Local Traffic Manager) → load balancing

ASM(Application Security Manager) → WAF

No functions require:

APM (Access Policy Manager)

AFM (Advanced Firewall Manager)

Why Option C is correct

Provisioning bothLTMandASMatNominallevel provides:

Adequate performance for production load

Plentiful system resources while avoiding dedicating the entire system to a single module

Balanced allocation without starving memory or CPU

SettingAPM: NoneandAFM: Noneensures unused modules consume zero resources.

Why the other options are incorrect

A. Dedicated provisioning for both LTM and ASM

Two modules cannot both run in “Dedicated” mode.

Dedicated mode allocatesallresources to a single module — the second module cannot be dedicated simultaneously.

B. LTM and ASM both Dedicated

Same issue: only one module can be Dedicated at a time.

Also unnecessary for load balancing + WAF.

D. Setting APM and AFM to Minimal

Minimal still consumes memory and CPU.

Unused modules should be set toNone.

Therefore,Option Cis the best provisioning strategy.

To identify which boot volume is currently active on a BIG-IP system, the correct command is:

tmsh show sys software status

This command displays:

All installed boot volumes (HD1.1, HD1.2, HD1.3, etc.)

The BIG-IP software version installed on each volume

TheActivefield, indicating which volume the system is currently booted from

The installation status (“complete”, “in-progress”, “allowed”)

This is thestandard and authoritativeway to determine the active boot location.

Why the other options are incorrect:

A. tmsh show sys version

Displays OS version, build, and date.

Doesnotshow boot locations or which volume is active.

C. tmsh list sys software update

Shows software update configurations, not boot volume status.

Does not display which volume is active.

Self-IPs include a security feature calledPort Lockdown, which restricts which services respond on that Self-IP.

By default, Self-IPs block management access (SSH and HTTPS/TMUI), meaning an administrator cannot manage the device through in-band Self-IPs unless explicitly allowed.

Allow Mgmt / Allow Management

These settings enable only the management services required for administrative access, specifically:

SSH (22)

HTTPS/TMUI (443)

These options allow secure administration without opening unnecessary ports.

Why these are correct:

They provide only the essential access for management.

They follow F5 security best practices when using in-band admin access.

They donotexpose all services, reducing the attack surface.

Why the other options are incorrect:

A. Allow Default

This allows only a minimal set of system-required ports (e.g., failover, config sync), not SSH or HTTPS.

Administrator access would still fail.

B. Allow All

Opens all ports on the Self-IP, which isnot secure.

Exposes services that should remain restricted.

Therefore,Allow Mgmt / Allow Managementare the correct choices.

Port Lockdown controls which ports and protocols aSelf IPwill respond to.

TheAllow Defaultsetting permits only a predefined set of BIG-IP internal and required service ports.

The Allow Default listincludes:

TCP 443→ HTTPS (Management/TMUI access via Self-IP)

TCP 4353 → CMI (device sync)

TCP/UDP ports related to HA communication

Other essential internal F5 ports

Why TCP 443 is correct:

It is one of the officially allowed ports underAllow Default.

It enables HTTPS/TMUI access through a Self IP.

Why the other options are incorrect:

A. TCP 80 (HTTP)

Not allowed under Allow Default

HTTP via Self-IP is blocked unless placed under Allow Custom

B. UDP 8443

Not an F5 default service

Not part of the Allow Default ports

To understand:

Which modules arelicensed

Which modules areprovisioned

Theresource requirements(CPU / RAM) of each module

The administrator uses:

System » Resource Provisioning

This page displays:

All modules present in the license

Whether they are enabled or disabled

Required memory to activate each module

CPU and disk allocation information

Provisioning level options (None / Minimal / Nominal / Dedicated)

This is the exact location where BIG-IP administrators evaluate module capacity before enabling or purchasing licensing upgrades.

Why the other options are incorrect:

A. Configuration » OVSDB

Used for network virtualization integrations, not licenses or modules.

B. Software Management

Used for software image installation, not licensing.

C. Configuration » Device

Displays hostname, failover settings, device properties — not module resource requirements.

Thus, module licensing and memory requirement data are found underResource Provisioning.

Access to the BIG-IP Configuration Utility (TMUI) is controlled through the/sys httpd allowlist.

This list defines which IP addresses or subnets are allowed to connect to the management web interface.

To allow two new subnets—172.28.31.0/24and172.28.65.0/24—the administrator mustaddboth subnets to the existing list without removing current entries.

In tmsh, subnet entries must be specified innetwork/netmask format, for example:

172.28.31.0/255.255.255.0

The correct tmsh command to append these networks is:

modify /sys httpd allow add { 172.28.31.0/255.255.255.0 172.28.65.0/255.255.255.0 }

Why the other options are incorrect:

Option B:

IPs are listed without masks, which is invalid for subnet-based access control.

The system requiresnetwork/netmaskformat.

Option C:

The command uses permit instead of allow, which is not a valid attribute of /sys httpd.

The correct keyword must beallow.

Thus, onlyOption Acorrectly adds both permitted subnets in the proper tmsh format.