F5CAB1 F5 BIG-IP Administration Install, Initial Configuration, and Upgrade Free Practice Exam Questions (2026 Updated)

The exhibit shows the configuration of aSelf IPwith:

Port Lockdown: Allow Custom

ACustom Listthat includes the following TCP ports:

443

22

Meaning of these ports:

TCP 443→ HTTPS (TMUI — web-based management)

TCP 22→ SSH (command-line remote access)

No other TCP, UDP, or protocol entries are listed; therefore, only these two services are allowed to reach the BIG-IP via this Self IP.

Evaluating the answer choices:

Option

Service

Port

Allowed?

FTP

TCP 21

Not listed

Not allowed

SSH

TCP 22

Listed

Allowed

Telnet

TCP 23

Not listed

Not allowed

Thus,SSHis the only traffic permitted through this Self IP configuration.

Provisioning settings define which modules are enabled and how system resources are allocated to them.

These provisioning declarations are stored in:

/config/bigip.conf

This file contains:

Full module provisioning statements

TMSH-equivalent provisioning configurations such as:

sys provision ltm { level nominal }

sys provision asm { level nominal }

It is theprimary system configuration filethat stores all active provisioning details.

Why the other answers are incorrect

A. /config/bigip.license

Showslicensedmodules, not provisioned modules.

B. /config/bigip_base.conf

Stores base networking (VLANs, Self-IPs, routes), not provisioning.

D. config.ucs

A backup archive, not a live configuration file.

Thus, the correct file to review active module provisioning is/config/bigip.conf.

BIG-IP controls access to the web-based Configuration Utility (TMUI) through the/sys httpd allowlist. This parameter specifies which client IPs or subnets may initiate HTTP/HTTPS connections to the management interface.

To restrict TMUI access toonlythe 10.0.0.0/24 subnet:

The correct method is tomodify the HTTPD allow listso that it contains only this subnet.

This requires replacing the entire current list with the new subnet using:

modify /sys httpd allow replace-all-with {10.0.0.0/24}

This ensures thatonlyclients within 10.0.0.0/24 can reach the Configuration Utility.

Why the other options are incorrect:

Options A and Ccreate network ACL objects under /net acl, which apply to data-plane traffic, not management-plane TMUI access. TMUI access is not controlled by LTM ACLs but by the HTTPD allow directive.

Option Bis incorrect syntax and references /ltm httpd, which is not the proper object; the correct hierarchy is /sys httpd.

Thus, only modifying the/sys httpd allowlist achieves the required restriction.

A newly deployed BIG-IP Virtual Edition (VE) in VMware requires initial configuration of itsmanagement-ipaddress so it can be accessed over the network. F5 provides several valid mechanisms during initial console access:

A. Running the config utility

The config script is available on new BIG-IP installations and VE deployments.

It launches a guided text-based wizard allowing configuration of:

Management IP

Netmask

Default route

This is a standard and recommended method during first-time setup.

B. Using TMSH with create sys management-ip

Administrators can enter TMSH directly from the console and run:

create sys management-ip /

The management-ip object resides undersys, not under ltm or any other module.

This is the correct tmsh method for defining the management interface address.

Why the other options are incorrect:

C. create ltm management-ip

There isnosuch object under /ltm.

LTM handles traffic objects (virtual servers, pools), not system management interfaces.

D. Running the setup command

The setup command is used for general system configuration butdoes not configure the management-ip.

It is not the supported method for initial management IP assignment on VE deployments.

Therefore, the valid methods are running theconfigutility and using thesys management-ipcommand within TMSH.

The BIG-IP system has built-in licensing enforcement.

If an administrator provisions a module that the device isnot licensedto run, the system will still allow the provisioning action to occurinitially, but the system detects the mismatch and displays an alert.

What actually happens:

The GUI places awarning bannerin theupper-left cornerlabeled something similar to:“Provisioning Warning”

This appears immediately after provisioning a module that is not included in the active license.

The system remains in an “inconsistent state” until the module is disabled again or the license is updated.

This is the visual cue BIG-IP uses to indicate that a module was provisioned without valid licensing.

Why the other options are incorrect:

A. “A BIG-IP does not allow unlicensed modules to be provisioned.”

Not true. BIG-IPdoesallow provisioning, but warns afterward.

B. “A warning will appear when provisioning an unlicensed module.”

The warning doesnotappear during the provisioning step itself.

It appearsafter provisioning, in the main GUI, as a system banner.

License reactivation updates the BIG-IP device’s license file to ensure:

TheService Check Dateis current

The device is eligible to install the intended TMOS version

Any module entitlement updates are received

Reactivationdoes not interrupt trafficand does not require a reboot, making it safe to performbeforethe maintenance window.

F5 best practices state:

Performall non-impact tasks priorto the scheduled maintenance window

Leave the window available for activities that require rebooting, such as the software installation itself

Since license reactivation isnon-disruptive, it should be donebeforethe upgrade window starts.

BIG-IP provisioning determines how CPU, memory, and disk resources are allocated to each module. The goal is to provision only the modules required and at levels appropriate to their performance needs.

Requirements in the question

The device will be used for:

LTM(Local Traffic Manager) → load balancing

ASM(Application Security Manager) → WAF

No functions require:

APM (Access Policy Manager)

AFM (Advanced Firewall Manager)

Why Option C is correct

Provisioning bothLTMandASMatNominallevel provides:

Adequate performance for production load

Plentiful system resources while avoiding dedicating the entire system to a single module

Balanced allocation without starving memory or CPU

SettingAPM: NoneandAFM: Noneensures unused modules consume zero resources.

Why the other options are incorrect

A. Dedicated provisioning for both LTM and ASM

Two modules cannot both run in “Dedicated” mode.

Dedicated mode allocatesallresources to a single module — the second module cannot be dedicated simultaneously.

B. LTM and ASM both Dedicated

Same issue: only one module can be Dedicated at a time.

Also unnecessary for load balancing + WAF.

D. Setting APM and AFM to Minimal

Minimal still consumes memory and CPU.

Unused modules should be set toNone.

Therefore,Option Cis the best provisioning strategy.

In BIG-IP, software images are installed onboot volumes(for example, HD1.1, HD1.2, HD1.3, etc.).

To install software on anew volume, the administrator must instruct the system to create a new boot location before installation.

There are two correct ways to create a new volume:

A. tmsh command (with correct syntax)

tmsh install software image /shared/images/BIGIP-.iso volume HD1.5 create-volume

This syntax correctly includes:

install software image

full path to ISO (/shared/images/...)

volume name (HD1.5)

create-volumekeyword

This instructs BIG-IP to create the new boot volume as part of the installation.

C. Using the GUI → System > Disk Management

From the Disk Management menu, the administrator can:

Select “New Volume”

Enter the volume identifier (e.g., HD1.5)

Apply changes

This GUI method is officially supported and explicitly creates a new boot volume before installing the software.

Why the other options are incorrect:

B. Incorrect tmsh syntax

Missing /shared/images/ path

Incorrect command structure

D. Incorrect command structure

Missing required keywords and correct command hierarchy

E. Software Management → Install does NOT create volumes

This installs to anexistingvolume only

The GUI install dialog does not create new boot volumes

Thus, onlyOption AandOption Cproperly create a new software volume.

Comprehensive and Detailed Explanation (Paraphrased from F5 BIG-IP Administration / Installation / Initial Configuration concepts)

Within the BIG-IP Traffic Management Shell (tmsh), system configuration objects—including the management IP—are organized under the/syshierarchy. The management IP address is a configurable property stored in the system configuration and can be viewed using the tmshlistcommand, which displays configuration objects and their currently assigned values.

Why “list /sys management-ip” is correct

The list command in tmsh is used todisplay configured system values, not runtime statistics.

The object that holds the management IP settings on BIG-IP systems is located at:/sys management-ip

Running the command:list /sys management-ipwill reveal the settings for the management IP interface, including the address, netmask, and any associated attributes.

This is the standard method used during system setup and verification to confirm the management IP configuration.

This behavior aligns with BIG-IP administration procedures, where configuration information is retrieved usinglist, while operational data is retrieved usingshow.

Why the other options are incorrect

A. run /util bash ifconfig mgmt

This command enters the Bash shell, then runs ifconfig to display the management interface.

While this can show the management interface address, it isnot a tmsh-native command, and the question specifically asks for a tmsh command.

Administrators use tmsh directly for configuration display rather than leaving the shell.

C. show /sys management-ip

The show command displaysstatistics or operational data, not configuration values.

The management-ip object does not maintain statistics; therefore show does not return the configuration details required.

Only thelistcommand reveals stored configuration data such as IP address and netmask.

The HTTPD allow list controls which IP addresses or subnets may access the Configuration Utility (TMUI) on the BIG-IP system. The Administrator already has two subnets allowed and needs to add asingle host IPto the existing list.

The object/sys httpd allowsupports actions such asadd,delete, andreplace-all-with.

Because the goal is toaddone more entry without removing the existing permitted subnets, the correct command is:

modify /sys httpd allow add { 172.28.32.22 }

This appends the new host to the existing list while preserving the previously configured networks.

Why the other options are incorrect:

Option A (replace-all-with)wouldoverwritethe entire allow list, removing existing permitted subnets—unacceptable.

Option B (delete)wouldremovethe existing networks and not add the required host.

Therefore, the correct administrative action is toaddthe jump host’s IP.

TheService Check Datedetermines whether a particular software version is allowed to run under the device’s license.

When installing or upgrading TMOS, the installer checks theService Check Datestored in the BIG-IP license file.

If the license date isolderthan the minimum required for the target version, the software installation isblocked.

This check happensspecifically during a software install, not during routine device operations.

Editing virtual servers or system startup do not trigger this validation.

Thus, the enforcement happensduring software installation.

When installing a software upgrade with a HotFix on BIG-IP, the correct workflow requires:

Install the base TMOS imageon an unused boot volume

Install the corresponding HotFixonto that same boot volume

Activate the updated boot volumeto boot into the new software

This method ensures:

The existing active system (HD1.1) is untouched

The upgrade occurs in a new, clean volume (HD1.2)

The HotFix applies properly to the same base image

The administrator can revert to HD1.1 if issues occur

OptionCmatches the correct F5 upgrade sequence:

1. Install base image on HD1.2

2. Install HotFix on HD1.2

3. Activate HD1.2

Why the other options are incorrect:

A. Install HotFix before base image

HotFixes must be appliedafterthe base image; not valid.

B. Installing a HotFix on the active boot location (HD1.1)

Not recommended and does not use a clean new volume.

Also does not involve installing the base image.

D. Activating HD1.2 before installing anything

Cannot activate an empty or invalid boot volume.

Thus,Option Cis the correct sequence.