F5CAB1 F5 BIG-IP Administration Install, Initial Configuration, and Upgrade Free Practice Exam Questions (2026 Updated)

BIG-IP allocates CPU and memory resources based on module provisioning levels.

To view how much CPU a module is assigned, administrators must check provisioning information from:

C. GUI — System » Resource Provisioning

This page visually displays CPU allocation via color-coded bars.

Hovering over the CPU bar shows:

CPU usage percent per module

Which modules share CPU cycles

The system’s total resource allocation

This is the primary GUI method.

D. tmsh show /sys provision

This command displays detailed module provisioning information including:

Provisioned modules

Their provisioning level

CPU and memory allocation data

It is the authoritative CLI method for resource provisioning status.

Why the other options are incorrect:

A. top

Shows real-time process usage, not provisioned CPU allocation.

B. tmsh show /sys cpu

Displays CPU runtime utilization, not per-module provisioning.

E. Statistics Dashboard

Only shows traffic / system runtime metrics, not provisioning resource allocations.

Therefore, C and D are correct.

The BIG-IP system has built-in licensing enforcement.

If an administrator provisions a module that the device is not licensed to run, the system will still allow the provisioning action to occur initially , but the system detects the mismatch and displays an alert.

What actually happens:

The GUI places a warning banner in the upper-left corner labeled something similar to: “Provisioning Warning”

This appears immediately after provisioning a module that is not included in the active license.

The system remains in an “inconsistent state” until the module is disabled again or the license is updated.

This is the visual cue BIG-IP uses to indicate that a module was provisioned without valid licensing.

Why the other options are incorrect:

A. “A BIG-IP does not allow unlicensed modules to be provisioned.”

Not true. BIG-IP does allow provisioning, but warns afterward.

B. “A warning will appear when provisioning an unlicensed module.”

The warning does not appear during the provisioning step itself.

It appears after provisioning , in the main GUI, as a system banner.

BIG-IP systems require all ISO images (base TMOS images and HotFix images) to be stored in a specific directory used for software installation:

/shared/images/

This directory:

Is the only supported location from which the BIG-IP software installation system validates and installs ISO files

Is accessible by both the GUI and TMSH installers

Has adequate storage space allocated specifically for images

Is part of the shared partition that persists across reboots

When transferring images via SCP, the administrator must copy them directly into /shared/images/ so that:

The GUI (System → Software Management → Available Images) can detect the image

TMSH install software image commands can reference it

Other directories such as /local/images/ or /var/images/ are not valid storage paths for software images.

BIG-IP controls access to the web-based Configuration Utility (TMUI) through the /sys httpd allow list. This parameter specifies which client IPs or subnets may initiate HTTP/HTTPS connections to the management interface.

To restrict TMUI access to only the 10.0.0.0/24 subnet:

The correct method is to modify the HTTPD allow list so that it contains only this subnet.

This requires replacing the entire current list with the new subnet using:

modify /sys httpd allow replace-all-with {10.0.0.0/24}

This ensures that only clients within 10.0.0.0/24 can reach the Configuration Utility.

Why the other options are incorrect:

Options A and C create network ACL objects under /net acl, which apply to data-plane traffic, not management-plane TMUI access. TMUI access is not controlled by LTM ACLs but by the HTTPD allow directive.

Option B is incorrect syntax and references /ltm httpd, which is not the proper object; the correct hierarchy is /sys httpd.

Thus, only modifying the /sys httpd allow list achieves the required restriction.

When you choose Automatic as the activation method in the License › Re-activate screen, the BIG-IP device itself contacts F5’s license activation service over the Internet.

For successful automatic activation:

The BIG-IP must have outbound network connectivity (typically via the management interface).

DNS resolution and routing must allow it to reach the F5 license activation host (the one shown in option D).

The device sends its dossier and registration key to that service and receives an updated license file in return, which is then installed automatically.

The other hostnames in the options are not used by BIG-IP for license activation, so they cannot be correct in the context of Automatic Activation .

To identify which boot volume is currently active on a BIG-IP system, the correct command is:

tmsh show sys software status

This command displays:

All installed boot volumes (HD1.1, HD1.2, HD1.3, etc.)

The BIG-IP software version installed on each volume

The Active field, indicating which volume the system is currently booted from

The installation status (“complete”, “in-progress”, “allowed”)

This is the standard and authoritative way to determine the active boot location.

Why the other options are incorrect:

A. tmsh show sys version

Displays OS version, build, and date.

Does not show boot locations or which volume is active.

C. tmsh list sys software update

Shows software update configurations, not boot volume status.

Does not display which volume is active.

When upgrading to a newer TMOS software version, BIG-IP validates whether the current license is permitted to run that version.

This is controlled by the Service Check Date in the device’s license file.

If the Service Check Date is older than the minimum required for the target version:

The system boots into the new volume ,

But fails to load the configuration ,

And will instead present messages indicating that the configuration cannot be applied due to an invalid or outdated license .

This is a well-known behavior:

An outdated license, not reactivated before upgrade, causes configuration load failure after reboot into the new software.

Why the other options are incorrect:

A. Performed on the standby unit

Upgrading a standby unit does not cause configuration load failure.

Standby-only upgrades are standard best practice.

C. Two reboots required

BIG-IP does not require two reboots during an upgrade.

One reboot into the new volume is sufficient.

D. DNS connectivity failure

DNS connectivity does not affect configuration loading.

DNS is only needed for automatic license activation, not for applying config at boot.

Thus, the configuration failed to load because the license was not reactivated before the upgrade , making Option B correct.

When logged into the bash shell of a BIG-IP system, there are two valid ways to view the management-ip address:

A. tmsh list /sys management-ip

Even from the bash shell, the administrator can enter a tmsh command by typing:

tmsh list /sys management-ip

This displays:

Management IP address

Netmask

Any configured management routes

This is the official tmsh method for viewing the management-ip configuration.

C. ifconfig mgmt

In the underlying Linux OS, the management interface maps to the mgmt interface.

Running:

ifconfig mgmt

displays:

Assigned management IP

Netmask

Link-level status

This is a valid Linux-level method used frequently for troubleshooting.

Why the other options are incorrect:

B. show mgmt ip

Not a valid bash or tmsh command on BIG-IP.

D. list / sys management-ip

Missing the tmsh prefix.

In bash, this will generate a syntax error.

The correct form requires:

tmsh list /sys management-ip

When a TMOS ISO file is transferred to /shared/images/ , the BIG-IP automatically performs a validation step:

Checksum Verification

Before the image becomes visible in the GUI, the system verifies the internal checksum embedded inside the ISO.

This ensures:

The file was fully transferred

The image is not corrupted

It matches the official F5 release signature

Only after passing this verification does the GUI display the ISO under “Available Images.”

Why the other options are incorrect:

A. Reboot into a new partition

No reboot occurs simply from uploading an image.

C. Copying into /var/local/images/

This directory is not used for ISO storage.

All valid images remain in /shared/images/ .

Thus, the correct system action is checksum verification .

The HTTPD allow list controls which IP addresses or subnets may access the Configuration Utility (TMUI) on the BIG-IP system. The Administrator already has two subnets allowed and needs to add a single host IP to the existing list.

The object /sys httpd allow supports actions such as add , delete , and replace-all-with .

Because the goal is to add one more entry without removing the existing permitted subnets, the correct command is:

modify /sys httpd allow add { 172.28.32.22 }

This appends the new host to the existing list while preserving the previously configured networks.

Why the other options are incorrect:

Option A (replace-all-with) would overwrite the entire allow list, removing existing permitted subnets—unacceptable.

Option B (delete) would remove the existing networks and not add the required host.

Therefore, the correct administrative action is to add the jump host’s IP.

Comprehensive and Detailed Explanation From BIG-IP Administration — Install, Initial Configuration, and Upgrade:

BIG-IP Self IP addresses have an associated Port Lockdown feature that governs which protocols and services are permitted to communicate directly with that Self IP. By default, Self IPs may allow broader access than desired, making Port Lockdown a critical hardening control.

The Allow Custom option under Port Lockdown is the precise mechanism for administrators who need granular, port-specific filtering. When selected, only the explicitly listed TCP/UDP ports are permitted — all others, including port 443 (HTTPS), are implicitly denied. This satisfies the requirement of blocking 443 specifically while preserving access on other required ports.

The remaining options are incorrect for this scenario:

Option A references SSH access control under System » Platform, which governs management-plane SSH — not Self IP service filtering.

Option B disables the entire Self IP, removing all traffic handling, which is operationally disruptive.

Option D — Allow None — blocks all traffic to the Self IP, not selectively port 443.

The Allow Custom approach provides the surgical precision required: administrators enumerate permitted ports, and everything outside that list — including 443 — is dropped.

Reference Topics: Self IP Port Lockdown, Network Security Hardening, Self IP Configuration — BIG-IP Administration Study Guide.

From the exhibit, the administrator performs the following actions:

Displays the current SSH allow configuration:

tmsh list sys sshd allow

allow { ALL }

Replaces the existing SSH allow list with a specific subnet:

tmsh modify sys sshd allow replace-all-with { 10.0.0.0/24 }

Confirms the updated configuration:

tmsh list sys sshd allow

allow { 10.0.0.0/24 }

This configuration restricts SSH access to only hosts that fall within the 10.0.0.0/24 network.

Evaluation of the options

A. 10.0.0.100

This address is within the 10.0.0.0/24 subnet and is a valid host address, so SSH access is permitted.

B. 10.0.0.254

This address is also within the 10.0.0.0/24 subnet and is a valid host address, so SSH access is permitted.

C. 10.0.0.256

This is not a valid IP address because an IPv4 octet cannot exceed 255.

D. 100.0.1.10

This address is outside the configured 10.0.0.0/24 subnet and will not be allowed.

E. 100.0.0.10

This address is also outside the configured subnet and will not be allowed.

BIG-IP module provisioning determines how CPU, memory, and disk resources are allocated to each licensed module. F5 defines a specific set of supported provisioning levels.

Valid provisioning (resource allocation) settings

Nominal

Allocates a standard, balanced amount of system resources to a module.

Intended for typical production deployments where multiple modules may be provisioned at the same time.

Dedicated

Allocates all available system resources to a single module.

Used when the BIG-IP device is dedicated to running only one module (for example, ASM-only or APM-only deployments).

No other modules can be provisioned when one is set to Dedicated.

These two options are valid and supported provisioning levels.

Why the other options are incorrect

Maximum

This is not a valid BIG-IP provisioning level.

BIG-IP does not use “Maximum” as a resource allocation setting.

Limited

This is also not a supported provisioning level.

BIG-IP uses levels such as None, Minimal, Nominal, and Dedicated (module-dependent), not Limited.