F5 F5CAB1 Dumps

BIG-IP hardware platforms use chassis LEDs to indicate system health states.

A solid yellow status LED typically indicates a warning condition , such as:

A non-critical hardware alert

A temperature threshold nearing limit

A minor fan or sensor irregularity

Other non-fatal environmental or system conditions

This state reflects a warning-level alarm , meaning the unit is operational but requires investigation.

Why the other options are incorrect

A. Halted or EUD mode

This is associated with different LED patterns (usually flashing conditions or specific color codes), not a solid yellow status LED.

B. Standby in device group

HA state is not indicated by the chassis status LED.

Standby status is a logical device state, not a hardware LED state.

D. Power supply failure

Power supply indicators use separate LEDs located on each power module (usually flashing amber/red), not the system status LED.

Thus, a solid yellow status indicator signifies a warning-level alarm .

Self-IPs implement a security feature known as Port Lockdown , which limits which services are reachable on a Self-IP.

However, certain services required for BIG-IP device-to-device communication bypass Port Lockdown to ensure cluster and HA functionality.

TCP 4353

TCP port 4353 is used by Device Service Clustering (DSC) for:

Device trust establishment

Configuration synchronization

Failover communication

Because BIG-IP devices must always be able to communicate for HA functions to remain operational, port 4353 is exempt from Port Lockdown rules .

Why the other options are incorrect

A. TCP 443

Not required for device trust or synchronization.

HTTPS access is fully controlled by Port Lockdown.

C. UDP 53

DNS traffic is not required for synchronization and has no exemption under Port Lockdown.

When you choose Automatic as the activation method in the License › Re-activate screen, the BIG-IP device itself contacts F5’s license activation service over the Internet.

For successful automatic activation:

The BIG-IP must have outbound network connectivity (typically via the management interface).

DNS resolution and routing must allow it to reach the F5 license activation host (the one shown in option D).

The device sends its dossier and registration key to that service and receives an updated license file in return, which is then installed automatically.

The other hostnames in the options are not used by BIG-IP for license activation, so they cannot be correct in the context of Automatic Activation .

Comprehensive and Detailed Explanation From BIG-IP Administration — Install, Initial Configuration, and Upgrade:

BIG-IP Self IP addresses have an associated Port Lockdown feature that governs which protocols and services are permitted to communicate directly with that Self IP. By default, Self IPs may allow broader access than desired, making Port Lockdown a critical hardening control.

The Allow Custom option under Port Lockdown is the precise mechanism for administrators who need granular, port-specific filtering. When selected, only the explicitly listed TCP/UDP ports are permitted — all others, including port 443 (HTTPS), are implicitly denied. This satisfies the requirement of blocking 443 specifically while preserving access on other required ports.

The remaining options are incorrect for this scenario:

Option A references SSH access control under System » Platform, which governs management-plane SSH — not Self IP service filtering.

Option B disables the entire Self IP, removing all traffic handling, which is operationally disruptive.

Option D — Allow None — blocks all traffic to the Self IP, not selectively port 443.

The Allow Custom approach provides the surgical precision required: administrators enumerate permitted ports, and everything outside that list — including 443 — is dropped.

Reference Topics: Self IP Port Lockdown, Network Security Hardening, Self IP Configuration — BIG-IP Administration Study Guide.

For BIG-IP high-availability (HA) pairs, F5’s recommended upgrade workflow prioritizes service continuity , predictable failover , and minimal downtime . The established best-practice sequence is:

Upgrade the standby unit first

Because the standby device is not passing traffic, upgrading and rebooting it does not impact production.

Boot the standby unit into the newly installed version

Once online, the administrator verifies basic health, device sync status, cluster communication, and module functionality.

Perform a controlled failover to the upgraded unit

Traffic shifts to the newly upgraded device, allowing validation of the configuration and operational behavior under real traffic loads.

Upgrade the second device (now standby)

The previously active device becomes standby after failover, allowing it to be safely upgraded and rebooted without interruption.

This phased approach ensures only one device is unavailable at a time, allowing continuous traffic flow throughout the upgrade process.

Why the Correct Answer is C

Option C exactly matches F5’s documented production-safe upgrade method:

Upgrade the standby node first

Reboot into new image

Failover to upgraded device

Validate

Upgrade the remaining (now-standby) device

This procedure minimizes risk and traffic disruption.

Why the other options are incorrect:

A. Upgrade the active node first

Upgrading the active device requires removing it from service and failing over abruptly. This is not recommended and increases service disruption risk.

B. Resetting device trust

Resetting trust is unnecessary and can disrupt configuration sync, peer communication, and cluster operation. It is not part of any standard upgrade workflow.

D. Upgrading and rebooting both nodes simultaneously

This would cause total outage , because both HA members would be unavailable at the same time.

In BIG-IP, software images are installed on boot volumes (for example, HD1.1, HD1.2, HD1.3, etc.).

To install software on a new volume , the administrator must instruct the system to create a new boot location before installation.

There are two correct ways to create a new volume:

A. tmsh command (with correct syntax)

tmsh install software image /shared/images/BIGIP- < version > .iso volume HD1.5 create-volume

This syntax correctly includes:

install software image

full path to ISO (/shared/images/...)

volume name (HD1.5)

create-volume keyword

This instructs BIG-IP to create the new boot volume as part of the installation.

C. Using the GUI → System > Disk Management

From the Disk Management menu, the administrator can:

Select “New Volume”

Enter the volume identifier (e.g., HD1.5)

Apply changes

This GUI method is officially supported and explicitly creates a new boot volume before installing the software.

Why the other options are incorrect:

B. Incorrect tmsh syntax

Missing /shared/images/ path

Incorrect command structure

D. Incorrect command structure

Missing required keywords and correct command hierarchy

E. Software Management → Install does NOT create volumes

This installs to an existing volume only

The GUI install dialog does not create new boot volumes

Thus, only Option A and Option C properly create a new software volume.

When installing a HotFix on a BIG-IP device, F5 best practices require:

Installing the base TMOS image on a new, unused boot volume (HD1.2)

This ensures the upgrade happens on a clean volume.

The existing active boot location remains untouched for rollback.

Installing the HotFix onto the SAME new boot volume (HD1.2)

HotFixes must be applied on top of a base version.

They cannot be installed on an empty volume.

They must match the base image version.

Activating the new boot volume (HD1.2)

The system reboots into the updated software stack.

Activation happens after base + HotFix installation is complete.

This sequence is exactly shown in Option C :

Install base Image in HD1.2

Install HotFix in HD1.2

Activate HD1.2

Why the other options are incorrect:

A. Install HotFix before base image

Impossible.

HotFix requires an installed base version first.

B. Installing HotFix on HD1.1 (active boot volume)

Not recommended.

Upgrading in-place removes rollback safety.

HotFix cannot be applied cleanly without applying base image first.

D. Activate HD1.2 before installing anything

You cannot activate an empty boot volume.

Activation only occurs after the base + HotFix software is installed.

Provisioning defines how BIG-IP allocates system resources to modules. The provisioning levels include:

Dedicated – allocates all CPU, memory, and disk resources to a single module

Nominal – standard resource allocation balanced with other modules

Minimal – lowest level, used for basic utility needs

None – module disabled

Comprehensive / Maximal – not valid TMOS provisioning levels

Why “Dedicated” is correct

When a BIG-IP device is intended to run only ASM (Web Application Firewall), the recommended way to maximize performance is to provision the module at Dedicated level.

With ASM: Dedicated :

ASM receives the entire hardware capacity

No other modules can or should be provisioned

This is explicitly recommended when a device is used solely as a WAF platform

Why other options are incorrect

B. Comprehensive / C. Maximal

These are not valid provisioning modes in BIG-IP.

TMOS supports: Nominal, Minimal, Large (module-specific), and Dedicated.

D. Nominal

Shares resources with other modules

Does not provide full system performance

Not suitable when exclusive resource allocation is required

Thus, Dedicated is the correct provisioning choice.

When a TMOS ISO file is transferred to /shared/images/ , the BIG-IP automatically performs a validation step:

Checksum Verification

Before the image becomes visible in the GUI, the system verifies the internal checksum embedded inside the ISO.

This ensures:

The file was fully transferred

The image is not corrupted

It matches the official F5 release signature

Only after passing this verification does the GUI display the ISO under “Available Images.”

Why the other options are incorrect:

A. Reboot into a new partition

No reboot occurs simply from uploading an image.

C. Copying into /var/local/images/

This directory is not used for ISO storage.

All valid images remain in /shared/images/ .

Thus, the correct system action is checksum verification .

The screenshot shown is from the User Administration section of the BIG-IP GUI.

This section controls:

Root and Admin passwords

SSH Access

SSH IP Allow settings

However, it does not contain any controls for restricting access to the WebUI (TMUI) .

BIG-IP does not provide TMUI access restrictions from this part of the GUI.

Access to the web-based Configuration Utility is controlled by the httpd allow list , configured through TMSH:

tmsh modify /sys httpd allow { < IP/subnet > }

This setting is not displayed in the User Administration panel, and in many BIG-IP versions, the httpd allow list is only configurable from the CLI , not the GUI.

Therefore, the administrator cannot find the setting in the screen shown because:

TMUI access restriction is not located in this GUI section

It must be configured using tmsh under /sys httpd allow

This is why Option A is correct.

Self-IPs include a security feature called Port Lockdown , which restricts which services respond on that Self-IP.

By default, Self-IPs block management access (SSH and HTTPS/TMUI), meaning an administrator cannot manage the device through in-band Self-IPs unless explicitly allowed.

Allow Mgmt / Allow Management

These settings enable only the management services required for administrative access, specifically:

SSH (22)

HTTPS/TMUI (443)

These options allow secure administration without opening unnecessary ports.

Why these are correct:

They provide only the essential access for management.

They follow F5 security best practices when using in-band admin access.

They do not expose all services, reducing the attack surface.

Why the other options are incorrect:

A. Allow Default

This allows only a minimal set of system-required ports (e.g., failover, config sync), not SSH or HTTPS.

Administrator access would still fail.

B. Allow All

Opens all ports on the Self-IP, which is not secure .

Exposes services that should remain restricted.

Therefore, Allow Mgmt / Allow Management are the correct choices.

Access to the BIG-IP Configuration Utility (TMUI) is controlled through the /sys httpd allow list.

This list defines which IP addresses or subnets are allowed to connect to the management web interface.

To allow two new subnets— 172.28.31.0/24 and 172.28.65.0/24 —the administrator must add both subnets to the existing list without removing current entries.

In tmsh, subnet entries must be specified in network/netmask format , for example:

172.28.31.0/255.255.255.0

The correct tmsh command to append these networks is:

modify /sys httpd allow add { 172.28.31.0/255.255.255.0 172.28.65.0/255.255.255.0 }

Why the other options are incorrect:

Option B:

IPs are listed without masks, which is invalid for subnet-based access control.

The system requires network/netmask format.

Option C:

The command uses permit instead of allow, which is not a valid attribute of /sys httpd.

The correct keyword must be allow .

Thus, only Option A correctly adds both permitted subnets in the proper tmsh format.

When logged into the bash shell of a BIG-IP system, there are two valid ways to view the management-ip address:

A. tmsh list /sys management-ip

Even from the bash shell, the administrator can enter a tmsh command by typing:

tmsh list /sys management-ip

This displays:

Management IP address

Netmask

Any configured management routes

This is the official tmsh method for viewing the management-ip configuration.

C. ifconfig mgmt

In the underlying Linux OS, the management interface maps to the mgmt interface.

Running:

ifconfig mgmt

displays:

Assigned management IP

Netmask

Link-level status

This is a valid Linux-level method used frequently for troubleshooting.

Why the other options are incorrect:

B. show mgmt ip

Not a valid bash or tmsh command on BIG-IP.

D. list / sys management-ip

Missing the tmsh prefix.

In bash, this will generate a syntax error.

The correct form requires:

tmsh list /sys management-ip

When a TMOS image (.iso file) is uploaded into the /shared/images/ directory, the BIG-IP performs an internal validation step before the ISO appears in the GUI.

1. The system verifies the internal checksum

BIG-IP automatically reads the embedded checksum inside the ISO file

Verifies integrity of the uploaded image

Confirms the file is not corrupted or incomplete

Ensures the image is a valid F5 TMOS software image

Only after this checksum verification succeeds does the image appear under:

System → Software Management → Image List

Why the other options are incorrect:

A. The system performs a reboot into a new partition

Uploading an ISO file never triggers a reboot.

C. The system copies the image to /var/local/images/

All valid TMOS images remain in /shared/images/ .

No copying occurs.