F5 Networks BIG-IP Administration Install, Initial Configuration, and Upgrade F5CAB1 Exam Practice Test

Page: 1 / 14
Total 42 questions

Want more questions? Get Premium Access.
()

Question 1

What are the two options for securing a BIG-IP's management interface?

(Choose two.)

ALimiting network access through the management interface to a trusted/secured network VLAN.

BBlock all management-interface administrative HTTPS and SSH service ports to prevent access.

CUse the BIG-IP's Self-IP addresses for administrative access rather than the management interface.

DRestrict administrative HTTPS and SSH access to specific IP addresses or IP ranges.

Answer : A, D

Securing the BIG-IP management interface is a fundamental administrative responsibility. F5 best practices emphasize restricting who can reach the management port and ensuring that only authorized systems are allowed access.

A . Limiting management access to trusted network segments

F5 recommends placing the management interface on a dedicated, isolated, and secured management network or VLAN, rather than exposing it to production or untrusted networks.

This reduces the attack surface by ensuring only trusted segments have visibility to administrative interfaces.

D . Restricting management access by IP or subnet

F5 BIG-IP uses the /sys httpd allow list (for HTTPS) and configuration options in sshd (for SSH) to control which IP addresses or subnets can access the device.

By specifying only known administrative IPs or ranges, unauthorized users cannot reach the login services.

Why the other options are incorrect

B . Blocking all management HTTPS/SSH ports

This would prevent any administrative access and is not a viable security practice.

C . Using Self-IP addresses for administrative access

F5 explicitly warns against using Self-IPs for management access unless strictly necessary.

Self-IPs are exposed to the data plane and should not be used as the primary administrative interface.

Question 2

A BIG-IP Administrator needs to install a HotFix on a standalone BIG-IP device.

The device currently has HD1.1 as the Active Boot Location.

The administrator has already reactivated the license and created a UCS archive.

In which sequence should the administrator perform the remaining steps?

AInstall HotFix in HD1.2, Install base Image in HD1.2, Activate HD1.2

BInstall HotFix in HD1.1, Reboot the BIG-IP device, Install UCS Archive

CInstall base Image in HD1.2, Install HotFix in HD1.2, Activate HD1.2

DActivate HD1.2, Install base Image in HD1.2, Install HotFix in HD1.2

Answer : C

When installing a software upgrade with a HotFix on BIG-IP, the correct workflow requires:

Install the base TMOS image on an unused boot volume

Install the corresponding HotFix onto that same boot volume

Activate the updated boot volume to boot into the new software

This method ensures:

The existing active system (HD1.1) is untouched

The upgrade occurs in a new, clean volume (HD1.2)

The HotFix applies properly to the same base image

The administrator can revert to HD1.1 if issues occur

Option C matches the correct F5 upgrade sequence:

1. Install base image on HD1.2

2. Install HotFix on HD1.2

3. Activate HD1.2

Why the other options are incorrect:

A . Install HotFix before base image

HotFixes must be applied after the base image; not valid.

B . Installing a HotFix on the active boot location (HD1.1)

Not recommended and does not use a clean new volume.

Also does not involve installing the base image.

D . Activating HD1.2 before installing anything

Cannot activate an empty or invalid boot volume.

Thus, Option C is the correct sequence.

Question 3

A BIG-IP Administrator needs to verify the state of equipment in the data center.

A BIG-IP appliance has a solid yellow indicator on the status LED.

How should the administrator interpret this LED indicator?

AAppliance is halted or in End-User Diagnostic (EUD) mode

BAppliance is a standby member in a device group

CA warning-level alarm condition is present

DA power supply is NOT operating properly

Answer : C

BIG-IP hardware platforms use chassis LEDs to indicate system health states.

A solid yellow status LED typically indicates a warning condition, such as:

A non-critical hardware alert

A temperature threshold nearing limit

A minor fan or sensor irregularity

Other non-fatal environmental or system conditions

This state reflects a warning-level alarm, meaning the unit is operational but requires investigation.

Why the other options are incorrect

A . Halted or EUD mode

This is associated with different LED patterns (usually flashing conditions or specific color codes), not a solid yellow status LED.

B . Standby in device group

HA state is not indicated by the chassis status LED.

Standby status is a logical device state, not a hardware LED state.

D . Power supply failure

Power supply indicators use separate LEDs located on each power module (usually flashing amber/red), not the system status LED.

Thus, a solid yellow status indicator signifies a warning-level alarm.

Question 4

The BIG-IP Administrator received a ticket that an authorized user is attempting to connect to the Configuration Utility from a jump host and is being denied.

The HTTPD allow list is configured as:

sys httpd {

allow { 172.28.31.0/255.255.255.0 172.28.65.0/255.255.255.0 }

}

The jump host IP is 172.28.32.22.

What command should the BIG-IP Administrator use to allow HTTPD access for this jump host?

Amodify /sys httpd allow replace-all-with { 172.28.32.22 }

Bmodify /sys httpd allow delete { 172.28.31.0/255.255.255.0 172.28.65.0/255.255.255.0 }

Cmodify /sys httpd allow add { 172.28.32.22 }

Answer : C

The HTTPD allow list controls which IP addresses or subnets may access the Configuration Utility (TMUI) on the BIG-IP system. The Administrator already has two subnets allowed and needs to add a single host IP to the existing list.

The object /sys httpd allow supports actions such as add, delete, and replace-all-with.

Because the goal is to add one more entry without removing the existing permitted subnets, the correct command is:

modify /sys httpd allow add { 172.28.32.22 }

This appends the new host to the existing list while preserving the previously configured networks.

Why the other options are incorrect:

Option A (replace-all-with) would overwrite the entire allow list, removing existing permitted subnets---unacceptable.

Option B (delete) would remove the existing networks and not add the required host.

Therefore, the correct administrative action is to add the jump host's IP.

Question 5

Which two items demonstrate the creation of a new volume for software images?

(Choose two.)

Atmsh install software image /shared/images/BIGIP-<version>.iso volume HD1.5 create-volume

Btmsh install /sys software image BIGIP-<version>.iso volume HD1.5 create-volume

CUsing the GUI, go to System > Disk Management, select New Volume. In the pop-up window, type the name or number of the new volume and click Apply.

Dtmsh install sys software image /shared/images/BIGIP-<version>.iso volume HD1.5 create-volume

EUsing the GUI, go to System > Software Management > Available Images > Install, and in the Install Software Image pop-up window, type the new volume name or number and click Install.

ESoftware Management Install does NOT create volumes
This installs to an existing volume only
The GUI install dialog does not create new boot volumes
Thus, only Option A and Option C properly create a new software volume.

Answer : A, C

In BIG-IP, software images are installed on boot volumes (for example, HD1.1, HD1.2, HD1.3, etc.).

To install software on a new volume, the administrator must instruct the system to create a new boot location before installation.

There are two correct ways to create a new volume:

A . tmsh command (with correct syntax)

tmsh install software image /shared/images/BIGIP-<version>.iso volume HD1.5 create-volume

This syntax correctly includes:

install software image

full path to ISO (/shared/images/...)

volume name (HD1.5)

create-volume keyword

This instructs BIG-IP to create the new boot volume as part of the installation.

C . Using the GUI System > Disk Management

From the Disk Management menu, the administrator can:

Select ''New Volume''

Enter the volume identifier (e.g., HD1.5)

Apply changes

This GUI method is officially supported and explicitly creates a new boot volume before installing the software.

Why the other options are incorrect:

B . Incorrect tmsh syntax

Missing /shared/images/ path

Incorrect command structure

D . Incorrect command structure

Missing required keywords and correct command hierarchy

Question 6

A BIG-IP device will be dedicated to functioning as a WAF, requiring only the ASM module to be provisioned.

What provisioning level will ensure that the system allocates all CPU, memory, and disk resources to this module exclusively?

ADedicated

BComprehensive

CMaximal

DNominal

Answer : A

Provisioning defines how BIG-IP allocates system resources to modules. The provisioning levels include:

Dedicated -- allocates all CPU, memory, and disk resources to a single module

Nominal -- standard resource allocation balanced with other modules

Minimal -- lowest level, used for basic utility needs

None -- module disabled

Comprehensive / Maximal -- not valid TMOS provisioning levels

Why ''Dedicated'' is correct

When a BIG-IP device is intended to run only ASM (Web Application Firewall), the recommended way to maximize performance is to provision the module at Dedicated level.

With ASM: Dedicated:

ASM receives the entire hardware capacity

No other modules can or should be provisioned

This is explicitly recommended when a device is used solely as a WAF platform

Why other options are incorrect

B . Comprehensive / C. Maximal

These are not valid provisioning modes in BIG-IP.

TMOS supports: Nominal, Minimal, Large (module-specific), and Dedicated.

D . Nominal

Shares resources with other modules

Does not provide full system performance

Not suitable when exclusive resource allocation is required

Thus, Dedicated is the correct provisioning choice.

Question 7

A BIG-IP Administrator discovers malicious brute-force attempts to access the BIG-IP device on the management interface via SSH.

The administrator needs to restrict SSH access to the management interface.

Where should this be accomplished?

ANetwork > Interfaces

BNetwork > Self IPs

CSystem > Configuration

DSystem > Platform

Answer : C

The BIG-IP management interface (MGMT port) is controlled through System settings, not through the Network menu.

SSH access on the management interface is configured here:

System Configuration Device General SSH Access / SSH IP Allow

This section allows the administrator to:

Enable or disable SSH service

Restrict SSH access to specific IP addresses or subnets

Apply security policies to the management interface

Why the other options are incorrect:

A . Network > Interfaces

Used for data-plane physical interface settings, not management plane SSH restrictions.

B . Network > Self IPs

Controls in-band management or data-plane access, not the dedicated management port.

D . System > Platform

Used for hostname, time zone, LCD contrast, hardware settings --- not SSH security on the management port.

Therefore, restricting SSH access to the management interface must be done under:

System Configuration Device General

Which corresponds to Option C.