Which one of the following is a port and protocol combination allowed by the Allow Default setting for Port Lockdown?
Answer : C
Port Lockdown controls which ports and protocols a Self IP will respond to.
The Allow Default setting permits only a predefined set of BIG-IP internal and required service ports.
The Allow Default list includes:
TCP 443: HTTPS (Management/TMUI access via Self-IP)
TCP 4353: CMI (device sync)
TCP/UDP ports related to HA communication
Other essential internal F5 ports
Why TCP 443 is correct:
It is one of the officially allowed ports under Allow Default.
It enables HTTPS/TMUI access through a Self IP.
Why the other options are incorrect:
A . TCP 80 (HTTP)
Not allowed under Allow Default
HTTP via Self-IP is blocked unless placed under Allow Custom
B . UDP 8443
Not an F5 default service
Not part of the Allow Default ports
A BIG-IP device is licensed for LTM, ASM, APM, and AFM.
Currently, it will only be used for load balancing and web application firewalling.
To ensure optimal performance and efficient resource utilization, which of the following module provisioning combinations is the best choice?
Answer : C
BIG-IP provisioning determines how CPU, memory, and disk resources are allocated to each module. The goal is to provision only the modules required and at levels appropriate to their performance needs.
Requirements in the question
The device will be used for:
LTM (Local Traffic Manager): load balancing
ASM (Application Security Manager): WAF
No functions require:
APM (Access Policy Manager)
AFM (Advanced Firewall Manager)
Why Option C is correct
Provisioning both LTM and ASM at Nominal level provides:
Adequate performance for production load
Plentiful system resources while avoiding dedicating the entire system to a single module
Balanced allocation without starving memory or CPU
Setting APM: None and AFM: None ensures unused modules consume zero resources.
Why the other options are incorrect
A . Dedicated provisioning for both LTM and ASM
Two modules cannot both run in "Dedicated" mode.
Dedicated mode allocates all resources to a single module; the second module cannot be dedicated simultaneously.
B . LTM and ASM both Dedicated
Same issue: only one module can be Dedicated at a time.
Also unnecessary for load balancing + WAF.
D . Setting APM and AFM to Minimal
Minimal still consumes memory and CPU.
Unused modules should be set to None.
Therefore, Option C is the best provisioning strategy.
Refer to the exhibit.

What traffic will be permitted to reach the BIG-IP?
Answer : B
The exhibit shows the configuration of a Self IP with:
Port Lockdown: Allow Custom
A Custom List that includes the following TCP ports:
443
22
Meaning of these ports:
TCP 443: HTTPS (TMUI, web-based management)
TCP 22: SSH (command-line remote access)
No other TCP, UDP, or protocol entries are listed; therefore, only these two services are allowed to reach the BIG-IP via this Self IP.
Evaluating the answer choices:
Service   Port     In Custom List?   Allowed?
FTP       TCP 21   Not listed        Not allowed
SSH       TCP 22   Listed            Allowed
Telnet    TCP 23   Not listed        Not allowed
Thus, SSH is the only traffic permitted through this Self IP configuration.
A BIG-IP Administrator plans to upgrade a BIG-IP device to the latest TMOS version.
Which two tools could the administrator leverage to verify known issues for the target versions? (Choose two.)
Answer : B, D
Comprehensive and Detailed Explanation (Paraphrased from F5 BIG-IP Administration Install, Initial Configuration, and Upgrade concepts)
When performing a TMOS upgrade, F5 recommends validating the target software version to ensure that the release does not contain defects that may impact system behavior. The upgrade preparation process includes checking for known issues, validating compatibility, and reviewing advisory information for the intended version. Two primary F5 tools serve this purpose:
B . F5 iHealth
iHealth is a cloud-based diagnostic and analysis platform used to evaluate the operational state of a BIG-IP system.
Administrators upload a QKView file to iHealth to receive an automated assessment of the system. As part of upgrade planning, iHealth provides:
Upgrade advisories, identifying potential risks such as deprecated features, module compatibility concerns, or changes in behavior between TMOS versions.
Checks against known defects, allowing administrators to determine whether the target TMOS version contains issues relevant to their deployment.
This aligns with F5's recommended upgrade workflow, where iHealth is used before upgrading to confirm system readiness and detect software-level concerns.
D . F5 Bug Tracker
The Bug Tracker is F5's dedicated interface for reviewing software defects across TMOS releases.
It enables administrators to:
Search for known bugs by TMOS version, module, severity, or defect ID.
Review the status of defects (open, resolved, fixed in later releases).
Identify whether high-impact or security-related issues are associated with the target upgrade version.
F5 documentation emphasizes reviewing known defects prior to installation of new software images, making the Bug Tracker a critical resource for upgrade validation.
Why the other options are not correct
A . F5 End User Diagnostics (EUD)
EUD is used exclusively for hardware diagnostics (ports, memory, fans). It does not provide software-related issue verification and is not used for upgrade planning.
C . F5 University
This is a training platform, not an operational tool. It does not provide defect listings or upgrade-specific warnings.
E . F5 Downloads
Although it provides access to software images and release notes, it is not a tool for identifying known bugs. Release notes summarize general fixes and features, but systematic bug verification requires iHealth or the Bug Tracker.
A BIG-IP Administrator is using Secure Copy Protocol (SCP) to transfer a TMOS image to the BIG-IP system in preparation for an upgrade.
To what directory should the file be transferred?
Answer : A
BIG-IP systems require all ISO images (base TMOS images and HotFix images) to be stored in a specific directory used for software installation:
/shared/images/
This directory:
Is the only supported location from which the BIG-IP software installation system validates and installs ISO files
Is accessible by both the GUI and TMSH installers
Has adequate storage space allocated specifically for images
Is part of the shared partition that persists across reboots
When transferring images via SCP, the administrator must copy them directly into /shared/images/ so that:
The GUI (System > Software Management > Available Images) can detect the image
TMSH install software image commands can reference it
Other directories such as /local/images/ or /var/images/ are not valid storage paths for software images.
The BIG-IP Administrator received a ticket that an authorized user is attempting to connect to the Configuration Utility from a jump host and is being denied.
The HTTPD allow list is configured as:
sys httpd {
allow { 172.28.31.0/255.255.255.0 172.28.65.0/255.255.255.0 }
}
The jump host IP is 172.28.32.22.
What command should the BIG-IP Administrator use to allow HTTPD access for this jump host?
Answer : C
The HTTPD allow list controls which IP addresses or subnets may access the Configuration Utility (TMUI) on the BIG-IP system. The Administrator already has two subnets allowed and needs to add a single host IP to the existing list.
The object /sys httpd allow supports actions such as add, delete, and replace-all-with.
Because the goal is to add one more entry without removing the existing permitted subnets, the correct command is:
modify /sys httpd allow add { 172.28.32.22 }
This appends the new host to the existing list while preserving the previously configured networks.
Why the other options are incorrect:
Option A (replace-all-with) would overwrite the entire allow list, removing existing permitted subnets, which is unacceptable.
Option B (delete) would remove the existing networks and not add the required host.
Therefore, the correct administrative action is to add the jump host's IP.
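The allow-list behaviour described above, modelled in Python as an added example (not F5 code and not part of the original page): it parses the stanza from the question, shows why 172.28.32.22 is denied, and compares what the add, delete and replace-all-with actions leave in the list. The client address 172.28.31.10 is constructed for illustration, and the parser is a simplification that handles only IP address and subnet entries.

```python
import ipaddress
import re

# Stanza exactly as given in the question.
HTTPD_STANZA = """sys httpd {
allow { 172.28.31.0/255.255.255.0 172.28.65.0/255.255.255.0 }
}"""

def parse_allow(stanza):
    """Return the allow entries of a 'sys httpd' stanza as ip_network objects."""
    match = re.search(r"allow\s*\{([^}]*)\}", stanza)
    if not match:
        return []
    return [ipaddress.ip_network(tok, strict=False) for tok in match.group(1).split()]

def is_allowed(allow, host):
    """True if the host address falls inside any allowed network."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in allow)

def apply_action(allow, action, entries):
    """Model of the three list actions named above; returns the new list."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    if action == "add":
        return allow + [n for n in nets if n not in allow]
    if action == "delete":
        return [n for n in allow if n not in nets]
    if action == "replace-all-with":
        return nets
    raise ValueError(f"unknown action: {action}")

def exposure(allow):
    """Number of distinct source addresses the list admits (overlaps collapsed)."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(allow))

if __name__ == "__main__":
    current = parse_allow(HTTPD_STANZA)
    jump_host, existing_client = "172.28.32.22", "172.28.31.10"  # client is constructed
    print("before:", is_allowed(current, jump_host), exposure(current))
    for action in ("add", "replace-all-with"):
        new = apply_action(current, action, [jump_host])
        print(action, "| jump host:", is_allowed(new, jump_host),
              "| existing client:", is_allowed(new, existing_client),
              "| addresses admitted:", exposure(new))
```

Running the same check against the real list before and after a change confirms that a single host entry widens TMUI exposure by exactly one address.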
An F5 BIG-IP Administrator is asked to report which modules are provisioned on the BIG-IP.
In which two ways can this be done?
(Choose two.)
Answer : A, D
Provisioning determines:
Which BIG-IP modules are enabled (LTM, ASM, APM, AFM, DNS, etc.)
Their provisioning levels (None, Minimal, Nominal, Dedicated)
Two accurate ways to view provisioning settings are:
A . GUI: System > Resource Provisioning > Module Allocation
This is the primary GUI screen showing:
All modules
Their provisioning level
System resource distribution impact
Administrators commonly use this page to confirm or change module provisioning.
D . TMSH: list /sys provision
This tmsh command displays each module and its provisioning level:
sys provision ltm { level nominal }
sys provision asm { level none }
...
This is the authoritative CLI method for checking module provisioning configurations.
Why the other options are incorrect:
B . show /sys provision
Shows runtime information but not the actual configuration levels.
list is the correct command for configuration details.
C . Statistics > Module Statistics
Shows performance statistics, NOT provisioning status.
Therefore, the correct responses are A and D.