[2025] New F5CAB1 exam Free Sample Questions to Practice
NEW QUESTION # 20
An F5 VE has been deployed into a VMware environment via an OVF file.
An administrator wants to configure the management IP address so the VE can be accessed for further setup.
Which two are valid methods for configuring the management-ip address? (Choose two.)
- A. Log into the remote console and configure the management IP by running the config executable.
- B. Log into the remote console and configure the management IP through TMSH using:
create ltm management-ip <ip address>/<mask>
- C. Log into the remote console and configure the management IP by running the setup command.
- D. Log into the remote console and configure the management IP through TMSH using:
create sys management-ip <ip address>/<mask>
Answer: A,D
Explanation:
A newly deployed BIG-IP Virtual Edition (VE) in VMware requires initial configuration of its management-ip address so it can be accessed over the network. F5 provides several valid mechanisms during initial console access:
A). Running the config utility
* The config script is available on new BIG-IP installations and VE deployments.
* It launches a guided text-based wizard allowing configuration of:
* Management IP
* Netmask
* Default route
* This is a standard and recommended method during first-time setup.
B). Using TMSH with create sys management-ip
* Administrators can enter TMSH directly from the console and run:
* create sys management-ip <ip>/<mask>
* The management-ip object resides under sys, not under ltm or any other module.
* This is the correct tmsh method for defining the management interface address.
Why the other options are incorrect:
C). create ltm management-ip
* There is no such object under /ltm.
* LTM handles traffic objects (virtual servers, pools), not system management interfaces.
D). Running the setup command
* The setup command is used for general system configuration but does not configure the management-ip.
* It is not the supported method for initial management IP assignment on VE deployments.
Therefore, the valid methods are running the config utility and using the sys management-ip command within TMSH.
NEW QUESTION # 21
The Configuration Utility of a BIG-IP device is currently accessible via its management IP 10.53.1.245 from all VLANs.
The BIG-IP Administrator needs to restrict access so only hosts from the 10.0.0.0/24 subnet can access the Configuration Utility.
Which TMSH command accomplishes this?
- A. (tmos)# create /net acl MGMT.HTTP rule add { (permit tcp 10.0.0.0 0.0.0.255 host 10.53.1.245 http) }
- B. (tmos)# modify /ltm httpd allow replace-all-with {10.0.0.0/24}
- C. (tmos)# modify /sys httpd allow replace-all-with {10.0.0.0/24}
- D. (tmos)# create /net acl MGMT.HTTP rule add { (permit tcp 10.0.0.0/24 10.53.1.245 http) (deny ip any any http) }
Answer: C
Explanation:
BIG-IP controls access to the web-based Configuration Utility (TMUI) through the /sys httpd allow list. This parameter specifies which client IPs or subnets may initiate HTTP/HTTPS connections to the management interface.
To restrict TMUI access to only the 10.0.0.0/24 subnet:
* The correct method is to modify the HTTPD allow list so that it contains only this subnet.
* This requires replacing the entire current list with the new subnet using:
modify /sys httpd allow replace-all-with {10.0.0.0/24}
This ensures that only clients within 10.0.0.0/24 can reach the Configuration Utility.
Why the other options are incorrect:
* Options A and C create network ACL objects under /net acl, which apply to data-plane traffic, not management-plane TMUI access. TMUI access is not controlled by LTM ACLs but by the HTTPD allow directive.
* Option B is incorrect syntax and references /ltm httpd, which is not the proper object; the correct hierarchy is /sys httpd.
Thus, only modifying the /sys httpd allow list achieves the required restriction.
NEW QUESTION # 22
The BIG-IP Administrator received a ticket that an authorized user is attempting to connect to the Configuration Utility from a jump host and is being denied.
The HTTPD allow list is configured as:
sys httpd {
allow { 172.28.31.0/255.255.255.0 172.28.65.0/255.255.255.0 }
}
The jump host IP is 172.28.32.22.
What command should the BIG-IP Administrator use to allow HTTPD access for this jump host?
- A. modify /sys httpd allow add { 172.28.32.22 }
- B. modify /sys httpd allow replace-all-with { 172.28.32.22 }
- C. modify /sys httpd allow delete { 172.28.31.0/255.255.255.0 172.28.65.0/255.255.255.0 }
Answer: A
Explanation:
The HTTPD allow list controls which IP addresses or subnets may access the Configuration Utility (TMUI) on the BIG-IP system. The Administrator already has two subnets allowed and needs to add a single host IP to the existing list.
* The object /sys httpd allow supports actions such as add, delete, and replace-all-with.
* Because the goal is to add one more entry without removing the existing permitted subnets, the correct command is:
modify /sys httpd allow add { 172.28.32.22 }
This appends the new host to the existing list while preserving the previously configured networks.
Why the other options are incorrect:
* Option A (replace-all-with) would overwrite the entire allow list, removing existing permitted subnets - unacceptable.
* Option B (delete) would remove the existing networks and not add the required host.
Therefore, the correct administrative action is to add the jump host's IP.
NEW QUESTION # 23
What are the two options for securing a BIG-IP's management interface?
(Choose two.)
- A. Limiting network access through the management interface to a trusted/secured network VLAN.
- B. Block all management-interface administrative HTTPS and SSH service ports to prevent access.
- C. Use the BIG-IP's Self-IP addresses for administrative access rather than the management interface.
- D. Restrict administrative HTTPS and SSH access to specific IP addresses or IP ranges.
Answer: A,D
Explanation:
Securing the BIG-IP management interface is a fundamental administrative responsibility. F5 best practices emphasize restricting who can reach the management port and ensuring that only authorized systems are allowed access.
A). Limiting management access to trusted network segments
F5 recommends placing the management interface on a dedicated, isolated, and secured management network or VLAN, rather than exposing it to production or untrusted networks.
This reduces the attack surface by ensuring only trusted segments have visibility to administrative interfaces.
D). Restricting management access by IP or subnet
F5 BIG-IP uses the /sys httpd allow list (for HTTPS) and configuration options in sshd (for SSH) to control which IP addresses or subnets can access the device.
By specifying only known administrative IPs or ranges, unauthorized users cannot reach the login services.
Why the other options are incorrect
B). Blocking all management HTTPS/SSH ports
* This would prevent any administrative access and is not a viable security practice.
C). Using Self-IP addresses for administrative access
* F5 explicitly warns against using Self-IPs for management access unless strictly necessary.
* Self-IPs are exposed to the data plane and should not be used as the primary administrative interface.
NEW QUESTION # 24
Refer to the exhibit.
What traffic will be permitted to reach the BIG-IP?
- A. SSH
- B. FTP
- C. Telnet
Answer: A
Explanation:
The exhibit shows the configuration of a Self IP with:
* Port Lockdown: Allow Custom
* A Custom List that includes the following TCP ports:
* 443
* 22
Meaning of these ports:
* TCP 443: HTTPS (TMUI - web-based management)
* TCP 22: SSH (command-line remote access)
No other TCP, UDP, or protocol entries are listed; therefore, only these two services are allowed to reach the BIG-IP via this Self IP.
Evaluating the answer choices:
| Option | Service | Port | Allowed? |
|---|---|---|---|
| FTP | TCP 21 | Not listed | Not allowed |
| SSH | TCP 22 | Listed | Allowed |
| Telnet | TCP 23 | Not listed | Not allowed |

Thus, SSH is the only traffic permitted through this Self IP configuration.
NEW QUESTION # 25
A secondary administrator has been granted access to a BIG-IP device through its Management Interface, but is unable to access the Configuration Utility (WebUI).
What command can be run from the CLI to capture the network traffic on the management interface and troubleshoot the issue?
(Choose two.)
- A. tcpdump -i mgmt -n port 443
- B. tcpdump -i tun0 -n port 443
- C. tcpdump -i management -n port 443
- D. tcpdump -i eth0 -n port 443
- E. tcpdump -i 0.0 -n port 443
Answer: A,D
Explanation:
The BIG-IP has two distinct planes:
* Management-plane: handled entirely by the management interface (MGMT)
* Data-plane (TMM): handles Self IPs, VLAN interfaces, and traffic processing
To capture traffic on the management interface, only the management-side NICs may be used:
* mgmt: Logical name for the management interface
* eth0: Physical Linux interface mapped to the management port on most BIG-IP platforms
Both of these correctly capture inbound/outbound WebUI (HTTPS/443) traffic on the management port.
Why the correct answers are A and B
A). tcpdump -i eth0 -n port 443
* On BIG-IP appliances and VMs, the management port maps to eth0 at the Linux OS level.
* Capturing on eth0 correctly shows HTTPS traffic to the WebUI.
B). tcpdump -i mgmt -n port 443
* mgmt is the BIG-IP alias for the management interface.
* This is the preferred and most explicit capture interface for management-plane packet captures.
Why the other options are incorrect:
C). tcpdump -i 0.0
* Interface 0.0 is the TMM switch interface used for data-plane packet captures.
* It does NOT capture management-plane traffic.
D). tcpdump -i tun0
* Used for tunnel interfaces (IPsec, VXLAN, etc.)
* Not related to management access.
E). tcpdump -i management
* There is no interface named management on BIG-IP.
* The correct names are mgmt or eth0.
NEW QUESTION # 26
A BIG-IP Administrator is responsible for deploying a new software image on an F5 BIG-IP HA pair and has scheduled a one-hour maintenance window.
With a focus on minimizing service disruption, which of the following strategies is the most appropriate?
- A. Update the active node first, reboot to the newly updated boot location and verify functionality, then push the update from the active to the standby node and reboot the standby node.
- B. Update the standby node first and reboot it to the newly updated boot location, failover to the newly updated node and verify functionality. Repeat the upgrade procedures on the next node, which is now in standby mode.
- C. Reset the Device Trust, apply the update to each node separately, reboot both nodes, then re-establish the Device Trust.
- D. Update both nodes in the HA pair, then reboot both nodes simultaneously to ensure they run the same software version.
Answer: B
Explanation:
For BIG-IP high-availability (HA) pairs, F5's recommended upgrade workflow prioritizes service continuity, predictable failover, and minimal downtime. The established best-practice sequence is:
* Upgrade the standby unit first
* Because the standby device is not passing traffic, upgrading and rebooting it does not impact production.
* Boot the standby unit into the newly installed version
* Once online, the administrator verifies basic health, device sync status, cluster communication, and module functionality.
* Perform a controlled failover to the upgraded unit
* Traffic shifts to the newly upgraded device, allowing validation of the configuration and operational behavior under real traffic loads.
* Upgrade the second device (now standby)
* The previously active device becomes standby after failover, allowing it to be safely upgraded and rebooted without interruption.
This phased approach ensures only one device is unavailable at a time, allowing continuous traffic flow throughout the upgrade process.
Why the Correct Answer is C
Option C exactly matches F5's documented production-safe upgrade method:
* Upgrade the standby node first
* Reboot into new image
* Failover to upgraded device
* Validate
* Upgrade the remaining (now-standby) device
This procedure minimizes risk and traffic disruption.
Why the other options are incorrect:
A). Upgrade the active node first
* Upgrading the active device requires removing it from service and failing over abruptly. This is not recommended and increases service disruption risk.
B). Resetting device trust
* Resetting trust is unnecessary and can disrupt configuration sync, peer communication, and cluster operation. It is not part of any standard upgrade workflow.
D). Upgrading and rebooting both nodes simultaneously
* This would cause total outage, because both HA members would be unavailable at the same time.
NEW QUESTION # 27
A BIG-IP device will be dedicated to functioning as a WAF, requiring only the ASM module to be provisioned.
What provisioning level will ensure that the system allocates all CPU, memory, and disk resources to this module exclusively?
- A. Comprehensive
- B. Nominal
- C. Dedicated
- D. Maximal
Answer: C
Explanation:
Provisioning defines how BIG-IP allocates system resources to modules. The provisioning levels include:
* Dedicated - allocates all CPU, memory, and disk resources to a single module
* Nominal - standard resource allocation balanced with other modules
* Minimal - lowest level, used for basic utility needs
* None - module disabled
* Comprehensive / Maximal - not valid TMOS provisioning levels
Why "Dedicated" is correct
When a BIG-IP device is intended to run only ASM (Web Application Firewall), the recommended way to maximize performance is to provision the module at Dedicated level.
With ASM: Dedicated:
* ASM receives the entire hardware capacity
* No other modules can or should be provisioned
* This is explicitly recommended when a device is used solely as a WAF platform
Why other options are incorrect
B). Comprehensive / C. Maximal
* These are not valid provisioning modes in BIG-IP.
* TMOS supports: Nominal, Minimal, Large (module-specific), and Dedicated.
D). Nominal
* Shares resources with other modules
* Does not provide full system performance
* Not suitable when exclusive resource allocation is required
Thus, Dedicated is the correct provisioning choice.
NEW QUESTION # 28
The BIG-IP Administrator uses Secure Copy Protocol (SCP) to upload a TMOS image to the /shared/images/ directory in preparation for an upgrade.
After the upload is complete, what will the system do before the image appears in the GUI under:
System > Software Management > Image List?
- A. The system verifies the internal checksum
- B. The system copies the image to /var/local/images/
- C. The system performs a reboot into the new partition
Answer: A
Explanation:
When a TMOS ISO file is transferred to /shared/images/, the BIG-IP automatically performs a validation step:
Checksum Verification
* Before the image becomes visible in the GUI, the system verifies the internal checksum embedded inside the ISO.
* This ensures:
* The file was fully transferred
* The image is not corrupted
* It matches the official F5 release signature
* Only after passing this verification does the GUI display the ISO under "Available Images."
Why the other options are incorrect:
A). Reboot into a new partition
* No reboot occurs simply from uploading an image.
C). Copying into /var/local/images/
* This directory is not used for ISO storage.
* All valid images remain in /shared/images/.
Thus, the correct system action is checksum verification.
NEW QUESTION # 29
A BIG-IP Administrator discovers malicious brute-force attempts to access the BIG-IP device on the management interface via SSH.
The administrator needs to restrict SSH access to the management interface.
Where should this be accomplished?
- A. System > Platform
- B. System > Configuration
- C. Network > Interfaces
- D. Network > Self IPs
Answer: B
Explanation:
The BIG-IP management interface (MGMT port) is controlled through System settings, not through the Network menu.
SSH access on the management interface is configured here:
System > Configuration > Device > General > SSH Access / SSH IP Allow
This section allows the administrator to:
* Enable or disable SSH service
* Restrict SSH access to specific IP addresses or subnets
* Apply security policies to the management interface
Why the other options are incorrect:
A). Network > Interfaces
* Used for data-plane physical interface settings, not management plane SSH restrictions.
B). Network > Self IPs
* Controls in-band management or data-plane access, not the dedicated management port.
D). System > Platform
* Used for hostname, time zone, LCD contrast, hardware settings - not SSH security on the management port.
Therefore, restricting SSH access to the management interface must be done under:
System > Configuration > Device > General
Which corresponds to Option C.
NEW QUESTION # 30
The monitoring team reports that the SNMP server is unable to poll data from a BIG-IP device.
What information will help the BIG-IP Administrator determine whether the issue originates from the BIG-IP system?
- A. The configuration on the exhibit is correct and other options should be explored.
- B. The "Traffic Group" setting must use a floating Traffic Group.
- C. The "Port Lockdown" setting is preventing the SNMP server from polling data from the BIG-IP.
- D. The "VLAN / Tunnel" setting must allow All Vlans.
Answer: C
Explanation:
The exhibit shows a Self IP with:
* VLAN: Data
* Port Lockdown: Allow None
Impact of "Allow None" on SNMP
When a Self IP is configured with:
Port Lockdown: Allow None
the BIG-IP blocks all services and ports except a few hardcoded HA communication ports.
This means:
* UDP/161 (SNMP) is blocked
* UDP/162 (SNMP traps) is blocked
* The SNMP server cannot poll or receive data from the BIG-IP through this Self IP
SNMP relies on access through the Self IP if out-of-band (mgmt interface) is not used.
Thus, the issue is directly caused by Port Lockdown = Allow None, which prevents SNMP communication.
Why the other options are incorrect:
B). Traffic Group must use a floating Traffic Group
* SNMP polling does not require floating Self IPs.
* Floating groups apply to HA failover IPs, not SNMP functionality.
C). VLAN/Tunnel must allow All VLANs
* Self IPs are always bound to a VLAN; SNMP does not require All VLANs.
* As long as the Self IP belongs to a reachable VLAN, SNMP can work.
D). Configuration is correct
* It is not correct: Allow None blocks SNMP and is the problem.
NEW QUESTION # 31
The device is currently on v15.1.2.1.
The BIG-IP Administrator needs to boot the device back to v13.1.0.6 to gather data for troubleshooting.
The system shows:
Sys::Software Status
Volume Product Version Build Active Status Allowed
HD1.1 BIG-IP 15.1.2.1 0.0.10 yes complete yes
HD1.2 BIG-IP 13.1.0.6 0.0.3 no complete yes
Which is the correct command-line sequence to boot the device to version 13.1.0.6?
- A. Use tmsh to select a new boot volume, tmsh reboot HD1.2
- B. switchboot -b HD1.2, then reboot
- C. switchboot -I HD1.2, then reboot
- D. Use tmsh to select a new boot volume, tmsh switchboot HD1.2
Answer: B
Explanation:
To change the boot volume on a BIG-IP system from one installed TMOS version to another, the correct CLI tool is:
switchboot
The correct syntax uses the -b flag:
switchboot -b <volume>
This command marks the specified boot location as the one to be used on the next reboot.
Thus, to boot into HD1.2, which contains 13.1.0.6, the sequence is:
* Mark HD1.2 as the next boot location:
* switchboot -b HD1.2
* Reboot the system:
* reboot
This is the standard and officially supported method for selecting a different installed volume.
Why the other options are incorrect:
A). "tmsh reboot HD1.2"
* There is no such tmsh syntax.
* Boot volume cannot be selected by adding a parameter to reboot.
C). switchboot -I HD1.2
* The -I flag is invalid. Only -b is used.
D). "tmsh switchboot HD1.2"
* switchboot is not a tmsh command; it is a system-level shell utility.
Therefore, Option B is the correct and valid command sequence.
NEW QUESTION # 32
A BIG-IP Administrator needs to install a HotFix on a standalone BIG-IP device, which has HD1.1 as the Active Boot Location.
The administrator has already re-activated the license and created a UCS archive.
In which sequence should the administrator perform the remaining steps?
- A. Activate HD1.2, Install base Image in HD1.2, Install HotFix in HD1.2
- B. Install HotFix in HD1.1, Reboot the BIG-IP device, Install UCS Archive
- C. Install base Image in HD1.2, Install HotFix in HD1.2, Activate HD1.2
- D. Install HotFix in HD1.2, Install base Image in HD1.2, Activate HD1.2
Answer: C
Explanation:
When installing a HotFix on a BIG-IP device, F5 best practices require:
* Installing the base TMOS image on a new, unused boot volume (HD1.2)
* This ensures the upgrade happens on a clean volume.
* The existing active boot location remains untouched for rollback.
* Installing the HotFix onto the SAME new boot volume (HD1.2)
* HotFixes must be applied on top of a base version.
* They cannot be installed on an empty volume.
* They must match the base image version.
* Activating the new boot volume (HD1.2)
* The system reboots into the updated software stack.
* Activation happens after base + HotFix installation is complete.
This sequence is exactly shown in Option C:
Install base Image in HD1.2
Install HotFix in HD1.2
Activate HD1.2
Why the other options are incorrect:
A). Install HotFix before base image
* Impossible.
* HotFix requires an installed base version first.
B). Installing HotFix on HD1.1 (active boot volume)
* Not recommended.
* Upgrading in-place removes rollback safety.
* HotFix cannot be applied cleanly without applying base image first.
D). Activate HD1.2 before installing anything
* You cannot activate an empty boot volume.
* Activation only occurs after the base + HotFix software is installed.
NEW QUESTION # 33
An F5 BIG-IP Administrator is asked to report which modules are provisioned on the BIG-IP.
In which two ways can this be done?
(Choose two.)
- A. Via TMSH with list /sys provision
- B. Via the GUI at System > Resource Provisioning > Module Allocation
- C. Via the GUI at Statistics > Module Statistics > System
- D. Via TMSH with show /sys provision
Answer: A,B
Explanation:
Provisioning determines:
* Which BIG-IP modules are enabled (LTM, ASM, APM, AFM, DNS, etc.)
* Their provisioning levels (None, Minimal, Nominal, Dedicated)
Two accurate ways to view provisioning settings are:
A). GUI - System > Resource Provisioning > Module Allocation
This is the primary GUI screen showing:
* All modules
* Their provisioning level
* System resource distribution impact
Administrators commonly use this page to confirm or change module provisioning.
D). TMSH - list /sys provision
This tmsh command displays each module and its provisioning level:
sys provision ltm { level nominal }
sys provision asm { level none }
This is the authoritative CLI method for checking module provisioning configurations.
Why the other options are incorrect:
B). show /sys provision
* Shows runtime information but not the actual configuration levels.
* list is the correct command for configuration details.
C). Statistics > Module Statistics
* Shows performance statistics, NOT provisioning status.
Therefore, the correct responses are A and D.
NEW QUESTION # 34
The BIG-IP Administrator wants to manage the newly built F5 system through an in-band Self-IP.
The administrator has configured a VLAN and Self-IP and can ping the IP from their workstation, but cannot access the system via SSH or HTTPS.
What port lockdown settings should the BIG-IP Administrator use to allow management access on the Self-IP?
(Choose two.)
- A. The Self-IP port lockdown behavior could be adjusted to Allow All
- B. The Self-IP port lockdown behavior could be adjusted to Allow Mgmt
- C. The Self-IP port lockdown behavior could be adjusted to Allow Management
- D. The Self-IP port lockdown behavior could be adjusted to Allow Default
Answer: B,C
Explanation:
Self-IPs include a security feature called Port Lockdown, which restricts which services respond on that Self-IP.
By default, Self-IPs block management access (SSH and HTTPS/TMUI), meaning an administrator cannot manage the device through in-band Self-IPs unless explicitly allowed.
Allow Mgmt / Allow Management
These settings enable only the management services required for administrative access, specifically:
* SSH (22)
* HTTPS/TMUI (443)
These options allow secure administration without opening unnecessary ports.
Why these are correct:
* They provide only the essential access for management.
* They follow F5 security best practices when using in-band admin access.
* They do not expose all services, reducing the attack surface.
Why the other options are incorrect:
A). Allow Default
* This allows only a minimal set of system-required ports (e.g., failover, config sync), not SSH or HTTPS.
* Administrator access would still fail.
B). Allow All
* Opens all ports on the Self-IP, which is not secure.
* Exposes services that should remain restricted.
Therefore, Allow Mgmt / Allow Management are the correct choices.
NEW QUESTION # 35
A new logging solution is being implemented on the network. Policy requires keeping management traffic sent from the BIG-IP out of the management interface. After configuring the BIG-IP to forward messages to the new Syslog server, the BIG-IP Administrator notices that packets are being sent from a numbered data-plane Self IP.
What should the BIG-IP Administrator change to send the traffic out of the correct interface?
- A. Modify the port lockdown settings on the Self IP address to allow UDP port 514 traffic.
- B. Set the Management IP as the source address when configuring a Remote Syslog destination.
- C. Create a new Self IP in the same subnet as the management IP address using a route domain.
- D. Create a Management Route for the specific address/subnet of the syslog service via TMSH.
Answer: D
Explanation:
By default, management-plane traffic uses the management routing table, while data-plane traffic uses the TMM routing table.
Remote Syslog traffic is management-plane traffic unless a management route exists.
If no Management Route matches the Syslog server's destination IP, the BIG-IP will instead:
* Use TMM routes, and
* Source the packets from a Self IP
This is exactly what the administrator is observing.
To force Syslog traffic out the management port:
You must create a Management Route, which is configured using:
tmsh create /sys management-route <name> gateway <ip> network <syslog subnet>
This sends syslog traffic:
* Out of the management interface
* Using the Management IP as the source
Thus, Option B is correct.
Why the other options are incorrect:
A). Set the Management IP as the source address
* Source address selection is overridden by routing.
* Without a management route, traffic still goes out the data plane.
C). Create a new Self IP using a route domain
* Unnecessary and not related to management-plane routing.
* Syslog traffic should not rely on data-plane Self IPs.
D). Modify port lockdown on Self IP to allow UDP/514
* This would allow Syslog traffic into the BIG-IP over a Self IP, not force outbound traffic via management.
NEW QUESTION # 36
The BIG-IP Administrator needs to update access to the Configuration Utility to include the 172.28.31.0/24 and 172.28.65.0/24 networks.
From the TMOS Shell (tmsh), which command should the BIG-IP Administrator use to complete this task?
- A. modify /sys httpd allow add { 172.28.31.0 172.28.65.0 }
- B. modify /sys httpd allow add { 172.28.31.0/255.255.255.0 172.28.65.0/255.255.255.0 }
- C. modify /sys httpd permit add { 172.28.31.0/255.255.255.0 172.28.65.0/255.255.255.0 }
Answer: B
Explanation:
Access to the BIG-IP Configuration Utility (TMUI) is controlled through the /sys httpd allow list.
This list defines which IP addresses or subnets are allowed to connect to the management web interface.
To allow two new subnets - 172.28.31.0/24 and 172.28.65.0/24 - the administrator must add both subnets to the existing list without removing current entries.
In tmsh, subnet entries must be specified in network/netmask format, for example:
172.28.31.0/255.255.255.0
The correct tmsh command to append these networks is:
modify /sys httpd allow add { 172.28.31.0/255.255.255.0 172.28.65.0/255.255.255.0 }
Why the other options are incorrect:
Option B:
* IPs are listed without masks, which is invalid for subnet-based access control.
* The system requires network/netmask format.
Option C:
* The command uses permit instead of allow, which is not a valid attribute of /sys httpd.
* The correct keyword must be allow.
Thus, only Option A correctly adds both permitted subnets in the proper tmsh format.
NEW QUESTION # 37
The BIG-IP Administrator uses Secure Copy Protocol (SCP) to upload a TMOS image to the /shared/images/ directory in preparation for a TMOS upgrade.
After the upload is completed, what will the system do before the image is shown in the GUI under:
System » Software Management » Image List?
- A. The system verifies the internal checksum
- B. The system copies the image to /var/local/images/
- C. The system performs a reboot into a new partition
Answer: A
Explanation:
When a TMOS image (.iso file) is uploaded into the /shared/images/ directory, the BIG-IP performs an internal validation step before the ISO appears in the GUI.
1. The system verifies the internal checksum
* BIG-IP automatically reads the embedded checksum inside the ISO file
* Verifies integrity of the uploaded image
* Confirms the file is not corrupted or incomplete
* Ensures the image is a valid F5 TMOS software image
Only after this checksum verification succeeds does the image appear under:
System > Software Management > Image List
Why the other options are incorrect:
A). The system performs a reboot into a new partition
* Uploading an ISO file never triggers a reboot.
C). The system copies the image to /var/local/images/
* All valid TMOS images remain in /shared/images/.
* No copying occurs.