F5 F5CAB1 Exam (page: 2)
F5 BIG-IP Administration Install, Initial Configuration, and Upgrade
Updated on: 12-Jan-2026

Viewing Page 2 of 7

What are the two options for securing a BIG-IP's management interface?

(Choose two.)

  A. Limiting network access through the management interface to a trusted/secured network VLAN.
  B. Block all management-interface administrative HTTPS and SSH service ports to prevent access.
  C. Use the BIG-IP's Self-IP addresses for administrative access rather than the management interface.
  D. Restrict administrative HTTPS and SSH access to specific IP addresses or IP ranges.

Answer(s): A,D

Explanation:

Securing the BIG-IP management interface is a fundamental administrative responsibility. F5 best practices emphasize restricting who can reach the management port and ensuring that only authorized systems are allowed access.

A. Limiting management access to trusted network segments

F5 recommends placing the management interface on a dedicated, isolated, and secured management network or VLAN, rather than exposing it to production or untrusted networks.

This reduces the attack surface by ensuring only trusted segments have visibility to administrative interfaces.

D. Restricting management access by IP or subnet

F5 BIG-IP uses the /sys httpd allow list (for HTTPS) and configuration options in sshd (for SSH) to control which IP addresses or subnets can access the device.

By specifying only known administrative IPs or ranges, unauthorized users cannot reach the login services.

Why the other options are incorrect

B. Blocking all management HTTPS/SSH ports

This would prevent any administrative access and is not a viable security practice.

C. Using Self-IP addresses for administrative access

F5 explicitly warns against using Self-IPs for management access unless strictly necessary.

Self-IPs are exposed to the data plane and should not be used as the primary administrative interface.



Which port is an exception to the Port Lockdown function of Self-IPs if a device-group synchronization cluster is configured?

  A. TCP 443
  B. TCP 4353
  C. UDP 53

Answer(s): B

Explanation:

Self-IPs implement a security feature known as Port Lockdown, which limits which services are reachable on a Self-IP.

However, certain services required for BIG-IP device-to-device communication bypass Port Lockdown to ensure cluster and HA functionality.

TCP 4353

TCP port 4353 is used by Device Service Clustering (DSC) for:

Device trust establishment

Configuration synchronization

Failover communication

Because BIG-IP devices must always be able to communicate for HA functions to remain operational, port 4353 is exempt from Port Lockdown rules.

Why the other options are incorrect

A. TCP 443

Not required for device trust or synchronization.

HTTPS access is fully controlled by Port Lockdown.

C. UDP 53

DNS traffic is not required for synchronization and has no exemption under Port Lockdown.



A BIG-IP device is licensed for LTM, ASM, APM, and AFM.

Currently, it will only be used for load balancing and web application firewalling.

To ensure optimal performance and efficient resource utilization, which of the following module provisioning combinations is the best choice?

  A. LTM: Dedicated
     ASM: Dedicated
     APM: Minimal
     AFM: Minimal
  B. LTM: Dedicated
     ASM: Dedicated
     APM: None
     AFM: None
  C. LTM: Nominal
     ASM: Nominal
     APM: None
     AFM: None
  D. LTM: Nominal
     ASM: Nominal
     APM: Minimal
     AFM: Minimal

Answer(s): C

Explanation:

BIG-IP provisioning determines how CPU, memory, and disk resources are allocated to each module. The goal is to provision only the modules required and at levels appropriate to their performance needs.

Requirements in the question

The device will be used for:

LTM (Local Traffic Manager) load balancing

ASM (Application Security Manager) WAF

No functions require:

APM (Access Policy Manager)

AFM (Advanced Firewall Manager)

Why Option C is correct

Provisioning both LTM and ASM at Nominal level provides:

Adequate performance for production load

Plentiful system resources while avoiding dedicating the entire system to a single module

Balanced allocation without starving memory or CPU

Setting APM: None and AFM: None ensures unused modules consume zero resources.

Why the other options are incorrect

A. Dedicated provisioning for both LTM and ASM

Two modules cannot both run in "Dedicated" mode.

Dedicated mode allocates all resources to a single module -- the second module cannot be dedicated simultaneously.

B. LTM and ASM both Dedicated

Same issue: only one module can be Dedicated at a time.

Also unnecessary for load balancing + WAF.

D. Setting APM and AFM to Minimal

Minimal still consumes memory and CPU.

Unused modules should be set to None.

Therefore, Option C is the best provisioning strategy.



A BIG-IP device will be dedicated to functioning as a WAF, requiring only the ASM module to be provisioned.

What provisioning level will ensure that the system allocates all CPU, memory, and disk resources to this module exclusively?

  A. Dedicated
  B. Comprehensive
  C. Maximal
  D. Nominal

Answer(s): A

Explanation:

Provisioning defines how BIG-IP allocates system resources to modules. The provisioning levels include:

Dedicated: allocates all CPU, memory, and disk resources to a single module

Nominal: standard resource allocation balanced with other modules

Minimal: lowest level, used for basic utility needs

None: module disabled

Comprehensive / Maximal: not valid TMOS provisioning levels

Why "Dedicated" is correct

When a BIG-IP device is intended to run only ASM (Web Application Firewall), the recommended way to maximize performance is to provision the module at Dedicated level.

With ASM: Dedicated:

ASM receives the entire hardware capacity

No other modules can or should be provisioned

This is explicitly recommended when a device is used solely as a WAF platform

Why other options are incorrect

B. Comprehensive / C. Maximal

These are not valid provisioning modes in BIG-IP.

TMOS supports: Nominal, Minimal, Large (module-specific), and Dedicated.

D. Nominal

Shares resources with other modules

Does not provide full system performance

Not suitable when exclusive resource allocation is required

Thus, Dedicated is the correct provisioning choice.



The BIG-IP Administrator wants to manage the newly built F5 system through an in-band Self-IP.

The administrator has configured a VLAN and Self-IP and can ping the IP from their workstation, but cannot access the system via SSH or HTTPS.

What port lockdown settings should the BIG-IP Administrator use to allow management access on the Self-IP?

(Choose two.)

  A. The Self-IP port lockdown behavior could be adjusted to Allow Default
  B. The Self-IP port lockdown behavior could be adjusted to Allow All
  C. The Self-IP port lockdown behavior could be adjusted to Allow Mgmt
  D. The Self-IP port lockdown behavior could be adjusted to Allow Management

Answer(s): C,D

Explanation:

Self-IPs include a security feature called Port Lockdown, which restricts which services respond on that Self-IP.

By default, Self-IPs block management access (SSH and HTTPS/TMUI), meaning an administrator cannot manage the device through in-band Self-IPs unless explicitly allowed.

Allow Mgmt / Allow Management

These settings enable only the management services required for administrative access, specifically:

SSH (22)

HTTPS/TMUI (443)

These options allow secure administration without opening unnecessary ports.

Why these are correct:

They provide only the essential access for management.

They follow F5 security best practices when using in-band admin access.

They do not expose all services, reducing the attack surface.

Why the other options are incorrect:

A. Allow Default

This allows only a minimal set of system-required ports (e.g., failover, config sync), not SSH or HTTPS.

Administrator access would still fail.

B. Allow All

Opens all ports on the Self-IP, which is not secure.

Exposes services that should remain restricted.

Therefore, Allow Mgmt / Allow Management are the correct choices.



Which two items demonstrate the creation of a new volume for software images?

(Choose two.)

  A. tmsh install software image /shared/images/BIGIP-<version>.iso volume HD1.5 create-volume
  B. tmsh install /sys software image BIGIP-<version>.iso volume HD1.5 create-volume
  C. Using the GUI, go to System > Disk Management, select New Volume. In the pop-up window, type the name or number of the new volume and click Apply.
  D. tmsh install sys software image /shared/images/BIGIP-<version>.iso volume HD1.5 create-volume
  E. Using the GUI, go to System > Software Management > Available Images > Install, and in the Install Software Image pop-up window, type the new volume name or number and click Install.

Answer(s): A,C

Explanation:

In BIG-IP, software images are installed on boot volumes (for example, HD1.1, HD1.2, HD1.3, etc.).

To install software on a new volume, the administrator must instruct the system to create a new boot location before installation.

There are two correct ways to create a new volume:

A. tmsh command (with correct syntax)

tmsh install software image /shared/images/BIGIP-<version>.iso volume HD1.5 create-volume

This syntax correctly includes:

install software image, followed by the full path to the ISO (/shared/images/...)

volume name (HD1.5)

create-volume keyword

This instructs BIG-IP to create the new boot volume as part of the installation.

C. Using the GUI: System > Disk Management

From the Disk Management menu, the administrator can:

Select "New Volume"

Enter the volume identifier (e.g., HD1.5)

Apply changes

This GUI method is officially supported and explicitly creates a new boot volume before installing the software.

Why the other options are incorrect:

B. Incorrect tmsh syntax

Missing /shared/images/ path

Incorrect command structure

D. Incorrect command structure

Missing required keywords and correct command hierarchy

E. Software Management Install does NOT create volumes

This installs to an existing volume only

The GUI install dialog does not create new boot volumes

Thus, only Option A and Option C properly create a new software volume.




For an upgrade of a standalone BIG-IP, a maintenance window is available in which brief interruptions are allowed.

Actions with no impact can be done outside the maintenance window.

When should a license reactivation be performed?

  A. During the maintenance window.
  B. Before the maintenance window.
  C. After the maintenance window.

Answer(s): B

Explanation:

License reactivation updates the BIG-IP device's license file to ensure:

The Service Check Date is current

The device is eligible to install the intended TMOS version

Any module entitlement updates are received

Reactivation does not interrupt traffic and does not require a reboot, making it safe to perform before the maintenance window.

F5 best practices state:

Perform all non-impact tasks prior to the scheduled maintenance window

Leave the window available for activities that require rebooting, such as the software installation itself

Since license reactivation is non-disruptive, it should be done before the upgrade window starts.



Which configuration file can a BIG-IP administrator use to verify the provisioned modules?

  A. /config/bigip.license
  B. /config/bigip_base.conf
  C. /config/bigip.conf
  D. /var/local/ucs/config.ucs

Answer(s): C

Explanation:

Provisioning settings define which modules are enabled and how system resources are allocated to them.

These provisioning declarations are stored in:

/config/bigip.conf

This file contains:

Full module provisioning statements

TMSH-equivalent provisioning configurations such as:

sys provision ltm { level nominal }

sys provision asm { level nominal }

It is the primary system configuration file that stores all active provisioning details.

Why the other answers are incorrect

A. /config/bigip.license

Shows licensed modules, not provisioned modules.

B. /config/bigip_base.conf

Stores base networking (VLANs, Self-IPs, routes), not provisioning.

D. config.ucs

A backup archive, not a live configuration file.

Thus, the correct file to review active module provisioning is /config/bigip.conf.


