F5 BIG-IP Administration Install, Initial Configuration, and Upgrade F5CAB1 Exam Dumps: Updated Questions & Answers (January 2026)

BIG-IP module provisioning determines howCPU, memory, and disk resourcesare allocated to each licensed module. F5 defines a specific set of supported provisioning levels.

Valid provisioning (resource allocation) settings

Nominal

Allocates a standard, balanced amount of system resources to a module.

Intended for typical production deployments where multiple modules may be provisioned at the same time.

Dedicated

Allocatesall available system resourcesto a single module.

Used when the BIG-IP device is dedicated to running only one module (for example, ASM-only or APM-only deployments).

No other modules can be provisioned when one is set to Dedicated.

These two options are valid and supported provisioning levels.

Why the other options are incorrect

Maximum

This is not a valid BIG-IP provisioning level.

BIG-IP does not use “Maximum” as a resource allocation setting.

Limited

This is also not a supported provisioning level.

BIG-IP uses levels such as None, Minimal, Nominal, and Dedicated (module-dependent), not Limited.

Self-IPs include a security feature calledPort Lockdown, which restricts which services respond on that Self-IP.

By default, Self-IPs block management access (SSH and HTTPS/TMUI), meaning an administrator cannot manage the device through in-band Self-IPs unless explicitly allowed.

Allow Mgmt / Allow Management

These settings enable only the management services required for administrative access, specifically:

SSH (22)

HTTPS/TMUI (443)

These options allow secure administration without opening unnecessary ports.

Why these are correct:

They provide only the essential access for management.

They follow F5 security best practices when using in-band admin access.

They donotexpose all services, reducing the attack surface.

Why the other options are incorrect:

A. Allow Default

This allows only a minimal set of system-required ports (e.g., failover, config sync), not SSH or HTTPS.

Administrator access would still fail.

B. Allow All

Opens all ports on the Self-IP, which isnot secure.

Exposes services that should remain restricted.

Therefore,Allow Mgmt / Allow Managementare the correct choices.

Comprehensive and Detailed Explanation (Paraphrased from F5 BIG-IP Administration / Installation / Initial Configuration concepts)

Within the BIG-IP Traffic Management Shell (tmsh), system configuration objects—including the management IP—are organized under the/syshierarchy. The management IP address is a configurable property stored in the system configuration and can be viewed using the tmshlistcommand, which displays configuration objects and their currently assigned values.

Why “list /sys management-ip” is correct

The list command in tmsh is used todisplay configured system values, not runtime statistics.

The object that holds the management IP settings on BIG-IP systems is located at:/sys management-ip

Running the command:list /sys management-ipwill reveal the settings for the management IP interface, including the address, netmask, and any associated attributes.

This is the standard method used during system setup and verification to confirm the management IP configuration.

This behavior aligns with BIG-IP administration procedures, where configuration information is retrieved usinglist, while operational data is retrieved usingshow.

Why the other options are incorrect

A. run /util bash ifconfig mgmt

This command enters the Bash shell, then runs ifconfig to display the management interface.

While this can show the management interface address, it isnot a tmsh-native command, and the question specifically asks for a tmsh command.

Administrators use tmsh directly for configuration display rather than leaving the shell.

C. show /sys management-ip

The show command displaysstatistics or operational data, not configuration values.

The management-ip object does not maintain statistics; therefore show does not return the configuration details required.

Only thelistcommand reveals stored configuration data such as IP address and netmask.

When upgrading to a newer TMOS software version, BIG-IP validates whether the current license is permitted to run that version.

This is controlled by theService Check Datein the device’s license file.

If the Service Check Date is older than the minimum required for the target version:

The systemboots into the new volume,

Butfails to load the configuration,

And will instead present messages indicating that the configuration cannot be applied due to aninvalid or outdated license.

This is a well-known behavior:

An outdated license, not reactivated before upgrade, causes configuration load failure after reboot into the new software.

Why the other options are incorrect:

A. Performed on the standby unit

Upgrading a standby unit does not cause configuration load failure.

Standby-only upgrades are standard best practice.

C. Two reboots required

BIG-IP does not require two reboots during an upgrade.

One reboot into the new volume is sufficient.

D. DNS connectivity failure

DNS connectivity does not affect configuration loading.

DNS is only needed for automatic license activation, not for applying config at boot.

Thus, the configuration failed to load because thelicense was not reactivated before the upgrade, makingOption Bcorrect.

BIG-IP licensing information, including theService Check Date, is stored in the file:

/config/bigip.license

This file contains all license attributes downloaded from the F5 licensing server, including:

License key

Licensed modules

Useful life date

Service check date

TheService Check Datedetermines whether the system is eligible for upgrades to specific TMOS versions. When reviewing upgrade readiness, administrators extract this value directly from the license file with:

grep "Service check date" /config/bigip.license

Why the other options are incorrect:

/config/bigip.confstores BIG-IP configuration objects, not license metadata.

/config/svc_chk_date.datisnota valid file in the licensing system; it does not contain license parameters.

/config/BigDB.datstores internal database values, not licensing attributes.

Thus, only thebigip.licensefile contains the correct licensing information required for verifying upgrade eligibility.

When logged into thebash shellof a BIG-IP system, there are two valid ways to view themanagement-ipaddress:

A. tmsh list /sys management-ip

Even from the bash shell, the administrator can enter a tmsh command by typing:

tmsh list /sys management-ip

This displays:

Management IP address

Netmask

Any configured management routes

This is theofficial tmsh methodfor viewing the management-ip configuration.

C. ifconfig mgmt

In the underlying Linux OS, the management interface maps to themgmtinterface.

Running:

ifconfig mgmt

displays:

Assigned management IP

Netmask

Link-level status

This is a valid Linux-level method used frequently for troubleshooting.

Why the other options are incorrect:

B. show mgmt ip

Not a valid bash or tmsh command on BIG-IP.

D. list / sys management-ip

Missing thetmshprefix.

In bash, this will generate a syntax error.

The correct form requires:

tmsh list /sys management-ip

In BIG-IP, software images are installed onboot volumes(for example, HD1.1, HD1.2, HD1.3, etc.).

To install software on anew volume, the administrator must instruct the system to create a new boot location before installation.

There are two correct ways to create a new volume:

A. tmsh command (with correct syntax)

tmsh install software image /shared/images/BIGIP-.iso volume HD1.5 create-volume

This syntax correctly includes:

install software image

full path to ISO (/shared/images/...)

volume name (HD1.5)

create-volumekeyword

This instructs BIG-IP to create the new boot volume as part of the installation.

C. Using the GUI → System > Disk Management

From the Disk Management menu, the administrator can:

Select “New Volume”

Enter the volume identifier (e.g., HD1.5)

Apply changes

This GUI method is officially supported and explicitly creates a new boot volume before installing the software.

Why the other options are incorrect:

B. Incorrect tmsh syntax

Missing /shared/images/ path

Incorrect command structure

D. Incorrect command structure

Missing required keywords and correct command hierarchy

E. Software Management → Install does NOT create volumes

This installs to anexistingvolume only

The GUI install dialog does not create new boot volumes

Thus, onlyOption AandOption Cproperly create a new software volume.

The exhibit shows the configuration of aSelf IPwith:

Port Lockdown: Allow Custom

ACustom Listthat includes the following TCP ports:

443

22

Meaning of these ports:

TCP 443→ HTTPS (TMUI — web-based management)

TCP 22→ SSH (command-line remote access)

No other TCP, UDP, or protocol entries are listed; therefore, only these two services are allowed to reach the BIG-IP via this Self IP.

Evaluating the answer choices:

Option

Service

Port

Allowed?

FTP

TCP 21

Not listed

Not allowed

SSH

TCP 22

Listed

Allowed

Telnet

TCP 23

Not listed

Not allowed

Thus,SSHis the only traffic permitted through this Self IP configuration.

BIG-IP controls access to the web-based Configuration Utility (TMUI) through the/sys httpd allowlist. This parameter specifies which client IPs or subnets may initiate HTTP/HTTPS connections to the management interface.

To restrict TMUI access toonlythe 10.0.0.0/24 subnet:

The correct method is tomodify the HTTPD allow listso that it contains only this subnet.

This requires replacing the entire current list with the new subnet using:

modify /sys httpd allow replace-all-with {10.0.0.0/24}

This ensures thatonlyclients within 10.0.0.0/24 can reach the Configuration Utility.

Why the other options are incorrect:

Options A and Ccreate network ACL objects under /net acl, which apply to data-plane traffic, not management-plane TMUI access. TMUI access is not controlled by LTM ACLs but by the HTTPD allow directive.

Option Bis incorrect syntax and references /ltm httpd, which is not the proper object; the correct hierarchy is /sys httpd.

Thus, only modifying the/sys httpd allowlist achieves the required restriction.

The BIG-IP system has built-in licensing enforcement.

If an administrator provisions a module that the device isnot licensedto run, the system will still allow the provisioning action to occurinitially, but the system detects the mismatch and displays an alert.

What actually happens:

The GUI places awarning bannerin theupper-left cornerlabeled something similar to:“Provisioning Warning”

This appears immediately after provisioning a module that is not included in the active license.

The system remains in an “inconsistent state” until the module is disabled again or the license is updated.

This is the visual cue BIG-IP uses to indicate that a module was provisioned without valid licensing.

Why the other options are incorrect:

A. “A BIG-IP does not allow unlicensed modules to be provisioned.”

Not true. BIG-IPdoesallow provisioning, but warns afterward.

B. “A warning will appear when provisioning an unlicensed module.”

The warning doesnotappear during the provisioning step itself.

It appearsafter provisioning, in the main GUI, as a system banner.