F5CAB1 BIG-IP Administration Install, Initial Configuration, and Upgrade Questions and Answers

When installing a BIG-IP software version with a HotFix on a new boot volume , F5 requires that both the base TMOS image and the HotFix image be installed together as part of the same installation workflow.

The correct process is:

Specify the base TMOS ISO

Specify the HotFix ISO that corresponds to that base version

Instruct the system to create a new boot volume

Install both images into that new volume

This is achieved with the following tmsh syntax:

tmsh install /sys software BIGIP- < version > .iso hotfix Hotfix-BIGIP- < version > -ENG.iso create-volume HD1.2

This command:

Installs the base image first

Applies the HotFix on top of the base image

Creates and installs everything on HD1.2

Leaves the currently active volume untouched for rollback

Why the other options are incorrect

A. Installing only the hotfix

A HotFix cannot be installed by itself on a new volume. A base image must already be present.

C. Using create instead of install

The create keyword is not valid for software installation operations.

D. Using copy

The copy command does not install software images or hotfixes.

Provisioning settings define which modules are enabled and how system resources are allocated to them.

These provisioning declarations are stored in:

/config/bigip.conf

This file contains:

Full module provisioning statements

TMSH-equivalent provisioning configurations such as:

sys provision ltm { level nominal }

sys provision asm { level nominal }

It is the primary system configuration file that stores all active provisioning details.

Why the other answers are incorrect

A. /config/bigip.license

Shows licensed modules, not provisioned modules.

B. /config/bigip_base.conf

Stores base networking (VLANs, Self-IPs, routes), not provisioning.

D. config.ucs

A backup archive, not a live configuration file.

Thus, the correct file to review active module provisioning is /config/bigip.conf .

When a TMOS ISO file is transferred to /shared/images/ , the BIG-IP automatically performs a validation step:

Checksum Verification

Before the image becomes visible in the GUI, the system verifies the internal checksum embedded inside the ISO.

This ensures:

The file was fully transferred

The image is not corrupted

It matches the official F5 release signature

Only after passing this verification does the GUI display the ISO under “Available Images.”

Why the other options are incorrect:

A. Reboot into a new partition

No reboot occurs simply from uploading an image.

C. Copying into /var/local/images/

This directory is not used for ISO storage.

All valid images remain in /shared/images/ .

Thus, the correct system action is checksum verification .

The screenshot shown is from the User Administration section of the BIG-IP GUI.

This section controls:

Root and Admin passwords

SSH Access

SSH IP Allow settings

However, it does not contain any controls for restricting access to the WebUI (TMUI) .

BIG-IP does not provide TMUI access restrictions from this part of the GUI.

Access to the web-based Configuration Utility is controlled by the httpd allow list , configured through TMSH:

tmsh modify /sys httpd allow { < IP/subnet > }

This setting is not displayed in the User Administration panel, and in many BIG-IP versions, the httpd allow list is only configurable from the CLI , not the GUI.

Therefore, the administrator cannot find the setting in the screen shown because:

TMUI access restriction is not located in this GUI section

It must be configured using tmsh under /sys httpd allow

This is why Option A is correct.

To change the boot volume on a BIG-IP system from one installed TMOS version to another, the correct CLI tool is:

switchboot

The correct syntax uses the -b flag:

switchboot -b < volume >

This command marks the specified boot location as the one to be used on the next reboot.

Thus, to boot into HD1.2 which contains 13.1.0.6 , the sequence is:

Mark HD1.2 as the next boot location:

switchboot -b HD1.2

Reboot the system:

reboot

This is the standard and officially supported method for selecting a different installed volume.

Why the other options are incorrect:

A. " tmsh reboot HD1.2 "

There is no such tmsh syntax.

Boot volume cannot be selected by adding a parameter to reboot.

C. switchboot -I HD1.2

The -I flag is invalid. Only -b is used.

D. " tmsh switchboot HD1.2 "

switchboot is not a tmsh command; it is a system-level shell utility.

Therefore, Option B is the correct and valid command sequence.

Comprehensive and Detailed Explanation From BIG-IP Administration — Install, Initial Configuration, and Upgrade:

BIG-IP Self IP addresses have an associated Port Lockdown feature that governs which protocols and services are permitted to communicate directly with that Self IP. By default, Self IPs may allow broader access than desired, making Port Lockdown a critical hardening control.

The Allow Custom option under Port Lockdown is the precise mechanism for administrators who need granular, port-specific filtering. When selected, only the explicitly listed TCP/UDP ports are permitted — all others, including port 443 (HTTPS), are implicitly denied. This satisfies the requirement of blocking 443 specifically while preserving access on other required ports.

The remaining options are incorrect for this scenario:

Option A references SSH access control under System » Platform, which governs management-plane SSH — not Self IP service filtering.

Option B disables the entire Self IP, removing all traffic handling, which is operationally disruptive.

Option D — Allow None — blocks all traffic to the Self IP, not selectively port 443.

The Allow Custom approach provides the surgical precision required: administrators enumerate permitted ports, and everything outside that list — including 443 — is dropped.

Reference Topics: Self IP Port Lockdown, Network Security Hardening, Self IP Configuration — BIG-IP Administration Study Guide.

BIG-IP systems require all ISO images (base TMOS images and HotFix images) to be stored in a specific directory used for software installation:

/shared/images/

This directory:

Is the only supported location from which the BIG-IP software installation system validates and installs ISO files

Is accessible by both the GUI and TMSH installers

Has adequate storage space allocated specifically for images

Is part of the shared partition that persists across reboots

When transferring images via SCP, the administrator must copy them directly into /shared/images/ so that:

The GUI (System → Software Management → Available Images) can detect the image

TMSH install software image commands can reference it

Other directories such as /local/images/ or /var/images/ are not valid storage paths for software images.

By default, management-plane traffic uses the management routing table , while data-plane traffic uses the TMM routing table .

Remote Syslog traffic is management-plane traffic unless a management route exists.

If no Management Route matches the Syslog server’s destination IP, the BIG-IP will instead:

Use TMM routes , and

Source the packets from a Self IP

This is exactly what the administrator is observing.

To force Syslog traffic out the management port:

You must create a Management Route , which is configured using:

tmsh create /sys management-route < name > gateway < ip > network < syslog subnet >

This sends syslog traffic:

Out of the management interface

Using the Management IP as the source

Thus, Option B is correct.

Why the other options are incorrect:

A. Set the Management IP as the source address

Source address selection is overridden by routing.

Without a management route, traffic still goes out the data plane.

C. Create a new Self IP using a route domain

Unnecessary and not related to management-plane routing.

Syslog traffic should not rely on data-plane Self IPs.

D. Modify port lockdown on Self IP to allow UDP/514

This would allow Syslog traffic into the BIG-IP over a Self IP, not force outbound traffic via management.

Within the BIG-IP Traffic Management Shell (tmsh), system configuration objects—including the management IP—are organized under the /sys hierarchy. The management IP address is a configurable property stored in the system configuration and can be viewed using the tmsh list command, which displays configuration objects and their currently assigned values.

Why “list /sys management-ip” is correct

The list command in tmsh is used to display configured system values , not runtime statistics.

The object that holds the management IP settings on BIG-IP systems is located at: /sys management-ip

Running the command: list /sys management-ip will reveal the settings for the management IP interface, including the address, netmask, and any associated attributes.

This is the standard method used during system setup and verification to confirm the management IP configuration.

This behavior aligns with BIG-IP administration procedures, where configuration information is retrieved using list , while operational data is retrieved using show .

Why the other options are incorrect

A. run /util bash ifconfig mgmt

This command enters the Bash shell, then runs ifconfig to display the management interface.

While this can show the management interface address, it is not a tmsh-native command , and the question specifically asks for a tmsh command.

Administrators use tmsh directly for configuration display rather than leaving the shell.

C. show /sys management-ip

The show command displays statistics or operational data , not configuration values.

The management-ip object does not maintain statistics; therefore show does not return the configuration details required.

Only the list command reveals stored configuration data such as IP address and netmask.

The BIG-IP system has built-in licensing enforcement.

If an administrator provisions a module that the device is not licensed to run, the system will still allow the provisioning action to occur initially , but the system detects the mismatch and displays an alert.

What actually happens:

The GUI places a warning banner in the upper-left corner labeled something similar to: “Provisioning Warning”

This appears immediately after provisioning a module that is not included in the active license.

The system remains in an “inconsistent state” until the module is disabled again or the license is updated.

This is the visual cue BIG-IP uses to indicate that a module was provisioned without valid licensing.

Why the other options are incorrect:

A. “A BIG-IP does not allow unlicensed modules to be provisioned.”

Not true. BIG-IP does allow provisioning, but warns afterward.

B. “A warning will appear when provisioning an unlicensed module.”

The warning does not appear during the provisioning step itself.

It appears after provisioning , in the main GUI, as a system banner.

From the exhibit, the administrator performs the following actions:

Displays the current SSH allow configuration:

tmsh list sys sshd allow

allow { ALL }

Replaces the existing SSH allow list with a specific subnet:

tmsh modify sys sshd allow replace-all-with { 10.0.0.0/24 }

Confirms the updated configuration:

tmsh list sys sshd allow

allow { 10.0.0.0/24 }

This configuration restricts SSH access to only hosts that fall within the 10.0.0.0/24 network.

Evaluation of the options

A. 10.0.0.100

This address is within the 10.0.0.0/24 subnet and is a valid host address, so SSH access is permitted.

B. 10.0.0.254

This address is also within the 10.0.0.0/24 subnet and is a valid host address, so SSH access is permitted.

C. 10.0.0.256

This is not a valid IP address because an IPv4 octet cannot exceed 255.

D. 100.0.1.10

This address is outside the configured 10.0.0.0/24 subnet and will not be allowed.

E. 100.0.0.10

This address is also outside the configured subnet and will not be allowed.