F5CAB1 BIG-IP Administration Install, Initial Configuration, and Upgrade Questions and Answers

The screenshot shown is from theUser Administrationsection of the BIG-IP GUI.

This section controls:

Root and Admin passwords

SSH Access

SSH IP Allow settings

However,it does not contain any controls for restricting access to the WebUI (TMUI).

BIG-IP does not provide TMUI access restrictions from this part of the GUI.

Access to the web-based Configuration Utility is controlled by thehttpd allow list, configured through TMSH:

tmsh modify /sys httpd allow { }

This setting is not displayed in the User Administration panel, and in many BIG-IP versions, the httpd allow list isonly configurable from the CLI, not the GUI.

Therefore, the administrator cannot find the setting in the screen shown because:

TMUI access restriction isnotlocated in this GUI section

It must be configured usingtmshunder/sys httpd allow

This is whyOption Ais correct.

The exhibit shows aSelf IPwith:

VLAN:Data

Port Lockdown:Allow None

Impact of “Allow None” on SNMP

When a Self IP is configured with:

Port Lockdown: Allow None

the BIG-IP blocksallservices and ports except a few hardcoded HA communication ports.

This means:

UDP/161 (SNMP)is blocked

UDP/162 (SNMP traps)is blocked

The SNMP server cannot poll or receive data from the BIG-IP through this Self IP

SNMP relies on access through the Self IP if out-of-band (mgmt interface) is not used.

Thus, the issue is directly caused byPort Lockdown = Allow None, which prevents SNMP communication.

Why the other options are incorrect:

B. Traffic Group must use a floating Traffic Group

SNMP polling doesnotrequire floating Self IPs.

Floating groups apply to HA failover IPs, not SNMP functionality.

C. VLAN/Tunnel must allow All VLANs

Self IPs are always bound to a VLAN; SNMP doesnotrequire All VLANs.

As long as the Self IP belongs to a reachable VLAN, SNMP can work.

D. Configuration is correct

It is not correct:Allow Noneblocks SNMP and is the problem.

The BIG-IP has two distinct planes:

Management-plane→ handled entirely by the management interface (MGMT)

Data-plane (TMM)→ handles Self IPs, VLAN interfaces, and traffic processing

To capture traffic on the management interface, only the management-side NICs may be used:

mgmt→ Logical name for the management interface

eth0→ Physical Linux interface mapped to the management port on most BIG-IP platforms

Both of these correctly capture inbound/outbound WebUI (HTTPS/443) traffic on the management port.

Why the correct answers are A and B

A. tcpdump -i eth0 -n port 443

On BIG-IP appliances and VMs, the management port maps toeth0at the Linux OS level.

Capturing on eth0 correctly shows HTTPS traffic to the WebUI.

B. tcpdump -i mgmt -n port 443

mgmtis the BIG-IP alias for the management interface.

This is thepreferredand most explicit capture interface for management-plane packet captures.

Why the other options are incorrect:

C. tcpdump -i 0.0

Interface0.0is the TMM switch interface used for data-plane packet captures.

Itdoes NOTcapture management-plane traffic.

D. tcpdump -i tun0

Used for tunnel interfaces (IPsec, VXLAN, etc.)

Not related to management access.

E. tcpdump -i management

There isnointerface named management on BIG-IP.

The correct names are mgmt or eth0.

By default,management-plane trafficuses themanagement routing table, whiledata-plane trafficuses theTMM routing table.

Remote Syslog traffic ismanagement-planetrafficunlessa management route exists.

If noManagement Routematches the Syslog server’s destination IP, the BIG-IP will instead:

UseTMM routes, and

Source the packets from aSelf IP

This is exactly what the administrator is observing.

To force Syslog traffic out the management port:

You must create aManagement Route, which is configured using:

tmsh create /sys management-route gateway network

This sends syslog traffic:

Out of themanagement interface

Using theManagement IPas the source

Thus,Option Bis correct.

Why the other options are incorrect:

A. Set the Management IP as the source address

Source address selection is overridden by routing.

Without a management route, traffic still goes out the data plane.

C. Create a new Self IP using a route domain

Unnecessary and not related to management-plane routing.

Syslog traffic should not rely on data-plane Self IPs.

D. Modify port lockdown on Self IP to allow UDP/514

This would allow Syslog trafficintothe BIG-IP over a Self IP, not forceoutboundtraffic via management.

BIG-IP module provisioning determines howCPU, memory, and disk resourcesare allocated to each licensed module. F5 defines a specific set of supported provisioning levels.

Valid provisioning (resource allocation) settings

Nominal

Allocates a standard, balanced amount of system resources to a module.

Intended for typical production deployments where multiple modules may be provisioned at the same time.

Dedicated

Allocatesall available system resourcesto a single module.

Used when the BIG-IP device is dedicated to running only one module (for example, ASM-only or APM-only deployments).

No other modules can be provisioned when one is set to Dedicated.

These two options are valid and supported provisioning levels.

Why the other options are incorrect

Maximum

This is not a valid BIG-IP provisioning level.

BIG-IP does not use “Maximum” as a resource allocation setting.

Limited

This is also not a supported provisioning level.

BIG-IP uses levels such as None, Minimal, Nominal, and Dedicated (module-dependent), not Limited.

Provisioning determines:

Which BIG-IP modules are enabled (LTM, ASM, APM, AFM, DNS, etc.)

Their provisioning levels (None, Minimal, Nominal, Dedicated)

Two accurate ways to view provisioning settings are:

A. GUI — System → Resource Provisioning → Module Allocation

This is the primary GUI screen showing:

All modules

Their provisioning level

System resource distribution impact

Administrators commonly use this page to confirm or change module provisioning.

D. TMSH — list /sys provision

This tmsh command displays each module and its provisioning level:

sys provision ltm { level nominal }

sys provision asm { level none }

This is the authoritative CLI method for checking module provisioning configurations.

Why the other options are incorrect:

B. show /sys provision

Showsruntimeinformation butnot the actual configuration levels.

list is the correct command for configuration details.

C. Statistics → Module Statistics

Shows performance statistics, NOT provisioning status.

Therefore, the correct responses areAandD.

Comprehensive and Detailed Explanation (Paraphrased from F5 BIG-IP Administration / Installation / Initial Configuration concepts)

Within the BIG-IP Traffic Management Shell (tmsh), system configuration objects—including the management IP—are organized under the/syshierarchy. The management IP address is a configurable property stored in the system configuration and can be viewed using the tmshlistcommand, which displays configuration objects and their currently assigned values.

Why “list /sys management-ip” is correct

The list command in tmsh is used todisplay configured system values, not runtime statistics.

The object that holds the management IP settings on BIG-IP systems is located at:/sys management-ip

Running the command:list /sys management-ipwill reveal the settings for the management IP interface, including the address, netmask, and any associated attributes.

This is the standard method used during system setup and verification to confirm the management IP configuration.

This behavior aligns with BIG-IP administration procedures, where configuration information is retrieved usinglist, while operational data is retrieved usingshow.

Why the other options are incorrect

A. run /util bash ifconfig mgmt

This command enters the Bash shell, then runs ifconfig to display the management interface.

While this can show the management interface address, it isnot a tmsh-native command, and the question specifically asks for a tmsh command.

Administrators use tmsh directly for configuration display rather than leaving the shell.

C. show /sys management-ip

The show command displaysstatistics or operational data, not configuration values.

The management-ip object does not maintain statistics; therefore show does not return the configuration details required.

Only thelistcommand reveals stored configuration data such as IP address and netmask.

The HTTPD allow list controls which IP addresses or subnets may access the Configuration Utility (TMUI) on the BIG-IP system. The Administrator already has two subnets allowed and needs to add asingle host IPto the existing list.

The object/sys httpd allowsupports actions such asadd,delete, andreplace-all-with.

Because the goal is toaddone more entry without removing the existing permitted subnets, the correct command is:

modify /sys httpd allow add { 172.28.32.22 }

This appends the new host to the existing list while preserving the previously configured networks.

Why the other options are incorrect:

Option A (replace-all-with)wouldoverwritethe entire allow list, removing existing permitted subnets—unacceptable.

Option B (delete)wouldremovethe existing networks and not add the required host.

Therefore, the correct administrative action is toaddthe jump host’s IP.

A newly deployed BIG-IP Virtual Edition (VE) in VMware requires initial configuration of itsmanagement-ipaddress so it can be accessed over the network. F5 provides several valid mechanisms during initial console access:

A. Running the config utility

The config script is available on new BIG-IP installations and VE deployments.

It launches a guided text-based wizard allowing configuration of:

Management IP

Netmask

Default route

This is a standard and recommended method during first-time setup.

B. Using TMSH with create sys management-ip

Administrators can enter TMSH directly from the console and run:

create sys management-ip /

The management-ip object resides undersys, not under ltm or any other module.

This is the correct tmsh method for defining the management interface address.

Why the other options are incorrect:

C. create ltm management-ip

There isnosuch object under /ltm.

LTM handles traffic objects (virtual servers, pools), not system management interfaces.

D. Running the setup command

The setup command is used for general system configuration butdoes not configure the management-ip.

It is not the supported method for initial management IP assignment on VE deployments.

Therefore, the valid methods are running theconfigutility and using thesys management-ipcommand within TMSH.

Comprehensive and Detailed Explanation (Paraphrased)

The BIG-IP stores the configured management IP address as asystem configuration objectunder the/syshierarchy.

To display configured (persistent) values, BIG-IP uses thetmsh list command, not show.

Why tmsh list sys management-ip is correct

The management IP configuration is defined under:

/sys management-ip

Running:

tmsh list sys management-ip

displays:

The configured management IP address

Netmask

Associated attributes

This command shows theactual configured management IP, which is what the question asks for.

Why the other options are incorrect

A. tmsh show sys management-ip

The show command is used for runtime statistics and status.

management-ip is a configuration object, not a statistics object.

C. tmsh list sys management-route

Displays management routing information, not the management IP address itself.

D. tmsh list net self

Displays Self IPs used on the data plane.

Does not show the management interface IP.