F5CAB1 BIG-IP Administration Install, Initial Configuration, and Upgrade Questions and Answers

Port Lockdown controls which ports and protocols aSelf IPwill respond to.

However, certain traffic types bypass Port Lockdown for BIG-IP functionality and routing integrity.

The three types that areNOT affectedby Port Lockdown are:

1. Defined Virtual Server Traffic

Traffic destined to a Self IP that matches aconfigured virtual serveris always accepted by the BIG-IP, regardless of Port Lockdown settings.

This ensures that traffic processing does not break when administrators restrict Self-IP ports.

2. ICMP (Internet Control Message Protocol)

ICMP (such as ping, traceroute responses, etc.) always passes through a Self IP even when Port Lockdown is set to:

Allow Default

Allow None

Allow Custom

F5 allows ICMP for reachability and diagnostic purposes independent of Port Lockdown rules.

3. Centralized Management Infrastructure (CMI)

CMI includes the internal HA services used for:

Device Trust

ConfigSync

Failover

Mirroring

These essential HA communications bypass Port Lockdown to prevent accidental cluster failure.

The well-known port for this traffic isTCP 4353, which is always permitted.

Why the other options are incorrect:

Option A:SSHisrestricted by Port Lockdown unless explicitly allowed.

Option B:Same issue — SSH does not bypass Port Lockdown.

OnlyDefined VS Traffic,ICMP, andCMIbypass Port Lockdown.

The BIG-IPmanagement interface (MGMT port)is controlled throughSystem settings, not through the Network menu.

SSH access on the management interface is configured here:

System → Configuration → Device → General → SSH Access / SSH IP Allow

This section allows the administrator to:

Enable or disable SSH service

Restrict SSH access to specific IP addresses or subnets

Apply security policies to the management interface

Why the other options are incorrect:

A. Network > Interfaces

Used for data-plane physical interface settings, not management plane SSH restrictions.

B. Network > Self IPs

Controls in-band management or data-plane access, not the dedicated management port.

D. System > Platform

Used for hostname, time zone, LCD contrast, hardware settings — not SSH security on the management port.

Therefore, restricting SSH access to themanagement interfacemust be done under:

✔System → Configuration → Device → General

Which corresponds toOption C.

ThePort Lockdownfeature controls which services a Self-IP will respond to.

Setting a Self-IP toAllow Nonemeans:

The Self-IP will not acceptanytraffic except the very limited, hard-coded HA ports such asTCP 4353used for device trust and configuration sync.

All other HA ports, including those needed for network failover and other HA mechanisms,are blocked.

When essential HA services cannot communicate, each device assumes its peer is down.

This results in:

HA failover misbehavior

Both devices thinking the other is offline

Potentialactive-active condition, which is not intended and can cause traffic disruption

Thus,Allow Nonecan break HA functionality unless the Self-IP is not used for HA links.

TheService Check Datedetermines whether a particular software version is allowed to run under the device’s license.

When installing or upgrading TMOS, the installer checks theService Check Datestored in the BIG-IP license file.

If the license date isolderthan the minimum required for the target version, the software installation isblocked.

This check happensspecifically during a software install, not during routine device operations.

Editing virtual servers or system startup do not trigger this validation.

Thus, the enforcement happensduring software installation.

Comprehensive and Detailed Explanation (Paraphrased from F5 BIG-IP Administration / Installation / Initial Configuration concepts)

Within the BIG-IP Traffic Management Shell (tmsh), system configuration objects—including the management IP—are organized under the/syshierarchy. The management IP address is a configurable property stored in the system configuration and can be viewed using the tmshlistcommand, which displays configuration objects and their currently assigned values.

Why “list /sys management-ip” is correct

The list command in tmsh is used todisplay configured system values, not runtime statistics.

The object that holds the management IP settings on BIG-IP systems is located at:/sys management-ip

Running the command:list /sys management-ipwill reveal the settings for the management IP interface, including the address, netmask, and any associated attributes.

This is the standard method used during system setup and verification to confirm the management IP configuration.

This behavior aligns with BIG-IP administration procedures, where configuration information is retrieved usinglist, while operational data is retrieved usingshow.

Why the other options are incorrect

A. run /util bash ifconfig mgmt

This command enters the Bash shell, then runs ifconfig to display the management interface.

While this can show the management interface address, it isnot a tmsh-native command, and the question specifically asks for a tmsh command.

Administrators use tmsh directly for configuration display rather than leaving the shell.

C. show /sys management-ip

The show command displaysstatistics or operational data, not configuration values.

The management-ip object does not maintain statistics; therefore show does not return the configuration details required.

Only thelistcommand reveals stored configuration data such as IP address and netmask.

BIG-IP controls access to the web-based Configuration Utility (TMUI) through the/sys httpd allowlist. This parameter specifies which client IPs or subnets may initiate HTTP/HTTPS connections to the management interface.

To restrict TMUI access toonlythe 10.0.0.0/24 subnet:

The correct method is tomodify the HTTPD allow listso that it contains only this subnet.

This requires replacing the entire current list with the new subnet using:

modify /sys httpd allow replace-all-with {10.0.0.0/24}

This ensures thatonlyclients within 10.0.0.0/24 can reach the Configuration Utility.

Why the other options are incorrect:

Options A and Ccreate network ACL objects under /net acl, which apply to data-plane traffic, not management-plane TMUI access. TMUI access is not controlled by LTM ACLs but by the HTTPD allow directive.

Option Bis incorrect syntax and references /ltm httpd, which is not the proper object; the correct hierarchy is /sys httpd.

Thus, only modifying the/sys httpd allowlist achieves the required restriction.

The BIG-IP system has built-in licensing enforcement.

If an administrator provisions a module that the device isnot licensedto run, the system will still allow the provisioning action to occurinitially, but the system detects the mismatch and displays an alert.

What actually happens:

The GUI places awarning bannerin theupper-left cornerlabeled something similar to:“Provisioning Warning”

This appears immediately after provisioning a module that is not included in the active license.

The system remains in an “inconsistent state” until the module is disabled again or the license is updated.

This is the visual cue BIG-IP uses to indicate that a module was provisioned without valid licensing.

Why the other options are incorrect:

A. “A BIG-IP does not allow unlicensed modules to be provisioned.”

Not true. BIG-IPdoesallow provisioning, but warns afterward.

B. “A warning will appear when provisioning an unlicensed module.”

The warning doesnotappear during the provisioning step itself.

It appearsafter provisioning, in the main GUI, as a system banner.

BIG-IP systems require all ISO images (base TMOS images and HotFix images) to be stored in a specific directory used for software installation:

/shared/images/

This directory:

Is theonly supported locationfrom which the BIG-IP software installation system validates and installs ISO files

Is accessible by both the GUI and TMSH installers

Has adequate storage space allocated specifically for images

Is part of the shared partition that persists across reboots

When transferring images via SCP, the administrator must copy them directly into/shared/images/so that:

The GUI (System → Software Management → Available Images) can detect the image

TMSH install software image commands can reference it

Other directories such as/local/images/or/var/images/are not valid storage paths for software images.

Provisioning settings define which modules are enabled and how system resources are allocated to them.

These provisioning declarations are stored in:

/config/bigip.conf

This file contains:

Full module provisioning statements

TMSH-equivalent provisioning configurations such as:

sys provision ltm { level nominal }

sys provision asm { level nominal }

It is theprimary system configuration filethat stores all active provisioning details.

Why the other answers are incorrect

A. /config/bigip.license

Showslicensedmodules, not provisioned modules.

B. /config/bigip_base.conf

Stores base networking (VLANs, Self-IPs, routes), not provisioning.

D. config.ucs

A backup archive, not a live configuration file.

Thus, the correct file to review active module provisioning is/config/bigip.conf.

Comprehensive and Detailed Explanation (Paraphrased)

The BIG-IP stores the configured management IP address as asystem configuration objectunder the/syshierarchy.

To display configured (persistent) values, BIG-IP uses thetmsh list command, not show.

Why tmsh list sys management-ip is correct

The management IP configuration is defined under:

/sys management-ip

Running:

tmsh list sys management-ip

displays:

The configured management IP address

Netmask

Associated attributes

This command shows theactual configured management IP, which is what the question asks for.

Why the other options are incorrect

A. tmsh show sys management-ip

The show command is used for runtime statistics and status.

management-ip is a configuration object, not a statistics object.

C. tmsh list sys management-route

Displays management routing information, not the management IP address itself.

D. tmsh list net self

Displays Self IPs used on the data plane.

Does not show the management interface IP.