Pearson F5CAB1 New Attempt

Access to the BIG-IP Configuration Utility (TMUI) is controlled through the/sys httpd allowlist.

This list defines which IP addresses or subnets are allowed to connect to the management web interface.

To allow two new subnets—172.28.31.0/24and172.28.65.0/24—the administrator mustaddboth subnets to the existing list without removing current entries.

In tmsh, subnet entries must be specified innetwork/netmask format, for example:

172.28.31.0/255.255.255.0

The correct tmsh command to append these networks is:

modify /sys httpd allow add { 172.28.31.0/255.255.255.0 172.28.65.0/255.255.255.0 }

Why the other options are incorrect:

Option B:

IPs are listed without masks, which is invalid for subnet-based access control.

The system requiresnetwork/netmaskformat.

Option C:

The command uses permit instead of allow, which is not a valid attribute of /sys httpd.

The correct keyword must beallow.

Thus, onlyOption Acorrectly adds both permitted subnets in the proper tmsh format.

When installing a HotFix on a BIG-IP device, F5 best practices require:

Installing the base TMOS image on a new, unused boot volume (HD1.2)

This ensures the upgrade happens on a clean volume.

The existing active boot location remains untouched for rollback.

Installing the HotFix onto the SAME new boot volume (HD1.2)

HotFixes must be applied on top of a base version.

They cannot be installed on an empty volume.

They must match the base image version.

Activating the new boot volume (HD1.2)

The system reboots into the updated software stack.

Activation happensafterbase + HotFix installation is complete.

This sequence is exactly shown inOption C:

Install base Image in HD1.2

Install HotFix in HD1.2

Activate HD1.2

Why the other options are incorrect:

A. Install HotFix before base image

Impossible.

HotFix requires an installed base version first.

B. Installing HotFix on HD1.1 (active boot volume)

Not recommended.

Upgrading in-place removes rollback safety.

HotFix cannot be applied cleanly without applying base image first.

D. Activate HD1.2 before installing anything

You cannot activate an empty boot volume.

Activation only occurs after the base + HotFix software is installed.

When upgrading to a newer TMOS software version, BIG-IP validates whether the current license is permitted to run that version.

This is controlled by theService Check Datein the device’s license file.

If the Service Check Date is older than the minimum required for the target version:

The systemboots into the new volume,

Butfails to load the configuration,

And will instead present messages indicating that the configuration cannot be applied due to aninvalid or outdated license.

This is a well-known behavior:

An outdated license, not reactivated before upgrade, causes configuration load failure after reboot into the new software.

Why the other options are incorrect:

A. Performed on the standby unit

Upgrading a standby unit does not cause configuration load failure.

Standby-only upgrades are standard best practice.

C. Two reboots required

BIG-IP does not require two reboots during an upgrade.

One reboot into the new volume is sufficient.

D. DNS connectivity failure

DNS connectivity does not affect configuration loading.

DNS is only needed for automatic license activation, not for applying config at boot.

Thus, the configuration failed to load because thelicense was not reactivated before the upgrade, makingOption Bcorrect.

Securing the BIG-IP management interface is a fundamental administrative responsibility. F5 best practices emphasize restricting who can reach the management port and ensuring that only authorized systems are allowed access.

A. Limiting management access to trusted network segments

F5 recommends placing the management interface on adedicated, isolated, and secured management network or VLAN, rather than exposing it to production or untrusted networks.

This reduces the attack surface by ensuring only trusted segments have visibility to administrative interfaces.

D. Restricting management access by IP or subnet

F5 BIG-IP uses the/sys httpd allowlist (for HTTPS) and configuration options insshd(for SSH) to control which IP addresses or subnets can access the device.

By specifying only known administrative IPs or ranges, unauthorized users cannot reach the login services.

Why the other options are incorrect

B. Blocking all management HTTPS/SSH ports

This would prevent any administrative access and is not a viable security practice.

C. Using Self-IP addresses for administrative access

F5 explicitly warns against using Self-IPs for management access unless strictly necessary.

Self-IPs are exposed to the data plane and should not be used as the primary administrative interface.