[2026年01月] 更新されたのはF5 F5CAB1問題集PDFオンラインエンジン
F5CAB1.PDFで問題解答PDFサンプル問題は信頼され続ける
質問 # 26
A BIG-IP Administrator upgrades the BIG-IP LTM to a newer software version. After the administrator reboots into the new volume, the configuration fails to load.
Why is the configuration failing to load?
- A. The license needed to be reactivated before the upgrade.
- B. The upgrade was performed on the standby unit.
- C. Connectivity to the DNS server failed to be established.
- D. A minimum of at least two reboots is required.
正解:A
解説:
When upgrading to a newer TMOS software version, BIG-IP validates whether the current license is permitted to run that version.
This is controlled by theService Check Datein the device's license file.
If the Service Check Date is older than the minimum required for the target version:
* The systemboots into the new volume,
* Butfails to load the configuration,
* And will instead present messages indicating that the configuration cannot be applied due to aninvalid or outdated license.
This is a well-known behavior:
An outdated license, not reactivated before upgrade, causes configuration load failure after reboot into the new software.
Why the other options are incorrect:
A). Performed on the standby unit
* Upgrading a standby unit does not cause configuration load failure.
* Standby-only upgrades are standard best practice.
C). Two reboots required
* BIG-IP does not require two reboots during an upgrade.
* One reboot into the new volume is sufficient.
D). DNS connectivity failure
* DNS connectivity does not affect configuration loading.
* DNS is only needed for automatic license activation, not for applying config at boot.
Thus, the configuration failed to load because thelicense was not reactivated before the upgrade, making Option Bcorrect.
質問 # 27
A BIG-IP Administrator needs to purchase new licenses for a BIG-IP appliance.
The administrator needs to know:
* Whether a module is licensed
* The memory requirement for that module
Where should the administrator view this information in theSystem menu?
- A. Resource Provisioning
- B. Software Management
- C. Configuration Device
- D. Configuration OVSDB
正解:A
解説:
To understand:
* Which modules arelicensed
* Which modules areprovisioned
* Theresource requirements(CPU / RAM) of each module
The administrator uses:
System Resource Provisioning
This page displays:
* All modules present in the license
* Whether they are enabled or disabled
* Required memory to activate each module
* CPU and disk allocation information
* Provisioning level options (None / Minimal / Nominal / Dedicated)
This is the exact location where BIG-IP administrators evaluate module capacity before enabling or purchasing licensing upgrades.
Why the other options are incorrect:
A). Configuration OVSDB
* Used for network virtualization integrations, not licenses or modules.
B). Software Management
* Used for software image installation, not licensing.
C). Configuration Device
* Displays hostname, failover settings, device properties - not module resource requirements.
Thus, module licensing and memory requirement data are found underResource Provisioning.
質問 # 28
For security reasons, a BIG-IP Administrator needs to specify allowable IP ranges for access to the Configuration Utility (WebUI).
The exhibit shows the User Administration section of the Configuration Utility.
The administrator could not find any setting that explicitly restricts access to the Configuration Utility.
Which one of the following is a reason for that?
- A. The administrator must restrict access by IP address for SSH, which will implicitly restrict access to the Configuration Utility
- B. The administrator needs to switch to the "Advanced" view mode in order to display the relevant setting
- C. To avoid locking out the administrator, recent versions of BIG-IP no longer allow restricting administrator access to the Configuration Utility by source IP address
- D. Restricting access to the Configuration Utility can only be done from the Command Line Interface
正解:D
解説:
The screenshot shown is from theUser Administrationsection of the BIG-IP GUI.
This section controls:
* Root and Admin passwords
* SSH Access
* SSH IP Allow settings
However,it does not contain any controls for restricting access to the WebUI (TMUI).
BIG-IP does not provide TMUI access restrictions from this part of the GUI.
Access to the web-based Configuration Utility is controlled by thehttpd allow list, configured through TMSH:
tmsh modify /sys httpd allow { <IP/subnet> }
This setting is not displayed in the User Administration panel, and in many BIG-IP versions, the httpd allow list isonly configurable from the CLI, not the GUI.
Therefore, the administrator cannot find the setting in the screen shown because:
* TMUI access restriction isnotlocated in this GUI section
* It must be configured usingtmshunder/sys httpd allow
This is whyOption Ais correct.
質問 # 29
A secondary administrator has been granted access to a BIG-IP device through itsManagement Interface, but is unable to access theConfiguration Utility (WebUI).
What command can be run from the CLI to capture the network traffic on themanagement interfaceand troubleshoot the issue?
(Choose two.)
- A. tcpdump -i tun0 -n port 443
- B. tcpdump -i management -n port 443
- C. tcpdump -i 0.0 -n port 443
- D. tcpdump -i eth0 -n port 443
- E. tcpdump -i mgmt -n port 443
正解:D、E
解説:
The BIG-IP has two distinct planes:
* Management-plane# handled entirely by the management interface (MGMT)
* Data-plane (TMM)# handles Self IPs, VLAN interfaces, and traffic processing To capture traffic on the management interface, only the management-side NICs may be used:
* mgmt# Logical name for the management interface
* eth0# Physical Linux interface mapped to the management port on most BIG-IP platforms Both of these correctly capture inbound/outbound WebUI (HTTPS/443) traffic on the management port.
Why the correct answers are A and B
A). tcpdump -i eth0 -n port 443
* On BIG-IP appliances and VMs, the management port maps toeth0at the Linux OS level.
* Capturing on eth0 correctly shows HTTPS traffic to the WebUI.
B). tcpdump -i mgmt -n port 443
* mgmtis the BIG-IP alias for the management interface.
* This is thepreferredand most explicit capture interface for management-plane packet captures.
Why the other options are incorrect:
C). tcpdump -i 0.0
* Interface0.0is the TMM switch interface used for data-plane packet captures.
* Itdoes NOTcapture management-plane traffic.
D). tcpdump -i tun0
* Used for tunnel interfaces (IPsec, VXLAN, etc.)
* Not related to management access.
E). tcpdump -i management
* There isnointerface named management on BIG-IP.
* The correct names are mgmt or eth0.
質問 # 30
Which port is an exception to the Port Lockdown function of Self-IPs if a device-group synchronization cluster is configured?
- A. TCP 4353
- B. UDP 53
- C. TCP 443
正解:A
解説:
Self-IPs implement a security feature known asPort Lockdown, which limits which services are reachable on a Self-IP.
However, certain services required for BIG-IP device-to-device communication bypass Port Lockdown to ensure cluster and HA functionality.
TCP 4353
* TCP port4353is used byDevice Service Clustering (DSC)for:
* Device trust establishment
* Configuration synchronization
* Failover communication
* Because BIG-IP devices must always be able to communicate for HA functions to remain operational, port 4353 isexempt from Port Lockdown rules.
Why the other options are incorrect
A). TCP 443
* Not required for device trust or synchronization.
* HTTPS access is fully controlled by Port Lockdown.
C). UDP 53
* DNS traffic is not required for synchronization and has no exemption under Port Lockdown.
質問 # 31
A BIG-IP Administrator needs to install aHotFixon a standalone BIG-IP device.
The device currently hasHD1.1as the Active Boot Location.
The administrator has already reactivated the license and created a UCS archive.
In which sequence should the administrator perform theremaining steps?
- A. Install base Image in HD1.2, Install HotFix in HD1.2, Activate HD1.2
- B. Activate HD1.2, Install base Image in HD1.2, Install HotFix in HD1.2
- C. Install HotFix in HD1.2, Install base Image in HD1.2, Activate HD1.2
- D. Install HotFix in HD1.1, Reboot the BIG-IP device, Install UCS Archive
正解:A
解説:
When installing a software upgrade with a HotFix on BIG-IP, the correct workflow requires:
* Install the base TMOS imageon an unused boot volume
* Install the corresponding HotFixonto that same boot volume
* Activate the updated boot volumeto boot into the new software
This method ensures:
* The existing active system (HD1.1) is untouched
* The upgrade occurs in a new, clean volume (HD1.2)
* The HotFix applies properly to the same base image
* The administrator can revert to HD1.1 if issues occur
OptionCmatches the correct F5 upgrade sequence:
1. Install base image on HD1.2
2. Install HotFix on HD1.2
3. Activate HD1.2
Why the other options are incorrect:
A). Install HotFix before base image
* HotFixes must be appliedafterthe base image; not valid.
B). Installing a HotFix on the active boot location (HD1.1)
* Not recommended and does not use a clean new volume.
* Also does not involve installing the base image.
D). Activating HD1.2 before installing anything
* Cannot activate an empty or invalid boot volume.
Thus,Option Cis the correct sequence.
質問 # 32
A BIG-IP Administrator plans to upgrade a BIG-IP device to the latest TMOS version.
Which two tools could the administrator leverage to verify known issues for the target versions? (Choose two.)
- A. F5 Downloads
- B. F5 iHealth
- C. F5 Bug Tracker
- D. F5 University
- E. F5 End User Diagnostics (EUD)
正解:B、C
解説:
Comprehensive and Detailed Explanation (Paraphrased from F5 BIG-IP Administration Install, Initial Configuration, and Upgrade concepts) When performing a TMOS upgrade, F5 recommends validating the target software version to ensure that the release does not contain defects that may impact system behavior. The upgrade preparation process includes checking for known issues, validating compatibility, and reviewing advisory information for the intended version. Two primary F5 tools serve this purpose:
B). F5 iHealth
iHealth is a cloud-based diagnostic and analysis platform used to evaluate the operational state of a BIG-IP system.
Administrators upload a QKView file to iHealth to receive an automated assessment of the system. As part of upgrade planning, iHealth provides:
* Version-specific issue analysis, comparing the system's configuration and hardware against F5's internal catalog of published issues.
* Upgrade advisories, identifying potential risks such as deprecated features, module compatibility concerns, or changes in behavior between TMOS versions.
* Checks against known defects, allowing administrators to determine whether the target TMOS version contains issues relevant to their deployment.
This aligns with F5's recommended upgrade workflow, where iHealth is used before upgrading to confirm system readiness and detect software-level concerns.
D). F5 Bug Tracker
The Bug Tracker is F5's dedicated interface for reviewing software defects across TMOS releases.
It enables administrators to:
* Search forknown bugs by TMOS version, module, severity, or defect ID.
* Review thestatus of defects(open, resolved, fixed in later releases).
* Identify whether high-impact or security-related issues are associated with the target upgrade version.
F5 documentation emphasizes reviewing known defects prior to installation of new software images, making the Bug Tracker a critical resource for upgrade validation.
Why the other options are not correct
A). F5 End User Diagnostics (EUD)
EUD is used exclusively forhardware diagnostics(ports, memory, fans). It does not provide software-related issue verification and is not used for upgrade planning.
C). F5 University
This is atraining platform, not an operational tool. It does not provide defect listings or upgrade-specific warnings.
E). F5 Downloads
Although it provides access to software images and release notes, it isnot a tool for identifying known bugs.
Release notes summarize general fixes and features, but systematic bug verification requires iHealth or the Bug Tracker.
質問 # 33
The Port Lockdown feature prevents unwanted connection attempts to a Self IP.
Which three types of connection attempts areunaffectedby Port Lockdown settings?
- A. Defined virtual server traffic, Secure Shell (SSH), Centralized Management Infrastructure (CMI)
- B. Defined virtual server traffic, Internet Control Message Protocol (ICMP), Centralized Management Infrastructure (CMI)
- C. Centralized Management Infrastructure (CMI), Secure Shell (SSH), Internet Control Message Protocol (ICMP)
正解:B
解説:
Port Lockdown controls which ports and protocols aSelf IPwill respond to.
However, certain traffic types bypass Port Lockdown for BIG-IP functionality and routing integrity.
The three types that areNOT affectedby Port Lockdown are:
1. Defined Virtual Server Traffic
Traffic destined to a Self IP that matches aconfigured virtual serveris always accepted by the BIG-IP, regardless of Port Lockdown settings.
This ensures that traffic processing does not break when administrators restrict Self-IP ports.
2. ICMP (Internet Control Message Protocol)
ICMP (such as ping, traceroute responses, etc.) always passes through a Self IP even when Port Lockdown is set to:
* Allow Default
* Allow None
* Allow Custom
F5 allows ICMP for reachability and diagnostic purposes independent of Port Lockdown rules.
3. Centralized Management Infrastructure (CMI)
CMI includes the internal HA services used for:
* Device Trust
* ConfigSync
* Failover
* Mirroring
These essential HA communications bypass Port Lockdown to prevent accidental cluster failure.
The well-known port for this traffic isTCP 4353, which is always permitted.
Why the other options are incorrect:
Option A:SSHisrestricted by Port Lockdown unless explicitly allowed.
Option B:Same issue - SSH does not bypass Port Lockdown.
OnlyDefined VS Traffic,ICMP, andCMIbypass Port Lockdown.
質問 # 34
Which two items demonstrate thecreation of a new volumefor software images?
(Choose two.)
- A. Using the GUI, go toSystem > Disk Management, selectNew Volume. In the pop-up window, type the name or number of the new volume and clickApply.
- B. Using the GUI, go toSystem > Software Management > Available Images > Install, and in the Install Software Image pop-up window, type the new volume name or number and clickInstall.
- C. tmsh install /sys software image BIGIP-<version>.iso volume HD1.5 create-volume
- D. tmsh install sys software image /shared/images/BIGIP-<version>.iso volume HD1.5 create-volume
- E. tmsh install software image /shared/images/BIGIP-<version>.iso volume HD1.5 create-volume
正解:A、E
解説:
In BIG-IP, software images are installed onboot volumes(for example, HD1.1, HD1.2, HD1.3, etc.).
To install software on anew volume, the administrator must instruct the system to create a new boot location before installation.
There are two correct ways to create a new volume:
A). tmsh command (with correct syntax)
tmsh install software image /shared/images/BIGIP-<version>.iso volume HD1.5 create-volume This syntax correctly includes:
* install software image
* full path to ISO (/shared/images/...)
* volume name (HD1.5)
* create-volumekeyword
This instructs BIG-IP to create the new boot volume as part of the installation.
C). Using the GUI # System > Disk Management
From the Disk Management menu, the administrator can:
* Select "New Volume"
* Enter the volume identifier (e.g., HD1.5)
* Apply changes
This GUI method is officially supported and explicitly creates a new boot volume before installing the software.
Why the other options are incorrect:
B). Incorrect tmsh syntax
* Missing /shared/images/ path
* Incorrect command structure
D). Incorrect command structure
* Missing required keywords and correct command hierarchy
E). Software Management # Install does NOT create volumes
* This installs to anexistingvolume only
* The GUI install dialog does not create new boot volumes
Thus, onlyOption AandOption Cproperly create a new software volume.
質問 # 35
A BIG-IP Administrator needs to verify the state of equipment in the data center.
A BIG-IP appliance has asolid yellow indicatoron the status LED.
How should the administrator interpret this LED indicator?
- A. A warning-level alarm condition is present
- B. Appliance is a standby member in a device group
- C. A power supply is NOT operating properly
- D. Appliance is halted or in End-User Diagnostic (EUD) mode
正解:A
解説:
BIG-IP hardware platforms use chassis LEDs to indicate system health states.
Asolid yellow status LEDtypically indicates awarning condition, such as:
* A non-critical hardware alert
* A temperature threshold nearing limit
* A minor fan or sensor irregularity
* Other non-fatal environmental or system conditions
This state reflects awarning-level alarm, meaning the unit is operational but requires investigation.
Why the other options are incorrect
A). Halted or EUD mode
* This is associated with different LED patterns (usually flashing conditions or specific color codes), not a solid yellow status LED.
B). Standby in device group
* HA state is not indicated by the chassis status LED.
* Standby status is alogicaldevice state, not a hardware LED state.
D). Power supply failure
* Power supply indicators use separate LEDs located on each power module (usually flashing amber/red), not the system status LED.
Thus, asolid yellow status indicatorsignifies awarning-level alarm.
質問 # 36
Refer to the exhibit.
An organization has purchased a BIG-IP license that includes all available modules but has chosen to provision only the modules they require.
The exhibit displays the current resource allocation from theSystem # Resource Provisioningpage.
Based on the information provided, which F5 modules have been provisioned?
- A. LTM, DNS, APM
- B. DNS, APM
- C. TMM, DNS, APS
- D. LTM, APM
正解:A
解説:
The exhibit shows theCurrent Resource Allocationfor:
* CPU
* Disk
* Memory
In particular, theMemory Allocationbar displays the modules that are currently provisioned.
Memory is the most reliable indicator because BIG-IP allocates memoryonlyto modules that are actively provisioned.
From the exhibit:
* MGMT(Management) - always present
* TMM(Traffic Management Microkernel) - indicatesLTM is provisioned
* GTM- this label indicates that theDNS moduleis provisioned (GTM = Global Traffic Manager, now called DNS)
* APM- explicitly shown, indicatingAccess Policy Manageris provisioned
Therefore, the provisioned modules are:
* LTM(implied by TMM allocation)
* DNS/GTM
* APM
This matchesOption C: LTM, DNS, APM.
質問 # 37
For an upgrade of a standalone BIG-IP, a maintenance window is available in which brief interruptions are allowed.
Actions with no impact can be done outside the maintenance window.
When should a license reactivation be performed?
- A. During the maintenance window.
- B. Before the maintenance window.
- C. After the maintenance window.
正解:B
解説:
License reactivation updates the BIG-IP device's license file to ensure:
* TheService Check Dateis current
* The device is eligible to install the intended TMOS version
* Any module entitlement updates are received
Reactivationdoes not interrupt trafficand does not require a reboot, making it safe to performbeforethe maintenance window.
F5 best practices state:
* Performall non-impact tasks priorto the scheduled maintenance window
* Leave the window available for activities that require rebooting, such as the software installation itself Since license reactivation isnon-disruptive, it should be donebeforethe upgrade window starts.
質問 # 38
A BIG-IP Administrator is responsible for deploying a new software image on an F5 BIG-IP HA pair and has scheduled a one-hour maintenance window.
With a focus on minimizing service disruption, which of the following strategies is the most appropriate?
- A. Update both nodes in the HA pair, then reboot both nodes simultaneously to ensure they run the same software version.
- B. Reset the Device Trust, apply the update to each node separately, reboot both nodes, then re-establish the Device Trust.
- C. Update the active node first, reboot to the newly updated boot location and verify functionality, then push the update from the active to the standby node and reboot the standby node.
- D. Update the standby node first and reboot it to the newly updated boot location, failover to the newly updated node and verify functionality. Repeat the upgrade procedures on the next node, which is now in standby mode.
正解:D
解説:
For BIG-IP high-availability (HA) pairs, F5's recommended upgrade workflow prioritizesservice continuity, predictable failover, andminimal downtime. The established best-practice sequence is:
* Upgrade the standby unit first
* Because the standby device is not passing traffic, upgrading and rebooting it does not impact production.
* Boot the standby unit into the newly installed version
* Once online, the administrator verifies basic health, device sync status, cluster communication, and module functionality.
* Perform a controlled failover to the upgraded unit
* Traffic shifts to the newly upgraded device, allowing validation of the configuration and operational behavior under real traffic loads.
* Upgrade the second device (now standby)
* The previously active device becomes standby after failover, allowing it to be safely upgraded and rebooted without interruption.
This phased approach ensures only one device is unavailable at a time, allowing continuous traffic flow throughout the upgrade process.
Why the Correct Answer is C
OptionCexactly matches F5's documented production-safe upgrade method:
* Upgrade thestandbynode first
* Reboot into new image
* Failover to upgraded device
* Validate
* Upgrade the remaining (now-standby) device
This procedure minimizes risk and traffic disruption.
Why the other options are incorrect:
A). Upgrade the active node first
* Upgrading the active device requires removing it from service and failing over abruptly. This is not recommended and increases service disruption risk.
B). Resetting device trust
* Resetting trust is unnecessary and can disrupt configuration sync, peer communication, and cluster operation. It is not part of any standard upgrade workflow.
D). Upgrading and rebooting both nodes simultaneously
* This would causetotal outage, because both HA members would be unavailable at the same time.
質問 # 39
The device is currently onv15.1.2.1.
The BIG-IP Administrator needs to boot the device back tov13.1.0.6to gather data for troubleshooting.
The system shows:
Sys::Software Status
Volume Product Version Build Active Status Allowed
HD1.1 BIG-IP 15.1.2.1 0.0.10 yes complete yes
HD1.2 BIG-IP 13.1.0.6 0.0.3 no complete yes
Which is the correct command-line sequence to boot the device to version13.1.0.6?
- A. switchboot -b HD1.2, then reboot
- B. switchboot -I HD1.2, then reboot
- C. Use tmsh to select a new boot volume, tmsh switchboot HD1.2
- D. Use tmsh to select a new boot volume, tmsh reboot HD1.2
正解:A
解説:
To change the boot volume on a BIG-IP system from one installed TMOS version to another, the correct CLI tool is:
switchboot
The correct syntax uses the-bflag:
switchboot -b <volume>
This command marks the specified boot location as the one to be used on the next reboot.
Thus, to boot intoHD1.2which contains13.1.0.6, the sequence is:
* Mark HD1.2 as the next boot location:
* switchboot -b HD1.2
* Reboot the system:
* reboot
This is the standard and officially supported method for selecting a different installed volume.
Why the other options are incorrect:
A). "tmsh reboot HD1.2"
* There is no such tmsh syntax.
* Boot volume cannot be selected by adding a parameter to reboot.
C). switchboot -I HD1.2
* The -I flag is invalid. Only -b is used.
D). "tmsh switchboot HD1.2"
* switchboot isnota tmsh command; it is a system-level shell utility.
Therefore,Option Bis the correct and valid command sequence.
質問 # 40
The BIG-IP Administrator uses Secure Copy Protocol (SCP) to upload a TMOS image to the/shared/images/ directory in preparation for a TMOS upgrade.
After the upload is completed, what will the system dobeforethe image is shown in the GUI under:
System » Software Management » Image List?
- A. The system verifies the internal checksum
- B. The system copies the image to /var/local/images/
- C. The system performs a reboot into a new partition
正解:A
解説:
When a TMOS image (.iso file) is uploaded into the/shared/images/directory, the BIG-IP performs an internal validation step before the ISO appears in the GUI.
1. The system verifies the internal checksum
* BIG-IP automatically reads the embedded checksum inside the ISO file
* Verifies integrity of the uploaded image
* Confirms the file is not corrupted or incomplete
* Ensures the image is a valid F5 TMOS software image
Only after this checksum verification succeeds does the image appear under:
System # Software Management # Image List
Why the other options are incorrect:
A). The system performs a reboot into a new partition
* Uploading an ISO file never triggers a reboot.
C). The system copies the image to /var/local/images/
* All valid TMOS images remain in/shared/images/.
* No copying occurs.
質問 # 41
An F5 BIG-IP Administrator is asked to report which modules areprovisionedon the BIG-IP.
In which two ways can this be done?
(Choose two.)
- A. Via the GUI atStatistics # Module Statistics # System
- B. Via TMSH withshow /sys provision
- C. Via the GUI atSystem # Resource Provisioning # Module Allocation
- D. Via TMSH withlist /sys provision
正解:C、D
解説:
Provisioning determines:
* Which BIG-IP modules are enabled (LTM, ASM, APM, AFM, DNS, etc.)
* Their provisioning levels (None, Minimal, Nominal, Dedicated)
Two accurate ways to view provisioning settings are:
A). GUI - System # Resource Provisioning # Module Allocation
This is the primary GUI screen showing:
* All modules
* Their provisioning level
* System resource distribution impact
Administrators commonly use this page to confirm or change module provisioning.
D). TMSH - list /sys provision
This tmsh command displays each module and its provisioning level:
sys provision ltm { level nominal }
sys provision asm { level none }
This is the authoritative CLI method for checking module provisioning configurations.
Why the other options are incorrect:
B). show /sys provision
* Showsruntimeinformation butnot the actual configuration levels.
* list is the correct command for configuration details.
C). Statistics # Module Statistics
* Shows performance statistics, NOT provisioning status.
Therefore, the correct responses areAandD.
質問 # 42
......
F5 F5CAB1問題集PDFのベストを目指すなら問題集を使おう 目指そう高得点:https://www.goshiken.com/F5/F5CAB1-mondaishu.html
F5-CA F5CAB1試験と認定テストエンジン:https://drive.google.com/open?id=1dgw1Jn_hlk9YjWLNrFoqD6u-mgQrcHqz