Question 7

The Port Lockdown feature prevents unwanted connection attempts to a Self IP.
Which three types of connection attempts are unaffected by Port Lockdown settings?

Correct Answer: C
Port Lockdown controls which ports and protocols a Self IP will respond to.
However, certain traffic types bypass Port Lockdown for BIG-IP functionality and routing integrity.
The three types that are NOT affected by Port Lockdown are:
* 1. Defined Virtual Server Traffic
Traffic destined to a Self IP that matches a configured virtual server is always accepted by the BIG-IP, regardless of Port Lockdown settings.
This ensures that traffic processing does not break when administrators restrict Self-IP ports.
* 2. ICMP (Internet Control Message Protocol)
ICMP (such as ping, traceroute responses, etc.) always passes through a Self IP even when Port Lockdown is set to:
Allow Default
Allow None
Allow Custom
F5 allows ICMP for reachability and diagnostic purposes independent of Port Lockdown rules.
* 3. Centralized Management Infrastructure (CMI)
CMI includes the internal HA services used for:
Device Trust
ConfigSync
Failover
Mirroring
These essential HA communications bypass Port Lockdown to prevent accidental cluster failure.
The well-known port for this traffic is TCP 4353, which is always permitted.
Why the other options are incorrect:
Option A: SSH is restricted by Port Lockdown unless explicitly allowed.
Option B: Same issue — SSH does not bypass Port Lockdown.
Only Defined VS Traffic, ICMP, and CMI bypass Port Lockdown.

Question 8

An F5 BIG-IP Administrator is asked to report which modules are provisioned on the BIG-IP.
In which two ways can this be done? (Choose two.)

Correct Answer: AD
Provisioning determines:
Which BIG-IP modules are enabled (LTM, ASM, APM, AFM, DNS, etc.)
Their provisioning levels (None, Minimal, Nominal, Dedicated)
Two accurate ways to view provisioning settings are:
* A. GUI — System > Resource Provisioning > Module Allocation
This is the primary GUI screen showing:
All modules
Their provisioning level
System resource distribution impact
Administrators commonly use this page to confirm or change module provisioning.
* D. TMSH — list /sys provision
This tmsh command displays each module and its provisioning level:
sys provision ltm { level nominal }
sys provision asm { level none }
This is the authoritative CLI method for checking module provisioning configurations.
Why the other options are incorrect:
* B. show /sys provision
Shows runtime information but not the actual configuration levels.
list is the correct command for configuration details.
* C. Statistics > Module Statistics
Shows performance statistics, NOT provisioning status.
Therefore, the correct responses are A and D.

Question 9

The BIG-IP Administrator wants to manage the newly built F5 system through an in-band Self-IP.
The administrator has configured a VLAN and Self-IP and can ping the IP from their workstation, but cannot access the system via SSH or HTTPS.
What port lock down settings should the BIG-IP Administrator use to allow management access on the Self-IP?
(Choose two.)

Correct Answer: CD
Self-IPs include a security feature called Port Lockdown, which restricts which services respond on that Self-IP.
By default, Self-IPs block management access (SSH and HTTPS/TMUI), meaning an administrator cannot manage the device through in-band Self-IPs unless explicitly allowed.
Allow Mgmt / Allow Management
These settings enable only the management services required for administrative access, specifically:
SSH (22)
HTTPS/TMUI (443)
These options allow secure administration without opening unnecessary ports.
Why these are correct:
They provide only the essential access for management.
They follow F5 security best practices when using in-band admin access.
They do not expose all services, reducing the attack surface.
Why the other options are incorrect:
* A. Allow Default
Administrator access would still fail.
* B. Allow All
Opens all ports on the Self-IP, which is not secure.
Exposes services that should remain restricted.
Therefore, Allow Mgmt / Allow Management are the correct choices.

Question 10

The device is currently on v15.1.2.1.
The BIG-IP Administrator needs to boot the device back to v13.1.0.6 to gather data for troubleshooting.
The system shows:
Sys::Software Status
Volume  Product  Version   Build   Active  Status    Allowed
HD1.1   BIG-IP   15.1.2.1  0.0.10  yes     complete  yes
HD1.2   BIG-IP   13.1.0.6  0.0.3   no      complete  yes
Which is the correct command-line sequence to boot the device to version 13.1.0.6?

Correct Answer: B
To change the boot volume on a BIG-IP system from one installed TMOS version to another, the correct CLI tool is:
switchboot
The correct syntax uses the -b flag:
switchboot -b <volume>
This command marks the specified boot location as the one to be used on the next reboot. Thus, to boot into HD1.2, which contains 13.1.0.6, the sequence is:
Mark HD1.2 as the next boot location:
switchboot -b HD1.2
Reboot the system:
reboot
This is the standard and officially supported method for selecting a different installed volume.
Why the other options are incorrect:
* A. "tmsh reboot HD1.2"
There is no such tmsh syntax.
Boot volume cannot be selected by adding a parameter to reboot.
* C. switchboot -I HD1.2
The -I flag is invalid. Only -b is used.
* D. "tmsh switchboot HD1.2"
switchboot is not a tmsh command; it is a system-level shell utility.
Therefore, Option B is the correct and valid command sequence.

Question 11

Which command will display the current active volume on a BIG-IP system?

Correct Answer: B
To identify which boot volume is currently active on a BIG-IP system, the correct command is:
tmsh show sys software status
This command displays:
All installed boot volumes (HD1.1, HD1.2, HD1.3, etc.)
The BIG-IP software version installed on each volume
The Active field, indicating which volume the system is currently booted from
The installation status ("complete", "in-progress", "allowed")
This is the standard and authoritative way to determine the active boot location.
Why the other options are incorrect:
* A. tmsh show sys version
Displays OS version, build, and date.
Does not show boot locations or which volume is active.
* C. tmsh list sys software update
Shows software update configurations, not boot volume status.
Does not display which volume is active.

Question 12

Which port is an exception to the Port Lockdown function of Self-IPs if a device-group synchronization cluster is configured?

Correct Answer: B
Self-IPs implement a security feature known as Port Lockdown, which limits which services are reachable on a Self-IP.
However, certain services required for BIG-IP device-to-device communication bypass Port Lockdown to ensure cluster and HA functionality.
TCP 4353
TCP port 4353 is used by Device Service Clustering (DSC) for:
Device trust establishment
Configuration synchronization
Failover communication
Because BIG-IP devices must always be able to communicate for HA functions to remain operational, port 4353 is exempt from Port Lockdown rules.
Why the other options are incorrect:
* A. TCP 443
Not required for device trust or synchronization.
HTTPS access is fully controlled by Port Lockdown.
* C. UDP 53
DNS traffic is not required for synchronization and has no exemption under Port Lockdown.
