For BIG-IP high-availability (HA) pairs, F5’s recommended upgrade workflow prioritizesservice continuity,predictable failover, andminimal downtime. The established best-practice sequence is:

Upgrade the standby unit first

Because the standby device is not passing traffic, upgrading and rebooting it does not impact production.

Boot the standby unit into the newly installed version

Once online, the administrator verifies basic health, device sync status, cluster communication, and module functionality.

Perform a controlled failover to the upgraded unit

Traffic shifts to the newly upgraded device, allowing validation of the configuration and operational behavior under real traffic loads.

Upgrade the second device (now standby)

The previously active device becomes standby after failover, allowing it to be safely upgraded and rebooted without interruption.

This phased approach ensures only one device is unavailable at a time, allowing continuous traffic flow throughout the upgrade process.

Why the Correct Answer is C

OptionCexactly matches F5’s documented production-safe upgrade method:

Upgrade thestandbynode first

Reboot into new image

Failover to upgraded device

Validate

Upgrade the remaining (now-standby) device

This procedure minimizes risk and traffic disruption.

Why the other options are incorrect:

A. Upgrade the active node first

Upgrading the active device requires removing it from service and failing over abruptly. This is not recommended and increases service disruption risk.

B. Resetting device trust

Resetting trust is unnecessary and can disrupt configuration sync, peer communication, and cluster operation. It is not part of any standard upgrade workflow.

D. Upgrading and rebooting both nodes simultaneously

This would causetotal outage, because both HA members would be unavailable at the same time.

Comprehensive and Detailed Explanation (Paraphrased)

The BIG-IP stores the configured management IP address as asystem configuration objectunder the/syshierarchy.

To display configured (persistent) values, BIG-IP uses thetmsh list command, not show.

Why tmsh list sys management-ip is correct

The management IP configuration is defined under:

/sys management-ip

Running:

tmsh list sys management-ip

displays:

The configured management IP address

Netmask

Associated attributes

This command shows theactual configured management IP, which is what the question asks for.

Why the other options are incorrect

A. tmsh show sys management-ip

The show command is used for runtime statistics and status.

management-ip is a configuration object, not a statistics object.

C. tmsh list sys management-route

Displays management routing information, not the management IP address itself.

D. tmsh list net self

Displays Self IPs used on the data plane.

Does not show the management interface IP.

When installing a BIG-IP software versionwith a HotFixon anew boot volume, F5 requires that both thebase TMOS imageand theHotFix imagebe installed together as part of the same installation workflow.

The correct process is:

Specify thebase TMOS ISO

Specify theHotFix ISOthat corresponds to that base version

Instruct the system tocreate a new boot volume

Install both images into that new volume

This is achieved with the following tmsh syntax:

tmsh install /sys software BIGIP-.iso hotfix Hotfix-BIGIP--ENG.iso create-volume HD1.2

This command:

Installs the base image first

Applies the HotFix on top of the base image

Creates and installs everything onHD1.2

Leaves the currently active volume untouched for rollback

Why the other options are incorrect

A. Installing only the hotfix

A HotFix cannot be installed by itself on a new volume. A base image must already be present.

C. Using create instead of install

The create keyword is not valid for software installation operations.

D. Using copy

The copy command does not install software images or hotfixes.

Provisioning settings define which modules are enabled and how system resources are allocated to them.

These provisioning declarations are stored in:

/config/bigip.conf

This file contains:

Full module provisioning statements

TMSH-equivalent provisioning configurations such as:

sys provision ltm { level nominal }

sys provision asm { level nominal }

It is theprimary system configuration filethat stores all active provisioning details.

Why the other answers are incorrect

A. /config/bigip.license

Showslicensedmodules, not provisioned modules.

B. /config/bigip_base.conf

Stores base networking (VLANs, Self-IPs, routes), not provisioning.

D. config.ucs

A backup archive, not a live configuration file.

Thus, the correct file to review active module provisioning is/config/bigip.conf.

BIG-IP systems require all ISO images (base TMOS images and HotFix images) to be stored in a specific directory used for software installation:

/shared/images/

This directory:

Is theonly supported locationfrom which the BIG-IP software installation system validates and installs ISO files

Is accessible by both the GUI and TMSH installers

Has adequate storage space allocated specifically for images

Is part of the shared partition that persists across reboots

When transferring images via SCP, the administrator must copy them directly into/shared/images/so that:

The GUI (System → Software Management → Available Images) can detect the image

TMSH install software image commands can reference it

Other directories such as/local/images/or/var/images/are not valid storage paths for software images.

The exhibit shows aSelf IPwith:

VLAN:Data

Port Lockdown:Allow None

Impact of “Allow None” on SNMP

When a Self IP is configured with:

Port Lockdown: Allow None

the BIG-IP blocksallservices and ports except a few hardcoded HA communication ports.

This means:

UDP/161 (SNMP)is blocked

UDP/162 (SNMP traps)is blocked

The SNMP server cannot poll or receive data from the BIG-IP through this Self IP

SNMP relies on access through the Self IP if out-of-band (mgmt interface) is not used.

Thus, the issue is directly caused byPort Lockdown = Allow None, which prevents SNMP communication.

Why the other options are incorrect:

B. Traffic Group must use a floating Traffic Group

SNMP polling doesnotrequire floating Self IPs.

Floating groups apply to HA failover IPs, not SNMP functionality.

C. VLAN/Tunnel must allow All VLANs

Self IPs are always bound to a VLAN; SNMP doesnotrequire All VLANs.

As long as the Self IP belongs to a reachable VLAN, SNMP can work.

D. Configuration is correct

It is not correct:Allow Noneblocks SNMP and is the problem.

The exhibit shows theCurrent Resource Allocationfor:

CPU

Disk

Memory

In particular, theMemory Allocationbar displays the modules that are currently provisioned.

Memory is the most reliable indicator because BIG-IP allocates memoryonlyto modules that are actively provisioned.

From the exhibit:

MGMT(Management) – always present

TMM(Traffic Management Microkernel) – indicatesLTM is provisioned

GTM– this label indicates that theDNS moduleis provisioned (GTM = Global Traffic Manager, now called DNS)

APM– explicitly shown, indicatingAccess Policy Manageris provisioned

Therefore, the provisioned modules are:

LTM(implied by TMM allocation)

DNS/GTM

APM

This matchesOption C: LTM, DNS, APM.