Provisioning settings define which modules are enabled and how system resources are allocated to them.

These provisioning declarations are stored in:

/config/bigip.conf

This file contains:

Full module provisioning statements

TMSH-equivalent provisioning configurations such as:

sys provision ltm { level nominal }

sys provision asm { level nominal }

It is the primary system configuration file that stores all active provisioning details.

Why the other answers are incorrect

A. /config/bigip.license

Shows licensed modules, not provisioned modules.

B. /config/bigip_base.conf

Stores base networking (VLANs, Self-IPs, routes), not provisioning.

D. config.ucs

A backup archive, not a live configuration file.

Thus, the correct file to review active module provisioning is /config/bigip.conf .

BIG-IP provisioning determines how CPU, memory, and disk resources are allocated to each module. The goal is to provision only the modules required and at levels appropriate to their performance needs.

Requirements in the question

The device will be used for:

LTM (Local Traffic Manager) → load balancing

ASM (Application Security Manager) → WAF

No functions require:

APM (Access Policy Manager)

AFM (Advanced Firewall Manager)

Why Option C is correct

Provisioning both LTM and ASM at Nominal level provides:

Adequate performance for production load

Plentiful system resources while avoiding dedicating the entire system to a single module

Balanced allocation without starving memory or CPU

Setting APM: None and AFM: None ensures unused modules consume zero resources.

Why the other options are incorrect

A. Dedicated provisioning for both LTM and ASM

Two modules cannot both run in “Dedicated” mode.

Dedicated mode allocates all resources to a single module — the second module cannot be dedicated simultaneously.

B. LTM and ASM both Dedicated

Same issue: only one module can be Dedicated at a time.

Also unnecessary for load balancing + WAF.

D. Setting APM and AFM to Minimal

Minimal still consumes memory and CPU.

Unused modules should be set to None .

Therefore, Option C is the best provisioning strategy.

Self-IPs implement a security feature known as Port Lockdown , which limits which services are reachable on a Self-IP.

However, certain services required for BIG-IP device-to-device communication bypass Port Lockdown to ensure cluster and HA functionality.

TCP 4353

TCP port 4353 is used by Device Service Clustering (DSC) for:

Device trust establishment

Configuration synchronization

Failover communication

Because BIG-IP devices must always be able to communicate for HA functions to remain operational, port 4353 is exempt from Port Lockdown rules .

Why the other options are incorrect

A. TCP 443

Not required for device trust or synchronization.

HTTPS access is fully controlled by Port Lockdown.

C. UDP 53

DNS traffic is not required for synchronization and has no exemption under Port Lockdown.

The HTTPD allow list controls which IP addresses or subnets may access the Configuration Utility (TMUI) on the BIG-IP system. The Administrator already has two subnets allowed and needs to add a single host IP to the existing list.

The object /sys httpd allow supports actions such as add , delete , and replace-all-with .

Because the goal is to add one more entry without removing the existing permitted subnets, the correct command is:

modify /sys httpd allow add { 172.28.32.22 }

This appends the new host to the existing list while preserving the previously configured networks.

Why the other options are incorrect:

Option A (replace-all-with) would overwrite the entire allow list, removing existing permitted subnets—unacceptable.

Option B (delete) would remove the existing networks and not add the required host.

Therefore, the correct administrative action is to add the jump host’s IP.

When a TMOS image (.iso file) is uploaded into the /shared/images/ directory, the BIG-IP performs an internal validation step before the ISO appears in the GUI.

1. The system verifies the internal checksum

BIG-IP automatically reads the embedded checksum inside the ISO file

Verifies integrity of the uploaded image

Confirms the file is not corrupted or incomplete

Ensures the image is a valid F5 TMOS software image

Only after this checksum verification succeeds does the image appear under:

System → Software Management → Image List

Why the other options are incorrect:

A. The system performs a reboot into a new partition

Uploading an ISO file never triggers a reboot.

C. The system copies the image to /var/local/images/

All valid TMOS images remain in /shared/images/ .

No copying occurs.

Access to the BIG-IP Configuration Utility (TMUI) is controlled through the /sys httpd allow list.

This list defines which IP addresses or subnets are allowed to connect to the management web interface.

To allow two new subnets— 172.28.31.0/24 and 172.28.65.0/24 —the administrator must add both subnets to the existing list without removing current entries.

In tmsh, subnet entries must be specified in network/netmask format , for example:

172.28.31.0/255.255.255.0

The correct tmsh command to append these networks is:

modify /sys httpd allow add { 172.28.31.0/255.255.255.0 172.28.65.0/255.255.255.0 }

Why the other options are incorrect:

Option B:

IPs are listed without masks, which is invalid for subnet-based access control.

The system requires network/netmask format.

Option C:

The command uses permit instead of allow, which is not a valid attribute of /sys httpd.

The correct keyword must be allow .

Thus, only Option A correctly adds both permitted subnets in the proper tmsh format.

BIG-IP controls access to the web-based Configuration Utility (TMUI) through the /sys httpd allow list. This parameter specifies which client IPs or subnets may initiate HTTP/HTTPS connections to the management interface.

To restrict TMUI access to only the 10.0.0.0/24 subnet:

The correct method is to modify the HTTPD allow list so that it contains only this subnet.

This requires replacing the entire current list with the new subnet using:

modify /sys httpd allow replace-all-with {10.0.0.0/24}

This ensures that only clients within 10.0.0.0/24 can reach the Configuration Utility.

Why the other options are incorrect:

Options A and C create network ACL objects under /net acl, which apply to data-plane traffic, not management-plane TMUI access. TMUI access is not controlled by LTM ACLs but by the HTTPD allow directive.

Option B is incorrect syntax and references /ltm httpd, which is not the proper object; the correct hierarchy is /sys httpd.

Thus, only modifying the /sys httpd allow list achieves the required restriction.

When logged into the bash shell of a BIG-IP system, there are two valid ways to view the management-ip address:

A. tmsh list /sys management-ip

Even from the bash shell, the administrator can enter a tmsh command by typing:

tmsh list /sys management-ip

This displays:

Management IP address

Netmask

Any configured management routes

This is the official tmsh method for viewing the management-ip configuration.

C. ifconfig mgmt

In the underlying Linux OS, the management interface maps to the mgmt interface.

Running:

ifconfig mgmt

displays:

Assigned management IP

Netmask

Link-level status

This is a valid Linux-level method used frequently for troubleshooting.

Why the other options are incorrect:

B. show mgmt ip

Not a valid bash or tmsh command on BIG-IP.

D. list / sys management-ip

Missing the tmsh prefix.

In bash, this will generate a syntax error.

The correct form requires:

tmsh list /sys management-ip

Comprehensive and Detailed Explanation (Paraphrased)

The BIG-IP stores the configured management IP address as a system configuration object under the /sys hierarchy.

To display configured (persistent) values, BIG-IP uses the tmsh list command , not show.

Why tmsh list sys management-ip is correct

The management IP configuration is defined under:

/sys management-ip

Running:

tmsh list sys management-ip

displays:

The configured management IP address

Netmask

Associated attributes

This command shows the actual configured management IP , which is what the question asks for.

Why the other options are incorrect

A. tmsh show sys management-ip

The show command is used for runtime statistics and status.

management-ip is a configuration object, not a statistics object.

C. tmsh list sys management-route

Displays management routing information, not the management IP address itself.

D. tmsh list net self

Displays Self IPs used on the data plane.

Does not show the management interface IP.

The BIG-IP system has built-in licensing enforcement.

If an administrator provisions a module that the device is not licensed to run, the system will still allow the provisioning action to occur initially , but the system detects the mismatch and displays an alert.

What actually happens:

The GUI places a warning banner in the upper-left corner labeled something similar to: “Provisioning Warning”

This appears immediately after provisioning a module that is not included in the active license.

The system remains in an “inconsistent state” until the module is disabled again or the license is updated.

This is the visual cue BIG-IP uses to indicate that a module was provisioned without valid licensing.

Why the other options are incorrect:

A. “A BIG-IP does not allow unlicensed modules to be provisioned.”

Not true. BIG-IP does allow provisioning, but warns afterward.

B. “A warning will appear when provisioning an unlicensed module.”

The warning does not appear during the provisioning step itself.

It appears after provisioning , in the main GUI, as a system banner.