F5CAB1 Exam Questions 2026 – Real Practice Test with Verified Answers


Latest F5CAB1 Exam Practice Questions

The practice questions for the F5CAB1 exam were last updated on 2026-05-25.


Question#1

Which port is an exception to the Port Lockdown function of Self-IPs if a device-group synchronization cluster is configured?

A. TCP 443
B. TCP 4353
C. UDP 53

Explanation:
Self-IPs implement a security feature known as Port Lockdown, which limits which services are reachable on a Self-IP.
However, certain services required for BIG-IP device-to-device communication bypass Port Lockdown to ensure cluster and HA functionality.
TCP 4353
TCP port 4353 is used by Device Service Clustering (DSC) for:
Device trust establishment
Configuration synchronization
Failover communication
Because BIG-IP devices must always be able to communicate for HA functions to remain operational, port 4353 is exempt from Port Lockdown rules.
Why the other options are incorrect
A. TCP 443
Not required for device trust or synchronization.
HTTPS access is fully controlled by Port Lockdown.
C. UDP 53
DNS traffic is not required for synchronization and has no exemption under Port Lockdown.

Question#2

The Port Lockdown feature prevents unwanted connection attempts to a Self IP.
Which three types of connection attempts are unaffected by Port Lockdown settings?

A. Defined virtual server traffic, Secure Shell (SSH), Centralized Management Infrastructure (CMI)
B. Centralized Management Infrastructure (CMI), Secure Shell (SSH), Internet Control Message Protocol (ICMP)
C. Defined virtual server traffic, Internet Control Message Protocol (ICMP), Centralized Management Infrastructure (CMI)

Explanation:
Port Lockdown controls which ports and protocols a Self IP will respond to.
However, certain traffic types bypass Port Lockdown for BIG-IP functionality and routing integrity.
The three types that are NOT affected by Port Lockdown are:

Question#3

When is the License Service Check Date enforced on a BIG-IP system?

A. After editing a virtual server
B. During a software install
C. During system startup

Explanation:
The Service Check Date determines whether a particular software version is allowed to run under the device’s license.
When installing or upgrading TMOS, the installer checks the Service Check Date stored in the BIG-IP license file.
If the license date is older than the minimum required for the target version, the software installation is blocked.
This check happens specifically during a software install, not during routine device operations.
Neither editing virtual servers nor system startup triggers this validation.
Thus, the enforcement happens during software installation.

Question#4

What will setting a Self IP to “Allow None” for Port Lockdown do?

A. Block HA communications, causing the systems to report their peer as offline and go active-active.
B. Block HA communications, causing the systems to report their peer as online ready.
C. Default allow port 1026 access between peer devices and traffic processing across the network failover.

Explanation:
The Port Lockdown feature controls which services a Self-IP will respond to.
Setting a Self-IP to Allow None means:
The Self-IP will not accept any traffic except the very limited, hard-coded HA ports such as TCP 4353 used for device trust and configuration sync.
All other HA ports, including those needed for network failover and other HA mechanisms, are blocked.
When essential HA services cannot communicate, each device assumes its peer is down.
This results in:
HA failover misbehavior
Both devices thinking the other is offline
Potential active-active condition, which is not intended and can cause traffic disruption
Thus, Allow None can break HA functionality unless the Self-IP is not used for HA links.

Question#5

For an upgrade of a standalone BIG-IP, a maintenance window is available in which brief interruptions are allowed.
Actions with no impact can be done outside the maintenance window.
When should a license reactivation be performed?

A. During the maintenance window.
B. Before the maintenance window.
C. After the maintenance window.

Explanation:
License reactivation updates the BIG-IP device’s license file to ensure:
The Service Check Date is current
The device is eligible to install the intended TMOS version
Any module entitlement updates are received
Reactivation does not interrupt traffic and does not require a reboot, making it safe to perform before the maintenance window.
F5 best practices state:
Perform all non-impact tasks prior to the scheduled maintenance window
Leave the window available for activities that require rebooting, such as the software installation itself
Since license reactivation is non-disruptive, it should be done before the upgrade window starts.

Disclaimer

This page is for educational and exam preparation reference only. It is not affiliated with F5, F5-CA, or the official exam provider. Candidates should refer to official documentation and training for authoritative information.

Exam Code: F5CAB1 | Q&A: 42 Q&As | Updated: 2026-05-25
