F5CAB3 Exam Questions 2026 – Real Practice Test with Verified Answers

Home / F5 / F5CAB3

Latest F5CAB3 Exam Practice Questions

The practice questions for F5CAB3 exam was last updated on 2026-07-09 .

Viewing page 1 out of 2 pages.

Viewing questions 1 out of 12 questions.

Question#1

What would be the best persistence method for F5 to load balance traffic from clients via a single source IP (NAT) to multiple pool members with even distribution for an HTTPS web application?

A. Destination address affinity persistence
B. Cookie persistence
C. SSL persistence
D. Source address affinity persistence

Explanation:
When clients connect through a single source IP (NAT) ― such as a corporate proxy or carrier-grade NAT ― Source Address Affinity persistence becomes entirely ineffective because all clients share an identical source IP address. This would force every client session to the same pool member, completely eliminating even distribution and defeating the purpose of load balancing.
Cookie Persistence is the optimal solution in this scenario because it operates at Layer 7, inserting a unique cookie into each client's HTTP/HTTPS response. Each individual browser session carries its own distinct cookie value, allowing the BIG-IP to identify and persist individual clients to specific pool members ― regardless of whether they share a common source IP address. This guarantees both session persistence and even load distribution across pool members.
The remaining options are unsuitable because:
Destination Address Affinity persists based on destination IP, irrelevant for client-to-server session stickiness.
SSL Persistence uses the SSL Session ID for persistence, but SSL session IDs are frequently renegotiated and are unreliable for long-term persistence across modern TLS implementations.
Source Address Affinity fails entirely under NAT conditions as described.
Cookie persistence is the industry-standard method for HTTPS application load balancing requiring per-client session affinity.
Reference: BIG-IP Administration ― Data Plane Configuration, Module: Persistence Methods ―
Cookie, Source Address, and SSL Persistence.

Question#2

A BIG-IP Administrator adds new pool members into an existing, highly utilized pool. Soon after, there are reports that the application is failing to load for some users.
What pool-level setting should the BIG-IP Administrator check?

A. Availability Requirement
B. Allow SNAT
C. Action On Service Down
D. Slow Ramp Time

Explanation:
Slow Ramp Time prevents new pool members from receiving a full share of traffic immediately, allowing applications to warm up gradually.

Question#3

The BIG-IP Administrator has to provide encrypted communication between users and the virtual server they access. Multiple hostnames are configured in DNS with the same IP address.
Which profile type and setting in the profile should be used? (Choose one answer)

A. Client SSL, Client Name
B. Server SSL, Server Name
C. Client SSL, Server Name
D. Server SSL, Client Name

Explanation:
When multiple hostnames resolve to the same IP address and encrypted communication is required, the BIG-IP must be able to present the correct SSL certificate based on the hostname requested by the client. This is accomplished using Server Name Indication (SNI).
According to BIG-IP Administration: Data Plane Configuration documentation:
SNI is a client-side TLS extension, where the client includes the requested hostname during the SSL handshake.
BIG-IP evaluates this hostname using the Client SSL profile, not the Server SSL profile.
The “Server Name” setting in the Client SSL profile enables BIG-IP to select the appropriate SSL certificate for the requested hostname.
Why option C is correct:
Client SSL profile handles inbound (client-side) encryption.
Server Name enables SNI-based certificate selection when multiple DNS names share the same virtual server IP.
Why the other options are incorrect:
A. Client SSL, Client Name There is no Client SSL setting called Client Name for SNI certificate selection.
B. Server SSL, Server Name Server SSL is used for encryption between BIG-IP and backend servers, not for client-side hostname identification.
D. Server SSL, Client Name Server SSL does not process client-requested hostnames during TLS negotiation.
Correct Resolution:
Configure a Client SSL profile and enable the Server Name (SNI) setting to support multiple encrypted hostnames on the same virtual server IP.

Question#4

Where in the configuration utility should the BIG-IP Administrator verify the pool member currently assigned to a pool is on port 80?

A. Local Traffic > Nodes: Node List. Select the node in question, view the Health Monitor next to Configuration.
B. Local Traffic > Pools: Pool List. Select the pool in question, select Members tab, view the configured Health Monitor.
C. Local Traffic > Pools: Pool List. Select the pool in question, select the Members tab, view the configured Service Port.

Explanation:
The BIG-IP Configuration Utility (GUI) organizes information hierarchically to allow for granular management of application objects. A Pool is a collection of backend servers (pool members) that provide the same service. To verify the specific network parameters―such as the IP address and the service port―of the servers within a pool, the administrator must navigate to the specific pool's configuration.
The standard procedural path to verify this is Local Traffic > Pools: Pool List, where the administrator selects the specific pool name. Once inside the pool's configuration, the Members tab displays a list of all IP addresses and service ports associated with that pool. Under the "Service Port" column, the administrator can confirm if the member is listening on port 80 (HTTP).
Options A and B are incorrect for this specific verification task. While Nodes (Option A) show the health of a physical server, a node represents only an IP address and does not have a "Service Port" associated with it until it is defined as a pool member. Verifying the Health Monitor (Option B) would tell the administrator how the system is checking the member's status, but it does not definitively show the port on which the member is actually receiving application traffic. In a BIG-IP environment, a pool member is uniquely identified by the combination of its Node IP and its Service Port, and the Members tab is the primary interface for managing and auditing these specific member attributes.

Question#5

Application administrators are reporting that nodes different from those configured in the pool are selected. The use of an iRule is suspected.
How can the BIG-IP Administrator check if an iRule is used for this traffic? (Pick the 2 correct responses below)

A. Via TMSH with the list /ltm rule <irule> command.
B. Via TMSH with the list /ltm virtual <virtual_server> command.
C. Via the GUI at the iRule tab for the virtual server.
D. Via the GUI at the Resources tab for the virtual server.

Explanation:
To determine if an iRule is influencing traffic for a specific Virtual Server, the administrator must verify the association between the Virtual Server object and any applied scripts. In the BIG-IP Configuration Utility (GUI), this association is found under the Resources tab of the specific Virtual Server. While there is an "iRules" sub-menu under Local Traffic, checking the Virtual Server's Resources tab is the definitive way to see which specific rules are currently active and in what order they are being processed for that particular traffic flow.
From the Command Line Interface (CLI), the tmsh list /ltm virtual <virtual_server> command provides a full text-based output of the virtual server's configuration. If iRules are applied, they will appear within a "rules { ... }" block in the command output. This is more effective than Option A, which only lists the contents of the iRule itself but does not show if or where it is applied.
Option C is a common misconception; while some versions of the GUI have reorganized menus, the standard location for managing the association of profiles, policies, and iRules to a Virtual Server remains the "Resources" section. By identifying the applied iRule, an administrator can then review the script logic―often containing commands like pool or node―to see if it is overriding the default pool selection based on specific HTTP headers, URI paths, or client IP addresses.

Disclaimer

This page is for educational and exam preparation reference only. It is not affiliated with F5, F5-CA, or the official exam provider. Candidates should refer to official documentation and training for authoritative information.

Exam Code: F5CAB3Q & A:  82  Q&As Updated:  2026-07-09

  Get All F5CAB3 Q&As