Updated Apr-2026 Pass F5CAB3 Exam - Real Practice Test Questions [Q31-Q51] | TestBraindump

Updated Apr-2026 Pass F5CAB3 Exam - Real Practice Test Questions [Q31-Q51]

Share

Updated Apr-2026 Pass F5CAB3 Exam - Real Practice Test Questions

Download Free F5 F5CAB3 Real Exam Questions


F5 F5CAB3 Exam Syllabus Topics:

TopicDetails
Topic 1
  • Apply procedural concepts required to modify and manage pools: This domain addresses managing server pools including health monitors, load balancing methods, priority groups, and service port configurations.
Topic 2
  • Apply procedural concepts required to modify and manage virtual servers: This domain covers managing virtual servers including applying persistence, encryption, and protocol profiles, identifying iApp objects, reporting iRules, and showing pool configurations.

 

NEW QUESTION # 31
Refer to the exhibit.

A BIG-IP Administrator creates a new Virtual Server to load balance SSH traffic. Users are unable to log on to the servers.
What should the BIG-IP Administrator do to resolve the issue? (Choose one answer)

  • A. Set Destination Address/Mask to 0.0.0.0/0
  • B. Set HTTP Profile to None
  • C. Set Protocol to UDP
  • D. Set Source Address to 10.1.1.2

Answer: B

Explanation:
SSH is a Layer 4 TCP-based protocol that operates on TCP port 22 and does not use HTTP in any capacity. In the exhibit, the Virtual Server is configured with an HTTP Profile applied, which is inappropriate for SSH traffic and causes connection failures.
According to the BIG-IP Administration: Data Plane Configuration documentation:
An HTTP profile must only be applied to Virtual Servers handling HTTP or HTTPS traffic.
When an HTTP profile is attached, BIG-IP expects HTTP headers and attempts to parse application-layer data.
Non-HTTP protocols such as SSH, FTP (control), SMTP, and other raw TCP services will fail if an HTTP profile is enabled.
Why the other options are incorrect:
A . Set Protocol to UDP
SSH uses TCP, not UDP. Changing the protocol would break SSH entirely.
B . Set Source Address to 10.1.1.2
The source address setting controls client access restrictions and is unrelated to protocol parsing issues.
C . Set Destination Address/Mask to 0.0.0.0/0
The destination address is already valid for a specific SSH service and does not impact protocol handling.
Correct Resolution:
The BIG-IP Administrator should remove the HTTP Profile (set it to None) so the Virtual Server functions as a pure Layer 4 TCP service, allowing SSH connections to pass through successfully.


NEW QUESTION # 32
Which type of Virtual Server requires the use of a FastL4 profile?

  • A. Standard
  • B. Performance (Layer 4)
  • C. Stateless
  • D. Performance (HTTP)

Answer: B


NEW QUESTION # 33
A Standard Virtual Server for a web application is configured with Automap for Source Address Translation.
The original client IP must be known by backend servers.
What should the BIG-IP Administrator configure?

  • A. Performance (HTTP) Virtual Server
  • B. HTTP Transparent profile
  • C. SNAT pool using client IP
  • D. HTTP profile to insert X-Forwarded-For

Answer: D

Explanation:
The X-Forwarded-For header preserves the original client IP when SNAT is enabled.


NEW QUESTION # 34
Application administrators are reporting that nodes different from those configured in the pool are selected.
The use of an iRule is suspected. How can the BIG-IP Administrator check if an iRule is used for this traffic?
(Pick the 2 correct responses below)

  • A. Via TMSH with the list /ltm virtual <virtual_server> command.
  • B. Via the GUI at the iRule tab for the virtual server.
  • C. Via TMSH with the list /ltm rule <irule> command.
  • D. Via the GUI at the Resources tab for the virtual server.

Answer: A,D

Explanation:
To determine if an iRule is influencing traffic for a specific Virtual Server, the administrator must verify the association between the Virtual Server object and any applied scripts. In the BIG-IP Configuration Utility (GUI), this association is found under the Resources tab of the specific Virtual Server. While there is an
"iRules" sub-menu under Local Traffic, checking the Virtual Server's Resources tab is the definitive way to see which specific rules are currently active and in what order they are being processed for that particular traffic flow.
From the Command Line Interface (CLI), the tmsh list /ltm virtual <virtual_server> command provides a full text-based output of the virtual server's configuration. If iRules are applied, they will appear within a "rules {
... }" block in the command output. This is more effective than Option A, which only lists the contents of the iRule itself but does not show if or where it is applied. Option C is a common misconception; while some versions of the GUI have reorganized menus, the standard location for managing the association of profiles, policies, and iRules to a Virtual Server remains the "Resources" section. By identifying the applied iRule, an administrator can then review the script logic-often containing commands like pool or node-to see if it is overriding the default pool selection based on specific HTTP headers, URI paths, or client IP addresses.


NEW QUESTION # 35
Refer to the exhibit.


A BIG-IP Administrator configures a Virtual Server to handle HTTPS traffic. Users report that the application is NOT working. Which additional configuration is required to resolve this issue?

  • A. Configure Service Port to HTTP
  • B. Configure SSL Profile (Client)
  • C. Configure SSL Profile (Server)
  • D. Configure Protocol Profile (Server)

Answer: B

Explanation:
According to the provided exhibit, the "SSL Profile (Client)" section in the Virtual Server configuration is empty. For a BIG-IP system to process HTTPS traffic, it must act as an SSL/TLS endpoint. This process, known as SSL Termination or SSL Offload, requires the assignment of a Client SSL Profile to the Virtual Server. Without this profile, the BIG-IP does not have the necessary certificate and private key information to perform the SSL handshake with the client's browser. Consequently, when a user attempts to connect via HTTPS, the TCP connection may establish, but the SSL handshake will fail because the BIG-IP will not know how to decrypt the incoming encrypted packets.
A Client SSL profile defines the ciphers, certificates, and keys that the BIG-IP uses to communicate securely with the client. In a standard HTTPS deployment, the BIG-IP decrypts the traffic and can then send it to the backend pool members either as plain text (header insertion/manipulation) or re-encrypt it using a Server SSL profile. While a Server SSL profile (Option C) is needed if the backend servers themselves require HTTPS, the initial failure for a user reaching a Virtual Server is almost always the lack of a Client SSL profile to terminate the user's connection. Changing the Service Port to HTTP (Option D) would be incorrect because the goal is to handle HTTPS traffic (typically port 443). Assigning the "clientssl" or a custom client-side profile from the "Available" list to the "Selected" list in the GUI is the mandatory step to make the Virtual Server operational for secure web traffic.


NEW QUESTION # 36
A BIG-IP Administrator finds the following log entry after a report of user issues connecting to a virtual server:
01010201: Intercept exhaustion on 10.70.110.112 to 192.28.123.250:80 (proto 6) How should the BIG-IP Administrator modify the SNAT pool that is associated with the virtual server?
(Choose one answer)

  • A. Increase the timeout of the SNAT addresses
  • B. Add an IP address to the SNAT pool
  • C. Remove the SNAT pool and apply SNAT Automap
  • D. Remove an IP address from the SNAT pool

Answer: B

Explanation:
The log message "Intercept exhaustion" indicates that the BIG-IP system has exhausted the available source port translations for one or more SNAT addresses. This occurs when too many concurrent client connections are being translated through a limited number of SNAT IP addresses, and all ephemeral source ports (typically ~64,000 per SNAT IP) are in use.
According to the BIG-IP Administration: Data Plane Configuration documentation:
* Each SNAT IP address provides a finite number of available source ports.
* When the number of concurrent connections exceeds the available port space, the BIG-IP logs an Intercept exhaustion error and new connections fail.
* The recommended resolution is to increase the available SNAT resources by adding additional IP addresses to the SNAT pool.
Why the other options are incorrect:
* A. Increase the timeout of the SNAT addressesIncreasing timeouts may actually worsen the problem by keeping ports allocated longer, accelerating port exhaustion.
* B. Remove the SNAT pool and apply SNAT AutomapSNAT Automap uses the Self IP addresses on the egress VLAN, which may not provide additional capacity and can introduce routing or design issues.
This is not a direct or recommended fix for SNAT exhaustion.
* C. Remove an IP address from the SNAT poolThis would reduce the number of available source ports and further exacerbate the intercept exhaustion condition.
Correct Resolution:
By adding an IP address to the SNAT pool, the BIG-IP increases the total number of available source ports, alleviating intercept exhaustion and restoring successful client connections.


NEW QUESTION # 37
Which persistence profile would be the most appropriate to ensure an HTTP web request connects to the same pool member? (Choose one answer)

  • A. Hash persistence
  • B. Cookie persistence
  • C. Destination address
  • D. SSL persistence

Answer: B

Explanation:
For HTTP-based applications, cookie persistence is the most appropriate and commonly recommended persistence method.
According to the BIG-IP Administration: Data Plane Configuration documentation:
Cookie persistence inserts or uses an HTTP cookie to maintain session affinity.
It operates at Layer 7 (HTTP) and is application-aware.
It allows persistence to be maintained even when multiple clients are behind a NAT device.
Why the other options are incorrect:
A . Destination address
Destination address persistence is generally used for inbound traffic patterns such as firewall or proxy scenarios.
B . Hash persistence
Hash persistence is less granular and not HTTP-specific.
C . SSL persistence
SSL persistence is typically used when SSL session IDs are reused and is less reliable than cookies for HTTP applications.
Correct Resolution:
Using cookie persistence ensures that HTTP web requests are consistently directed to the same pool member.


NEW QUESTION # 38
A BIG-IP Administrator adds new pool members into an existing, highly utilized pool. Soon after, there are reports that the application is failing to load for some users.
What pool-level setting should the BIG-IP Administrator check?

  • A. Allow SNAT
  • B. Availability Requirement
  • C. Slow Ramp Time
  • D. Action On Service Down

Answer: C

Explanation:
Slow Ramp Time prevents new pool members from receiving a full share of traffic immediately, allowing applications to warm up gradually.


NEW QUESTION # 39
Refer to the exhibit.

A BIG-IP Administrator needs to configure health monitors for a newly configured server pool named Pool_B.
Which health monitor settings will ensure that all pool members will be accurately marked as available or unavailable? (Choose one answer)

  • A. HTTPS, HTTP, FTP, and SSH with the Availability Requirement of at least one health monitor
  • B. HTTPS, HTTP, FTP, and SSH with the Availability Requirement of all health monitors
  • C. HTTP, HTTPS, FTP, and ICMP with the Availability Requirement of at least one health monitor
  • D. HTTPS, HTTP, FTP, and SSH with the Availability Requirement of all health monitors

Answer: A

Explanation:
From the exhibit, the pool contains different applications on different service ports (for example, HTTP/80, FTP/21, HTTPS/443, SSH/22). To mark pool members correctly, BIG-IP must be able to verify the actual service running on each member's port.
In BIG-IP Administration: Data Plane Configuration, monitor behavior is described as follows:
* When multiple monitors are assigned to a pool, the Availability Requirement controls how monitor results are evaluated:
* At least one = the pool member is marked up if any one of the assigned monitors succeeds.
* All = the pool member is marked up only if every assigned monitor succeeds.
* For pools containing members with different services/ports, using All can incorrectly mark members down because monitors intended for other services will fail on the wrong port.
Why C is correct:
* Assigning HTTPS, HTTP, FTP, and SSH covers the actual services shown in the pool.
* Setting the Availability Requirement to at least one ensures that each pool member is considered available when its appropriate service monitor succeeds, without being forced to pass unrelated service monitors.
Why the other options are incorrect:
* A / D (Availability Requirement = all): would cause members to be marked down when unrelated monitors fail (e.g., SSH monitor against an HTTP member).
* B (includes ICMP): ICMP can indicate the host is reachable even if the application service is down, which does not "accurately" reflect service availability.
Therefore, the best choice is HTTPS, HTTP, FTP, and SSH with Availability Requirement of at least one health monitor.


NEW QUESTION # 40
Which type of Virtual Server requires the use of a FastL4 profile?

  • A. Standard
  • B. Performance (Layer 4)
  • C. Stateless
  • D. Performance (HTTP)

Answer: B

Explanation:
Performance (Layer 4) virtual servers rely on FastL4 profiles to provide high-speed L4 processing without full proxy overhead.
Below is BATCH 2 (next 10 questions) extracted only from your uploaded document that are clearly related to BIG-IP Administration: Data Plane Configuration topics.
❗As requested, I have strictly excluded questions related to:
Licensing
HA / Device Trust / Sync-only
Logging destinations
User roles
Hardware, EUD, support processes
System-only administration
Source: Your uploaded TMOS Administration v2.0 document


NEW QUESTION # 41
A BIG-IP Administrator needs to apply persistence to a virtual server that is configured as a Performance (Layer 4) virtual server that allows access to a secure (TLS) e-commerce website.
What type of persistence profile can be used? (Choose one answer)

  • A. Source Address Affinity
  • B. Cookie persistence
  • C. Microsoft RDP persistence
  • D. Host persistence

Answer: A

Explanation:
A Performance (Layer 4) virtual server does not inspect or process application-layer data such as HTTP headers or cookies. Therefore, only Layer 4-compatible persistence methods can be used.
According to the BIG-IP Administration: Data Plane Configuration documentation:
* Source Address Affinity persistence operates at Layer 4 and uses the client IP address to maintain session persistence.
* It is fully compatible with Performance (Layer 4) virtual servers.
* It works regardless of encryption, making it suitable for TLS-secured applications.
Why the other options are incorrect:
* B. Cookie persistenceRequires an HTTP profile and Layer 7 inspection, which is not supported on Performance virtual servers.
* C. Microsoft RDP persistenceIs protocol-specific and not applicable to web-based TLS traffic.
* D. Host persistenceRequires HTTP host header inspection, which is not available at Layer 4.
Correct Resolution:
Source Address Affinity persistence is the appropriate choice for maintaining persistence on a Performance (Layer 4) virtual server handling TLS traffic.
Below is Batch 1 (Questions 1-10) extracted only from your uploaded document that are directly related to BIG-IP Administration: Data Plane Configuration topics (Virtual Servers, Pools, Load Balancing, Monitors, Persistence, SNAT, Profiles).
I have excluded system-only, licensing, support, hardware, HA management-only, and admin UI questions that are not Data Plane-focused.
Source: Your uploaded TMOS Administration v2.0 document
# BATCH 1 (10 Questions)


NEW QUESTION # 42
An organization is reporting slow performance accessing their Intranet website. All employees use a single Proxy Server with a public IP.
What should the BIG-IP Administrator do to fix this issue?

  • A. Change Load Balancing Method to Least Connections
  • B. Change Fallback Persistence Profile to source_addr
  • C. Change Default Persistence Profile to cookie
  • D. Change Source Address to proxy IP

Answer: C

Explanation:
When multiple users share one source IP, source-address persistence fails. Cookie persistence uniquely identifies users at Layer 7 and ensures correct session handling.


NEW QUESTION # 43
A BIG-IP Administrator creates a new Virtual Server to load balance SSH traffic. Users are unable to log on to the servers.
What should the BIG-IP Administrator do to resolve the issue?

  • A. Set Destination Address/Mask to 0.0.0.0/0
  • B. Set HTTP Profile to None
  • C. Set Protocol to UDP
  • D. Set Source Address to 10.1.1.2

Answer: B

Explanation:
SSH is a TCP Layer 4 protocol. Applying an HTTP profile causes BIG-IP to expect HTTP headers, breaking SSH sessions. Removing the HTTP profile allows raw TCP forwarding.


NEW QUESTION # 44
Which persistence profile would be the most appropriate to ensure an HTTP web request connects to the same pool member? (Choose one answer)

  • A. Hash persistence
  • B. Cookie persistence
  • C. Destination address
  • D. SSL persistence

Answer: B

Explanation:
For HTTP-based applications, cookie persistence is the most appropriate and commonly recommended persistence method.
According to the BIG-IP Administration: Data Plane Configuration documentation:
Cookie persistence inserts or uses an HTTP cookie to maintain session affinity.
It operates at Layer 7 (HTTP) and is application-aware.
It allows persistence to be maintained even when multiple clients are behind a NAT device.
Why the other options are incorrect:
A). Destination addressDestination address persistence is generally used for inbound traffic patterns such as firewall or proxy scenarios.
B). Hash persistenceHash persistence is less granular and not HTTP-specific.
C). SSL persistenceSSL persistence is typically used when SSL session IDs are reused and is less reliable than cookies for HTTP applications.
Correct Resolution:
Using cookie persistence ensures that HTTP web requests are consistently directed to the same pool member.


NEW QUESTION # 45
Some users who connect to a busy Virtual Server have connections reset by the BIG-IP system. Pool member resources are NOT a factor.
What is a possible cause?

  • A. Connection Rate Limit is set too high
  • B. Rewrite profile not configured
  • C. Connection Limit is set too low
  • D. Server SSL profile not reconfigured

Answer: C

Explanation:
When the connection limit is reached, BIG-IP resets new connections, even if pool members are healthy.


NEW QUESTION # 46
A BIG-IP Administrator needs to configure health monitors for a pool containing HTTP, HTTPS, FTP, and SSH services.
Which configuration ensures accurate member status?

  • A. ICMP + TCP with all
  • B. HTTP and HTTPS only
  • C. All monitors with Availability Requirement = at least one
  • D. All monitors with Availability Requirement = all

Answer: C

Explanation:
Using "at least one" ensures each member is marked up based on its relevant service monitor.


NEW QUESTION # 47
During a high-demand event, the BIG-IP Administrator needs to limit the number of new connections per second to a Virtual Server.
What should be applied?

  • A. HTTP Compression profile
  • B. Connection Limit
  • C. Connection Rate Limit
  • D. OneConnect profile

Answer: C

Explanation:
Connection rate limits restrict how many new connections are accepted per second, protecting application resources.


NEW QUESTION # 48
A BIG-IP Administrator needs to configure health monitors for a pool containing HTTP, HTTPS, FTP, and SSH services.
Which configuration ensures accurate member status?

  • A. ICMP + TCP with all
  • B. HTTP and HTTPS only
  • C. All monitors with Availability Requirement = at least one
  • D. All monitors with Availability Requirement = all

Answer: C

Explanation:
Using "at least one" ensures each member is marked up based on its relevant service monitor.


NEW QUESTION # 49
A Standard Virtual Server for a web application is configured with Automap for Source Address Translation. The original client IP must be known by backend servers.
What should the BIG-IP Administrator configure?

  • A. Performance (HTTP) Virtual Server
  • B. HTTP Transparent profile
  • C. SNAT pool using client IP
  • D. HTTP profile to insert X-Forwarded-For

Answer: D

Explanation:
The X-Forwarded-For header preserves the original client IP when SNAT is enabled.


NEW QUESTION # 50
A virtual server is configured to offload SSL from a pool of backend servers. When users connect to the virtual server, they successfully establish an SSL connection but no content is displayed. A packet trace performed on the server shows that the server receives and responds to the request. What should a BIG-IP Administrator do to resolve the problem? (Choose one answer)

  • A. disable SNAT
  • B. enable SNAT
  • C. enable Server SSL profile
  • D. disable Server SSL profile

Answer: B

Explanation:
This scenario describes a classic case of asymmetric routing in a "one-arm" or non-gateway deployment.
When a BIG-IP system is configured for SSL offloading, the following traffic flow occurs:
* Client-Side: The client establishes a successful SSL/TLS handshake with the Virtual Server. This explains why the user can "successfully establish an SSL connection."
* Server-Side: The BIG-IP decrypts the traffic and forwards it as plain HTTP to the backend server. The packet trace confirms the server receives the HTTP GET request and responds with the content.
* The Routing Failure: By default, the BIG-IP system preserves the client's original source IP address. If the backend server's default gateway is not the BIG-IP system (or if the server is on the same subnet as the client), the server will attempt to send the response directly back to the client's IP address, bypassing the BIG-IP.
* Stateful Drop: Because the BIG-IP is a Full Proxy, it expects the response to return through its own internal state table to be encrypted and sent back to the client. Since the response bypasses the BIG-IP, the BIG-IP connection eventually times out, and the client receives no data despite the server having sent it.
Solution (SNAT): Enabling Secure Network Address Translation (SNAT), specifically SNAT Auto Map, ensures that the BIG-IP replaces the client's source IP with its own internal self-IP before sending the request to the server. This forces the server to send the response back to the BIG-IP, allowing the BIG-IP to complete the transaction and deliver the content to the user.


NEW QUESTION # 51
......

F5CAB3 Dumps 100 Pass Guarantee With Latest Demo: https://www.testbraindump.com/F5CAB3-exam-prep.html

Pass Your Exam With 100% Verified F5CAB3 Exam Questions: https://drive.google.com/open?id=1u7zTr2Q7NDHmM1Fb4BrBpE2x5RUsx4Gr