Get 2026 Updated Free F5 F5CAB3 Exam Questions and Answer
F5CAB3 Dumps PDF and Test Engine Exam Questions
NEW QUESTION # 15
The BIG-IP Administrator has to provide encrypted communication between users and the virtual server they access. Multiple hostnames are configured in DNS with the same IP address.
Which profile type and setting in the profile should be used? (Choose one answer)
- A. Server SSL, Client Name
- B. Server SSL, Server Name
- C. Client SSL, Server Name
- D. Client SSL, Client Name
Answer: C
Explanation:
When multiple hostnames resolve to the same IP address and encrypted communication is required, the BIG- IP must be able to present the correct SSL certificate based on the hostname requested by the client. This is accomplished using Server Name Indication (SNI).
According to BIG-IP Administration: Data Plane Configuration documentation:
* SNI is a client-side TLS extension, where the client includes the requested hostname during the SSL handshake.
* BIG-IP evaluates this hostname using the Client SSL profile, not the Server SSL profile.
* The "Server Name" setting in the Client SSL profile enables BIG-IP to select the appropriate SSL certificate for the requested hostname.
Why option C is correct:
* Client SSL profile handles inbound (client-side) encryption.
* Server Name enables SNI-based certificate selection when multiple DNS names share the same virtual server IP.
Why the other options are incorrect:
* A. Client SSL, Client NameThere is no Client SSL setting called Client Name for SNI certificate selection.
* B. Server SSL, Server NameServer SSL is used for encryption between BIG-IP and backend servers, not for client-side hostname identification.
* D. Server SSL, Client NameServer SSL does not process client-requested hostnames during TLS negotiation.
Correct Resolution:
Configure a Client SSL profile and enable the Server Name (SNI) setting to support multiple encrypted hostnames on the same virtual server IP.
NEW QUESTION # 16
A BIG-IP Administrator uses backend servers to host multiple services per server. There are multiple virtual servers and pools defined, referencing the same backend servers.
Which load balancing algorithm is most appropriate to have an equal number of connections on each backend server? (Choose one answer)
- A. Predictive (member)
- B. Least Connections (node)
- C. Least Connections (member)
- D. Predictive (node)
Answer: B
Explanation:
In this scenario, each backend node (server) hosts multiple services and is referenced by multiple pools and virtual servers. The goal is to ensure an equal number of total connections per backend server, regardless of how many pool members (services/ports) exist on that server.
According to the BIG-IP Administration: Data Plane Configuration documentation:
* Least Connections (node) tracks the total number of active connections to a node across all pool members and services.
* This algorithm ensures load distribution is balanced at the server level, not just at the individual service (member) level.
* It is specifically recommended when:
* Multiple pool members exist on the same backend server
* Multiple virtual servers reference the same backend servers
Why the other options are incorrect:
* B. Predictive (member)Predictive algorithms are advanced and traffic-pattern based, but they operate at the member level and do not guarantee equal connections per server.
* C. Least Connections (member)This balances connections per pool member, which can overload a server hosting multiple members while still appearing "balanced" per member.
* D. Predictive (node)Although node-aware, predictive algorithms are less deterministic and not the best choice when strict equality of connections is required.
Correct Resolution:
Using Least Connections (node) ensures that each backend server carries an equal connection load across all services and pools.
NEW QUESTION # 17
In a pool there are 2 pool members (older servers) that can handle fewer connections than the other 3 newer servers.
Which load balancing method would allow more traffic to be directed to the newer servers? (Choose one answer)
- A. Round Robin
- B. Global Availability
- C. Weighted Least Connections (member)
- D. Least Connections (member)
Answer: C
Explanation:
This scenario requires unequal load distribution based on server capacity. The newer servers must receive more connections than the older ones, while still dynamically accounting for active connection counts.
According to BIG-IP Administration: Data Plane Configuration documentation:
Weighted Least Connections (member) combines:
Connection awareness (least connections)
Administrator-defined weights (ratios) to reflect server capacity
Pool members with higher weights receive proportionally more new connections than members with lower weights, even when using the same load balancing algorithm.
Why B is correct:
Allows assigning higher weights to newer servers and lower weights to older servers Ensures smarter traffic distribution based on both capacity and real-time load Why the other options are incorrect:
A). Global AvailabilityUsed for disaster recovery and site failover, not intra-pool load distribution.
C). Round RobinDistributes connections evenly without considering server capacity.
D). Least Connections (member)Balances only by current connection count and does not account for differences in server performance or capacity.
Correct Resolution:
Use Weighted Least Connections (member) and assign higher weights to newer servers so they receive more traffic while protecting older servers from overload.
NEW QUESTION # 18
An organization reports slow performance accessing an Intranet website. All employees use a single proxy IP.
What should the BIG-IP Administrator do?
- A. Change Fallback Persistence to source_addr
- B. Change Source Address to proxy IP
- C. Change Default Persistence to cookie
- D. Change Load Balancing to Least Connections
Answer: C
Explanation:
When many users share one source IP, source-address persistence fails. Cookie persistence uniquely identifies clients at Layer 7.
NEW QUESTION # 19
Refer to the exhibit.
A BIG-IP Administrator configures a Virtual Server to handle HTTPS traffic. Users report that the application is NOT working. Which additional configuration is required to resolve this issue?
- A. Configure Protocol Profile (Server)
- B. Configure SSL Profile (Client)
- C. Configure Service Port to HTTP
- D. Configure SSL Profile (Server)
Answer: B
Explanation:
According to the provided exhibit, the "SSL Profile (Client)" section in the Virtual Server configuration is empty. For a BIG-IP system to process HTTPS traffic, it must act as an SSL/TLS endpoint. This process, known as SSL Termination or SSL Offload, requires the assignment of a Client SSL Profile to the Virtual Server. Without this profile, the BIG-IP does not have the necessary certificate and private key information to perform the SSL handshake with the client's browser. Consequently, when a user attempts to connect via HTTPS, the TCP connection may establish, but the SSL handshake will fail because the BIG-IP will not know how to decrypt the incoming encrypted packets.
A Client SSL profile defines the ciphers, certificates, and keys that the BIG-IP uses to communicate securely with the client. In a standard HTTPS deployment, the BIG-IP decrypts the traffic and can then send it to the backend pool members either as plain text (header insertion/manipulation) or re-encrypt it using a Server SSL profile. While a Server SSL profile (Option C) is needed if the backend servers themselves require HTTPS, the initial failure for a user reaching a Virtual Server is almost always the lack of a Client SSL profile to terminate the user's connection. Changing the Service Port to HTTP (Option D) would be incorrect because the goal is to handle HTTPS traffic (typically port 443). Assigning the "clientssl" or a custom client-side profile from the "Available" list to the "Selected" list in the GUI is the mandatory step to make the Virtual Server operational for secure web traffic.
NEW QUESTION # 20
During high-demand traffic events, the BIG-IP Administrator needs to limit new connections per second.
What should be applied?
- A. Connection limit
- B. HTTP Compression profile
- C. Connection rate limit
- D. OneConnect profile
Answer: C
Explanation:
Connection rate limiting controls how many new connections per second are accepted, protecting backend resources.
NEW QUESTION # 21
All pool members are online. All other virtual server settings are at default. What might alter the load balancing behavior?
- A. Adding a persistence profile
- B. Enabling SNAT automap
- C. Adding a oneconnect profile
- D. Enabling a fallback host in the http profile
Answer: A
Explanation:
In a default BIG-IP configuration, the system utilizes the Load Balancing Method (typically Round Robin) to distribute each new connection across available pool members. However, the introduction of a persistence profile fundamentally changes this behavior. Persistence (also known as "stickiness") ensures that once a client has been load balanced to a specific pool member, all subsequent requests from that same client during a defined session or timeout period are directed to that same member, bypassing the standard load balancing algorithm. This is critical for applications that maintain state, such as shopping carts or authenticated sessions, where moving a user to a different server would result in a loss of session data.
While other options affect traffic handling, they do not "alter" the fundamental load balancing decision in the same way. A OneConnect profile (Option A) optimizes connection management by pooling idle server-side connections; while it changes how connections are reused, the initial load balancing decision still follows the configured method. A fallback host (Option C) is only utilized when the primary pool is unavailable, and since the question states all pool members are online, it remains inactive. SNAT Automap (Option D) changes the source IP address of the packet as it exits the BIG-IP toward the server to ensure return traffic passes back through the ADC, but it does not dictate which server is chosen for the request. Therefore, the persistence profile is the primary configuration element that overrides the load balancing algorithm to maintain a client-to- server relationship.
NEW QUESTION # 22
All pool members are online. All other virtual server settings are at default.
What might alter the load balancing behavior? (Choose one answer)
- A. Adding a persistence profile
- B. Enabling SNAT automap
- C. Adding a OneConnect profile
- D. Enabling a fallback host in the HTTP profile
Answer: A
Explanation:
By default, BIG-IP load balancing algorithms (such as Round Robin) distribute connections evenly across all available pool members. However, persistence profiles override normal load balancing decisions by forcing subsequent connections from a client to be sent to the same pool member.
According to the BIG-IP Administration: Data Plane Configuration documentation:
* Persistence creates a client-to-server mapping that is honored before load balancing algorithms are applied.
* When persistence is enabled, BIG-IP may repeatedly select the same pool member even if others are available.
* This directly alters load balancing behavior.
Why the other options are incorrect:
* A. Adding a OneConnect profileOneConnect optimizes server-side TCP connections but does not change which pool member is selected.
* B. Enabling SNAT automapSNAT affects source address translation, not pool member selection.
* C. Enabling a fallback host in the HTTP profileA fallback host is only used when no pool members are available.
Correct Resolution:
Adding a persistence profile alters load balancing behavior by maintaining client affinity to a specific pool member.
NEW QUESTION # 23
Exhibit:
Due to a change in application requirements, a BIG-IP Administrator needs to modify the configuration of a Virtual Server to include a Fallback Persistence Profile. Which persistence profile type should the BIG-IP Administrator use for this purpose?
- A. SSL
- B. Universal
- C. Source Address Affinity
- D. Hash
Answer: C
Explanation:
In a BIG-IP environment, a Fallback Persistence Profile is utilized as a secondary "stickiness" mechanism when the primary (Default) persistence method fails to provide a valid persistence record. For example, if a Virtual Server uses HTTP Cookie Persistence as its primary method, but a client's browser has cookies disabled, the BIG-IP will be unable to find a persistence cookie in the request. Without a fallback method, the system would treat every request from that client as a new, independent connection, potentially breaking the application session.
Source Address Affinity (also known as Source Address Persistence) is the most common and standard choice for a fallback profile. It operates at the network layer (Layer 3) by tracking the client's source IP address.
Because every IP packet contains a source address, this method is virtually guaranteed to work even when application-layer data (like Cookies or SSL Session IDs) is missing or encrypted beyond the BIG-IP's visibility. While Universal (Option A) and Hash (Option D) profiles are highly flexible and can use iRules to persist on almost any data, they require specific configuration and logic that may not always be present or valid. SSL persistence (Option C) relies on the SSL Session ID, which frequently changes due to modern browser security practices (session renegotiation), making it less reliable than Source Address Affinity. By configuring Source Address Affinity as the fallback, the administrator ensures that the BIG-IP has a "safety net" to maintain session integrity based on the client's IP address when the more granular cookie-based persistence is unavailable.
NEW QUESTION # 24
A BIG-IP Administrator adds new pool members to a highly utilized pool. The application begins failing.
What pool-level setting should be checked?
- A. Allow SNAT
- B. Slow Ramp Time
- C. Action On Service Down
- D. Availability Requirement
Answer: B
Explanation:
Slow Ramp Time prevents new members from being overwhelmed immediately after activation.
NEW QUESTION # 25
Application administrators are reporting that nodes different from those configured in the pool are selected.
The use of an iRule is suspected. How can the BIG-IP Administrator check if an iRule is used for this traffic?
(Pick the 2 correct responses below)
- A. Via the GUI at the iRule tab for the virtual server.
- B. Via TMSH with the list /ltm rule <irule> command.
- C. Via the GUI at the Resources tab for the virtual server.
- D. Via TMSH with the list /ltm virtual <virtual_server> command.
Answer: C,D
Explanation:
To determine if an iRule is influencing traffic for a specific Virtual Server, the administrator must verify the association between the Virtual Server object and any applied scripts. In the BIG-IP Configuration Utility (GUI), this association is found under the Resources tab of the specific Virtual Server. While there is an
"iRules" sub-menu under Local Traffic, checking the Virtual Server's Resources tab is the definitive way to see which specific rules are currently active and in what order they are being processed for that particular traffic flow.
From the Command Line Interface (CLI), the tmsh list /ltm virtual <virtual_server> command provides a full text-based output of the virtual server's configuration. If iRules are applied, they will appear within a "rules {
... }" block in the command output. This is more effective than Option A, which only lists the contents of the iRule itself but does not show if or where it is applied. Option C is a common misconception; while some versions of the GUI have reorganized menus, the standard location for managing the association of profiles, policies, and iRules to a Virtual Server remains the "Resources" section. By identifying the applied iRule, an administrator can then review the script logic-often containing commands like pool or node-to see if it is overriding the default pool selection based on specific HTTP headers, URI paths, or client IP addresses.
NEW QUESTION # 26
Which type of Virtual Server requires the use of a FastL4 profile?
- A. Performance (HTTP)
- B. Standard
- C. Stateless
- D. Performance (Layer 4)
Answer: D
Explanation:
Performance (Layer 4) virtual servers rely on FastL4 profiles for high-speed Layer 4 traffic handling.
NEW QUESTION # 27
A BIG-IP Administrator creates a new Virtual Server. The end user is unable to access the page. During troubleshooting, the administrator learns that the connection between the BIG-IP system and server is NOT set up correctly. What should the administrator do to solve this issue? (Choose one answer)
- A. Disable Address Translation
- B. Set Address Translation to Auto Map, configure a SNAT pool, and have pool members in the same subnet as the servers
- C. Set Address Translation to SNAT and configure a specific translation address
- D. Set Address Translation to SNAT and have a self-IP configured in the same subnet as the servers
Answer: D
Explanation:
The issue described is a classic symptom of asymmetric routing, which frequently occurs when the BIG-IP system and the back-end servers reside on the same subnet (often referred to as a "one-arm" deployment).
The Routing Problem: By default, the BIG-IP system preserves the original client source IP address when forwarding traffic to a pool member. If the server is in the same subnet as the client or if the server's default gateway is not the BIG-IP, the server will attempt to send its response directly back to the client's IP address, bypassing the BIG-IP.
Stateful Failure: Since the BIG-IP is a Full Proxy, it maintains a state table. Because the response packet never returns through the BIG-IP, the system cannot complete the three-way handshake or manage the application session, resulting in a connection failure for the user.
The Solution (SNAT): Enabling Source Network Address Translation (SNAT) solves this by changing the source IP address of the request to an IP address owned by the BIG-IP (typically a self-IP).
Requirement for Subnet Alignment: To ensure the server sends the response back to the BIG-IP, the translation address must be reachable. By using a self-IP configured in the same subnet as the servers, the BIG-IP ensures that the server sees the request coming from a local "neighbor." The server will then naturally send the response back to that self-IP, allowing the BIG-IP to translate the packet back and forward it to the client.
Why other options are incorrect:
A: Disabling address translation would ensure the server-side traffic uses the client IP, making asymmetric routing inevitable in this scenario.
B: This is technically contradictory; "Auto Map" specifically uses existing self-IPs and does not require or use a "SNAT pool" configuration.
C: While using a specific translation address can work, it does not inherently guarantee the Layer 2/Layer 3 reachability mentioned in the scenario as effectively as ensuring the self-IP is correctly placed in the server's subnet.
NEW QUESTION # 28
Where in the configuration utility should the BIG-IP Administrator verify the pool member currently assigned to a pool is on port 80?
- A. Local Traffic > Nodes: Node List. Select the node in question, view the Health Monitor next to Configuration.
- B. Local Traffic > Pools: Pool List. Select the pool in question, select the Members tab, view the configured Service Port.
- C. Local Traffic > Pools: Pool List. Select the pool in question, select Members tab, view the configured Health Monitor.
Answer: B
Explanation:
The BIG-IP Configuration Utility (GUI) organizes information hierarchically to allow for granular management of application objects. A Pool is a collection of backend servers (pool members) that provide the same service. To verify the specific network parameters-such as the IP address and the service port-of the servers within a pool, the administrator must navigate to the specific pool's configuration.
The standard procedural path to verify this is Local Traffic > Pools: Pool List, where the administrator selects the specific pool name. Once inside the pool's configuration, the Members tab displays a list of all IP addresses and service ports associated with that pool. Under the "Service Port" column, the administrator can confirm if the member is listening on port 80 (HTTP).
Options A and B are incorrect for this specific verification task. While Nodes (Option A) show the health of a physical server, a node represents only an IP address and does not have a "Service Port" associated with it until it is defined as a pool member. Verifying the Health Monitor (Option B) would tell the administrator how the system is checking the member's status, but it does not definitively show the port on which the member is actually receiving application traffic. In a BIG-IP environment, a pool member is uniquely identified by the combination of its Node IP and its Service Port, and the Members tab is the primary interface for managing and auditing these specific member attributes.
NEW QUESTION # 29
A Standard Virtual Server for a web application is configured with Automap for the Source Address Translation option. The original source address of the client must be known by the backend servers. What should the BIG-IP Administrator configure to meet this requirement?
- A. A SNAT Pool with the client IP
- B. The Virtual Server type as Performance (HTTP)
- C. An HTTP Transparent profile
- D. An HTTP profile to insert the X-Forward-For header
Answer: D
Explanation:
SNAT Automap is a common configuration that replaces the client's original source IP address with one of the BIG-IP's self IP addresses. This ensures that the backend servers send return traffic back through the BIG- IP, which is necessary for the ADC to process the traffic correctly. However, a side effect of SNAT is that the backend servers only see the BIG-IP's IP in their logs, losing visibility into the true identity of the client.
To resolve this while still using SNAT for routing purposes, the administrator must configure the BIG-IP to
"pass" the client's IP address at the application layer. This is achieved by using an HTTP Profile with the Insert X-Forwarded-For setting enabled. When this profile is applied to the Virtual Server, the BIG-IP intercepts the HTTP request, adds a header (X-Forwarded-For) containing the client's original IP, and then forwards the modified request to the server. The backend web server can then be configured to read this header and log the original client IP instead of the BIG-IP's SNAT address.
Other options are incorrect for this requirement. Performance (HTTP) (Option A) is a virtual server type optimized for speed but often lacks the full Layer 7 header manipulation capabilities of a Standard Virtual Server. SNAT Pool with the client IP (Option C) is technically impossible as SNAT pools use static, pre- defined IPs. There is no such thing as an HTTP Transparent profile (Option D) in standard BIG-IP administration for this purpose. The X-Forwarded-For header insertion within the HTTP profile is the standard procedural method for maintaining client visibility in SNAT-enabled environments.
NEW QUESTION # 30
......
F5 F5CAB3 Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
Verified F5CAB3 exam dumps Q&As with Correct 76 Questions and Answers: https://www.itpass4sure.com/F5CAB3-practice-exam.html
Get New F5CAB3 Certification – Valid Exam Dumps Questions: https://drive.google.com/open?id=1dzaWC4ZQIpPcl3apCxaGW60fPlFMlCzK
