Becoming Certified! – Passed the 402 Exam!

So the journey is now complete or at least until the renewals come around. I really had no idea that I would have gone this far in the process about a year and a half ago. But, I learned a lot throughout the process and can finally say that I have both 400-level F5 certifications!

Thoughts on the 402 Exam

The hardest part for these 400-level exams is the lack of practice exams to prepare you for what you might experience when you sit for the real one. I understand why there are not any exams but it does make it tough to browse the internet looking for F5 K articles or write-ups for a lot of the topics on the blueprint. Taking two months to study was probably the best thing for me so I didn’t feel rushed in the normal 30-day timeframe that I did with the 300-level exams. With that being said, the exam was tough and really focused on the cloud space, which I enjoyed.

Journey to the 402

If you’re interested in taking the 402 exam, the below graphic should paint a good picture of the pathway to get there. You will need to pass the 101 and 201 exams to achieve the BIG-IP Certified Administrator certification. Then you’ll be able to take both LTM exams (301a and 301b) and the BIG-IP DNS exam (302). This will give you the certifications in both LTM and BIG-IP DNS. These are definitely achievable for anyone with hands-on experience with the modules, and LTM is a pretty common module if you have any BIG-IPs deployed. I would suggest enjoying the journey and not just focusing on the end result. It will not feel so overwhelming that way.

Those Study Materials

Like I did with the 401 exam, I tried to create a document that has all the blueprint objectives and any links I found that might apply to those objectives. Since there are no practice exams, this was the best I came up with. Now, I did not find links for every objective but what I did find helped me a great deal. I have provided a link to my Github repo that has the document and I also put it in the markdown file.

https://github.com/CoolPoole/f5-402-exam

I also wanted to call out the link below that provides some really good links to help with this exam. ArvinF from the F5 SIRT team provided his experience on the exam and his reading list. I would suggest using this as well.

https://community.f5.com/t5/technical-articles/f5-402-exam-reading-list-and-notes/ta-p/297746?sf259361488=1

Hopefully, you will find these helpful on your journey!

What’s Next?

I’m not really sure where I want to go from here, specifically. I find myself learning more and more on the security front so maybe that’s where I’ll head? For now, I’m just decompressing from this exam and will figure out what’s next shortly. I’m definitely in no rush.

Thank you for reading!

That Thing Called Configuration Sync Group Name

What is it?

There is a setting within the GSLB (Global Server Load Balancing) settings that allows multiple BIG-IP DNS devices to belong to a group allowing for synchronization of configs between them. There are actually multiple settings that can be configured (as you can see below) but I want to focus solely on the Group Name setting as it’s important for troubleshooting issues.

Config Sync Group Name

It is important to note that the default group name is “default”. It is configurable, and F5’s recommended best practice is to rename it to something unique.

Why do we care?

F5 BIG-IP DNS uses a protocol called iQuery, which operates over port 4353 (4 3DNS). I was once told that this was a reference to their old 3-DNS controller but not 100% sure if that’s true.

The iQuery protocol passes configuration information across the devices in XML format and allows an administrator to add a configuration object, such as a Wide IP or Server object, to only one device and it will replicate to the others within the sync group. Here is a sample of XML from iQuery:

iqdump example - default

As you can see above, there’s some information such as name, uptime, and port info. This information is important when you’re troubleshooting why a virtual server on the BIG-IP DNS is showing offline but the corresponding virtual server on the LTM is showing as available.

The iqdump command can be run from the command line; you just need to specify the Self-IP of the BIG-IP LTM whose XML you want to see being passed.

Changing the Synchronization Group Name

The iqdump output shown in the earlier section was captured with the synchronization group name still set to “default”. You can see this in the headers when running iqdump:

This works great out of the box, right? It does, but it becomes problematic later down the road when you have a device that either needs to be replaced under RMA or reset to its default config. If this happens while all your devices are running with the configuration sync group name of “default” and you add a new device, that blank configuration could wipe out the configuration on the other devices because they belong to the “default” sync group.

To remedy this issue, we can update the synchronization group name to something more unique like “FANCY-DNS”:

fancy-dns sync group

This allows us to add a new device without wondering if it will blow away our existing configuration on the other devices in the synchronization group. The new device would have a group name of “default” and would need to be added to our existing sync group.
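As an added example (not from this post or from F5’s own tooling), a pre-flight check that reads the synchronization group name and refuses to proceed while it is still “default”. It assumes the output format of `tmsh list gtm global-settings general` and embeds constructed samples so the parsing can be exercised off-box:

```shell
#!/usr/bin/env bash
# Pre-flight check before joining a device to a BIG-IP DNS sync group.
# Added example, not the post's own code. Assumes 'tmsh list gtm
# global-settings general' prints a 'synchronization-group-name' line.

# Extract the synchronization-group-name value from tmsh output passed as text.
sync_group_name() {
    printf '%s\n' "$1" | awk '$1 == "synchronization-group-name" { print $2; exit }'
}

# Return 0 if the name has been changed from the default,
# 1 if it is still "default", 2 if the setting could not be found.
check_sync_group() {
    local name
    name=$(sync_group_name "$1")
    if [ -z "$name" ]; then
        return 2
    elif [ "$name" = "default" ]; then
        return 1
    fi
    return 0
}

# Constructed sample output (not captured from a real device).
SAMPLE_DEFAULT='gtm global-settings general {
    synchronization yes
    synchronization-group-name default
    synchronize-zone-files no
}'
SAMPLE_RENAMED='gtm global-settings general {
    synchronization yes
    synchronization-group-name FANCY-DNS
    synchronize-zone-files no
}'

# On a real BIG-IP, run with --live to read the current setting and stop
# if the group name is still "default" (or missing) before adding devices.
if [ "${1:-}" = "--live" ]; then
    live=$(tmsh list gtm global-settings general)
    if check_sync_group "$live"; then
        echo "sync group '$(sync_group_name "$live")' is not the default; ok to proceed"
    else
        echo "refusing: synchronization-group-name is still 'default' or unset; rename it first" >&2
        exit 1
    fi
fi
```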

Where did it go?

When we run the same command as before, we only get basic information. We do not see any of the virtual server information that we saw before. Here is why:

When we run our normal iqdump command with the Self-IP of the LTM whose data we want to see, we are still only looking at the “default” synchronization group. We changed this to “FANCY-DNS”. So in order to see the information, we have to add the “-s” switch to the command and use our new synchronization group name:

Now we can see our data again should we need to do any additional troubleshooting.

Story Time

This stumped me for a bit when we had a virtual server object on the BIG-IP DNS that showed as offline (red) but on the corresponding LTM, the virtual server was showing as available (green). Once I figured out how to see the virtual server data in the XML being passed back and forth, I could see that the virtual server name on the BIG-IP DNS did not match with the virtual server name on the LTM it was referencing. Once this was fixed, we were good to go.

The data in the XML is simple and gives you some good information so being able to understand and run iqdump will be a great add to anyone who has to administer BIG-IP DNS.

Hopefully this will help someone in the future but at the very least, I can refer back to it.

Helpful Links

Overview of BIG-IP DNS synchronization

Overview of BIG-IP DNS system software upgrades

Overview of the BIG-IP DNS big3d, bigip_add, and gtm_add utilities (11.x – 16.x)

Becoming Certified! – BIG-IP DNS Edition

Ok. So I know I said that it’s over but I don’t think learning is ever over. I’m proud to say that I’m officially BIG-IP DNS (formerly GTM) certified! It’s been almost a year since I took my last certification exam so I needed one to get back into the swing of things and seeing that “Passed” is always a nice feeling.

Thoughts on the Exam

This exam covered the BIG-IP DNS module which focuses mainly on DNS functionality. While I did not think this exam was terribly difficult, I did not get every question correct and I have some experience with this particular module. I felt the questions were pretty straightforward and helped introduce some items or objects that you may or may not be using within your environment. For example, I have used BIG-IP DNS to resolve more than just A records such as MX, SRV, and TXT records in one environment, but in another environment, I’ve only used this module to handle Wide IPs. There are so many ways to utilize BIG-IP DNS that every environment will likely introduce something new which is always nice to see. There’s a lot of information in this module so make sure to use the blueprint to your advantage.

Getting 100% is not the goal. You get the same certification if you score 70% or 100%. A Pass is a Pass.

How Do I Become BIG-IP DNS Certified?

The exam required to become BIG-IP DNS certified is the 302 exam. As usual, F5 does a really nice job of providing a visual of this pathway:

As with any 300-level certification, you must first pass both the 101 and 201 exams to become a BIG-IP Certified! Administrator. Once you have gone that far, all 300-level exams become available to you.

Study Material

Operations Guide

What did I use to study? Like I mentioned earlier, I do have access to this module in a production environment and am responsible for management of the device. Even with that level of access, I built a lab environment in AWS so that I could play around with some of the settings as I went through the Operations Guide and some F5 articles. One of the things that really helped me was looking at the GUI and then looking for an F5 article that talked about the settings in a particular section so I could better understand them. This section of the Operations Guide talks about DNS services:

Operations Guide – DNS Services

There are too many F5 articles to list out but building a lab is necessary, in my opinion. It allows you to screw things up and understand why you screwed it up. You can build out a lab in Azure as well since F5 has Virtual Editions in their marketplace. Please use whatever is comfortable to you and make sure to keep an eye on those charges, if you end up using one of these cloud environments.

Practice Exams

Practice exams are vital and should be considered a necessity when attempting any 200 or 300-level exam. As I’ve said in other blog posts around these certifications, they give you a similar experience to what you have on exam day even if the questions are not on the exam. I love having these available to me, and you can purchase 1 practice exam for $25 or 2 for $40. You have 90 days to use them. I typically take one at the beginning of the process and then one about a week or so before exam day so I can get an idea of how I’ll do on the exam. The practice exams are offered here:

Exam Studio – F5 Practice Exams

What’s Next?

Well, I’m on the path to taking the 402 and becoming an F5 Certified! Solution Expert – Cloud. I plan to take this exam at the end of September so we’ll see how it goes. This exam is focused more around cloud technologies and how F5 will fit into these architectures. Cloud is all about sizing and the larger you go with a particular VM, the more expensive it becomes. So I’m interested in learning more about cost-efficiency and what changes now that you don’t have access to Layer 2 anymore.

Until next time!

Becoming Certified! – The Road to 401 is Complete!

It’s finally over gang! As you can see above, I was successful in passing the 401 exam and achieving that nice looking blue badge. I’ll admit that I wasn’t a fan of the color changes to the badges but I have come around and really like that blue.

Thoughts on the Exam

Overall, I thought it was a tough exam. I think the toughest part of the exam was trying to answer questions on technologies that I do not actively use or have experience in, but I understand why you might be tested on those. This certification exam tests your knowledge on all things F5: during the 300-level exams, you are tested on configurations for a given module, but here you need to know everything so you can educate or influence your customer on the right solution. It only makes sense, so once you understand that, you’ll be fine. The exam itself is tough and can make you question yourself as an engineer but like anything, it will be worth it once you pass.

I won’t say what is on the actual exam but the blueprint does a good job of pointing all that information out so that’s a good place to start.

The lack of practice exams is a killer!

So You Want To Take That 401?

Here is a visual of what you will need to achieve to be able to sit for the 401:

It’s a long journey but you will learn so much if you put the time into it. Overall, you will take 6 exams to become eligible for the 401 exam which results in 4 certifications so it is not like you are taking all 6 exams with nothing to show for it. The one great thing about the process is that each higher level exam will renew the one below it. For example, a 300-level exam will refresh the 201 and a 400-level will renew every certification that is required for it.

What Did I Use to Study?

With the lack of practice exams for 401 and not really knowing how the questions might be asked, I created my own study guide comprised of a combination of F5 resources and YouTube videos. I placed the Word document in a repository on my Github but also copied it into a ReadMe file on that repository as well. You can find it below:

https://github.com/CoolPoole/f5-401-exam

Where Do I Go From Here?

I think I’m done taking F5 exams for the rest of the year, so I think I’ll plan to learn some things that I’ve been putting off. I like to play around on TryHackMe and I really want to learn some Node.js and JavaScript as well as play around in Azure. I also want to build out some labs in Azure and AWS so really I will just continue to learn.

I really hope these posts will help someone but at least, I can look back and just exhale on what I’ve accomplished in 2021. Take care and keep learning new things!

Becoming Certified! – F5-CTS BIG-IP APM Edition

Yep. If you were paying attention, I passed 301b just a couple of weeks ago and since I enjoy punishment, I decided to schedule 304 immediately after it. I was a little cautious since I do not care for taking exams so close together but I’ll explain later in the post as to why I needed to take it so quickly. But before I do that, I will go through my experience with APM and what I used to pass this exam. I hope you enjoy it and find it helpful.

Working with APM – A Real Mystery

I was introduced to Access Policy Manager back in 2015 on version 11.6 by John Bailey and John Alam (two visionaries!). I had no clue what it was or how I could use it in our environment. I was lucky enough to have a great Manager, Mike Walter, who I could always go to if I felt I needed training (which I did a lot with F5). I spent a lot of time in New York City on 33rd street taking F5 trainings which were really good to get you started, as well as providing a nice lab book that could walk you through some configurations. I think we only used APM to provide logon pages for applications that could do lookups against Active Directory and do queries for group memberships, then allow access should the query return successfully. That was really it but there was so much more to it that we never explored.

Once I moved on, I was able to see APM in all of its glory. I saw Portal Access being used, Kerberos for SSO, and SAML Authentication, both as an Identity Provider and a Service Provider. I was also exposed to the configuration for On-Demand Certificate authentication and SSL VPNs. These items were foreign to me as a configuration concept or in how they could be leveraged but I soon began to see them in action. Those configurations are only a small sample of what APM can do for an application.

I do not really see a lot of commentary on Access Policy Manager, especially with F5 pushing Nginx, SSL Orchestrator or the new acquisition of Volterra. It definitely has a place with respect to securing applications fronted by the BIG-IP.

What Do I Need To Do? Let’s Talk Requirements

The requirements to be eligible to take this exam are really straightforward, like all the other exams. You only need to have passed 201 and be a BIG-IP Certified Administrator to be eligible. That certification allows you to take 301a, 302, and 303 in addition to 304. Here is a great illustration that shows the path and can be found here:

My Lips Are Sealed

I cannot tell you what is specifically on the exam but you can expect to be asked anything and everything that Access Policy Manager provides so knowing the big topics like AAA (Authentication, Authorization, and Accounting) or Portal Access will likely be needed as they are such a big part of APM.

I am lucky enough to have access to APM in a production environment but you could easily spin up a virtual machine in AWS or Azure and provision APM so that you could just look at the GUI to see what is available. But remember, this exam is based on code version 12.1 according to the blueprint. So use the blueprint to make sure you are studying the material needed for this exam.

My Study Materials

Practice Exams

I love the practice exams provided by F5 and Exam Studio Online. As I mentioned in my previous post, I like to take one before I start studying so I can see where I am the weakest and spend a little more time there. You can find them here. They are fairly inexpensive with one exam costing $25 and two costing $40. You will need an F5 Candidate username to log in though.

Operations Guide

I’ve mentioned AskF5 in my previous blog post, Becoming F5-CTS BIG-IP LTM Certified!, but AskF5 has an operations guide for Access Policy Manager which goes over licensing, use cases, high availability, and security. It is really comprehensive and is a good starting point for those who have not accessed APM in some time or are new to the module. It can be found here.

So What’s Next?

So I alluded to this earlier in the post but my Application Security Manager certification is up for renewal next month so instead of renewing it, I decided to see if I can get 401 certified before ASM expires. So yeah…I love punishment. I’ve scheduled it for the end of the month and with no practice exams available, it will be a challenge.

Regardless of the outcome, I'll be sure to write another blog post about it. Fingers crossed!

Becoming F5-CTS BIG-IP LTM Certified!

Yes! I can finally say that I have survived the one thing that haunts me and that is a certification that involves passing two exams and one that requires you pass the first exam to be eligible for the second exam. I have always preferred the one exam per certification route but I can say that I learned a lot with this path. I will try to provide what I used for both exams in the hope it will help someone who is looking to tackle this certification.

My F5 Background

Let us begin by saying that I am not new to the F5 BIG-IP nor to many of its modules. I was exposed to the BIG-IP as a SQL developer where our main relational database was being load balanced behind one of its virtual servers. One day, I had the opportunity to log in (basically the only one who was around) and had no idea how to navigate. A few years later, I would have the opportunity to manage one. This eventually turned into fourteen but things tend to multiply.

I was lucky enough to get plenty of hands-on with Local Traffic Manager, BIG-IP DNS (GTM for the old people – me included), Access Policy Manager, and Application Security Manager. This definitely made it easier for me to learn how the BIG-IP worked and how each module fit into the overall plan F5 has with making applications go faster and become more secure (applications, not the control plane CVE in 2020). It’s not impossible to pass an exam without having physical access to the BIG-IP but it definitely helps.

Let’s Talk Exams

There are two exams required to achieve the LTM certification, which is at the 300-level. The certification team at F5 actually does a great job at providing the necessary info on requirements as well as resources to study materials. While there are no official study guides for the 300-level exams, the F5 certification team provides exam blueprints as well as access to practice exams for each exam. I’ll explain where to find those later but here is an interactive guide to prerequisites for each exam.

Exam 301A – Where It All Begins

This exam will measure your ability to set up a BIG-IP device in multiple ways (i.e. Standalone, Active/Standby, or Active/Active), architect the BIG-IP so that it fits into an existing network, as well as deploying applications behind it using the many configuration options the device provides.

If you have experience in onboarding a BIG-IP into an existing network, deploying applications behind different types of virtual servers, and setting up high availability with multiple BIG-IP devices, you should not have an issue with at least being in the ballpark to pass this exam (minimum score of 245). Your environment and exposure will determine how much you need to study.

I started out in an environment where everything was simple and had very little segmentation, so there was no way I was passing this exam. I am now in an environment where I am exposed to more than just a standard virtual server and round robin load balancing. The Exam Blueprint can be found here so take a peek and see if there are any items that you need to do some more research on.

ProTip: If you pass 301A, I would not post that you are 301A certified. Dr. Ken will be in your comments quickly to tell you this.

Exam 301B – Last Person Standing

Passing this exam will get you past the finish line and that really nice looking purple badge! I mean that’s really what you’re after right?

This exam will test your ability to troubleshoot issues with the BIG-IP devices and application configurations. This can be anything from consolidation of redundant or unused items in an existing configuration, deploying custom alerting (I see you MIBs), upgrades and rollbacks (ouch!), and profile modifications. Time is not your friend on this one. Troubleshooting can be time consuming and these questions are no different. Again, having some experience in a production environment will help (a lot) but still not impossible if you have access to a lab. But remember, passing this will get you that fancy badge so good luck!

Oh…before I forget, you can find the Exam Blueprint here but there was a nice blog post that I found where someone was kind enough to put some information to some of the items in the blueprint. I would personally like to give “Erik” a shoutout because his blog actually filled in some gaps for me. Check it out (not spam!).

Other Study Items That Really Help…I promise!

Practice Exams

There is a practice exam for each F5 exam, so 301A and 301B both have their own exams. My personal method is to buy two ($40) and, while there is only one practice exam per F5 exam, I take one early on in the study process and one before I take the exam. The questions do not appear on the exam but they do, at least, give you an idea of how the questions are formatted. This is a big part of the exam process, in my opinion. They are provided by Exam Studio Online and are located here. I do believe that this ties in with your candidate login information but don’t quote me on that. It’s been a bit since I signed up and I can barely remember my password and username.

I do recommend at least purchasing one ($25) unless you like to live dangerously and if that is the case, rock on!

Labs

While I’m lucky to have access to actual devices, I know some don’t. However, I have deployed some personal devices in Amazon Web Services where you can only pay for the time that they are running (so make sure to turn them off!). This can be helpful to learn the GUI or run TMSH commands to help with learning. You are definitely going to want some hands-on experience with these because as you navigate through the GUI and command line, you can see how items relate such as how “/sys” at the command line corresponds to the “System” section in the GUI or how “/net” allows you to list the interfaces on the BIG-IP similar to how you can see them in the “Network” section. See where I am going? It helps…trust me.

AskF5

The last resource I used and really in conjunction with the labs section is AskF5. This is a great resource that will explain configuration options for a profile, tell you the default value, and even provide some “gotcha” items in the event you plan to change a value on a profile, for example. I used these quite a bit when I wanted to learn more about certain items in a given profile or configuration that you do not configure regularly or at all. Here is an example of what it might look like:

What I like most is that you can see how often it’s updated and which version of the BIG-IP software it might apply to.

In Conclusion

My only hope for this blog post is to provide some sort of insight into what it takes to become certified with Local Traffic Manager as well as give some tips that helped me pass these exams while also minimizing spelling and grammar errors.

At the end of the day, you should take these exams because you want to and not because you feel like you have to. I use certifications as a way to keep me honest while I am learning, otherwise I feel like I would not put as much effort into it. Take them for yourself because you want to learn and not because you feel like it will validate what you know.

Thank you for taking the time to read this post and I wish you good luck!