Hi.
Before you even talk about the best way to do it, it's important to follow best practices for upgrades (backup, check release notes, reactivate license, ...):
https://devcentral.f5.com/codeshare/7-steps-checklist-before-upgrading-your-big-ip-1053
So you can follow this following Procédure:
- Check if you have a scrit running on your F5 (for backup, crl update or something like that), because you will have to set it after upgrade.
- before upgrading check Network map in order to see the status of VS, pool pool members, ... for comparing this result after upgrading (more pool memebers offline for example).
- Upgrade F5 DMZ standby (follow 7-steps-checklist-before-upgrading by JTI)
When the upgrade will be finished and your equipemnet reboot:
- Check that your asm is enable (it take time).
- check that you can see event logs in asm.
- Check if your policy is in the same mode (blocking, transparent, ...).
- check that your application work fine (especially those who embeded a policy asm)
- Check your VPN too if you have have a service like that
- Check endpoint inspection (av, fw, ...)
- ...
- Switch from Active (11.5) to standby (12.x)
Once you have tested your DMZ F5 your can do the same F5 INT.
You can upgrade your Internal F5 during your test on your DMZ f5 in order to gain time an swith once you do all your test.
Hope it's help you.
Regards
Nimbostratus
