Forum Discussion

gijo_342173's avatar
gijo_342173
Icon for Nimbostratus rankNimbostratus
Aug 23, 2018

Upgrading 4200 from BIG IP 11.5.4 to 12.x

I currently have a 4200 with following modules LTM, APM and ASM running on 11.5.4 code. We would like to go the 12.x code. What is the best practice do this code upgrade? Our DMZ F5's are configured with the virtual's pool member as the virtuals on the inside F5. This was configured as a security measure is my understanding. I was thinking of upgrading one F5 at a time in the HA pair a night and give it a 24 hr period to see if the applications behave. I think one would need to upgrade an the DMZ F5 and the Internal F5 one device each per HA the same night. In case there is an issue with the apps we can failover to the redundant box running on code 11.

 

1 Reply

  • Hi.

     

    Before you even talk about the best way to do it, it's important to follow best practices for upgrades (backup, check release notes, reactivate license, ...):

     

    https://devcentral.f5.com/codeshare/7-steps-checklist-before-upgrading-your-big-ip-1053

     

    So you can follow this following Procédure:

     

    • Check if you have a scrit running on your F5 (for backup, crl update or something like that), because you will have to set it after upgrade.
    • before upgrading check Network map in order to see the status of VS, pool pool members, ... for comparing this result after upgrading (more pool memebers offline for example).
    • Upgrade F5 DMZ standby (follow 7-steps-checklist-before-upgrading by JTI) When the upgrade will be finished and your equipemnet reboot:
    • Check that your asm is enable (it take time).
    • check that you can see event logs in asm.
    • Check if your policy is in the same mode (blocking, transparent, ...).
    • check that your application work fine (especially those who embeded a policy asm)
    • Check your VPN too if you have have a service like that
    • Check endpoint inspection (av, fw, ...)
    • ...
    • Switch from Active (11.5) to standby (12.x)

    Once you have tested your DMZ F5 your can do the same F5 INT.

     

    You can upgrade your Internal F5 during your test on your DMZ f5 in order to gain time an swith once you do all your test.

     

    Hope it's help you.

     

    Regards