I was participating in a few JHF upgrades with R76SP.50 (but no VSX or VSLS systems) on 61k and 64k.
Before the upgrade:
- asg diag verify (and save the output to compare with results afterwards)
- Also save the detailed output of asg diag verify (should be in /var/log/verifier_sum.xxxxx.txt)
- Snapshots on all SGMs (and save one snapshot externally)
- Basic network/application tests (depends on which services/blades are active on the 44k)
- Save a "show configuration"
- Check custom files like fwkern.conf
For the upgrade we also used the "60000/40000 Security Platforms R76SP.50 Upgrade Guide", which was very helpful. I would also suggest doing it the same way as it is described there (for example, using the same directories for placing and extracting the JHF).
We always installed the JHF from the active chassis to all SGMs on the standby chassis and afterwards the other way around, as is mentioned in the Upgrade Guide. Put the standby chassis into "down" state (not the SGMs) and so on. If you have trouble installing the JHF, there are two parameters, "force" and "no_crs", which you can use, but better contact Check Point before using those. They could be useful if, for example, you have previously installed a private Hotfix which is included in the new JHF.
You should also verify if you need to upgrade the SSM and CMM. You should check the chassis ID on the CMM after an upgrade.
Having a serial connection to all of the modules is always a good thing. Sometimes you have to wait some time (like SGMs are rebooting twice or something like that). Don't worry if a module doesn't come up straight away, better wait another few minutes. Also, it is recommended to do the CMM upgrades via serial console and by physically removing and reinstalling the module. We also did it completely remotely, which also worked, but carries more risk.
After the Upgrade:
- Afterwards you can do the same steps as I mentioned in "before the upgrade" and compare the results.
- If a test in asg diag verify fails, you can get a detailed view from asg diag list x from the specific failed test and so on.
- I only used snapshots, since it's the recommended way. I once tried it with Backups in a Lab environment but the results were not good.
- You can get more information about this for example from sk84160 (which describes the RMA procedure for an SGM)