This topic comes up quite freqently, and even in the official Imperva documentation we found different versions: what is the correct order when upgrading SecureSphere Components?
So here’s the official order (major updates and also patches):
First, upgrade the gateways, then do the MX (Management Server). For the Gateways, if in VRRP: start with the slave, then update the VRRP master.
After that, take care of the agents (if any are in use – agents are not used in WAF scenarios).
Generally, if possible, all systems should be on the same release level!
In rare individual cases have I’ve also seen instructions from support to upgrade individual components (a client was advised to use a version 12 agent in an 11.5 environment). But please always get permission from Imperva Support here!
And, before doing a major upgrade (12.5 to 13 for example): always ask support for an upgrade validation!