Unless you are ever instructed otherwise by McAfee support, you can install any/all patches through the Admin Console or, if you are willing, the command line.
Patching HA systems used to be more delicate, but I believe that it isn't that much of a problem any more. The cluster will continue to function, but during the time where the appliances are running different versions, configuration changes will not be shared.
Personally, I'd install the package to the standby appliance first. Then I'd re-boot the active appliance, so that the standby takes over. I'd run it for a while to make sure that everything is OK. If it is, I'd then update the other appliance (which is now the standby). If the new package causes a problem, you can then opt to re-boot it (to bring the original active unit back into play) and then do whatever is necessary to get the updated appliance back to the original version (rollback, boot to alternative slice or even re-build and re-join to the cluster).
With regards to the lack of release notes, I agree. I've looked through the KB and can't find an 8.2.1P01 release note entry.
Hold on - I've just noticed that there's a readme section for this package which can be accessed in the Admin Console.
This is what it has to say for itself:-
For a fast path connection, fast path socket lock is released during
TCP connection drop with a reset.
Resolve an issue in PIM/SM multicast routing where receipt of PIM protocol
Register packet can cause system kernel to crash.
This patch adds more diagnostic data to be printed to system console when
kernel crashes. The new panic screen format is not active until explicitly
enabled via sysctl or tunable variable:
Resolve an issue with the ipfilter session sharing code where a race condition
could sometimes cause a kernel panic under rare circumstances.
Prevent a potential crash in BPF.
Resolves a synchronization issue in IPSec VPNs that could lead to
Resolves an issue that could lead to kernel panics when using IPS
on certain proxied traffic.
Resolves an issue where turning IPS scanning on for UDP traffic could
impact application scanning on that data.
Resolves a kernel issue where, with some policy configurations, the firewall
would delay HTTP requests for several seconds.
Improve session synchronization between members of an HA cluster
to avoid situations where the initial session packets can be processed
by the wrong node.
Fix IP Filter Locking issue.
UDP handle race between packet reception and socket close.
Disables default transmit chksum offload capability for loopback
interfaces, resolving issues where packets are sent through loopback.
Correct an issue in the HTTP proxy when processing traffic related
to virus scanning.
Resolve an issue where the HTTP proxy could crash while performing
Add support for the "1/n-1 record splitting" technique used to protect
against the BEAST attack on SSL/TLS.
Resolve an issue where sfredirectp could crash when a non-transparent
HTTP request is made to it directly.
Correct an issue where httpp with IPS enabled would cause the /secureos
partition to fill with unnecessary files.
Improve the stability of the password warder and the H.323 proxy.
Update auditbotd to be resilient in processing audit w/out attack zone.
Relax validation constraints so that rules allowing generic traffic
(non-decrypted SSL, non-HTTP, or non-smart proxy traffic) only need to
ensure that the generic app defenses are similar in those cases where
the rules use different app defenses while using overlapping endpoints
and late binding applications.
Integrate OpenSSL updates for CVE-2011-4576, CVE-2011-4619,
CVE-2012-2110, and CVE-2012-2131.
Fix communication errors with the entrelayd daemon.
Update policy logic which drives whether or not v6 AAAA queries are
generated by the firewall, so that v6 queries will only be made if
a v6 interface is enabled.
Perform additional validation on ACL queries to ensure that the
acl daemon will not become unresponsive due to a bad value in the query.
Correct an issue whereby the SNMP proxy can generate an invalid ACL query
and cause the connection to fail as a result.
Thanks for your answer.
Your second post is what I mean by changelog, which always comes directly with the package.
You described the usual way for HA, which I normally do too.
But I sometimes run into trouble when patching an HA cluster, so I am asking here beforehand. (The cluster won't sync after patching, so a complete reinstall of one node was necessary.)
Under 7.x there was always a PDF document available for the patches.
However, we will see what happens next weekend.