This article explains the rollout processes for updates to the Cato Cloud and services.
As part of an ongoing process of improvement and maintenance, we deploy new features, security updates, and enhancements to Cato Cloud. Updates are deployed gradually to ensure minimal impact on customers and end-users. In addition, new versions of Cato Socket firmware and Clients are also gradually rolled out to customers.
In the rare case that an issue is detected with a Cato Cloud update, rollback and recovery features help to maintain the stability and resiliency of the network.
The descriptions in this article are based on sites and licensed ZTNA remote users that follow Cato's recommended settings and configurations. For more information, see Cato's Best Practices for Updates to the Cato Service below.
The Cato Cloud service includes two main components: PoPs and the Cato Management Application (the console to manage your account settings).
This is the cadence for gradually updating the components in the Cato service:
- PoPs in the Cato Cloud - Bi-weekly, Cato PoPs are updated with new features, updates, security patches and protections, infrastructure enhancements, and more.
  - From Sunday, the content is gradually rolled out to the PoPs over two weeks.
  - During the Sunday maintenance window for PoP updates, the relevant sites and ZTNA users automatically reconnect to the same PoP. The update process can take up to 10 seconds to complete, with minimal impact.
    The Cato PoP is constructed of many compute nodes. Each can serve any remote user or site. During the update, Cato's resiliency features ensure that other PoPs in the Cato Cloud continue to process traffic and flows for the relevant sites and remote users.
  - If an issue is detected during the two-week rollout, the Cato Cloud has self-healing tools that automatically roll back to the previous version. After Cato resolves the issue, the fixed version is gradually deployed during a future maintenance window.
- Cato Management Application (CMA) - The CMA is updated every Sunday. There is no impact on customer networks during the update.
  - New features are gradually activated for customer accounts in the CMA over the same two-week rollout period as the PoPs. This means that a feature that is announced in the weekly Release Notes can take up to two weeks to be available in a specific account.
To view the current maintenance status and upcoming maintenance windows for specific PoPs and the CMA, see this page.
Cato uses automated continuous integration and continuous deployment (CI/CD) processes to evaluate and approve the code for each deployment.
These are the stages that Cato follows to roll out new content:
- Automation and CI/CD - Content is tested and validated for the upcoming deployment
- Early Availability (EA) - Customers can choose to test new features as part of Cato's EA program.
  For more information about EA features, see these EA Documentation articles.
- General Availability (GA) - Content is gradually rolled out to all customers during Cato's scheduled maintenance window (as explained in the previous section)
Cato's Security team is constantly working to create patches and protections to defend the Cato Cloud. We may deploy security updates, new anti-malware signatures, and protections to the PoPs even outside the scheduled maintenance windows. Deploying these security updates doesn't impact sites or SDP users.
- For IPsec and Cloud Interconnect sites, we strongly recommend that you configure a secondary tunnel that connects to a different PoP than the primary tunnel. For sites that only connect to one PoP with a primary tunnel, it's possible that the regular Cato service updates can impact them for a few minutes.
- For Socket version upgrades, Cato manages the Socket firmware upgrades and version control for Socket sites to make sure that they are running up-to-date versions. For more information, see Understanding Cato's Managed Socket Upgrade Service.
- For Cato Client version upgrades, we recommend that you use Cato's managed upgrade service to make sure that the Clients are using the most up-to-date versions. For more information, see Best Practices for Cato Client Upgrades.