Probably not that widely used feature having Cluster VIP in one subnet and actual interfaces in different as described in ClusterXL admin guide, "Cluster IP Addresses on Different Subnets" section:

Yesterday I noticed interesting behaviour whilst performing multi-version cluster upgrade (R80.30 > R80.40)

After doing initial upgrade on FW2, I attempted to download and install latest Jumbo but gateway failed to connect to Checkpoint services. Logs showed drops on Sync interface on FW1 with source IP of FW2 external interface, say side-B in the diagram 192.168.2.2, destination being updates.checkpoint.com. 

Normally this is covered by implied rules as interface IPs and VIPs are part of the cluster.

In this case 192.168.2.2 was not considered as cluster IP so I had to add explicit rule to allow traffic from 192.168.2.x IP addresses out to Checkpoint services and then it all started working. Including other services like updatable objects.

In more practical terms this was the change in the rule (note that IPs differ from example diagram above)

 After pushing policy (separately as they run different versions) to both members all started working.

In case it helps someone else!