With Central Management set to use FortiGate Cloud, the 'connection status' shows as down on the primary firewall after a new FortiGate is added to the cluster.
First, run the FortiCloud debug on the FortiGate:
diagnose debug application forticldd -1
diagnose debug enable
After collecting the debug output, analyze it and look for errors. In this case, a connection error is observed:
[632] __tcps_tcp_start_connect: errno=115(Operation now in progress)
[919] tcps_connect: 173.243.132.26:443 -- ret 0, state 0x0(Intialized) -> 0x11(Connecting)
[4089] fds_handle_request: Received cmd 111 from pid-4234, len 0
[3876] fds_check_request: Account not active.
Next, run the 'diagnose fdsm log-controller-update' command to trigger a FortiCloud log controller update and check for errors.
diagnose fdsm log-controller-update
Account not active.
Error code: 5(Unauthorized)
If the above error is seen, it indicates that one of the FortiGate HA members has yet to be added/provisioned into FortiGate Cloud. When adding or replacing an HA member, ensure the new FortiGate is provisioned in FortiGate Cloud before joining the HA group.
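For triaging saved CLI captures from several units, the check described above can be scripted. The following is an added example, not Fortinet code: the function name triage and the result keys are assumptions, and the sample input is the output quoted in this article.

```python
import re

# Debug line shape seen in the output above: "[<id>] <function>: <message>"
DEBUG_LINE = re.compile(r"^\[(\d+)\]\s+(\w+):\s+(.*)$")
# Endpoint reported by tcps_connect, e.g. "173.243.132.26:443 -- ret 0, ..."
CONNECT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+--\s+ret\s+(-?\d+)")
# Result line printed by 'diagnose fdsm log-controller-update'
ERROR_CODE = re.compile(r"^Error code:\s*(\d+)\((\w+)\)")


def triage(text):
    """Summarise FortiGate Cloud provisioning indicators found in a CLI capture."""
    result = {"endpoints": [], "account_inactive": False,
              "error_code": None, "error_name": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = DEBUG_LINE.match(line)
        if m:
            _, func, msg = m.groups()
            c = CONNECT.match(msg) if func == "tcps_connect" else None
            if c:
                result["endpoints"].append(f"{c.group(1)}:{c.group(2)}")
            line = msg  # check the message part of the debug line below
        if line.startswith("Account not active"):
            result["account_inactive"] = True
        e = ERROR_CODE.match(line)
        if e:
            result["error_code"] = int(e.group(1))
            result["error_name"] = e.group(2)
    # Per the article: "Account not active" with error code 5 (Unauthorized)
    # means an HA member has not been provisioned in FortiGate Cloud.
    result["unprovisioned_ha_member"] = (
        result["account_inactive"] and result["error_code"] == 5)
    return result


# Sample input: the output lines quoted in this article, joined into one capture.
SAMPLE = """\
[632] __tcps_tcp_start_connect: errno=115(Operation now in progress)
[919] tcps_connect: 173.243.132.26:443 -- ret 0, state 0x0(Intialized) -> 0x11(Connecting)
[4089] fds_handle_request: Received cmd 111 from pid-4234, len 0
[3876] fds_check_request: Account not active.
Account not active.
Error code: 5(Unauthorized)
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The unprovisioned_ha_member flag is set only when both indicators are present, so a capture holding the debug output alone reports account_inactive without the final verdict.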
To add the new HA cluster member to FortiGate Cloud:
1. Break the cluster by removing the secondary FortiGate.
2. Add and provision the secondary FortiGate in the FortiGate Cloud account.
3. Verify that the device appears in FortiGate Cloud.
4. Join the new FortiGate to the HA group. Once it joins the HA group, it will automatically synchronize its FortiGate Cloud status with the primary unit.
A new HA cluster member can also be provisioned from the FortiGate Cloud Portal, on the page Devices and Provisioning -> Provisioning.
Related document:
Cloud provisioning for HA pairs