azhunissov
Staff
April 22, 2026

Technical Tip: FortiMail 7.6.4 – chattr sync-disable not working for mandatory fields in HA


Description

This article describes how 'chattr sync-disable' behaves in FortiMail 7.6.4 when used with mandatory fields in HA.

In this version, mandatory fields can no longer be excluded from HA synchronization. This is a change from previous releases, where this configuration was allowed.

Scope

FortiMail 7.6.4 GA.

Solution

After upgrading to 7.6.4:

  • 'chattr sync-disable' fails for mandatory fields.

  • Changes on the secondary unit are rejected or overwritten.

  • It is not possible to configure different values on HA members for mandatory fields.

Example error:

config profile authentication radius

FML-1 (radius) # chattr sync-display

server : sync

FML-1 (radius) # chattr sync-disable nas-ip

FML-1 (radius) # chattr sync-disable server

HA sync cannot be disabled for mandatory attribute: 'server'

Command failed(-56). Error string:

FML-1 # config system fortisandbox

FML-1 (fortisandbox) # chattr sync-disable host

HA sync cannot be disabled for mandatory attribute: 'host'

Command failed(-56). Error string:

FML-1 # config profile authentication smtp

FML-1 (smtp) # chattr sync-disable

auth-type authentication type (auto,plain,login,cram-md5,or digest-md5)

comment comment for profile authentication SMTP

option server options

port SMTP server port number

*server SMTP server ip address or host name

try-ldap-mailhost attempt authentication using LDAP mail host

FML-1 (smtp) # chattr sync-disable server

HA sync cannot be disabled for mandatory attribute: 'server'

Command failed(-56). Error string: 

Impact:

This affects environments where HA members must use different values, such as:

  • FortiSandbox integration (different per data center)

  • RADIUS / authentication servers

  • Any feature using mandatory fields requiring site-specific configuration

Listener and routing configurations are not affected.

Workaround:

Option A – Use hostname instead of IP:

  • Configure services (e.g., FortiSandbox or RADIUS) using a hostname.

  • Use different DNS resolution per HA member so the same hostname resolves to different IPs.

Option B – Use protected domain DNS (if already in use):

Example:

config system dns

chattr sync-disable protected-domain-dns-servers

    set primary <primary_dns>

    set secondary <secondary_dns>

    set protected-domain-dns-state enable

    set protected-domain-dns-servers <dc-specific_dns>

end

  • Configure a protected domain (e.g., example.com).

  • Use hostnames like fsa.example.com for FortiSandbox.

  • Ensure DNS servers resolve differently per data center.

This allows different backend targets while keeping HA sync enabled.
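Both workarounds depend on each HA member's DNS returning a site-local address for the shared hostname, so it is worth checking that before relying on it. The following is an added example, not Fortinet code: it checks that every member's DNS server resolves the hostname into that member's expected subnet and that no two members end up on the same backend. The member name FML-2, the DNS server addresses, the subnets and the sample answers are assumptions made for illustration.

```python
import ipaddress
import subprocess

def dig_short(hostname, dns_server):
    """Query one specific DNS server for A records (requires the dig utility)."""
    out = subprocess.run(["dig", "@" + dns_server, hostname, "A", "+short"],
                         capture_output=True, text=True, timeout=10).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]

def check_split_dns(hostname, sites, resolve=dig_short):
    """Return a list of findings; an empty list means every member resolves as intended."""
    findings, seen = [], {}
    for member, cfg in sites.items():
        net = ipaddress.ip_network(cfg["expect"])
        addrs = []
        for answer in resolve(hostname, cfg["dns"]):
            try:
                addrs.append(ipaddress.ip_address(answer))
            except ValueError:
                pass  # dig +short also prints CNAME targets; only IPs matter here
        if not addrs:
            findings.append(f"{member}: {hostname} has no A record via {cfg['dns']}")
        for ip in addrs:
            if ip not in net:
                findings.append(f"{member}: {ip} is outside expected {net}")
            if seen.setdefault(ip, member) != member:
                findings.append(f"{member}: {ip} is also the target of {seen[ip]}")
    return findings

# Constructed sample layout: member names, DNS servers and subnets are hypothetical.
SITES = {
    "FML-1": {"dns": "10.10.0.53", "expect": "10.10.0.0/16"},
    "FML-2": {"dns": "10.20.0.53", "expect": "10.20.0.0/16"},
}
# Constructed answers standing in for live lookups so the check runs offline.
SAMPLE_ANSWERS = {"10.10.0.53": ["10.10.5.20"], "10.20.0.53": ["10.10.5.20"]}

if __name__ == "__main__":
    fake = lambda host, server: SAMPLE_ANSWERS[server]
    for finding in check_split_dns("fsa.example.com", SITES, resolve=fake):
        print(finding)
```

With the constructed answers, the second member is reported as resolving outside its subnet and onto the first member's backend. Calling check_split_dns without the resolve argument performs live lookups through dig.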

Solution:

This behavior will be changed in future releases:

  • FortiMail 7.6.5 GA

  • FortiMail 8.0.0 GA