In a certain setup that requires license sharing, FortiProxy has to be configured with the config-sync HA feature and security fabric enabled. The config-sync HA will show as in sync before FortiProxy v7.6.2. In the example below, the FortiProxy with the hostname of Primary will always be the primary since override is enabled, unless an issue occurs.

Config Sync setup:

    Primary # show system ha
    config system ha
        set group-id 333
        set group-name <groupname>
        set mode config-sync-only
        set password <password>
        set hbdev "port10" 0
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "port9"
                set gateway 10.47.31.254
            next
        end
        set override enable
        set priority 200
        set unicast-status enable
        config unicast-peers
            edit 1
                set peer-ip 10.188.5.212
            next
        end
    end

    Secondary # show system ha
    config system ha
        set group-id 333
        set group-name <groupname>
        set mode config-sync-only
        set password <password>
        set hbdev "port10" 0
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "port9"
                set gateway 10.47.31.254
            next
        end
        set override disable
        set unicast-status enable
        config unicast-peers
            edit 1
                set peer-ip 10.188.4.169
            next
        end
    end

The unit with the hostname of Secondary is configured as the security fabric root, while Primary is configured as the downstream device:

    Secondary # show system csf
    config system csf
        set status enable
        set uid "35fc862f3bdb726605d9aeb69557adc5"
        set group-name <groupname>
        set group-password <password>
        config trusted-list
            edit "Primary"
                set serial "FPXVMXXXXXXXXXXX"
                set index 1
            next
        end
    end

    Primary # show system csf
    config system csf
        set status enable
        set uid "17a34c101f202f89dbe59c7ee1926cf8"
        set upstream "10.47.5.212"
    end

The HA synchronization status is in-sync on v7.4.10. However, after upgrading to FortiProxy v7.6.6, the config-sync status never becomes in-sync. Rebooting the FortiProxy does not resolve the issue either.

Further investigation of the HA checksum indicates that there is a table missing on the Primary (downstream unit). It is also possible to verify this via the CLI.

Secondary - Security Fabric root:

    Secondary # diagnose sys ha checksum show global | grep automation
    system.replacemsg.automation: 4552da2092b8a08ea3c962fa309a3886
    automation.setting: 00000000000000000000000000000000
    system.automation-condition: 00000000000000000000000000000000

Primary - Downstream unit:

    Primary # diagnose sys ha checksum show global | grep automation
    system.replacemsg.automation: 4552da2092b8a08ea3c962fa309a3886
    automation.setting: 00000000000000000000000000000000

Note that the table for system.automation-condition is not available on the Primary (downstream unit).

The root cause of this issue is that automation settings are discarded when a unit is added to a security fabric as a downstream device.

To resolve this issue, run the following command on the Primary unit. No downtime or reboot is required:

    config automation setting
        set fabric-sync disable
    end

Disabling the parameter stops the units from synchronizing automation settings within the security fabric.

The table will be restored on the downstream unit (Primary) after running the command stated above:

    Primary # diagnose sys ha checksum show global | grep automation
    system.replacemsg.automation: 4552da2092b8a08ea3c962fa309a3886
    automation.setting: 9b5e6d86cb25d73b0200438085c8e79b
    system.automation-condition: 00000000000000000000000000000000

HA status will show that it is in sync:

    Primary # get system ha status
    HA Health Status: OK
    Model: FortiProxy-KVM
    Mode: ConfigSync
    Group Name: <groupname>
    Group ID: 333
    Debug: 0
    Cluster Uptime: 1 days 19h:0m:21s
    Cluster state change time: 2026-03-04 16:44:14
    Primary selected using:
        <2026/03/04 16:44:14> vcluster-1: FPXVMXXXXXXXXXXX is selected as the primary because its override priority is larger than peer member FPXVMYYYYYYYYYYY.
        <2026/03/04 16:43:33> vcluster-1: FPXVMXXXXXXXXXXX is selected as the primary because it's the only member in the cluster.
        <2026/03/02 23:17:44> vcluster-1: FPXVMXXXXXXXXXXX is selected as the primary because its override priority is larger than peer member FPXVMYYYYYYYYYYY.
    override: enable
    Configuration Status:
        FPXVMXXXXXXXXXXX (updated 3 seconds ago): in-sync
        FPXVMXXXXXXXXXXX chksum dump: 24 b4 da f8 29 08 70 05 e8 56 86 29 82 2c 14 ec
        FPXVMYYYYYYYYYYY(updated 4 seconds ago): in-sync
        FPXVMYYYYYYYYYYY chksum dump: 24 b4 da f8 29 08 70 05 e8 56 86 29 82 2c 14 ec
    System Usage stats:
        FPXVMXXXXXXXXXXX(updated 3 seconds ago):
            sessions=12, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=45%
        FPXVMYYYYYYYYYYY(updated 4 seconds ago):
            sessions=15, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=44%
    HBDEV stats:
        FPXVMXXXXXXXXXXX(updated 3 seconds ago):
            port10: physical/00, up, rx-bytes/packets/dropped/errors=371442298/847617/0/0, tx=434882272/835076/0/0
        FPXVMYYYYYYYYYYY(updated 4 seconds ago):
            port10: physical/00, up, rx-bytes/packets/dropped/errors=16442762/32164/0/0, tx=13526325/30918/0/0
    number of member: 2
    Primary , FPXVMXXXXXXXXXXX, HA cluster index = 1
    Secondary , FPXVMYYYYYYYYYYY, HA cluster index = 0
    number of vcluster: 1
    vcluster 1: work 0.0.0.0
    Primary: FPXVMXXXXXXXXXXX, HA operating index = 0

Related documents:

- FortiProxy v7.6.2 CLI Reference: config automation setting
- FortiProxy v7.6.6 License Sharing Deployment: Enabling license sharing
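
The checksum comparison used in this article to spot the missing system.automation-condition table can be scripted. The following is an added example, not Fortinet's code and not part of the original article: it parses the `diagnose sys ha checksum show global` output of two units and reports tables present on only one unit or with differing checksums. The function names are hypothetical, the sample input is the two pre-fix outputs quoted in the article, and each table line is assumed to have the `name: 32-hex-digit checksum` form shown there.

```python
import re

# Sample input: the pre-fix outputs quoted in the article, prompt line included.
SECONDARY_OUT = """\
Secondary # diagnose sys ha checksum show global | grep automation
system.replacemsg.automation: 4552da2092b8a08ea3c962fa309a3886
automation.setting: 00000000000000000000000000000000
system.automation-condition: 00000000000000000000000000000000
"""
PRIMARY_OUT = """\
Primary # diagnose sys ha checksum show global | grep automation
system.replacemsg.automation: 4552da2092b8a08ea3c962fa309a3886
automation.setting: 00000000000000000000000000000000
"""

# Assumption: one table per line, "<table name>: <32 hex digits>".
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+):\s*([0-9a-fA-F]{32})\s*$")


def parse_checksums(text):
    """Return {table_name: checksum} from pasted checksum output."""
    tables = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:  # prompts, headers and blank lines do not match
            tables[match.group(1)] = match.group(2).lower()
    return tables


def compare_units(a_text, b_text):
    """Compare two units' checksum tables and describe the drift."""
    a, b = parse_checksums(a_text), parse_checksums(b_text)
    return {
        "only_in_a": sorted(set(a) - set(b)),   # table missing on unit B
        "only_in_b": sorted(set(b) - set(a)),   # table missing on unit A
        "mismatch": sorted(t for t in set(a) & set(b) if a[t] != b[t]),
    }


if __name__ == "__main__":
    drift = compare_units(SECONDARY_OUT, PRIMARY_OUT)
    for kind, names in drift.items():
        print(f"{kind}: {', '.join(names) if names else '-'}")
```

A table listed under `only_in_a` or `only_in_b` is the kind of structural difference described above, which keeps the cluster out of sync even when every shared table has the same checksum.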