Article Id 195769
Occasionally, FortiGuard will send updates to FortiGates for existing predefined certificates as part of a certificate bundle update. In some cases, the certificate uses a new name, which ends up being treated as "new configuration" on the firewalls.

An example of new configuration that may show up in the FortiGate configuration as a result:
# config vpn certificate ca
    edit "Entrust_Root_Certification_Authority_-_G2"
        set range global
        set source fortiguard
    next
end
This configuration entry cannot be deleted by an admin user.

When the FortiGate is managed by FortiManager, the FortiGate will attempt to notify FortiManager of these configuration changes using auto-update.

If the FortiManager does not receive these updates, the FortiGate will show up on the FortiManager as out-of-sync, and you may also observe that FortiManager attempts to delete the new certificate during the next install attempt.

This problem should only arise if FortiGates are running firmware older than FortiOS 5.6.9 or 6.0.5.  

As of FortiOS 5.6.10, 6.0.5 and 6.2.0, FortiOS should no longer record CA certificates learned from a FortiGuard certificate bundle update in config vpn certificate ca (tracked as bug ID 517702).

The most common reason FortiManager does not receive these updates is that auto-update is disabled on the FortiManager.

# config system admin setting
   set auto-update disable
end

By default, auto-update is enabled, but some administrators choose to disable this feature to force all changes to be made only on the FortiManager.

Even if a FortiManager had auto-update enabled at the time of the certificate update, it is still possible that auto-update might fail.


In order to allow FortiManager to learn about the configuration change from the FortiGate, try one of the following:

1) Enable auto-update on FortiManager

This may be sufficient if the FortiGates are still attempting to resend auto-updates. Auto-update is the preferred method.

If auto-update is insufficient, a retrieve should correct the issue.  After a retrieve, policy package status will show as "Unknown" for that FortiGate and a further Install is required to correct the package status.

2a) Manually issue a retrieve from the FortiManager for each affected FortiGate

Or, if the number of managed FortiGates is quite large, you could use the following method of triggering a retrieve instead:

2b) Run a script with the following command against the remote FortiGates in order to trigger a retrieve:
# diag fdsm cfg-upload <comment>
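
Before deciding which devices need a retrieve, it helps to know which FortiGates actually carry a FortiGuard-sourced CA entry. The following is an added example, not Fortinet code: it scans a FortiGate configuration backup in CLI text form for entries in config vpn certificate ca that have "set source fortiguard". The function name and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample of a FortiGate configuration backup (not from a real device).
SAMPLE_CONFIG = """\
config system global
    set hostname "fgt-branch-01"
end
config vpn certificate ca
    edit "Entrust_Root_Certification_Authority_-_G2"
        set range global
        set source fortiguard
    next
    edit "Corp_Internal_CA"
        set range global
        set source user
    next
end
config vpn certificate local
    edit "Fortinet_Factory"
        set source factory
    next
end
"""

def fortiguard_ca_entries(config_text):
    """Return names of CA entries pushed by FortiGuard (hypothetical helper)."""
    stack = []      # open "config ..." sections, outermost first
    current = None  # name of the entry being read inside the CA table
    found = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end" and stack:
            stack.pop()
        elif stack[-1:] == ["vpn certificate ca"]:
            # Matching on the innermost section also covers VDOM-mode backups,
            # where the table is nested under "config global".
            m = re.fullmatch(r'edit "?([^"]+)"?', line)
            if m:
                current = m.group(1)
            elif line == "next":
                current = None
            elif line == "set source fortiguard" and current:
                found.append(current)
    return found

if __name__ == "__main__":
    for name in fortiguard_ca_entries(SAMPLE_CONFIG):
        print("FortiGuard-sourced CA entry:", name)
```

Run it over the backup of each managed FortiGate; devices that return a non-empty list are the ones whose FortiManager device database should be checked for the same entries.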