When the FortiGate configuration under central management is reverted from backup mode to normal mode, the following logs may be observed in the FortiGate -> Log & Report -> System Events.

date=2025-02-28 time=17:59:18 eventtime=1740783557417919061 tz="-0500" logid="0100044546" type="event" subtype="system" level="information" vd="root" logdesc="Attribute configured" user="FortiManager" ui="fgfm_tunnel" action="Edit" cfgtid=1156710400 cfgpath="system.central-management" cfgattr="mode[backup->normal]" msg="Edit system.central-management "

The above event log indicates that FortiManager has reverted the FortiGate configuration from backup mode to normal mode.

This issue occurs when a FortiGate, configured in backup mode under central management, is added to a normal mode ADOM in FortiManager instead of being assigned to a backup mode ADOM.

To resolve the issue, create a Backup ADOM in FortiManager and assign the FortiGate to the Backup ADOM.

Backup mode is used when regular changes are made directly on the FortiGate, with FortiManager acting solely as a configuration repository.

For more details on when to use normal and backup modes on FortiGate, refer to the admin guide article Normal vs Backup mode.