FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 255601

This article describes why a FortiGate cluster may report the 'application.list' table as out of sync after an upgrade, and how to bring it back into sync.


Scope: FortiGate cluster after upgrade to v7.2.x.

Log into both cluster units and run the following commands on each:


config application list

show | grep "allow-dns" -f


'set options allow-dns' is the default value of 'options' in an application control profile, and the 'show' command prints only non-default settings. On a unit where the option is stored with its default value it therefore does not appear in 'show' at all.

It is only visible with 'show full' (show full-configuration).


If the option has instead been written to a unit's configuration explicitly, 'show' does return it, for example:


config application list
    edit "WhatsApp-Block"

       set other-application-log enable
       set options allow-dns   <---- stored explicitly on this unit


When this happens on only one of the two units, the stored configurations differ and the checksum of 'application.list' no longer matches between the members, which is why the cluster reports the table as out of sync.


If the output above appears on the Primary only, there are two ways to clear the issue, depending on whether the option is wanted:


  1. The option is not needed:

On the GUI, navigate to Security Profiles -> Application Control, double-click the profile named in the CLI output, disable the option 'Allow and Log DNS Traffic', and select 'OK'.


  2. The option is needed:

Open the same profile, disable 'Allow and Log DNS Traffic' and select 'OK', then re-enter the profile, enable 'Allow and Log DNS Traffic' again, and select 'OK'. Saving the profile twice rewrites the option so that it is stored with its default value again.




After that, the setting should no longer be returned by 'show' on either unit:


show application list | grep "allow-dns" -f


If the output appears on the Secondary only, fix it from the CLI. First confirm which profile is affected:


config application list

show | grep "allow-dns" -f


Enter the profile named in the output, unset the option, leave the profile with 'next' so the change is committed, then re-enter the profile and set 'allow-dns' again. Taking the profile name "WhatsApp-Block" as an example:


config application list

    edit "WhatsApp-Block"

        unset options

    next

    edit "WhatsApp-Block"

        set options allow-dns

    next

end



The cluster should now be in sync again.
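The complete CLI sequence for the Secondary-only case, as an added example that is not part of the original article: it checks for the explicitly stored option, rewrites the profile so that 'options' is stored with its default value again, and then verifies the HA checksums. It assumes the profile is named "WhatsApp-Block" as above and lives in the 'root' VDOM; the '#' lines are reader comments, not commands.

```fortios
# 1. On each cluster unit, list profiles where 'allow-dns' is stored explicitly.
#    No output means the option is at its (hidden) default on that unit.
config application list
    show | grep "allow-dns" -f
end

# 2. Rewrite the affected profile: unset 'options', commit the object with
#    'next', then set the option again. Profile name "WhatsApp-Block" is the
#    example used in the article.
config application list
    edit "WhatsApp-Block"
        unset options
    next
    edit "WhatsApp-Block"
        set options allow-dns
    next
end

# 3. The option must no longer be printed by 'show' ...
show application list | grep "allow-dns" -f

# ... but is still present, as the default, in the full configuration.
show full-configuration application list | grep "allow-dns" -f

# 4. Verify that the checksums now match on both members. The first command
#    lists the checksums of every cluster member; the second shows the checksum
#    of the 'application.list' table in VDOM 'root' (VDOM name assumed), which
#    must be identical on both units.
diagnose sys ha checksum cluster
diagnose sys ha checksum show root application.list
```

Run step 1 on both units and step 2 on the unit that returned output; if the checksums in step 4 still differ, run step 3 on both units again to confirm that neither of them stores the option explicitly any more.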