FortiGate
cphi (Staff)
Article Id 216710
Description: This article describes which configuration settings will and will not synchronize between the FortiGate units of an HA cluster.
Scope: HA FortiGate.
Solution

While most of the configuration is synchronized between the FortiGates in an HA cluster, certain settings (the 'set' commands listed below) are not synchronized between the cluster members.

These settings are device-specific by nature (host identity, per-unit management addressing, cluster role), so configure them independently on each cluster member. Note that some of them, such as the HA group-id, group-name, mode and password, must still be set to the same value on every member even though they are not synchronized; otherwise the units will not form a cluster.

This is the list of configurations that will not sync:

 

config system interface
    edit [port]
        set management-ip X.X.X.X/X
    next
end

config system global
    set hostname [string]
end

 

Note: The interface reserved as the HA management interface (ha-mgmt-interface) does not have its configuration under 'config system interface' synchronized, so its IP address and administrative access settings must be configured on each unit individually.


config system ha
    set group-id [0-255]
    set group-name [string]
    set mode [standalone|a-p|a-a]
    set password [string]
    set sync-config [enable|disable]
    set encryption [enable|disable]
    set authentication [enable|disable]
    config ha-mgmt-interfaces
        edit [ID]
            set dst [class_ip&net_netmask]
            set gateway [ipv4-address]
            set gateway6 [ipv6-address]
        next
    end
    set override [enable|disable]
    set priority [0-255]
    set override-wait-time [0-3600]
    config secondary-vcluster
        set override [enable|disable]
        set priority [0-255]
    end
end
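As an added example (not from the original article), the per-device settings listed above as configured on both members of a constructed two-unit active-passive cluster. All hostnames, interface names and addresses are assumed, "<shared-secret>" is a placeholder for the HA password, and the reserved HA management interface is enabled with 'set ha-mgmt-status enable':

```fortios
# Added example; hostnames, interfaces and addresses are assumed.
# Member A (intended primary).
config system global
    set hostname "FGT-A"
end
config system interface
    edit "mgmt"
        # reserved HA management interface: not synchronized, per-unit IP
        set ip 10.0.0.11 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port1"
        # per-unit in-band management address on a data interface
        set management-ip 192.0.2.11/24
    next
end
config system ha
    # cluster identity: not synchronized, but must match on every member
    set group-id 10
    set group-name "edge-cluster"
    set mode a-p
    set password "<shared-secret>"
    set hbdev "port9" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 10.0.0.1
        next
    end
    # cluster role: deliberately different on each member
    set override enable
    set priority 200
end

# Member B (intended secondary): same identity, its own per-device values.
config system global
    set hostname "FGT-B"
end
config system interface
    edit "mgmt"
        set ip 10.0.0.12 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port1"
        set management-ip 192.0.2.12/24
    next
end
config system ha
    set group-id 10
    set group-name "edge-cluster"
    set mode a-p
    set password "<shared-secret>"
    set hbdev "port9" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 10.0.0.1
        next
    end
    set override enable
    set priority 100
end
```

With 'override' enabled on both members, the higher priority (200 on FGT-A) makes FGT-A take the primary role whenever it is up; everything else that is not in the list above (policies, objects, VPN, routing) is entered once on the primary and synchronized to FGT-B.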

 

It is also possible to configure a vdom-exception so that any of the objects listed below are not synchronized between the cluster units.

If VDOM mode is disabled, the excepted object(s) apply to the whole device.

If VDOM mode is enabled, the excepted object(s) apply only to the scope specified.

 

config system vdom-exception
    edit 1
        set object [object]
        set scope [all|inclusive|exclusive]*
        set vdom [name1],[name2]..*
    next
end

* scope and vdom are used only when VDOM mode is enabled: 'all' covers every VDOM, 'inclusive' only the listed VDOMs, 'exclusive' every VDOM except the listed ones.

 

List of objects that can be independently configured:


log.fortianalyzer.setting
log.fortianalyzer.override-setting
log.fortianalyzer2.setting
log.fortianalyzer2.override-setting
log.fortianalyzer3.setting
log.fortianalyzer3.override-setting
log.fortianalyzer-cloud.setting
log.fortianalyzer-cloud.override-setting
log.syslogd.setting
log.syslogd.override-setting
log.syslogd2.setting
log.syslogd2.override-setting
log.syslogd3.setting
log.syslogd3.override-setting
log.syslogd4.setting
log.syslogd4.override-setting
system.gre-tunnel
system.central-management
system.csf
user.radius
system.cluster-sync*
system.standalone-cluster*
system.interface*
vpn.ipsec.phase1-interface*
vpn.ipsec.phase2-interface*
router.bgp*
router.route-map*
router.prefix-list*
firewall.ippool*
firewall.ippool6*
router.static*
router.static6*
firewall.vip*
firewall.vip6*
system.sdwan*
system.saml*
router.policy*
router.policy6*

 

The objects marked with * in the list above are only available on FortiGate-VM models.
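An added worked example (not from the original article) of the vdom-exception configuration on a constructed multi-VDOM cluster: syslog settings are excepted in every VDOM so that each member logs with its own source IP, RADIUS server definitions are excepted everywhere except the "dmz" VDOM, and, on FortiGate-VM only, the interface table of the "root" VDOM is kept per device. VDOM names, the syslog server and all addresses are assumed:

```fortios
# Added example; VDOM names, servers and addresses are assumed.
config system vdom-exception
    edit 1
        # syslog settings stay per device in every VDOM
        set object log.syslogd.setting
        set scope all
    next
    edit 2
        # RADIUS definitions stay per device in every VDOM except "dmz",
        # where both members should keep the synchronized definition
        set object user.radius
        set scope exclusive
        set vdom "dmz"
    next
    edit 3
        # FortiGate-VM only (objects marked * above): keep the "root" VDOM
        # interface configuration per device, e.g. for cloud HA where each
        # VM carries its own interface addresses
        set object system.interface
        set scope inclusive
        set vdom "root"
    next
end

# With entry 1 in place, the syslog target is configured on each member
# individually; this is member A, member B uses its own source-ip.
config log syslogd setting
    set status enable
    set server "203.0.113.5"
    set source-ip "10.0.0.11"
end
```

Add the exception before entering the per-device values; a value set on the secondary for an object that is still synchronized is overwritten by the primary's configuration at the next synchronization.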

 

Note:

If a configuration change was not pushed to the secondary device, trigger the synchronization manually. The commands need to be typed on both firewalls:

 

Primary FortiGate:

 

diagnose sys ha checksum recalculate

execute ha synchronize start

 

Secondary FortiGate:

Connect to the secondary from the primary with 'execute ha manage <id> <username>' (type 'execute ha manage ?' to list the cluster member IDs; the password is prompted on the next line), then type the same commands:

 

diagnose sys ha checksum recalculate

execute ha synchronize start

 

To confirm the result, compare the checksums of all members with 'diagnose sys ha checksum cluster': the cluster is in sync when every member reports the same 'all' checksum. Settings from the lists above are expected to differ between members and do not indicate a synchronization problem.

 

Note:

In an HA setup, each device maintains its own SNMP interface indexes. Even if two FortiGates are configured identically and have the same interfaces, the SNMP index values for those interfaces may not match, so the snmp-index setting is exempted from HA synchronization.

 

External threat feeds are not synchronized by HA either: they are configured at the individual device level and are not part of the HA synchronization process.

 

Open a TAC Support Team case if further assistance is required.