Cayazo
Staff & Editor
Article Id 422372
Description: This article describes how to fix a high availability out-of-sync issue, which can be caused by a configuration mismatch in the FortiGuard settings.
Scope: FortiGate.
Solution


1. Review the FortiGuard configuration of both appliances:

show system fortiguard

To access the secondary unit, use the command:

execute ha manage [ID] [username] <----- Where ID can be 0 or 1.

For more detailed information about accessing the secondary appliance, check this KB article: Technical Tip: How to access secondary unit of HA cluster via CLI.

If the device has a reserved management interface, the secondary unit is also accessible directly via the GUI using its reserved management IP.

2. After comparing the configurations, manually set the recommended configuration provided by this KB article: Troubleshooting Tip: Unable to connect to FortiGuard servers.

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53 200.91.112.220
end

Note:
The configuration must be applied manually on both appliances over the CLI console.

3. Recalculate the checksum over the CLI console on the primary unit:

diagnose sys ha checksum recalculate

4. After recalculating, confirm the cluster checksum:

diagnose sys ha checksum cluster

If the cluster remains out of sync, the following sequence of commands should resolve the issue and restore the cluster to a synchronized state.

5. Stop HA synchronization between members:

execute ha sync stop

6. Restart the HA sync daemon:

fnsysctl killall hasync

Note: To confirm the daemon actually restarted, check its PID before and after with:

diagnose sys process pidof hasync

If the PID changes after fnsysctl killall hasync, the process was restarted.

7. Start HA synchronization again:

execute ha sync start

8. Force a checksum recalculation to trigger a fresh comparison and synchronization:

diagnose sys ha checksum recalculate
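After the final recalculation, confirm the result with diagnose sys ha checksum cluster. The script below is an added example (not Fortinet code) that parses that command's output, pasted in from the CLI, and names the scopes (global, each VDOM) whose checksums are not identical on every member, which points at where the mismatch lives. It assumes the output layout shown in SAMPLE, which is constructed: serials are placeholders and hashes are shortened to four bytes.

```python
# Added example (not Fortinet code): parse `diagnose sys ha checksum cluster`
# output and report which scopes differ between members. Assumes the layout in
# SAMPLE (constructed; placeholder serials, hashes shortened to 4 bytes).
import re

SAMPLE = """\
================== PRIMARY-SERIAL ==================
debugzone
global: 1a 2b 3c 4d
root: 11 22 33 44
checksum
global: 1a 2b 3c 4d
root: 11 22 33 44
================== SECONDARY-SERIAL ==================
debugzone
global: ff ee dd cc
root: 11 22 33 44
checksum
global: ff ee dd cc
root: 11 22 33 44
"""

HEADER = re.compile(r"^=+\s*(\S+)\s*=+$")          # '=== <serial> ==='
SUM_LINE = re.compile(r"^(\S+):\s*((?:[0-9a-f]{2}\s*)+)$")  # 'scope: hex bytes'


def parse_cluster_checksums(text):
    """Return {serial: {scope: hexdigest}} from each member's 'checksum' block."""
    result, serial, in_checksum = {}, None, False
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            serial, in_checksum = m.group(1), False
            result[serial] = {}
        elif line in ("debugzone", "checksum"):
            in_checksum = line == "checksum"  # the debugzone block is ignored
        elif serial and in_checksum and (m := SUM_LINE.match(line)):
            result[serial][m.group(1)] = m.group(2).replace(" ", "")
    return result


def out_of_sync_scopes(checksums):
    """Scopes (global, each VDOM) whose digest differs on any member."""
    scopes = {s for member in checksums.values() for s in member}
    return sorted(s for s in scopes  # a scope missing on a member (None) counts too
                  if len({member.get(s) for member in checksums.values()}) > 1)


if __name__ == "__main__":
    bad = out_of_sync_scopes(parse_cluster_checksums(SAMPLE))
    print("in sync" if not bad else "out of sync: " + ", ".join(bad))
```

With the sample input the script reports the global scope as out of sync, which is where the FortiGuard settings from step 2 live.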

 

Related article:

Troubleshooting Tip: How to troubleshoot HA synchronization issue using GUI and CLI on FortiGate/For...