In some of the user's closed environments or with no internet access to get an update from FortiGuard, it is required to get an update from FortiManager.

The connection between FortiGate and FortiManager can be troubleshoot using update debug, and missing contracts can be observed  as shown in the example below:

upd_status_set_ha_expiry[1511]-Serial Number: FGXXX- contract processed
upd_status_set_ha_expiry[1526]-Missing contracts, got 1, expect 2 <-----
upd_status_set_ha_expiry[1544]-Reset expiry
__update_upd_comp_by_settings[494]-Disabling NIDSDB/ISDB/MUDB components.
__update_upd_comp_by_settings[498]-Disabling APPDB/IOTDB components.

do_update[678]-UPDATE failed

The update debug to be used on FortiGate:

diagnose debug reset
diagnose debug application update -1

diagnose debug console timestamp enable

diagnose debug enable

execute update-now

To disable the debug:

   diagnose debug disable

The issue is caused by FortiManager only updating 1 contract out of 2; it is required to request account entitlement or contract and upload to FortiManager:

Requesting account entitlement files
Uploading account entitlement files

A Fortinet Customer Service ticket can be created for contract and license issues, such as when HA cluster members are not registered to one account and a FortiManager ticket is required if the upload failed.