FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

SR-IOV allows VMs to communicate directly with the PCIe devices to enable high speed IO with low delay, particularly for above 10Gbps NIC, if the hardware and system BIOS supports it.
It creates a virtual PCI device called VF and the VMs are mapped to the virtual interface.
When the VF is used for HA links for FortiGate-KVM, the permanent Hardware address is changed to the FGCP virtual address, causing HA OUT-OF-SYNC.

# diag hardware device nic port2

Name:                    port2
Driver:                  ixgbevf
Version:                 4.0.3
FW version:              N/A
Bus:                     0000:00:05.0
Hwaddr:                  00:09:0f:09:00:01
Permanent Hwaddr:        00:09:0f:09:00:01

On the server, mac address is changed as well.

# ip link show

vf 4 MAC 00:09:0f:09:00:01, vlan 1001, spoof checking off, link-state auto, trust on, query_rss off

With SRIOV, the only method for HA interface is to use unicast ha, not to change the mac address.

Further information is available here.