After restarting a FortiGate that does not have a disk, connections to URLs/IP addresses in the imported Threat feed list are blocked by FortiGate. The Threat feed is updated immediately after the restart but takes about 30 minutes to fully load, as indicated in the system event logs below:
System events:
--------------
time=12:30:59 eventtime=1724182259173226854 tz="-0700" logid="0100022222" type="event" subtype="system" level="notice" vd="root" logdesc="Threat feed loaded" action="load" msg="success. limit(278419): block(0.0) allow(0.0) ext(0.0)" informationsource="proxy" new_status="mem(limit/max/shm): 1921/0/0 limit(~278419) rebuild=3 reattach=0 err(0):open=0 add=0 build=0 attach=0 block(0): build=0 err:sys=0 nof=0 ver=0 patt=0 ovfl=0.0 allow(0): build=0 err:sys=0 nof=0 ver=0 patt=0 ovfl=0.0 ext-res(206): build=3 err:sys=0 nof=0 ver=0 patt=0 ovfl=0.0 " desc="ftgd-cat-threat-feed"
time=12:00:59 eventtime=1724180458950421757 tz="-0700" logid="0100022220" type="event" subtype="system" level="information" vd="root" logdesc="Threat feed updated" status="success" msg="Threat feed 'ext-root.msthreatfeed' updated successfully" desc="threat-feed"
time=12:00:02 eventtime=1724180393209072140 tz="-0700" logid="0100032009" type="event" subtype="system" level="information" vd="root" logdesc="FortiGate started" msg="Fortigate started"
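One way to measure this delay from exported system event logs, as an added example that is not part of the original article: it pairs each "FortiGate started" event with the first "Threat feed updated" and "Threat feed loaded" events that follow it, using the logid values shown above. The function names, the trimmed sample lines and the 300-second threshold are assumptions.

```python
import re

# Constructed input: the three events from this article, trimmed to the fields used here.
SAMPLE_LOG = '''\
time=12:30:59 eventtime=1724182259173226854 tz="-0700" logid="0100022222" type="event" subtype="system" logdesc="Threat feed loaded" action="load" desc="ftgd-cat-threat-feed"
time=12:00:59 eventtime=1724180458950421757 tz="-0700" logid="0100022220" type="event" subtype="system" logdesc="Threat feed updated" status="success" desc="threat-feed"
time=12:00:02 eventtime=1724180393209072140 tz="-0700" logid="0100032009" type="event" subtype="system" logdesc="FortiGate started" msg="Fortigate started"
'''

# logid values as they appear in the log lines above.
BOOT, UPDATED, LOADED = "0100032009", "0100022220", "0100022222"
KV = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values may contain spaces."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV.findall(line)}


def feed_gaps(text, max_load_s=300):
    """Per boot: seconds from 'FortiGate started' to feed updated and feed loaded.

    max_load_s is an assumed alerting threshold, not a Fortinet value.
    """
    events = sorted((parse_line(l) for l in text.splitlines() if "logid=" in l),
                    key=lambda e: int(e["eventtime"]))  # eventtime is in nanoseconds
    boots, cur = [], None
    for e in events:
        t, lid = int(e["eventtime"]), e["logid"]
        if lid == BOOT:
            cur = {"boot_ns": t, "updated_s": None, "loaded_s": None}
            boots.append(cur)
        elif cur and lid == UPDATED and cur["updated_s"] is None:
            cur["updated_s"] = (t - cur["boot_ns"]) / 1e9
        elif cur and lid == LOADED and cur["loaded_s"] is None:
            cur["loaded_s"] = (t - cur["boot_ns"]) / 1e9
    for b in boots:
        # Flag boots where the feed never loaded or loaded later than the threshold.
        b["delayed"] = b["loaded_s"] is None or b["loaded_s"] > max_load_s
    return boots


if __name__ == "__main__":
    for b in feed_gaps(SAMPLE_LOG):
        print(f"updated after {b['updated_s']:.0f}s, loaded after "
              f"{b['loaded_s']:.0f}s, delayed={b['delayed']}")
```

The delays are computed from the eventtime field, so the lines can be supplied in any order.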
The forticron debug shows no output while the feed is loading; the following debug messages appear only after approximately 30 minutes:
diagnose debug application forticron -1
diagnose debug enable
.
fcron_update_ext_func()-981: update ver: 5
ext_if_up_to_date()-3552: '56c9b7e0-5f24-51ef-eca8-8e6eb6a00db4' is up to date
This issue has been resolved in v7.4.8 and v7.6.1.
Workaround: Restart the wad process. Sessions handled by the WAD daemon (proxy inspection) may be terminated, causing a momentary disruption when the daemon is restarted. See Technical Tip: How to restart the WAD process