When a FortiGate device has a large address group configuration, HA configuration synchronization may fail due to high CPU utilization by the cmdbsvr daemon on the Secondary Unit.
As a result, new CLI (SSH/Console) sessions become unresponsive after authentication.

GUI access remains possible. However, configuration changes cannot be applied. If a CLI session is established on the secondary unit before HA synchronization begins, the session remains active. Once the session is disconnected, subsequent login attempts become unresponsive. The issue persists even after rebooting the devices in the HA cluster.

For example, when the maximum number of address objects supported by a FortiGate model is configured on both units in an HA cluster and added to respective address groups, the following behavior may be observed after HA synchronization begins.

CPU usage after HA synchronization starts:

Primary Unit:

06:00:51 PM up 0 days, 3 hours and 27 minutes
3U, 0N, 0S, 97I, 0WA, 0HI, 0SI, 0ST; 48377T, 36821F
dnsproxy 5601 R 96.6 0.5 16
bcm.user 2484 S < 5.1 0.2 28
hasync 5575 S < 0.3 0.6 14
fcnacd 5562 S 0.1 0.0 7
merged_daemons 5553 S 0.1 0.0 3

Secondary Unit:

06:08:02 PM up 0 days, 0 hours and 18 minutes
7U, 0N, 2S, 91I, 0WA, 0HI, 0SI, 0ST; 48377T, 36456F
wad 5870 R 99.8 0.9 25 <-- Spikes for about 80 seconds every 50 seconds.
dnsproxy 5598 R 99.6 0.5 22
cmdbsvr 5384 R 98.6 0.5 0 <--
sshd 6109 S 13.1 0.0 7
bcm.user 2484 S < 5.7 0.2 18
newcli 6080 S 0.5 0.0 2
hasync 5562 S < 0.1 0.6 4

This issue has been resolved in:
v7.6.6 (scheduled to be released in April 2026).
v8.0.0 (scheduled to be released in March 2026).
These timelines for firmware release are estimated and may be subject to change.