When a FortiGate operates as a standalone unit with configuration synchronization enabled, the primary device registers successfully with FortiCloud but may disconnect again after a short period of time. For details on how to configure this feature, refer to the official guide: Using Standalone Configuration Synchronization — FortiGate 6.2.0 Cookbook.
Configuration Example:
Enable standalone configuration synchronization on the primary device:
config system ha
    set password **********
    set hbdev ha1 50 ha2 100
    set priority 255
    set override enable
    set standalone-config-sync enable
end
Registering the Device with FortiCloud:
execute fortiguard-log login <account> <password> <domain>
Verify registration:
FGT1# diagnose fdsm contract-controller-update
Protocol=2.1|Response=202|Firmware=FAZ-4K-FW-2.50-100|SerialNumber=FAMS000000000000|Persistent=false|ResponseItem=HomeServer:g101.fortigate.forticloud.com*AlterServer:g101.fortigate.forticloud.com*AccountType:regular*Contract:20251210*NextRequest:86400*UploadConfig:False*ManagementMode:Local*ManagementID:411061651
Result=Success <----- FortiGate successfully registered on FortiCloud.
HA status:
get system ha status
path=system, objname=ha, tablename=(null), size=5912
HA Health Status:
    WARNING: FG201E4Q17900771 has hbdev down;
    WARNING: FG201ETK19900991 has hbdev down;
Model: FortiGate-201E
Mode: ConfigSync
Group Name:
Group ID: 0
Debug: 0
Cluster Uptime: 0 days 0:0:51
Cluster state change time: 2019-09-03 17:46:07
Primary selected using:
    <2019/09/03 17:46:07> FG201ETK19900991 is selected as the primary because it has the largest value of override priority.
ses_pickup: disable
override: disable
Configuration Status:
    FG201E4Q17900771(updated 3 seconds ago): out-of-sync
    FG201ETK19900991(updated 1 seconds ago): in-sync
System Usage stats:
    FG201E4Q17900771(updated 3 seconds ago): sessions=1, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=16%
    FG201ETK19900991(updated 1 seconds ago): sessions=1, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=16%
HBDEV stats:
    FG201E4Q17900771(updated 3 seconds ago):
        wan2: physical/1000auto, up, rx-bytes/packets/dropped/errors=114918/266/0/0, tx=76752/178/0/0
        ha: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
    FG201ETK19900991(updated 1 seconds ago):
        wan2: physical/1000auto, up, rx-bytes/packets/dropped/errors=83024/192/0/0, tx=120216/278/0/0
        ha: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
Secondary: FortiGate-201E, FG201E4Q17900771, HA cluster index = 1
Primary: FortiGate-201E, FG201ETK19900991, HA cluster index = 0
number of vcluster: 1
vcluster 1: work 169.254.0.1
Secondary: FG201E4Q17900771, HA operating index = 1
Primary: FG201ETK19900991, HA operating index = 0
The device successfully registers with FortiCloud, but it disconnects automatically later.
Collect debug logs during disconnection by running the following commands:
diagnose debug enable
diagnose debug application forticldd -1
diagnose fdsm log-controller-update
diagnose fdsm contract-controller-update
diagnose test application forticldd 1
diagnose test application forticldd 3
Example output showing a FortiGate Cloud account ID reset to null after a successful login:
FTG01 #
[210] fds_on_sys_fds_change: trace
[669] fds_https_stop_server: 173.243.132.23:443
[37] fds_queue_task: req-111 is added to log-controller
[616] fds_https_start_server: server: 173.243.132.23:443
[617] fds_https_start_server: source-ip: 0.0.0.0:0
[115] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[115] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory_Backup.cer, root ca Fortinet_CA_Backup, idx 1
[484] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[504] ssl_ctx_use_builtin_store: Enable CRL checking.
[511] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[814] ssl_ctx_create_new: SSL CTX is created
[841] ssl_new: SSL object is created
[908] ssl_set_hostname: Set hostname 'fortinet-ca2.fortinet.com'
[93] https_create: proxy server 0.0.0.0 port:0
[194] ssl_add_ftgd_hostname_check: Add hostname checking 'logctrl1.fortinet.com'
[573] __tcps_tcp_start_connect: sockfd=11, server=173.243.132.23:443, use_harelay=0, use_proxy=0
[577] __tcps_tcp_start_connect: ret=-1
[582] __tcps_tcp_start_connect: errno=115(Operation now in progress)
[870] tcps_connect: 173.243.132.23:443 -- ret 0, state 0x0(Intialized) -> 0x11(Connecting)
[98] fds_print_msg: FCPC: len=214
[105] fds_print_msg: Protocol=2.0
[105] fds_print_msg: Command=Update
[105] fds_print_msg: Firmware=FGT80F-FW-7.02-1740
[105] fds_print_msg: SerialNumber=FGT80FTK24004149
[105] fds_print_msg: PhysicalSN=FGT80FTK24004149
[105] fds_print_msg: TimeZone=-4
[105] fds_print_msg: TimeZoneInMin=-240
[105] fds_print_msg: DataItem=AccountID:security@fortinet.ca
[105] fds_print_msg: Vdom:root
[98] fds_print_msg: http req: len=261
[105] fds_print_msg: POST https://173.243.132.23:443/FCPService/Controller HTTP/1.1
[105] fds_print_msg: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
[105] fds_print_msg: Host: 173.243.132.23:443
[105] fds_print_msg: Cache-Control: no-cache
[105] fds_print_msg: Connection: close
[105] fds_print_msg: Content-Type: application/octet-stream
[105] fds_print_msg: Content-Length: 406
[513] fds_https_connect: http request to 173.243.132.23:443: header=261, ext=406.
[247] fds_https_send: sent 404 bytes: pos=0, len=404
[262] fds_https_send: sent the entire request to server: 209.40.117.133:443
[247] fds_https_send: sent 261 bytes: pos=0, len=261
[254] fds_https_send: 173.243.132.23:443: sent 261 byte header, now send 406-byte body
[707] __ssl_info_callback: SSL negotiation finished successfully
[707] __ssl_info_callback: SSL negotiation finished successfully
[707] __ssl_info_callback: SSLv3/TLS read server session ticket
[707] __ssl_info_callback: SSL negotiation finished successfully
[707] __ssl_info_callback: SSL negotiation finished successfully
[707] __ssl_info_callback: SSLv3/TLS read server session ticket
[2016] ctrl_upd_res: Reset management servers and id
[1864] fds_set_schedule: Set schedule off, type=0
[1864] fds_set_schedule: Set schedule off, type=1
[1864] fds_set_schedule: Set schedule off, type=2
[471] fds_free_tsk: cmd=4; req.noreply=0
[1864] fds_set_schedule: Set schedule off, type=0
[1864] fds_set_schedule: Set schedule off, type=1
[1864] fds_set_schedule: Set schedule off, type=2
[471] fds_free_tsk: cmd=4; req.noreply=0
[3497] fds_handle_request: Received cmd 116 from pid-15613, len 0
[527] fds_send_reply: Sending 8 bytes data.
[3497] fds_handle_request: Received cmd 116 from pid-15613, len 0
[527] fds_send_reply: Sending 8 bytes data.
[3497] fds_handle_request: Received cmd 116 from pid-15613, len 0
[527] fds_send_reply: Sending 8 bytes data.
0: config system fortiguard
0: set service-account-id ""   <----- The FortiGate Cloud account ID is reset to null immediately after a successful login or join performed by another FortiGate.
0: end
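The two outputs above can be triaged automatically when the symptom recurs. The following Python helper is an added example, not part of the Fortinet article or of FortiOS: it parses the pipe-delimited contract-controller response shown earlier and scans forticldd debug output for the account-reset markers; the sample inputs are constructed copies of the layouts in this article, and the verdict strings are the author's own names.

```python
"""Triage helper for the FortiGate Cloud disconnect described in this article.

Constructed sample inputs (not taken from a live device) imitate the CLI output
the article shows: the contract-controller response and forticldd debug lines.
"""
import re

# Constructed sample of `diagnose fdsm contract-controller-update` output;
# field names and layout follow the article, values are illustrative.
CONTRACT_RESPONSE = (
    "Protocol=2.1|Response=202|Firmware=FAZ-4K-FW-2.50-100|SerialNumber=FAMS000000000000|"
    "Persistent=false|ResponseItem=HomeServer:g101.fortigate.forticloud.com*"
    "AlterServer:g101.fortigate.forticloud.com*AccountType:regular*Contract:20251210*"
    "NextRequest:86400*UploadConfig:False*ManagementMode:Local*ManagementID:411061651"
)

# Constructed excerpt of `diagnose debug application forticldd -1` output.
FORTICLDD_DEBUG = """\
[105] fds_print_msg: DataItem=AccountID:security@fortinet.ca
[707] __ssl_info_callback: SSL negotiation finished successfully
[2016] ctrl_upd_res: Reset management servers and id
[1864] fds_set_schedule: Set schedule off, type=0
0: config system fortiguard
0: set service-account-id ""
0: end
"""


def parse_contract_response(line: str) -> dict:
    """Split the pipe-delimited FCP response into key/value pairs; ResponseItem
    is itself a '*'-delimited list of key:value pairs and becomes a nested dict."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|") if "=" in part)
    items = fields.pop("ResponseItem", "")
    fields["ResponseItem"] = dict(kv.split(":", 1) for kv in items.split("*") if ":" in kv)
    return fields


def account_reset_events(debug_output: str) -> list:
    """Return the debug lines showing FortiCloud wiped the account binding:
    the ctrl_upd_res reset and the resulting empty service-account-id."""
    markers = (
        re.compile(r"ctrl_upd_res: Reset management servers and id"),
        re.compile(r'set service-account-id ""'),
    )
    return [ln for ln in debug_output.splitlines() if any(m.search(ln) for m in markers)]


def diagnose(contract_line: str, debug_output: str) -> str:
    """Verdict names are this example's own: a HomeServer assignment means the
    unit registered; reset markers afterwards match the symptom in this article."""
    registered = "HomeServer" in parse_contract_response(contract_line)["ResponseItem"]
    if registered and account_reset_events(debug_output):
        return "registered-then-reset"
    return "registered" if registered else "not-registered"
```

A "registered-then-reset" verdict on a unit whose `get system ha status` shows Mode: ConfigSync points at the root cause below rather than at a connectivity problem.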
Root cause:
This behavior occurs because "standalone-config-sync enable", combined with valid "hbdev" settings, makes the unit behave like an HA cluster. When only one of the two devices is registered on FortiCloud, the two units conflict over the cloud account, which causes the disconnections.
Solution:
- Add the other unit (FortiGate 2) to the same FortiGate Cloud account.
Run the command below to get the operating index of the other firewall:
get system ha status
Example:
Master: FGT6HD3914800069, HA operating index = 0
Slave : FGT6HD3914800153, HA operating index = 1
Reminder: The following command can be used to connect to the Secondary/Slave device CLI from the Primary CLI:
execute ha manage <id> <admin name>
After getting access, register the firewall to FortiCloud:
execute fortiguard-log login <account> <password> <domain>
Or:
- Disable standalone configuration sync:
config system ha
    set hbdev "a" 100
    set standalone-config-sync enable   <----- Solution: set this to disable.
    set override enable
    set priority 255
end