rmreddy
Staff
Article Id 335832
Description This article describes how to resolve an issue where HA is showing as out of sync due to a mismatch in FMWP rules.
Scope All FortiGates and all supported versions of FortiOS - NAT or transparent mode.
Solution

HA will show as 'out of sync' when FMWP rules are present in one of the firewalls but not in the other.

 

On the primary unit, the FMWP rules are present, as shown below:

 

config rule fmwp "HTTP.Chunk.Length.Invalid."
end


config rule fmwp "Fortinet.FortiGate.Cookie.Buffer.Overflow."
end


config rule fmwp "FortiOS.SSL.VPN.Web.Portal.Improper.Authentication."
end


config rule fmwp "FortiOS.SSL.VPN.Web.Portal.Information.Disclosure."
end


config rule fmwp "FortiOS.NodeJS.Proxy.Authentication.Bypass."
end


config rule fmwp "FortiOS.Malformed.RADIUS.Server.Response.Authentication.Bypass."
end


config rule fmwp "FortiOS.HTTPD.Content-Length.Memory.Corruption."
end


config rule fmwp "FortiOS.Httpsd.Daemon.Format.String."
end


config rule fmwp "FortiOS.Guest.Management.XSS."
end


config rule fmwp "FG-VD-54575.0day."
end


config rule fmwp "HTTP2.RST_STREAM.Rapid.Reset.DoS."
end

 

On the secondary device, there are no rules:

 

config rule fmwp

end

 

On the primary device, the FMWP definition version is up to date; on the secondary, the version is 0. Check with the command below. Of the two outputs shown, the first (Version: 0.00000) is from the secondary and the second (Version: 24.00020) is from the primary.

 

diagnose autoupdate versions | grep -A3 'FMWP'

 

FMWP Definitions:
---------
Version: 0.00000
Contract Expiry Date: Thu May 1 2025
Last Updated using manual update on Mon Jan 1 00:00:00 2001
Last Update Attempt: n/a
Result: Updates Installed

 

FMWP Definitions
---------
Version: 24.00020
Contract Expiry Date: Thu May 1 2025
Last Updated using manual update on Tue Feb 13 17:03:00 2024
Last Update Attempt: n/a
Result: Updates Installed

 

The reason is that the secondary device either sits in an air-gapped network and cannot reach FortiGuard, or has scheduled updates disabled, so it never received the FMWP definitions.
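An off-box check of the two symptoms above, added here as an example and not part of Fortinet's own tooling: it parses the 'diagnose autoupdate versions | grep -A3 FMWP' output and the 'config rule fmwp' listing captured from each HA member, then reports the version mismatch and the rules missing on one side, so the unit that needs 'execute update-now' is identified before touching the cluster. The sample text is copied from this article's output (the rule list is shortened); the command that produces the 'config rule fmwp' lines is not named in the article and is assumed to be a configuration 'show'.

```python
"""Compare FMWP definition versions and rule sets captured from two HA members.

Added example, not code from the Fortinet article. FortiOS has no scripting
shell, so the CLI output is captured (e.g. over SSH) and compared here.
"""
import re

# Constructed sample: captured from the primary unit (values from the article).
PRIMARY_VERSIONS = """\
FMWP Definitions
---------
Version: 24.00020
Contract Expiry Date: Thu May 1 2025
Last Updated using manual update on Tue Feb 13 17:03:00 2024
Last Update Attempt: n/a
Result: Updates Installed
"""

# Constructed sample: captured from the secondary unit (values from the article).
SECONDARY_VERSIONS = """\
FMWP Definitions
---------
Version: 0.00000
Contract Expiry Date: Thu May 1 2025
Last Updated using manual update on Mon Jan 1 00:00:00 2001
Last Update Attempt: n/a
Result: Updates Installed
"""

# Constructed sample: a shortened copy of the article's primary rule list
# (assumed to come from a 'show' of the rule fmwp configuration).
PRIMARY_RULES = """\
config rule fmwp "HTTP.Chunk.Length.Invalid."
end
config rule fmwp "FortiOS.Guest.Management.XSS."
end
config rule fmwp "HTTP2.RST_STREAM.Rapid.Reset.DoS."
end
"""

# Constructed sample: the empty listing the article shows on the secondary.
SECONDARY_RULES = """\
config rule fmwp
end
"""


def parse_fmwp_version(text):
    """Return the FMWP 'Version:' string from autoupdate output, or None if absent."""
    m = re.search(r"FMWP Definitions:?\s*\n-+\s*\nVersion:\s*(\S+)", text)
    return m.group(1) if m else None


def parse_fmwp_rules(text):
    """Return the set of quoted rule names found on 'config rule fmwp "<name>"' lines."""
    return set(re.findall(r'^config rule fmwp\s+"([^"]+)"', text, re.MULTILINE))


def stale_definition(version):
    """True when a unit has never received FMWP definitions (version 0), the article's symptom."""
    return version is not None and float(version) == 0.0


def compare_ha_members(primary_versions, secondary_versions, primary_rules, secondary_rules):
    """Return a dict describing every FMWP difference between the two HA members."""
    pv, sv = parse_fmwp_version(primary_versions), parse_fmwp_version(secondary_versions)
    pr, sr = parse_fmwp_rules(primary_rules), parse_fmwp_rules(secondary_rules)
    report = {
        "primary_version": pv,
        "secondary_version": sv,
        "version_mismatch": pv != sv,
        "missing_on_secondary": sorted(pr - sr),  # rules the secondary lacks
        "missing_on_primary": sorted(sr - pr),    # rules the primary lacks
    }
    report["in_sync"] = not (report["version_mismatch"]
                             or report["missing_on_secondary"]
                             or report["missing_on_primary"])
    return report


def units_needing_update(report):
    """Name the members on which 'execute update-now' should be run."""
    units = []
    if stale_definition(report["primary_version"]) or report["missing_on_primary"]:
        units.append("primary")
    if stale_definition(report["secondary_version"]) or report["missing_on_secondary"]:
        units.append("secondary")
    return units


if __name__ == "__main__":
    r = compare_ha_members(PRIMARY_VERSIONS, SECONDARY_VERSIONS, PRIMARY_RULES, SECONDARY_RULES)
    print(f"primary FMWP {r['primary_version']}  secondary FMWP {r['secondary_version']}")
    for name in r["missing_on_secondary"]:
        print(f"  missing on secondary: {name}")
    print("in sync" if r["in_sync"] else f"out of sync, run execute update-now on: {units_needing_update(r)}")
```

Once both units report the same version and the rule sets match, the HA checksums compared with 'diagnose sys ha checksum cluster' should agree again; if they do not, the remaining difference lies outside the FMWP rules.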


Solution:

Run 'execute update-now' on the affected unit. This refreshes the license and the FMWP definition, the missing FMWP rules are installed on that firewall, and the cluster then shows as in sync. Enable the update debug first to watch the download:

 

diagnose debug application update -1

diagnose debug enable

execute update-now

 

Troubleshooting commands:

 

diagnose autoupdate versions | grep -A3 FMWP
fnsysctl ls /etc/fmwp.rules -l
get system ha status
diagnose sys ha checksum cluster
diagnose sys ha checksum recalculate

 

Manually force the HA synchronization using the commands below:

Force the Backup unit to synchronize with the Primary unit. On the Backup unit:

 

execute ha synchronize start

 

A simple recalculation of checksums might help. On the Primary unit:

 

diagnose sys ha checksum recalculate <-- Then check again if synchronized.

 

On backup units:

 

diagnose sys ha checksum recalculate <-- Then check again if synchronized.

Note:

If the cluster still stays out of sync, try failing over to the secondary unit and run the same commands again:

 

diagnose debug application update -1

diagnose debug enable

execute update-now