Go to System -> HA and check if the secondary firewall is out of sync. Hover over the status, and it will show that it is out of sync due to 'antivirus.profile'.

The difference can be checked through the CLI using the following command, which will provide the checksum for all the available antivirus profiles in the current Firewall:

diagnose sys ha checksum show <vdom_name> antivirus.profile  <----- Run this command on both FortiGates in the cluster.

For example, the command would be:

diagnose sys ha checksum show root antivirus.profile

 The output from each FortiGate should then be compared to check for any differences in the checksum.

'FGT1':

'FGT2':

As shown in the figure above, Default_PT has a different hash value on both the HA peers.

To identify what exactly is not matching in the Default_PT antivirus profile, the below checksum can be verified on both peers.

diagnose sys ha checksum show root antivirus.profile Default_PT
[name]='Default_PT': b251f1842a156d1fc81e44f0cd8c30f1
[http]:
[av-scan]='block': 2bf0c854ff2e0380fcc679b7779f6912
[ftp]:
[av-scan]='block': 2bf0c854ff2e0380fcc679b7779f6912
[imap]:
[av-scan]='block': 2bf0c854ff2e0380fcc679b7779f6912
[pop3]:
[av-scan]='block': 2bf0c854ff2e0380fcc679b7779f6912
[smtp]:
[av-scan]='block': 2bf0c854ff2e0380fcc679b7779f6912

Run the same command on both primary and secondary devices, and it will reflect what exactly under Default_PT is not matching.

Review and edit the Antivirus Profile that does not match to identify any differences. Once the discrepancies are resolved, the HA pair will synchronize again.

Related article:

Troubleshooting Tip: How to troubleshoot HA synchronization issue using GUI and CLI on FortiGate/For...