FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
adimailig
Staff & Editor
Article Id 380207
Description This article describes the debug log error seen when licenses fail to update because FortiGate HA cluster members are registered to different accounts.
Scope FortiGate.
Solution

Beginning in late February 2025, there is a change in how FortiGuard backend servers return contracts for FortiGate Clustering Protocol HA cluster members.

When the FortiGates in an HA cluster are registered to different accounts (example below), the FortiGuard update will fail:
FGVM04TMXXXXXX03 is registered to account 'account_1@fortinet.com', while FGVM04TMXXXXXX04 is registered to account 'account_2@fortinet.com'.

 

Affected clusters are unable to perform firmware upgrades and cannot download antivirus and other UTM signatures. Web Rating continues to function as expected.

 

This issue also occurs when one of the FortiGates in the HA cluster is not registered to an account. Ensure that both HA members are registered under the same account.

 

Diagnose commands:

diagnose debug disable

diagnose debug reset

diagnose debug application update -1
diagnose debug enable
execute update-now

 

When completed, clear the debugging with the following command:

 

diagnose debug disable

diagnose debug reset

 

Debug log output and error:

 

upd_act_report_fmg_list[846]-ContractItem (1) does not contain all HA (2): FGVM04TMXXXXXX03
<>
upd_status_set_ha_expiry[1532]-Serial Number: FGVM04TMXXXXXX03 - contract processed
upd_status_set_ha_expiry[1498]-Extracting contract... (SupportLevelDesc=06:Web/Online*10:8x5*20:Premium)
<>
upd_status_set_ha_expiry[1547]-Missing contracts, got 1, expect 2
upd_status_set_ha_expiry[1565]-Reset expiry
do_update[690]-UPDATE failed
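
To check a saved capture of this debug output for the signature above, a parser along these lines can be used. This is an added example, not Fortinet code; the function and field names are hypothetical, and the sample input is the failing output copied from this article.

```python
import re

# Patterns match the update-daemon debug lines quoted in this article.
NOT_ALL_HA = re.compile(
    r"ContractItem \((\d+)\) does not contain all HA \((\d+)\): (\S+)")
MISSING = re.compile(r"Missing contracts, got (\d+), expect (\d+)")
PROCESSED = re.compile(r"Serial Number: (\S+) - contract processed")
FAILED = re.compile(r"do_update\[\d+\]-UPDATE failed")

# Sample input: the failing output shown above, copied from the article.
SAMPLE_FAILURE = """\
upd_act_report_fmg_list[846]-ContractItem (1) does not contain all HA (2): FGVM04TMXXXXXX03
upd_status_set_ha_expiry[1532]-Serial Number: FGVM04TMXXXXXX03 - contract processed
upd_status_set_ha_expiry[1498]-Extracting contract... (SupportLevelDesc=06:Web/Online*10:8x5*20:Premium)
upd_status_set_ha_expiry[1547]-Missing contracts, got 1, expect 2
upd_status_set_ha_expiry[1565]-Reset expiry
do_update[690]-UPDATE failed
"""


def check_ha_contracts(debug_text):
    """Summarise HA contract handling found in captured debug output."""
    report = {
        "processed_serials": PROCESSED.findall(debug_text),
        "named_serial": None,   # serial printed on the ContractItem line
        "got": None,
        "expected": None,
        "update_failed": bool(FAILED.search(debug_text)),
    }
    for pattern in (NOT_ALL_HA, MISSING):
        m = pattern.search(debug_text)
        if m:
            report["got"], report["expected"] = int(m.group(1)), int(m.group(2))
            if pattern is NOT_ALL_HA:
                report["named_serial"] = m.group(3)
    # Fewer contracts returned than HA members is the condition this article
    # ties to mismatched or missing account registration.
    report["contracts_missing"] = (
        report["expected"] is not None and report["got"] < report["expected"])
    return report


if __name__ == "__main__":
    for key, value in check_ha_contracts(SAMPLE_FAILURE).items():
        print(f"{key}: {value}")
```

When `contracts_missing` and `update_failed` are both true, compare the account registration of every serial number in the cluster before retrying the update.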

 

Solution: 

Make sure that FortiGate HA cluster members are registered to the same account.

The steps below can be used to resolve the issue and transfer an account in the GUI:

  • Go to Dashboard -> Status.
  • In the Licenses widget, select the Support link, then select Transfer FortiGate to Another Account.
  • Select next. Review the information, then select Transfer.

 

After the transfer, both FGVM04TMXXXXXX03 and FGVM04TMXXXXXX04 are registered to account 'account_2@fortinet.com'.

 
Debug log output:

upd_act_HA_contract_info[717]-ContractItem FGVM04TM24004202*FGVM04TM24004203

<>

upd_status_set_ha_expiry[1532]-Serial Number: FGVM04TMXXXXXX03 - contract processed

upd_status_set_ha_expiry[1498]-Extracting contract...(SerialNumber=FGVM04TMXXXXXX04|Contract=AVDB-1-06-20250710:0:1:1:0*AVEN-1-06-20250710:0:1:1:0*COMP-1-20-20250710:0:1:1:0*

ENHN-1-20-20250710:0:1:1:0*FAZC-1-06-20250710:0:1:1:0*FCSS-1-10-20250710:0:1:1:0*FGSA-1-06-20250710:0:1:1:0*

FMGC-1-06-20250710:0:1:1:0*FMWR-1-06-20250710:0:1:1:0*FRVS-1-06-20250710:0:1:1:0*FURL-1-06-20250710:0:1:1:0*

IOTH-1-06-20250710:0:1:1:0*IPMC-1-06-20250710:0:1:1:0*ISSS-1-06-20250710:0:1:1:0*NIDS-1-06-20250710:0:1:1:0*

SPAM-1-06-20250710:0:1:1:0*SPRT-1-20-20250710:0:1:1:0*SWNC-1-06-20250710:0:1:1:0*SWNM-1-06-20250710:0:1:1:0*

SWNO-1-06-20250710:0:1:1:0*

ZHVO-1-06-20250710:0:1:1:0|AccountID=account_2@fortinet.com|Industry=Technology|Company=Fortinet Security Philippines Inc.|UserID=13XXX36)

 

update_status_obj[761]-SBCL contract expiry=Thu Jul 10 08:00:00 2025

 level(6) alert(0)

update_status_obj[761]-AVDB contract expiry=Thu Jul 10 08:00:00 2025

 level(6) alert(0)

<>

upd_status_set_ha_expiry[1532]-Serial Number: FGVM04TMXXXXXX04 - contract processed

upd_status_set_ha_expiry[1498]-Extracting contract...(SupportLevelDesc=06:Web/Online*10:8x5*20:Premium)

 

Workaround

FortiGates being registered to the same FortiCare account is a requirement for the FGCP clustering protocol for all versions. There are no long-term workarounds.

 

As a temporary workaround, an administrator can shut down the other cluster member or isolate it from the rest of the network, as shown in the article Technical Tip: How to add or replace a unit in High Availability (HA) cluster. After this, a FortiGuard update can be performed from the remaining cluster member.

 

diagnose debug application update -1
diagnose debug enable
execute update-now

 

After the update, restore the other member to the cluster.

 

To transfer the device registration to the correct account, either contact Fortinet user support or follow the steps outlined in the document Transfer a device to another FortiCloud account through the FortiGate GUI.

 

If moving the devices into the same account is not possible, FortiGate Session Life Support Protocol (FGSP) can be an alternative redundancy method for some topologies. If reconfiguring an existing FGCP HA cluster to instead use FGSP HA, an administrator would typically also configure VRRP so the secondary firewall can share the same local IP addresses as the primary. See the articles v7.6.2 Administration Guide: FGSP and v7.6.2 Administration Guide: VRRP. This should be treated as a migration or new deployment and performed during a maintenance window.

 

Note:

If FortiGate-VM is hosted in the cloud with a PAYG license, it shows no contract. The secondary FortiGate-VM also does not show in asset management on FortiCloud because the secondary device has been passive for a long time.
Try an HA cluster failover so that the secondary device acts as active and reaches a FortiGuard server. It will then register in asset management on FortiCloud and also show the correct support on FortiGate.

 

Related articles:

Technical Tip: The license still shows as expired after renewal

Technical Tip: Device License is not reflecting in FortiGate dashboard

Troubleshooting Tip: License not reflected in the GUI

Technical Tip: FortiGate license expiry date incorrect

Technical Tip: Entitlement File for Device in Air-Gap Environment