FortiGate
bstefanovski
Staff
Article Id 426793
Description

This article describes an issue where a stuck hasync process causes an HA desynchronization.

Scope

FortiGate.
Solution

This issue is triggered after a firmware upgrade: the HA cluster goes out of sync even though both devices are otherwise working normally.

HA out-of-sync means the primary and secondary devices no longer have the same configuration. In this case it was specifically related to firewall.service.category, an internal database table used to organize firewall service objects. A mismatch in this table usually happens after an upgrade or when synchronization is interrupted, causing the checksum values on the two units to differ.

 

When hovering over the HA device in the GUI, firewall.service.category is listed with a checksum mismatch.

Run the following command on both HA members:

diagnose system ha checksum show root firewall.service.category

If the mismatch is associated with a different VDOM, replace root with the appropriate VDOM name:

diagnose system ha checksum show <VDOM_NAME> firewall.service.category

The command displays the checksum hash value for each service category (General, Web Access, File Access, and so on).

If the values differ between the primary and secondary units, the database is out of sync.
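The comparison just described, as an added example that is not part of this article or of FortiOS: a small Python script that parses the checksum output captured from each HA member and lists the entries whose values differ. The two sample captures and their 'name: hex' line format are constructed for illustration and are not verbatim device output, so adjust LINE_RE if your unit prints the table differently. The same comparison applies when the validation is re-run after the resynchronization steps.

```python
"""Added example (not from the Fortinet article): compare the output of
'diagnose system ha checksum show <vdom> firewall.service.category'
captured from the primary and the secondary HA member and list which
entries carry a different checksum.

The 'name: hexchecksum' line format used in the samples below is an
assumption for illustration; adjust LINE_RE if your unit prints the
table differently.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample captures (not real device output): the secondary unit
# differs on the table-level checksum and on the "File Access" category.
PRIMARY_OUTPUT = """\
firewall.service.category: 7c0e5b4d2a91f3e8
General: 1a2b3c4d5e6f7081
Web Access: 9f8e7d6c5b4a3928
File Access: 0123456789abcdef
"""

SECONDARY_OUTPUT = """\
firewall.service.category: 3f3f3f3f3f3f3f3f
General: 1a2b3c4d5e6f7081
Web Access: 9f8e7d6c5b4a3928
File Access: ffffffffffffffff
"""

# One entry per line: a name (may contain spaces or dots), a colon, a hex checksum.
LINE_RE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<hash>[0-9a-fA-F]+)\s*$")


def parse_checksums(text: str) -> Dict[str, str]:
    """Map entry name -> checksum (lower-cased hex); lines that do not match are ignored."""
    checksums: Dict[str, str] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            checksums[match.group("name")] = match.group("hash").lower()
    return checksums


def compare_checksums(
    primary: Dict[str, str], secondary: Dict[str, str]
) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {name: (primary_hash, secondary_hash)} for every entry that differs
    or exists on only one side. An empty dict means the two captures agree."""
    mismatches: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for name in sorted(set(primary) | set(secondary)):
        p_hash, s_hash = primary.get(name), secondary.get(name)
        if p_hash != s_hash:
            mismatches[name] = (p_hash, s_hash)
    return mismatches


def ha_in_sync(primary_text: str, secondary_text: str) -> bool:
    """True when both captures parse to identical checksums."""
    return not compare_checksums(parse_checksums(primary_text), parse_checksums(secondary_text))


def format_report(mismatches: Dict[str, Tuple[Optional[str], Optional[str]]]) -> str:
    """Human-readable summary; '-' marks an entry missing on one member."""
    if not mismatches:
        return "in sync: all checksums match"
    lines = ["OUT OF SYNC: %d entries differ" % len(mismatches)]
    for name, (p_hash, s_hash) in mismatches.items():
        lines.append("  %-30s primary=%s secondary=%s" % (name, p_hash or "-", s_hash or "-"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Paste each member's CLI output into the two constants above, then run the script.
    diff = compare_checksums(parse_checksums(PRIMARY_OUTPUT), parse_checksums(SECONDARY_OUTPUT))
    print(format_report(diff))
```

Running the script against the constructed captures reports the table-level checksum and the File Access category as mismatched, while General and Web Access agree; once both members return identical output after resynchronization, the report reads "in sync".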

 

Solution:

Restart the HA synchronization process on both devices by executing the following command on both HA members:

fnsysctl killall hasync

After restarting the process, force a full HA synchronization from the primary unit.

First, recalculate the checksums on both units:

diagnose system ha checksum recalculate

Then start the synchronization:

execute ha synchronize start    <--- Only on the primary unit.

Re-run the checksum validation on both HA members:

diagnose system ha checksum show root firewall.service.category

 

Note:
If the steps above do not resolve the issue, reboot the secondary HA device first. After the secondary device is fully online and visible in the HA cluster, reboot the primary device during a maintenance window.

If the issue persists or additional problems occur, open a new support ticket with Fortinet TAC.


Related article:

Troubleshooting Tip: 'system.federated-upgrade' causes HA desync