How to fix a secondary HA device that is out of sync due to a missing default Microsoft ISDB after upgrade

This article describes how to sync out-of-sync HA devices after a firmware upgrade.

Scope

FortiGate.

Solution

After upgrading FortiGate HA devices, there are a few scenarios in which the secondary HA device is not in sync with the primary even though all configurations match. Some default address objects, such as the ISDB values for Microsoft or Google sites, may be missing, which causes the out-of-sync state.

After upgrading, check both devices for any configuration errors:

diagnose debug config-error-log read

In the example below, the firewall address object checksum differs between the two devices, which caused the out-of-sync state.

Try a manual sync by recalculating the checksum.

If the above step does not work, reboot the secondary FortiGate and wait for the sync.

Try to update the ISDB using the below process after failing over to secondary:

diag debug disable
diag debug enable
diag debug application update -1
execute update-now

After the update is completed, stop the debugs:

diag debug disable

Check whether the ISDB database is updated on both devices by running the command below:

diagnose autoupdate versions | grep Industrial -A 5
Industrial Attack Definitions
---------
Version: 27.00775 signed
Contract Expiry Date: Sat Oct 3 2026
Last Updated using scheduled update on Thu Apr 25 12:56:20 2024
Last Update Attempt: Sat Apr 27 01:20:26 2024
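
The following added example (not part of the original article and not Fortinet code) compares the 'diagnose autoupdate versions' output saved from both units and lists every database whose version differs or is absent on one side. It assumes each section is a title line, a line of dashes and a 'Version:' line, as in the output above; the function names and the 'Example Database' sections are made up for illustration.

```python
import re

def parse_versions(text):
    """Map each section name to its version in 'diagnose autoupdate versions' output."""
    versions, section = {}, None
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        following = lines[i + 1] if i + 1 < len(lines) else ""
        if line and re.fullmatch(r"-{3,}", following):
            section = line  # a title is the line directly above a dash rule
            continue
        m = re.match(r"Version:\s*(\S+)", line)
        if m and section:
            versions[section] = m.group(1)
    return versions

def compare_units(primary_text, secondary_text):
    """Return (section, primary_version, secondary_version) for each difference.
    A version of None means the section is absent from that unit's output."""
    p, s = parse_versions(primary_text), parse_versions(secondary_text)
    return [(n, p.get(n), s.get(n)) for n in sorted(set(p) | set(s)) if p.get(n) != s.get(n)]

# Constructed sample output, not captured from real devices. The first block is
# the one shown in the article; "Example Database A/B" are made-up section names.
PRIMARY = """\
Industrial Attack Definitions
---------
Version: 27.00775 signed
Contract Expiry Date: Sat Oct 3 2026

Example Database A
---------
Version: 7.03701 signed

Example Database B
---------
Version: 1.00012 signed
"""
SECONDARY = """\
Industrial Attack Definitions
---------
Version: 27.00775 signed
Contract Expiry Date: Sat Oct 3 2026

Example Database A
---------
Version: 7.03650 signed
"""

if __name__ == "__main__":
    for name, pv, sv in compare_units(PRIMARY, SECONDARY):
        print(f"MISMATCH {name}: primary={pv} secondary={sv or 'missing'}")
```

Paste the full, unfiltered command output from each unit in place of the sample strings so that every database section is compared.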

If the device still shows out of sync, use the below to manually modify the primary unit configuration file and restore it to the secondary unit.