FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi
Staff & Editor
Article Id 370830
Description This article describes the steps required to fully restore a FortiNAC server after a system failure or when redeployment is needed.
Scope FortiNAC-F v7.4.x, v7.6.x.
Solution

A full restoration of FortiNAC requires that administrators already have the system configuration files and the database file stored locally or in a remote location.

 

Location of these files in FortiNAC:

  1. System configuration files:
  • Stored at /bsc/backups/<Hostname>.
  • The system files contain configuration settings such as the Config Wizard, DHCP Scopes, routes, etc.
  • These files are located under the folder with the respective server Hostname.
  • In this example, the FortiNAC hostname is 'naclab1'. All configuration files are located in the folder /bsc/backups/naclab1/.

 

  2. Database file:

  • Stored as /bsc/backups/database/FortiNAC_DataBase_BackUp_<yy_mm_dd_hh_mm_ss>_<Hostname>.gz.
  • The database file contains all Network inventory devices, User & Host profiles, Policies, and other configurations applied through the Administration UI.
  • Alarms and Events, Connection Logs, and Scan Results are not included.

 

System files and Database files should be regularly backed up and stored in remote locations. The following KB article, Technical Tip: FortiNAC Hardening, provides recommendations on keeping backup plans and procedures in place.

 

The following scenario shows the restoration procedure when FortiNAC is manually factory reset. However, the same steps can be applied when it is required to deploy FortiNAC to a new VM instance or if the system has crashed and it is required to restore services from scratch.

 

Step 1. Confirm Backup files are stored in a remote location or on a local machine where tftp/ftp/scp access to FortiNAC is available.

Using a TFTP server application such as Tftpd64, it is possible to retrieve and transfer files with FortiNAC-F.

 

Store the System files and Database files on the local machine.

 

The system files are grouped under the folder named according to the Hostname of the FortiNAC server. In this case, it is 'naclab1'.

It is required to archive and compress this folder to be able to transfer it as a single file using the TFTP protocol.

 

naclab1 # execute enter-shell
naclab1:~$ cp -r /bsc/backups/naclab1 /home/admin/
naclab1:~$ tar -czf naclab1.tar.gz naclab1/
naclab1:~$ ll
total XXXX
.
.
1504692 -rw-r--r-- 1 admin admin 1540798445 Jan 17 11:42  naclab1.tar.gz
naclab1:~$ tftp -pr naclab1.tar.gz 10.10.10.3
naclab1:$ cd /bsc/backups/database/
naclab1:/bsc/backups/database$ tftp -pr FortiNAC_DataBase_BackUp_2025_01_17_11_46_50_naclab1.gz 10.10.10.3
naclab1:$ exit
naclab1 #

 

Step 2. Factory Reset FortiNAC from CLI:

After confirmation of having successfully stored both files on the local machine, proceed with the Factory reset.

If FortiNAC is being deployed to a new VM, this step is not required. A factory reset can be used in cases of system crashes or database corruption, when FortiNAC must be redeployed on the same VM.

 

naclab1 # execute reset all-settings
This operation will reset the system to factory defaults!
Do you want to continue? (y/N) y

 

This will clear all configurations and remove the license from the Appliance.

 

Step 3. Apply the initial configuration:

Using the console, check the system status and assign the initial IP configuration to port1.

 

Log in to the FortiNAC CLI using the following credentials:


User name = admin
Password = <blank>

 

Figure 1. FortiNAC initial configuration after Factory reset.

 

 

The user will be prompted to enter a new CLI password to proceed.

 

  1. Assign the IP address to the management port1 and configure the default route.

    naclab1 # config system interface
    naclab1 (interface) # edit port1
    naclab1 (port1) # set ip 10.10.10.6/24
    naclab1 (port1) # set allowaccess https-adminui ping radius radius-acct radius-local snmp ssh
    naclab1 (port1) # next
    naclab1 (interface) # end
    naclab1 # config system route
    naclab1 (route) # edit 1
    naclab1 (1) # set device port1
    naclab1 (1) # set gateway 10.10.10.1
    naclab1 (1) # next
    naclab1 (route) # end
    naclab1 #

  2. Get the license file.

 

Important consideration:

In case FortiNAC is being deployed to a new VM instance, it is required to update the license with the MAC and UUID of the new VM. This is done by creating a new Customer Support ticket in the Support Portal and sharing the MAC and UUID of the new VM.

This information can be collected from FortiNAC CLI:

 

naclab1 # get system license
EFFECTIVE:
serial = FNVMCATMXXXXXX
type = NetworkControlApplicationServer
level = PRO
count = 100000
expiration = 365 days
expired = false
mac = XXXXXXXXXX
uuid = XXXXXXXXXXXXX
certificates = [XXXXXX, XXXXXXX]

 

Once the change is applied by Customer support, proceed to support.fortinet.com and download the license file for the respective Serial Number.

 

Figure 2. License file download from support.fortinet.com

 

 

Apply the license file directly from the TFTP server:

 

fortinac # exec license import tftp FNVMCATMXXXXXXlic 10.10.10.3
Connect to TFTP server 10.10.10.3 ...
Retrieve license from TFTP server OK.
fortinac #

 

A couple of minutes might be required for the license to become effective.

Technical Tip: How to add a license to FortiNAC-F 7.* from the CLI provides more details and alternative methods for license import.

 

Confirm that the license is valid:

 

fortinac # get system status
Version: FortiNAC-HyperV v7.4.0,build0427,240228 (GA)
Serial-Number: FNVMCATMXXXXXX
License Status: Valid
License Expiration Date: Wed Jun 25 11:19:15 2025
Hostname: fortinac
Release Version Information: GA
System Time: Fri Jan 17 11:24:19 2025
fortinac #

 

Step 4. Restore the system files:

Using TFTP, transfer both the system files and the database file to the FortiNAC /home/admin directory.

 

fortinac # execute enter-shell
fortinac:~$ tftp -gr naclab1.tar.gz 10.10.10.3
fortinac:~$ tftp -gr FortiNAC_DataBase_BackUp_2025_01_17_11_46_50_naclab1.gz 10.10.10.3
fortinac:~$ ll
total 1506372
      4 -rwxr-xr-x 1 admin admin        241 Mar  9  2018 .profile*
      4 -rwxr-xr-x 1 admin admin        410 Mar  9  2018 .bashrc*
      4 drwxr-xr-x 3 admin admin       4096 Jan 17 11:05 .cache/
      4 -rw------- 1 admin admin         25 Jan 17 11:21 .bash_history
1504692 -rw-r--r-- 1 admin admin 1540798445 Jan 17 11:41 naclab1.tar.gz
   1664 -rw-r--r-- 1 admin admin    1703555 Jan 17 11:41 FortiNAC_DataBase_BackUp_2025_01_17_11_46_50_naclab1.gz
fortinac:~$

 

Extract the system files from the compressed archive.

 

fortinac:~$ tar -xzf naclab1.tar.gz
fortinac:~$ ll
      4 drwxr-xr-x 3 admin admin       4096 Jan 17 11:43 naclab1/

 

All system files are stored in the folder 'naclab1'. Move the folder to the /bsc/backups/ path to perform the restore operation.

 

fortinac:~$ mv naclab1 /bsc/backups/
fortinac:~$ ll /bsc/backups/naclab1/
total xxxx
     4 -rw-r--r-- 1 admin admin       109 Jan 17 10:29 naclab1.20250117.root.tar.gz
   608 -rw-r--r-- 1 admin admin    621288 Jan 17 10:29 naclab1.20250117.etc.tar.gz
   512 -rw-r--r-- 1 admin admin    524148 Jan 17 10:29 naclab1.20250117.bsc-www.tar.gz
     4 -rw-r--r-- 1 admin admin       154 Jan 17 10:29 naclab1.20250117.bsc-VPN.tar.gz
     4 -rw-r--r-- 1 admin admin       162 Jan 17 10:29 naclab1.20250117.bsc-Remediation.tar.gz
     4 -rw-r--r-- 1 admin admin       162 Jan 17 10:29 naclab1.20250117.bsc-Registration.tar.gz
     4 -rw-r--r-- 1 admin admin       153 Jan 17 10:29 naclab1.20250117.bsc-Hub.tar.gz
     4 -rw-r--r-- 1 admin admin       156 Jan 17 10:29 naclab1.20250117.bsc-DeadEnd.tar.gz
     8 -rw-r--r-- 1 admin admin      4144 Jan 17 10:29 naclab1.20250117.bsc-CommonJspFiles.tar.gz
     4 -rw-r--r-- 1 admin admin       164 Jan 17 10:29 naclab1.20250117.bsc-Authentication.tar.gz
    20 -rw-r--r-- 1 admin admin     17062 Jan 17 10:29 naclab1.20250117.bsc-.runtime-data.tar.gz
750888 -rw-r--r-- 1 admin admin 768903119 Jan 17 10:29 naclab1.20250117.home-admin.tar.gz
    16 -rw-r--r-- 1 admin admin     12341 Jan 17 10:29 naclab1.20250117.bsc-siteConfiguration.tar.gz
    44 -rw-r--r-- 1 admin admin     41550 Jan 17 10:29 naclab1.20250117.bsc-campusMgr-master_loader-telnetMibs.tar.gz
     4 -rw-r--r-- 1 admin admin       148 Jan 17 10:29 naclab1.20250117.bsc-campusMgr-master_loader-customTraps.tar.gz
     4 -rw-r--r-- 1 admin admin       156 Jan 17 10:29 naclab1.20250117.bsc-campusMgr-master_loader-.cmrc.maintenance.gz
     4 -rw-r--r-- 1 admin admin       404 Jan 17 10:29 naclab1.20250117.bsc-campusMgr-master_loader-.cmrc.gz
     4 -rw-r--r-- 1 admin admin       469 Jan 17 10:29 naclab1.20250117.bsc-campusMgr-master_loader-.cmrc.copy.gz
     4 -rw-r--r-- 1 admin admin       167 Jan 17 10:29 naclab1.20250117.bsc-campusMgr-master_loader-.cmas.maintenance.gz
     4 -rw-r--r-- 1 admin admin       405 Jan 17 10:29 naclab1.20250117.bsc-campusMgr-master_loader-.cmas.gz
     4 -rw-r--r-- 1 admin admin       531 Jan 17 10:29 naclab1.20250117.bsc-campusMgr-master_loader-.cmas.copy.gz
     4 -rw-r--r-- 1 admin admin       207 Jan 17 10:29 naclab1.20250117.bsc-campusMgr-master_loader-.cm.maintenance.gz
     4 -rw-r--r-- 1 admin admin       424 Jan 17 10:29 naclab1.20250117.bsc-campusMgr-master_loader-.cm.gz
     4 -rw-r--r-- 1 admin admin       194 Jan 17 10:29 naclab1.20250117.bsc-campusMgr-master_loader-.cm.copy.gz
     4 -rw-r--r-- 1 admin admin      1068 Jan 17 10:29 naclab1.20250117.bsc-campusMgr-bin-.yams.gz
     4 -rw-r--r-- 1 admin admin        52 Jan 17 10:29 naclab1.20250117.bsc-campusMgr-bin-.sshaccountInfo.gz
     4 -rw-r--r-- 1 admin admin       244 Jan 17 10:29 naclab1.20250117.bsc-campusMgr-bin-.networkConfig.gz
     8 -rw-r--r-- 1 admin admin      7252 Jan 17 10:29 naclab1.20250117.bsc-campusMgr-bin-.config.properties.gz
     4 -rw-r--r-- 1 admin admin       409 Jan 17 10:29 naclab1.20250117.bsc-campusMgr-bin-.backup_config.gz
     8 -rw-r--r-- 1 admin admin      7603 Jan 17 10:29 naclab1.20250117.bsc-campusMgr-agent-scanConfig.tar.gz
     4 -rw-r--r-- 1 admin admin       142 Jan 17 10:29 naclab1.20250117.bsc-campusMgr-agent-customScanConfig.tar.gz
     8 -rw-r--r-- 1 admin admin      6174 Jan 17 10:29 naclab1.20250117.bsc-campusMgr-.licenseKey.gz
   128 -rw-r--r-- 1 admin admin    130501 Jan 17 10:29 naclab1.20250117.bsc-campusMgr-.keystore.gz
fortinac:~$
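
TFTP has no authentication or integrity protection of its own, and the backup set includes items such as the keystore and license key, so it is worth confirming that the files for the chosen date arrived complete and uncorrupted before restoring them. The script below is an added example, not part of the original article or any Fortinet tooling; the function names are hypothetical, and it assumes gzip, sed and sha256sum are available in the shell where it runs.

```shell
#!/bin/sh
# Added example (not Fortinet tooling): check a FortiNAC system-file backup set
# before 'execute restore backup local <Hostname> <Year-Month-Day>'.
# Assumes gzip, sed and sha256sum are available where it runs.

# Restore date (2025-01-17) -> stamp used in backup file names (20250117).
backup_stamp() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            printf '%s\n' "$1" | sed 's/-//g' ;;
        *) return 1 ;;
    esac
}

# check_backup_set DIR HOSTNAME YYYY-MM-DD
# Succeeds only if DIR holds <HOSTNAME>.<YYYYMMDD>.*.gz files and each one
# passes gzip's integrity test; corrupt files are named on stderr.
check_backup_set() {
    dir=$1; host=$2
    stamp=$(backup_stamp "$3") || { echo "bad date: $3" >&2; return 2; }
    found=0; bad=0
    for f in "$dir/$host.$stamp."*.gz; do
        [ -e "$f" ] || continue
        found=$((found + 1))
        if ! gzip -t "$f" 2>/dev/null; then
            echo "corrupt: $f" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$found" -gt 0 ] || { echo "no files for $host on $stamp" >&2; return 3; }
    [ "$bad" -eq 0 ]
}

# Record SHA-256 digests on the source server before the transfer ...
write_manifest() { (cd "$1" && sha256sum -- *.gz); }

# ... and compare them on the restored server after extraction.
verify_manifest() { (cd "$1" && sha256sum -c - >/dev/null) < "$2"; }

# Usage (paths from the article's example):
#   write_manifest /bsc/backups/naclab1 > naclab1.sha256     # Step 1
#   verify_manifest /bsc/backups/naclab1 naclab1.sha256      # Step 4
#   check_backup_set /bsc/backups/naclab1 naclab1 2025-01-17
```

The manifest is only as trustworthy as the channel it travels over, so it is best carried separately from the TFTP transfer.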

 

Perform the system files restoration by specifying the folder name and the date when the backup was taken in the following format:

 

Format: 

 

execute restore backup local 'Hostname' 'Year-Month-Day'.

 

fortinac # execute restore backup local naclab1 2025-01-17

A reboot is required to complete the backup restoration.

Do you wish to reboot now? (y/N) y

 

FortiNAC v7.2 and older do not have the CLI option to automatically restore files. To restore the system files, follow the steps in the FortiNAC backup/restore document.

 

Step 5. Access the FortiNAC GUI:

After the reboot, FortiNAC GUI can be accessed with the following credentials:

 

User: root

Password: YAMS

 

Accept the license agreement and set the Admin UI password and CLI password.  Check that the Config Wizard has successfully imported the Isolation settings and routes. Go to System -> ConfigWizard -> Summary.

 

Figure 3. Confirm that system files restoration has been correctly imported.

 

Once confirmed that all isolation scopes and routes are in place, select 'Apply' to submit the configuration. After the configuration is applied, select 'Reboot'.

 

Step 6. Restore the Database file:

As soon as FortiNAC is up and running after the reboot, move the Database file to the correct path to be able to restore it.

 

naclab1# execute enter-shell
naclab1:~$ mv FortiNAC_DataBase_BackUp_2025_01_17_11_46_50_naclab1.gz /bsc/backups/database/
naclab1:~$ ll /bsc/backups/database/
total 1664
1664 -rw-r--r-- 1 admin admin 1703555 Jan 17 11:41 FortiNAC_DataBase_BackUp_2025_01_17_11_46_50_naclab1.gz
naclab1:~$

 

At this point, the restore process can be done through the GUI or CLI. 

  1. GUI method: Go to System -> Settings -> System Management -> Database Backup/Restore.

 

Figure 4. Restore the Database through GUI

 

  2. CLI method.

 

naclab1 # execute restore database local FortiNAC_DataBase_BackUp_2025_01_17_11_46_50_naclab1.gz
Restoring FortiNAC_DataBase_BackUp_2025_01_17_11_46_50_naclab1.gz...
Restore complete
naclab1 #

 

The restore procedure is finished. At this point, it is recommended to evaluate event logs for any unexpected error events or failures and perform fine-tuning and hardening of the appliance.

 

Restore process in High-Availability Environments.

In such scenarios, the process for the Primary server stays the same.

For the Secondary Server, it is only required to have the System configuration files restored (step 4). The database will be automatically replicated once the HA is established.

 

When restoring an HA setup, both servers should be initially restored separately as standalone servers.

 

Steps:

  1. Import license and restore primary system configuration files on the Primary server.
  2. Import license and restore secondary system configuration files on the Secondary server.
  3. Confirm both servers are working as standalone servers and Isolation scopes are correctly updated on both.
  4. Restore the Database backup on the primary. Confirm Inventory is populated and FortiNAC has the correct interpretation of hosts and is able to learn hosts.
  5. Establish the HA process as per the High Availability (FortiNAC-OS) document.
  6. Test it as per '3: Perform Failover Test'.

 

Related documents:

Backup/restore operations

Technical Tip: Performance issue and some general recommendations

Technical Tip: How to add a license to FortiNAC-F 7.* from the CLI

Technical Tip: Useful CLI commands in FortiNAC-OS for troubleshooting

Technical Tip: FortiNAC general troubleshooting guide

Technical Tip: FortiNAC Hardening