Hello everyone, After finalizing the bulk registration using the Persistent Agent, I’m wondering what’s considered the best practice to register a brand new device.The issue I’m seeing is kind of a chicken and egg problem:New devices can’t access the network because they get isolated (no Persistent Agent yet) But to deploy the Persistent Agent with GPO, the device first needs to join the domain And to join the domain, it needs network access first...How are you guys usually handling first time onboarding for new company devices after the first enrollement ?BR,

There are two possibilities:Allow access to AD/DC from the isolation network through ‘Allowed Domains’ in FNAC and firewall policies in the network/security devices (may limit it only for dedicated isolation scopes where corporate PC are expected).Make the agent available for download through the portal and EPC, agent guide:https://docs.fortinet.com/document/fortinac-f/7.6.0/persistent-agent-deployment-and-configuration/385270/deployment-methods#_Toc137569219

ByteHaven

Explorer III

Solved

Best Practice for First-Time Device Registration

Forum|Forum|28 days ago
May 12, 2026
1 reply
78 views

Hello everyone,

After finalizing the bulk registration using the Persistent Agent, I’m wondering what’s considered the best practice to register a brand new device.

The issue I’m seeing is kind of a chicken and egg problem:

New devices can’t access the network because they get isolated (no Persistent Agent yet)
But to deploy the Persistent Agent with GPO, the device first needs to join the domain
And to join the domain, it needs network access first...

How are you guys usually handling first time onboarding for new company devices after the first enrollement ?

BR,

Best answer by ebilcari

There are two possibilities:

Allow access to AD/DC from the isolation network through ‘Allowed Domains’ in FNAC and firewall policies in the network/security devices (may limit it only for dedicated isolation scopes where corporate PC are expected).
Make the agent available for download through the portal and EPC, agent guide: https://docs.fortinet.com/document/fortinac-f/7.6.0/persistent-agent-deployment-and-configuration/385270/deployment-methods#_Toc137569219

ebilcariAnswer

Staff

There are two possibilities:

Allow access to AD/DC from the isolation network through ‘Allowed Domains’ in FNAC and firewall policies in the network/security devices (may limit it only for dedicated isolation scopes where corporate PC are expected).
Make the agent available for download through the portal and EPC, agent guide: https://docs.fortinet.com/document/fortinac-f/7.6.0/persistent-agent-deployment-and-configuration/385270/deployment-methods#_Toc137569219

Emirjon

AEK

SuperUser

Hi Emirjon

I usually allow hosts in isolation to access domain via these ports to authenticate: 88,135,389,445,636.

Please correct me if I’m wrong because probably it doesn’t need all these ports open.

AEK

ebilcari

Staff

I think all those ports are required. I always check Microsoft documentation to refresh my memory :)

The best way would be to monitor the activity on the firewall and then restrict access by allowing only the ports that are actually used, based on observed traffic.

Emirjon

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded