topic Re: PXE boot not working through FW in General Topics

PXE boot not working through FW

AlexanderMahmuzic — Thu, 06 May 2021 09:55:34 GMT

Hi all,

I have a FW with PanOS 9.1.7 that is causing PXE boot issues with TFTP protocol.

When traffic is not routed through the firewall it all works and I have seen several threads about this problem but no solution.

DHCP server: Windows Server 2012 R2 172.18.76.23

WDS server: 172.18.76.20

DHCP option 66: 172.18.76.20

DHCP option 67: \boot\x64\wdsnbp.com

Interface VLAN 10

ip address 172.28.76.1 255.255.255.0
ip helper-address 172.18.76.23
ip helper-address 172.18.76.20

When traffic is not routed through the firewall it works, but when its routed through the firewall I can see packets being accepted and packets sent but no packets received

Does anyone have a solution for this?

Uploaded a picture of the TFTP problem

Re: PXE boot not working through FW

BPry — Sun, 09 May 2021 05:14:36 GMT

@AlexanderMahmuzic,

I'm not seeing any image that you may have attached, but it appears that you did attempt to attach one. Have you verified that the firewall isn't dropping any traffic between these clients and your 172.18.76.20 host?

I current have this setup at quite a few sites and we have to have 4011/udp open to our SCCM host with the app-id set to unknown-udp or you need to create a custom app-id or an application-override entry. That's really the only "weird" thing to get this working however.

Re: PXE boot not working through FW

AlexanderMahmuzic — Wed, 12 May 2021 11:03:45 GMT

After further investigation with wireshark on the Windows Deployment Server it seems like the TTL of TFTP is being lowered on the second read bootfile request.

So the traffic doesn't even reach the WDS anymore...

TTL is lowered with 48 less than the first packet and the "distance" is too far away so the udp traffic is dropped on a router a few hops before.

Not an issue with palo