DHCP options and PXE boot

tlea · ‎06-12-2017

Hi,

we have just recently made a change in where we moved clients from one segment to a new one. We are using WDS for PXE boot and the WDS server (MDT 2013) is on a different segment than the clients. The Palo is our DHCP server for clients and we have defined some options in our DHCP scope (option 66 pointing to the WDS server and option 67 pointing to the bootfile).

This setup is not working, the PXE boot process stops telling me it cannot find the TFPT server (PXE-032). Any suggestions are much appreciated.

Regards,

Tony Lewis

TranceforLife · ‎06-12-2017

Get the PCAP from the Palo or client side (if possible) to see what palo is delivering in DHCPOFFER

_slv_ · ‎06-12-2017

Hi Tlea

I have identical situation like You

My config looks like:

On "new one" segment DHCP server You have to set option 66 and 67 - both options must point to your WDS server

Where is Your DHCP on PA or Windows servers?

REgards

SLawek

tlea · ‎06-12-2017

The DHCP is handled on the Palo Alto. Both the 66 and 67 options are set and pointing to the WDS server. Here's my config:

_slv_ · ‎06-12-2017

Hi

In my opinion something wrong is with your path \Boot\x64\wdsmgfw.efi

Maybe You can try with my path? - of course if Your WDS server have boot\x86\wdsnbp.com file - You can check it.

Are You sure that have sescurity policies thats allow traffic from 10.18.0.1/24 to 10.18.16.46?

Regards

Slawek

tlea · ‎06-12-2017

Hi Slawek and thanks for your response. I will change the boot file name to the one you are using. When it comes to security policies I'm not sure and will have to check this closer. I guess there will some policy in regards of TFTP needed?

I will check this first thing tomorrow morning.

Regards,

Tony

tlea · ‎06-13-2017

Hi Slawek, the change to boot\x86\wdsnbp.com did not help. Here's the output from the client

I'm guessing we have some problems with TFTP and I'm just thinking we might have to create a Policy-Based Forwarding rule for TFTP (port 69) between the client net and the server net? If you have any suggestions I'd be really happy!

Regards,

Tony

TranceforLife · ‎06-13-2017

Hi,

When your client receives a TFTP server information from the palo DHCP server, what can you see in the traffic logs on palo? Is your TFTP server in the same subnet as client or not (looks like it is not)? Are they in the same zone (same zone traffic is allowed by default).

tlea · ‎06-13-2017

Hi TranceforLife and thanks for your input. I cannot see any traffic using the monitor, and the TFTP server is in the server subnet, ie. not in the same subnet as the PXE client.

Regards,

Tony

TranceforLife · ‎06-13-2017

Client subnet and the server subnet are they in the same zone? If yes can you please override default Intra-zone policy or make sure you have login enabled on your current policy so you can see client attempts:

tlea · ‎06-13-2017

They are in different zones. I will make sure to follow your prevoius suggestion and enable logging, I'll post the result asap.

Regards,

Tony

TranceforLife · ‎06-13-2017

First, make sure that you allow the appropriate applications between the client/server zones!

tlea · ‎06-13-2017

Will do that. Thanks.

tlea · ‎06-13-2017

Hi, I've now checked the following;

We have a zone where the TFTP/WDS server is located (Frontend) and a zone where the PXE clients are located (Client). We have a security rule that permitts TFTP application (service > application default) between these zones. Could it be I'm not allowing the correct services, eventhough TFTP is permitted?

Regards,
Tony

TranceforLife · ‎06-13-2017

Could be. Just for test permit any any limiting security policy just for your client source ip address. What can you see in the logs?

Unlock your full community experience!

DHCP options and PXE boot

DHCP options and PXE boot

Show your appreciation!