05-06-2021 02:51 AM - edited 05-06-2021 02:55 AM
I have a FW with PAN-OS 9.1.7 that is causing PXE boot issues with the TFTP protocol.
When traffic is not routed through the firewall it all works and I have seen several threads about this problem but no solution.
DHCP server: Windows Server 2012 R2 172.18.76.23
WDS server: 172.18.76.20
DHCP option 66: 172.18.76.20
DHCP option 67: \boot\x64\wdsnbp.com
Interface VLAN 10
ip address 172.28.76.1 255.255.255.0
ip helper-address 172.18.76.23
ip helper-address 172.18.76.20
When traffic is not routed through the firewall it works, but when it's routed through the firewall I can see packets being accepted and packets sent but no packets received.
Does anyone have a solution for this?
Uploaded a picture of the TFTP problem.
05-08-2021 10:14 PM
I'm not seeing any image that you may have attached, but it appears that you did attempt to attach one. Have you verified that the firewall isn't dropping any traffic between these clients and your 172.18.76.20 host?
I currently have this setup at quite a few sites and we have to have 4011/udp open to our SCCM host with the app-id set to unknown-udp, or you need to create a custom app-id or an application-override entry. That's really the only "weird" thing to get this working, however.
05-12-2021 04:03 AM
After further investigation with Wireshark on the Windows Deployment Server it seems like the TTL of TFTP is being lowered on the second read bootfile request.
So the traffic doesn't even reach the WDS anymore...
The TTL is 48 lower than in the first packet, and the "distance" is too far away, so the UDP traffic is dropped on a router a few hops before.
Not an issue with Palo.
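The diagnosis above (a second TFTP read request arriving with a much lower IP TTL than the first, so it expires before reaching the WDS host) can be checked mechanically from a capture. The script below is an added example, not code from the thread or from Palo Alto Networks: it parses minimal IPv4/UDP/TFTP read-request packets and flags any client whose later RRQ to the same server carries a TTL that dropped by more than a threshold. The packets it runs on are constructed inline (addresses 172.28.76.50, 172.28.76.51 and the TTL values are assumptions for illustration); on real data you would feed it raw IPv4 packets pulled from a pcap.

```python
import socket
import struct

TFTP_PORT = 69
OPCODE_RRQ = 1


def build_ipv4_udp_tftp_rrq(src, dst, ttl, filename, mode="octet"):
    """Construct a minimal IPv4 + UDP + TFTP RRQ packet (sample data, not a capture).
    IP and UDP checksums are left at zero; the parser below does not verify them."""
    tftp = struct.pack("!H", OPCODE_RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"
    udp_len = 8 + len(tftp)
    udp = struct.pack("!HHHH", 49152, TFTP_PORT, udp_len, 0) + tftp
    total_len = 20 + len(udp)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, ttl, 17, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    return ip + udp


def parse_tftp_rrq(pkt):
    """Return {src, dst, ttl, filename, mode} for an IPv4/UDP TFTP RRQ to port 69,
    or None if the packet is anything else."""
    if len(pkt) < 28 or (pkt[0] >> 4) != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    if proto != 17:
        return None
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    udp = pkt[ihl:]
    if len(udp) < 8:
        return None
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if dport != TFTP_PORT:
        return None
    tftp = udp[8:ulen]
    if len(tftp) < 4 or struct.unpack("!H", tftp[:2])[0] != OPCODE_RRQ:
        return None
    fields = tftp[2:].split(b"\x00")
    if len(fields) < 2:
        return None
    return {
        "src": src,
        "dst": dst,
        "ttl": ttl,
        "filename": fields[0].decode(errors="replace"),
        "mode": fields[1].decode(errors="replace"),
    }


def find_ttl_drops(packets, threshold=8):
    """Group RRQs by (client, server) and report any later request whose TTL is at
    least `threshold` lower than the first request seen from that client.
    Returns a list of (client, server, filename, first_ttl, this_ttl, delta)."""
    first_ttl = {}
    findings = []
    for pkt in packets:
        req = parse_tftp_rrq(pkt)
        if req is None:
            continue
        key = (req["src"], req["dst"])
        if key not in first_ttl:
            first_ttl[key] = req["ttl"]
            continue
        delta = first_ttl[key] - req["ttl"]
        if delta >= threshold:
            findings.append((key[0], key[1], req["filename"], first_ttl[key], req["ttl"], delta))
    return findings


# Constructed sample traffic (assumed addresses; the WDS address is the one from the thread):
# client .50 sends its second RRQ with a TTL 48 lower, client .51 keeps a steady TTL.
WDS = "172.18.76.20"
SAMPLE_PACKETS = [
    build_ipv4_udp_tftp_rrq("172.28.76.50", WDS, 125, "boot\\x64\\wdsnbp.com"),
    build_ipv4_udp_tftp_rrq("172.28.76.51", WDS, 125, "boot\\x64\\wdsnbp.com"),
    build_ipv4_udp_tftp_rrq("172.28.76.50", WDS, 77, "boot\\x64\\wdsnbp.com"),
    build_ipv4_udp_tftp_rrq("172.28.76.51", WDS, 125, "boot\\x64\\wdsnbp.com"),
]

if __name__ == "__main__":
    for client, server, fname, t0, t1, delta in find_ttl_drops(SAMPLE_PACKETS):
        print(f"{client} -> {server} {fname}: TTL {t0} then {t1} (drop of {delta})")
```

Only RRQs to port 69 are inspected; the server's replies and the data transfer move to an ephemeral port and are not part of the check. A TTL drop on the order of the value reported in the thread means the client (or something in front of it) is emitting the second request with a far smaller initial TTL, which is why the packet expires on an intermediate router rather than being dropped by a security policy.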