Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
fwilliams
Staff & Editor
Staff & Editor

Created on ‎05-30-2022 12:53 AM Edited on ‎06-07-2025 01:09 PM By Moderator

Article Id 213404

Technical Tip: Configuring FortiGate for PXE Client booting

Description

 

This article describes the procedure to configure FortiGate for facilitating PXE booting.

 

Scope

 

FortiGate

 

Diagram

 

For-KB.JPG

 

Ensure the following configuration and infrastructure are in place before configuring FortiGate.

 

  1. TFTP PXE server hosting the installation file (know the file name).

  2. PXE-capable/enabled NIC (Network Interface Card) on the client (PXE Booting Client), and that broadcast originating from the PXE Booting Client can reach the FortiGate, which is acting as a DHCP server in this scenario:

 

Ensure that there is IP reachability between FortiGate and the TFTP PXE server (the PXE server can be on the same subnet or a different subnet than the PXE client).

 

Use case:

  1. To deploy an OS on VMs/PCs during the bootup process.
  2. If a machine has been required to boot using PXE.

 

Solution

 

Under DHCP configuration on FortiGate, provide the TFTP server IP address and file name on the server

 

config system dhcp server
    edit 1
        set next-server <IP address of a server> 

        set filename "Boot\\x64\\Images\\boot.win"  
end

next-server = example 192.168.10.1 - default type - string
set filename = some implementations might require the filename converted to HEX, some others does require the file to be in the root directory as the application can't grab inside folders. Please check the proper format on the vendor's documentation. 

 

Verifying / Troubleshooting: 

On FortiGate's SSH, use 'diagnose debug application dhcps -1' to collect more details about the DHCP transaction.

Look for the DHCPDISCOVER coming from the client, and let's make sure the client is requesting the DHCP options necessary for each implementation. Usually, options 60, 66, and 67 are pretty common. 

 

lcamilo_0-1676658667022.png

 

Make sure the FortiGate is sending out a DHCPOFFER. 

 

lcamilo_1-1676659106431.png

 

Use the packet sniffer to collect the DHCP transaction and open it on Wireshark.

filter on ports 67 and 68 UDP.

 

The DHCPDISCOVERY should look like this, and make sure it includes option 53: Technical Tip: Bootp relay.

 

lcamilo_2-1676659519589.png

 

The DHCPOFFER coming from the FortiGate should look like this: 

Make sure: 

  • The DHCP Server Identifier is the FortiGate IP.
  • It contains the Boot file name.
  • It contains option 53.
  • It contains the desired options like 60, 66, 67, or 150 ( It has been added for illustration purposes).

 

lcamilo_4-1676659820950.png

 

If the option is not visible in the DHCPOFFER, double-check if the client has included it in the DHCDISCOVERY. 


The PXE Client would also provide a nice indication that the DHCP options were received and processed correctly. 

 

lcamilo_5-1676660213081.png

 

Related articles: 

Technical Tip: Bootp relay

Technical Tip: DHCP Options

29909
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.