jalejoFTNT
Staff
Article Id 315820
Description: This article describes how to allow PXE boot in environments where the PXE Server is reached over an IPSec tunnel.
Scope: FortiGate.
Solution

Diagram: [image of the PXE boot topology: PXE Client, FortiGate, IPSec tunnel, PXE Server; not reproduced in this text]

Ensure the following infrastructure is in place before configuring the FortiGate:

  1. The PXE Server (TFTP) has the installation file.
  2. The PXE Client has the PXE feature enabled on its NIC (Network Interface Card).
  3. There is IP reachability from the FortiGate to the PXE Server (TFTP). In this scenario, the PXE Server is behind the IPSec VPN peer.


Context:

When the PXE Client sends a DHCPDISCOVER packet, it must reach the DHCP Server in order to receive a DHCPOFFER, and it must also reach the PXE Server in order to receive a DHCPOFFER carrying option 60 (the vendor class identifier, which for a PXE client is "PXEClient").

[image of the DHCPDISCOVER/DHCPOFFER packet flow; not reproduced in this text]

For the environment shown in the diagram, configure the following on the interface facing the PXE Client (port4):

config system interface
    edit "port4"
        set vdom "root"
        set dhcp-relay-service enable
        set ip 20.25.0.1 255.255.255.0
        set type physical
        set alias "from PXE Client"
        set snmp-index 3
        set dhcp-relay-ip "175.21.13.2"
        set dhcp-relay-request-all-server enable
    next
end


Ensure the following:

  • dhcp-relay-service is enabled: DHCPDISCOVER is a broadcast packet and cannot cross the tunnel as such; dhcp-relay-service converts it into a unicast packet addressed to the relay target so that it can reach the PXE Server.
  • dhcp-relay-ip is set to the PXE Server IP.
  • The IPSec tunnel is established, with routing and firewall policies that allow the unicast packet above from the FGT (which acts as the DHCP Server) to the PXE Server.
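The relay behaviour described above, as an added Python model that is not part of the article and not Fortinet code: it builds a PXE client's DHCPDISCOVER (constructed MAC and transaction ID), then applies the RFC 2131 relay-agent transformation, raising the hop count, filling giaddr with the relay interface address (port4, 20.25.0.1) and unicasting to dhcp-relay-ip (175.21.13.2), and checks for option 60 "PXEClient".

```python
import struct

BOOTREQUEST = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options at offset 236

def build_discover(mac: bytes, vendor_class: bytes = b"PXEClient") -> bytes:
    """DHCPDISCOVER as a PXE client broadcasts it: hops=0, giaddr=0, broadcast flag set."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      BOOTREQUEST, 1, 6, 0,            # op, htype=ethernet, hlen, hops
                      0x1234ABCD, 0, 0x8000,           # xid (constructed), secs, flags
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr yiaddr siaddr giaddr
                      mac, b"\0" * 64, b"\0" * 128)    # chaddr, sname, file
    opts = (b"\x35\x01\x01"                            # option 53: message type DISCOVER
            + bytes([60, len(vendor_class)]) + vendor_class  # option 60: vendor class
            + b"\xff")                                 # end option
    return hdr + MAGIC_COOKIE + opts

def parse_options(pkt: bytes) -> dict:
    """Return {option_code: raw value} for the TLV options after the magic cookie."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    i, opts = 240, {}
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                                # pad option, single byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def is_pxe_request(opts: dict) -> bool:
    """A PXE client identifies itself with option 60 starting with 'PXEClient'."""
    return opts.get(60, b"").startswith(b"PXEClient")

def relay(pkt: bytes, relay_if_ip: str, server_ip: str) -> tuple:
    """Model dhcp-relay-service: the broadcast is re-sent as unicast to server_ip,
    hops is incremented and giaddr (bytes 24..28) is set to the relay interface
    address if still zero, so the server answers back to that address over the tunnel."""
    hops = pkt[3] + 1
    giaddr = pkt[24:28]
    if giaddr == b"\0" * 4:
        giaddr = bytes(int(o) for o in relay_if_ip.split("."))
    return server_ip, pkt[:3] + bytes([hops]) + pkt[4:24] + giaddr + pkt[28:]

if __name__ == "__main__":
    discover = build_discover(b"\x00\x11\x22\x33\x44\x55")   # constructed client MAC
    dst, relayed = relay(discover, "20.25.0.1", "175.21.13.2")
    print("unicast to", dst, "giaddr", ".".join(map(str, relayed[24:28])),
          "pxe", is_pxe_request(parse_options(relayed)))
```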

Related articles:

Configuring FortiGate for PXE Client booting