The PXE (Preboot execution environment) called 'Pixie' is a set of standards that makes it possible to boot up a connected device (client), using a configuration provided from a TFTP server and received via network interface.

In this scenario:

This differs from the scenario described here: Configuring FortiGate for PXE Client booting.

The FortiGate in that scenario acts as a DHCP Server, while the FortiGate here acts as a DHCP Relay.

The packets flow will be as follows:

It is necessary in a firewall policy to allow packets 5 and 6 to be forwarded, as packet 5 will otherwise be discarded from the last implicit firewall policy and packet 6 will never be sent from the Server.

The firewall policy should have the following:

• The physical or virtual interface/s of PXE Client and Server (also if they’re on the same interface).
• As source IP, the scope associated to the source interface on the DHCP Server.
• As destination IP, the PXE Server IP
• All Ports used by client and server for PXE booting process.

Important notes:

• A FortiGate doesn’t support 'bootp relay', as explained here: Bootp Relay but packet 5 is not a 'bootp relay' packet.

Correlated documents and articles:

• Firewall Policy 
• PXE Boot over IPSec 
• Dynamic Host Configuration Protocol DHCP