Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Satory
New Contributor III

Created on ‎04-07-2023 10:11 AM

PXE and SCCM

We have the following setup: 

A FortiGate router in the middle of the network with few cisco switches, which host several VLAns.

Also we have a MS SCCM server in vlan 10 and a bunch of workstations in vlan 20, which should be booted trough PXE/SCCM and network install the OS.

 

So far we installed IP and DHCP on vlan 20, the PCs go till getting an IP address, but the SCCM boot and install is failing with "no boot device detected". How may I setup an working environment - the DHCP should stay on FortiGate. I tried to put ip helper-address on cisco in vlan 20, but that did not helped.

Labels:
2846
0 Kudos
9 REPLIES 9
gfleming
Staff
Staff

Created on ‎04-07-2023 07:44 PM

Is the FortiGate doing the inter-VLAN routing? Or is the Cisco?

If the FortiGate is doing the routing you need to ensure there is a FW policy allowing the PXE Boot traffic.

 

Do you know what protocol/ports the PXE boot is using? DO you need to make any special DHCP server configurations to make it work? Have you done that?

Cheers,
Graham
2826
0 Kudos
Satory
New Contributor III
In response to gfleming

Created on ‎04-10-2023 01:00 PM

Yes, the FortiGate is doing the routing and there is a rule, allowing the traffic.

2794
0 Kudos
gfleming
Staff
Staff
In response to Satory

Created on ‎04-10-2023 01:49 PM

And the rest of my questions?

 

Do you know what protocol/ports the PXE boot is using? DO you need to make any special DHCP server configurations to make it work? Have you done that?

Cheers,
Graham
2792
0 Kudos
Satory
New Contributor III
In response to gfleming

Created on ‎04-11-2023 02:32 AM

To be honest I have no idea - this is a standard laptop, which uses PXE boot from the boot menu. I believe it is using DHCP and then TFTP to download the files needed.
But this is completely different to the previous setup, where we have a IP Helper targeting the DHCP and SCCM server, which worked without problems. We have replaced the CISCO inter-vlan routing with the Fortigate device.

2785
0 Kudos
gfleming
Staff
Staff
In response to Satory

Created on ‎04-11-2023 09:26 AM

Given this is a Fortinet support forum we can't really help you with your SCCM and PXE boot configs. You'll need to know what the requirements are for those to work before we can help you on the FortiGate side—if it even is a FortiGate issue.

 

Has your DHCP server changed? Was it on the Cisco before? What was/is the DHCP config options?

 

Have you confirmed TFTP is being used? Have you seen policy hits on the FortiGate? Have you looked at packet caps/sniffers?

Cheers,
Graham
2777
0 Kudos
Wi3tse
New Contributor II
In response to gfleming

Created on ‎04-19-2023 11:34 PM

Hi Graham,

 

For PXE to work with SCCM we need a SECOND IP helper, next to the DHCP IP helper.

 

This is because the DHCP scope options are officially not support by Microsoft.

(I know it works, but running unsupported configs is never a good idea)

 

PXE clients don't start - Windows Server | Microsoft Learn

 

You can set an EXTRA IP helper on Cisco with cli: Router(config-if)# ip helper-address 172.16.1.2

 

On a Checkpoint with: set iphelper 172.16.1.2

 

What is the Fortinet equivalent of these commands?

 

Kind regards,

 

Wietse van Assema

 

 

Can you tell us how the above is done on a Fortinet

 

2698
gfleming
Staff
Staff
In response to Wi3tse

Created on ‎04-20-2023 08:35 AM

It is very simple to do the same on FortiGate:

 

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/783526/dhcp-servers-and-rela...

Cheers,
Graham
2678
0 Kudos
Satory
New Contributor III

Created on ‎04-20-2023 04:00 AM

The only solution I have found is to use the CISCO switch and define ip helper addresses.
The drawback - you have to define IP address of the switch in the same VLan, which is a security issue and we cannot use the FortiGate itself to do the ip helper, which is NOT OK!

2688
0 Kudos
gfleming
Staff
Staff
In response to Satory

Created on ‎04-20-2023 08:35 AM

You can absolutely use FortiGate to do DHCP relay (helper):

 

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/783526/dhcp-servers-and-rela...

Cheers,
Graham
2678
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.