
XG Firewall PXE boot v18

Hi all,

I'm having some trouble getting PXE boot working on our XG210 firewalls.

We have the XG acting as the DHCP server for our LAN, and in that LAN we have a PXE server that we use to image laptops (PXE server and LAN clients share the same switch and same VLAN). This is a small site, so although it's not best practice, this was working well for us when we had our Palo Alto firewall.

I have set options 66 and 67 in the console for the LAN DHCP scope, and yet when trying to PXE boot it does not work. I can see that it fails at the DHCP negotiation stage, but I see no reason as to why.

I've read various old posts about using business application rules, but as we're using v18 these no longer exist, and the NAT rules all seem aimed at external to internal NAT'ing.

Has anybody got this working, and would be willing to offer some advice on how to sort it, please?

Kind Regards

Michael



  • Hello Michael,

    I'm testing the same setup. I set the DHCP option to the IP of my WDS server and set option 67 to the boot image. The client gets an IP address and tries to load the boot image from the firewall instead of the WDS server. For this issue I implemented a NAT rule that forwards all TFTP traffic from the firewall IP to the WDS server IP. A newer (EFI) notebook downloads the boot image and stops after that. Another (old BIOS) notebook attaches some control characters to the boot filename and fails to load the boot image.

    When I configure the IP helper on Sophos and forward the DHCP traffic to a Windows DHCP server, everything works. But in this setup I have some issues with the IPsec tunnel mode (this setup is actually not supported).

    Ben

  • Hi Ben,

    Albeit frustrating, I'm glad it's not just me.

    Would you mind sharing your NAT rule, please? I'm curious as to whether mine is correct, and your devices get IPs and mine don't.

    Michael

  • Hello Michael,

    I used the DNAT Assistant:

    And the result is this firewall rule:

    and this NAT Rule:

    Hope this helps you.

    Ben

  • Hi Ben,

    Thanks for this.

    Sadly, it's still not working for us. I have engaged Sophos support on the matter too, so hopefully, they will be able to resolve it for me.

    Kind Regards

    Michael

  • Please try changing your firewall rule destination to a network address range, not an IP address.

    Ian
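The two symptoms in this thread, a DHCP negotiation that fails for no visible reason and a client that fetches the boot image from the firewall rather than from the WDS server, can be narrowed down by decoding the DHCPACK the client actually receives. The following is an added example, not code from the thread, from Sophos or from any participant: it builds two constructed DHCPACKs (the 192.168.1.x addresses and the bootfile name are invented for the example) and reports the fields a PXE ROM acts on. It assumes, as most PXE ROMs do, that the TFTP server is taken from the `siaddr` ("next server") field when that field is set and from option 66 otherwise, and it flags an option 67 value without a trailing NUL, since legacy BIOS ROMs that read the field as a C string can pick up trailing bytes, which matches the "control characters appended to the filename" symptom.

```python
"""Decode a DHCP OFFER/ACK and report the fields a PXE client acts on.

Added diagnostic example (not from the thread or from Sophos). Sample
packets below are constructed; addresses and filenames are invented.
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_TFTP_SERVER, OPT_BOOTFILE, OPT_END = 53, 54, 66, 67, 255

# Constructed addresses for the example, not taken from the original post.
FIREWALL_IP = "192.168.1.1"
WDS_IP = "192.168.1.20"
CLIENT_IP = "192.168.1.50"


def build_dhcp_ack(siaddr, options):
    """Build a minimal DHCPACK with the given 'next server' field and options."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x12345678, 0, 0)  # op..flags
    header += IPv4Address("0.0.0.0").packed       # ciaddr
    header += IPv4Address(CLIENT_IP).packed       # yiaddr
    header += IPv4Address(siaddr).packed          # siaddr ("next server")
    header += IPv4Address("0.0.0.0").packed       # giaddr
    header += bytes(16) + bytes(64) + bytes(128)  # chaddr, sname, file
    body = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_dhcp(packet):
    """Return the fixed fields and a {code: raw bytes} map of the options."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    yiaddr, siaddr, giaddr = (str(IPv4Address(packet[i:i + 4])) for i in (16, 20, 24))
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:  # pad option has no length byte
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"yiaddr": yiaddr, "siaddr": siaddr, "giaddr": giaddr, "options": options}


def check_pxe_offer(packet):
    """Report where a PXE ROM would fetch its bootfile from and anything suspicious."""
    info = parse_dhcp(packet)
    opts, findings = info["options"], []
    server_id = str(IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else None
    tftp_opt66 = opts.get(OPT_TFTP_SERVER, b"").rstrip(b"\x00").decode("ascii", "replace") or None
    if tftp_opt66 is None:
        findings.append("option 66 (TFTP server) missing")
    bootfile_raw = opts.get(OPT_BOOTFILE)
    bootfile = None
    if bootfile_raw is None:
        findings.append("option 67 (bootfile name) missing")
    else:
        if not bootfile_raw.endswith(b"\x00"):
            findings.append("option 67 is not NUL-terminated; legacy BIOS ROMs may read trailing bytes")
        body = bootfile_raw.rstrip(b"\x00")
        if any(b < 0x20 or b > 0x7E for b in body):
            findings.append("option 67 contains non-printable bytes")
        bootfile = body.decode("ascii", "replace")
    # Assumption: ROMs use siaddr when set and fall back to option 66 otherwise.
    if info["siaddr"] != "0.0.0.0":
        effective = info["siaddr"]
        if tftp_opt66 and effective != tftp_opt66:
            findings.append(f"siaddr {effective} differs from option 66 {tftp_opt66}; "
                            f"clients honouring siaddr fetch from {effective}")
    else:
        effective = tftp_opt66
    return {"yiaddr": info["yiaddr"], "siaddr": info["siaddr"], "dhcp_server": server_id,
            "tftp_server_opt66": tftp_opt66, "bootfile": bootfile,
            "effective_tftp_server": effective, "findings": findings}


# Constructed sample 1: the firewall puts its own address in siaddr and names
# the WDS server only in option 66, so the client fetches from the firewall.
ACK_SIADDR_FIREWALL = build_dhcp_ack(FIREWALL_IP, {
    OPT_MSG_TYPE: b"\x05", OPT_SERVER_ID: IPv4Address(FIREWALL_IP).packed,
    OPT_TFTP_SERVER: WDS_IP.encode(), OPT_BOOTFILE: b"boot\\x64\\wdsnbp.com"})
# Constructed sample 2: siaddr and option 66 agree, option 67 is NUL-terminated.
ACK_CORRECT = build_dhcp_ack(WDS_IP, {
    OPT_MSG_TYPE: b"\x05", OPT_SERVER_ID: IPv4Address(FIREWALL_IP).packed,
    OPT_TFTP_SERVER: WDS_IP.encode(), OPT_BOOTFILE: b"boot\\x64\\wdsnbp.com\x00"})

if __name__ == "__main__":
    for name, pkt in (("firewall-in-siaddr", ACK_SIADDR_FIREWALL), ("correct", ACK_CORRECT)):
        print(name, check_pxe_offer(pkt))
```

To use it on a live network, capture the DHCPACK on the client's switch port with a packet sniffer and pass the UDP payload to `check_pxe_offer()`. A `siaddr` pointing at the firewall while option 66 points at the WDS server is exactly the case the DNAT rule in this thread works around; fixing the "next server" field at the DHCP server, where the firewall allows it, avoids the NAT rule altogether.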