Rule to Allow TFTP Server

I am attempting to save switch config backup files to a TFTP server that has been set up on a Windows 10 machine using the SolarWinds TFTP utility. I have attempted to add the appropriate rule on the Firewall in addition to configuring Port Forwarding through NAT, and I made sure TFTP was allowed as a Network Service. But every time I check, the port is still not reachable on the device hosting the TFTP server (I made sure I configured the SolarWinds Utility properly).

All this is happening on a private LAN. I have specified the appropriate IP ranges the traffic will be moving on internally. Has anybody else had luck figuring out a similar TFTP setup?

  • Hello,

    are these devices in different network segments / on different interfaces of the firewall?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Good day jprusch!

    Thanks for trying to help out here. The switch and the device I am running the TFTP server on are both receiving IP addresses from the same pool (our organization's Wired VLAN).

    Forgive me if I am misunderstanding the second part of your question. But we only have one Firewall box installed on our campus and all of the devices I am working on are behind it. Additionally, the devices are on the same VLAN so there shouldn't be an issue occurring with filtering between VLANs.

    If I port forward on the Firewall, would I also need to port forward on the router that is assigning the TFTP server's IP address?

    I realize this may be impossible to troubleshoot without more specifics or a full detail of my topology, but I appreciate your thoughts.

  • Hello,

    if your devices are in the same (V)LAN, then you don't need to forward any ports on the firewall, as the packets do not "go" through the gateway. The corresponding devices on the same segment talk directly with each other and send their IP packets to the partner without contacting the firewall or router. So you should troubleshoot your switches and the Win10 PC, and find out why they can't establish a TFTP session. I would start with the command line of the switch: try to ping the IP of the Win10 PC. If this succeeds, then look at the local firewall of the Windows PC and disable it. Try TFTP again.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Thank you so much for clarifying these concepts to me. I thought maybe a global rule on the firewall needed to be defined to open up a port on a specific IP address regardless of whether it was internal or external traffic. This is excellent advice. I did allow TFTP services on the local firewall of the Win 10 PC hosting the TFTP server, but I will follow these steps and report back, hopefully tomorrow.

    Thank you so much for taking the time to educate me!

  • As stated by Philipp, mostly you don't need a UTM firewall rule if the TFTP server and client reside on the same subnet.
    There is an exception I've seen sometimes ... the UTM segments these subnets using a Bridge-Interface.
    If so ... TFTP is not simple to handle. First you need the TFTP Connection Tracking Helper (Network Protection / Firewall / Advanced / Connection Tracking Helpers) ... otherwise you have to open a lot of "High-Ports". Also the direction of the TFTP session is often a problem. Mostly the switch initiates the session. Use the Firewall Live Log with the switch IP as filter to check connection attempts.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
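Dirk's remark about the connection tracking helper and the "High-Ports" follows from how TFTP chooses its ports. The following is an added example (mine, not code from the thread, Sophos or SolarWinds): a minimal RFC 1350 write exchange over loopback with both sides in one script, showing that the server answers the WRQ from a fresh ephemeral port, so a rule that allows only UDP/69 sees the first request and nothing else of the transfer. The server binds a free port instead of 69 so it runs unprivileged; the config payload is constructed.

```python
import socket
import struct
import threading

# Constructed sample: the switch config the client pushes with a WRQ.
CONFIG_PAYLOAD = b"hostname core-sw01\ninterface Vlan10\n"
OP_WRQ, OP_DATA, OP_ACK = 2, 3, 4


def wrq(filename: str) -> bytes:
    """Opcode 2 + zero-terminated filename and mode, as in RFC 1350."""
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\0octet\0"


def serve_one_wrq(listen: socket.socket, result: dict) -> None:
    """Write-only TFTP server for a single, one-block transfer."""
    req, client = listen.recvfrom(516)
    if struct.unpack("!H", req[:2])[0] != OP_WRQ:
        return                                  # only WRQ is handled here
    # RFC 1350: the server picks a new transfer ID, i.e. a NEW socket on
    # an ephemeral port; every later packet flows on that port, not on 69.
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    xfer.bind(("127.0.0.1", 0))
    xfer.sendto(struct.pack("!HH", OP_ACK, 0), client)   # ACK block 0
    data, _ = xfer.recvfrom(516)
    _, block = struct.unpack("!HH", data[:4])
    xfer.sendto(struct.pack("!HH", OP_ACK, block), client)
    result.update(listen_port=listen.getsockname()[1],
                  xfer_port=xfer.getsockname()[1], payload=data[4:])
    xfer.close()


def run_exchange(payload: bytes = CONFIG_PAYLOAD) -> dict:
    """Run client and server over loopback; return the ports each side used."""
    listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen.bind(("127.0.0.1", 0))       # a real server binds UDP/69
    result: dict = {}
    srv = threading.Thread(target=serve_one_wrq, args=(listen, result))
    srv.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(2)
    cli.sendto(wrq("core-sw01.cfg"), listen.getsockname())
    _, server_tid = cli.recvfrom(516)   # ACK 0 arrives from a different port
    # Client must send DATA to the server's new TID, not back to port 69.
    cli.sendto(struct.pack("!HH", OP_DATA, 1) + payload, server_tid)
    cli.recvfrom(516)                   # ACK 1; payload < 512 bytes ends it
    srv.join()
    cli.close()
    listen.close()
    result["client_saw_reply_from"] = server_tid[1]
    return result
```

With a stateless "allow UDP/69" rule, only the WRQ datagram matches; the helper Dirk names is what lets the firewall associate the reply from the new port with that request.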

  • @jprusch I followed your troubleshooting steps exactly and it worked! Was able to ping the Win 10 PC's IP address on the switch. Disabled the local firewall settings on the PC and the config file came right over!

    Can't thank you enough. Great peace of mind knowing these configurations will be backed up in case something unexpected happens.

    Happy New Year to you, my friend!

  • Thank you for taking the time to explain this. Fortunately, jprusch's more basic troubleshooting proved a success. I appreciate you both taking time out of your schedules to educate me on some firewall and networking fundamentals!