After a couple of years of struggling with the very same problem, I have finally found a solution without a next-server, if such an option simply doesn’t exist in FortiGate.
Yes, you need options 66 and 67 in FortiGate in hex format, that’s alright.
What helped me was setting up two Virtual IPs:
- For both Virtual IPs, you choose the external interface as your client subnet, the external IP as your gateway, and the mapped IP as your PXE server IP; the external service port is 69 in the first VIP and 4011 in the second.
- You create two firewall policies for machines to go freely to those Virtual IPs you just created.
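
The two Virtual IPs and two policies described above, written out as FortiOS CLI. This is an added example, not part of the original post; the interface names, object names and addresses are constructed placeholders, and UDP is assumed as the protocol because TFTP (69) and PXE boot-server discovery (4011) both run over UDP.

```fortios
# Added example: "clients", "servers", the VIP/policy names and all
# addresses are placeholders. 10.10.20.1 = gateway on the client subnet,
# 10.10.50.5 = PXE server.
config firewall vip
    edit "pxe-tftp"
        set extintf "clients"
        set extip 10.10.20.1
        set mappedip "10.10.50.5"
        set portforward enable
        set protocol udp
        set extport 69
        set mappedport 69
    next
    edit "pxe-4011"
        set extintf "clients"
        set extip 10.10.20.1
        set mappedip "10.10.50.5"
        set portforward enable
        set protocol udp
        set extport 4011
        set mappedport 4011
    next
end
config firewall policy
    edit 0
        set name "clients-to-pxe-tftp"
        set srcintf "clients"
        set dstintf "servers"
        set srcaddr "all"
        set dstaddr "pxe-tftp"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "clients-to-pxe-4011"
        set srcintf "clients"
        set dstintf "servers"
        set srcaddr "all"
        set dstaddr "pxe-4011"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The `#` lines are annotations for the reader. Because each policy's destination is a port-forwarding VIP, it admits only traffic to that VIP's forwarded port; narrowing `srcaddr` to the client subnet's address object tightens it further.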