Firewall rules in place for Provisioning Services still get rejected by DFW

Article ID: 399478

Updated On:

Products

VMware NSX, VMware vDefend Firewall

Issue/Introduction

During PXE boot imaging, a VM obtains an IP address, its network configuration, and the IP/port of the destination provisioning server from DHCP, then downloads its image from that server. At this stage NSX has not yet learned an IP-to-MAC binding for the VM from ARP, DHCP, or VMware Tools, so the VM is not yet a member of any group whose membership is based on VM or tag criteria. The traffic therefore does not match the intended allow rule and is dropped by the DFW default (cleanup) rule. The example below shows the information a VM requests in order to connect to a Provisioning Server.

Environment

NSX 4.X

Cause

The VM has not yet booted with an IP address mapped to its MAC address because it is still in the provisioning process. This can be observed in the ARP, DHCP, and VMware Tools bindings for the VM's interface.

Checking the VM's Virtual Interface in NSX shows IP Address "Not Set", and viewing Discovered or Realized Bindings for that interface shows no entries.

Resolution

The client IP addresses or IP range must be added directly, as IP address members rather than as VM or tag criteria, to the Source group of the DFW rule that allows access to the destination DHCP/Provisioning server. IP-address membership is evaluated on the packet's source address, so the rule matches before any ARP/DHCP/VMware Tools binding exists. Keep the range limited to the subnets from which PXE clients boot, because those addresses are allowed by the rule regardless of which VM currently holds them.
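The following is an added example, not code from the KB article or from VMware, showing how the Source group can be given IP-address members through the NSX Policy API and how to confirm that a booting client's address is covered. The manager hostname, group id, credentials, and subnets are hypothetical values chosen for illustration.

```python
"""
Added example (not part of the KB article): add the PXE client subnets as
IP-address members of the DFW rule's Source group through the NSX Policy API,
and check that a booting client's address is covered by the configured ranges.

Assumptions (hypothetical values, not from the article):
  - NSX Manager reachable at NSX_MANAGER with basic-auth credentials.
  - The rule's Source group already exists under the "default" domain with
    the id PXE_CLIENTS_GROUP_ID.
  - PXE_CLIENT_SUBNETS are constructed sample subnets.
"""
import base64
import json
import ssl
import urllib.request
from ipaddress import ip_address, ip_network

NSX_MANAGER = "nsx-mgr.example.local"                    # assumption
PXE_CLIENTS_GROUP_ID = "pxe-provisioning-clients"        # assumption
PXE_CLIENT_SUBNETS = ["10.20.30.0/24", "10.20.31.0/24"]  # constructed sample


def group_url(manager, group_id, domain="default"):
    """Policy API path of a Group under a domain."""
    return f"https://{manager}/policy/api/v1/infra/domains/{domain}/groups/{group_id}"


def members_url(manager, group_id, domain="default"):
    """Realized IP members of the Group; GET this to confirm the ranges landed."""
    return group_url(manager, group_id, domain) + "/members/ip-addresses"


def build_group_body(display_name, cidrs, existing_expressions=None):
    """
    Build the Group body with an IPAddressExpression.

    IP-address membership is matched on the packet's source address, so the
    rule applies before NSX has an ARP/DHCP/VMware Tools binding for the VM.
    A VM- or tag-based Condition would not match until that binding exists.
    Any pre-existing expressions are kept and joined to the new one with an
    OR ConjunctionOperator, which is how the Policy API joins mixed expressions.
    """
    for cidr in cidrs:
        ip_network(cidr, strict=True)  # ValueError on a typo or host bits set
    expressions = list(existing_expressions or [])
    if expressions:
        expressions.append({"resource_type": "ConjunctionOperator",
                            "conjunction_operator": "OR"})
    expressions.append({"resource_type": "IPAddressExpression",
                        "ip_addresses": list(cidrs)})
    return {"display_name": display_name, "expression": expressions}


def covers(cidrs, client_ip):
    """True if a booting client's address falls inside the configured ranges."""
    addr = ip_address(client_ip)
    return any(addr in ip_network(c, strict=True) for c in cidrs)


def patch_group(manager, group_id, body, user, password, verify_tls=True):
    """PATCH the Group (create-or-update). Returns the HTTP status code."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        group_url(manager, group_id),
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab managers with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    body = build_group_body("PXE provisioning clients", PXE_CLIENT_SUBNETS)
    print(json.dumps(body, indent=2))
    # A client booting from 10.20.30.57 is covered; one outside the ranges is not.
    print(covers(PXE_CLIENT_SUBNETS, "10.20.30.57"),
          covers(PXE_CLIENT_SUBNETS, "10.20.32.1"))
    # Supply real credentials to apply the change:
    # print(patch_group(NSX_MANAGER, PXE_CLIENTS_GROUP_ID, body, "admin", "password"))
```

After the PATCH, fetch the URL returned by members_url to confirm the realized IP members include the PXE subnets; if a client address is missing there, the DFW rule will still fall through to the cleanup rule for that client.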

Additional Information

If DHCP itself is blocked and the VM never reaches the provisioning stage, use the following article for PXE setup:
https://knowledge.broadcom.com/external/article?articleNumber=320299