In 5.8 and later versions, automatic rules are generated for traffic related to features where connections are opened to or from the NGFW nodes themselves.
So when you enable the DHCP server feature on one of the firewall interfaces, automatic rules are created and should allow DHCP requests from clients, and DHCP replies from the firewall nodes. When the DHCP server feature is enabled, the firewall should be listening on UDP port 67 (bootps):
root@fw-sg-5-10-2:~# netstat -pan |grep 67
udp 0 0 0.0.0.0:67 0.0.0.0:* 12602/dhcpd
If the FW is listening for DHCP requests, then the next step would be to run tcpdump on the interface that is configured as the DHCP server.
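An added example (not part of the original posts, and not vendor tooling): `grep 67` also matches PIDs and ports that merely contain "67", so this sketch filters `netstat -pan` output for UDP sockets whose local port is exactly 67. The function name `dhcp_listeners` and the sample lines are made up for illustration.

```shell
#!/bin/sh
# Reads `netstat -pan`-style lines on stdin and prints "local_address owner"
# for every UDP socket whose local port is exactly 67 (bootps).
# Exit status is 1 when no such socket is found.
dhcp_listeners() {
    awk '
        $1 ~ /^udp/ {
            # Field 4 is the local address; the port follows the last colon,
            # which also covers IPv6 forms such as :::67.
            n = split($4, parts, ":")
            if (parts[n] == "67") {
                print $4, $NF   # last field is PID/program ("-" if not root)
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample output, not captured from a real node.
# Lines 2 and 3 would both match a plain `grep 67`.
sample_listening='udp 0 0 0.0.0.0:67 0.0.0.0:* 12602/dhcpd
udp 0 0 0.0.0.0:6700 0.0.0.0:* 901/otherd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 6712/sshd'

sample_not_listening='udp 0 0 0.0.0.0:6700 0.0.0.0:* 901/otherd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 6712/sshd'

# Report the result for one block of netstat-style text.
check_sample() {
    if printf '%s\n' "$1" | dhcp_listeners; then
        echo "DHCP server socket present"
    else
        echo "nothing bound to UDP 67"
    fi
}

check_sample "$sample_listening"
check_sample "$sample_not_listening"
# On a live node: netstat -pan | dhcp_listeners
```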
I had failed to look at the port.
I see the system is not listening on that port....
Will give customer support a call.
Found the problem. I was uploading my new policy....but had not hit the "save" icon.
Did not understand that a "save" had to be performed prior to "upload" of policy.
Client help was able to figure it out for me.