I’ve realized that my suggestion above regarding sniffing may be overly complex and inconsistent.
To see that the switch chip rule works for the initial DHCPDISCOVER, which is sent to a broadcast address, it is enough to make the bridge a member port of the bridge (see this for clarification of this apparent nonsense) and sniff on the bridge; there is no need to use an external cable.
To see that the switch chip rule also works for the subsequent DHCPREQUEST, which the client sends to the unicast address of the DHCP server it has chosen among those that have sent it a DHCPOFFER, you either need port mirroring if connecting to the real uplink via sfp1, or instead you can attach a test DHCP server to a VLAN interface attached to the bridge to see the full process of the firewall obtaining a DHCP lease from this test server.
So to sniff the firewall’s dialog with the ISP’s DHCP server without losing the VLAN tag in the process, you’d modify the suggestion above: you wouldn’t add ether1 to the bridge, and you would connect the mirror-target port (ether5) with the sniffer port (ether2) using an external cable.