Hello,
@dwolcot1 wrote:
We see denied traffic sourced from random public IPs on the web, destined to IP addresses that we do not own, that are not in our public subnet, or that are not affiliated with our firewall (interfaces, NAT, etc.)
Are You sure about the direction of this traffic? Is it coming TO You, and NOT from You?
If this traffic is really coming _FROM_ Your internal LAN _to_ the internet, that's a well-known symptom of an infected/botnet device on Your internal LAN.
Usually ISPs drop such traffic on their edge routers using uRPF, but the BW on the CE-PE link is consumed anyway.
If that's not the case - i.e. the traffic is indeed coming TO You from the ISP router - then it is usually a sign of an unknown unicast flood in the ISP's switched infrastructure. Basically, more often than not there is an L2 switch between You and the ISP router that You may not know about, acting as a port extender, for the simple reason that a switch port costs way less than a router port.
Hence, if there are other customers of the same ISP on the same VLAN as Yourself, and if the ISP router's ARP timeout is longer than the switch's MAC aging timeout (which is typically the case with default timeouts), then this L2 switch will flood the packets destined to the other customer(s) whose MAC addresses timed out to all ports in that shared VLAN.
HTH
Thx
Alex
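As an added example (not part of Alex's reply or the original thread), a small Python triage script that applies the direction test described above to firewall deny logs: lines arriving on the outside interface for an address we do not own support the unknown-unicast-flood hypothesis, while lines leaving the inside interface with a source we do not own support the spoofing/infected-host hypothesis. The log format, interface names, address ranges and sample lines are all constructed assumptions, not any vendor's format.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholders (RFC 5737 documentation space), not the poster's real addressing.
OUR_PUBLIC = [ipaddress.ip_network("203.0.113.0/28")]   # our public subnet
OUR_INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]     # our internal LAN

# Hypothetical, vendor-neutral deny-log format used only for this example:
#   DENY <proto> <in_if>:<src_ip>/<sport> -> <out_if>:<dst_ip>/<dport>
LINE_RE = re.compile(
    r"DENY (?P<proto>\w+) (?P<in_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) -> "
    r"(?P<out_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample lines: two foreign destinations seen from the ISP side,
# one inbound deny to our own address, one normal outbound deny, one spoofed source.
SAMPLE_LOG = """\
DENY tcp outside:198.51.100.7/51234 -> outside:192.0.2.45/80
DENY udp outside:198.51.100.9/53 -> outside:192.0.2.46/33434
DENY tcp outside:198.51.100.7/51235 -> inside:203.0.113.5/22
DENY tcp inside:10.1.2.3/40000 -> outside:192.0.2.45/443
DENY tcp inside:198.51.100.200/1025 -> outside:192.0.2.99/25
"""

def is_ours(ip):
    """True if ip falls in any address range this firewall legitimately owns."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_PUBLIC + OUR_INTERNAL)

def classify(line):
    """Return (hypothesis, interesting address) for one line, or None if unparsable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    if m["in_if"] == "outside" and not is_ours(m["dst"]):
        # Arrived from the ISP side for an address we never announce:
        # consistent with unknown-unicast flooding on a shared L2 segment.
        return "inbound-foreign-dst", m["dst"]
    if m["in_if"] == "inside" and not is_ours(m["src"]):
        # Left our LAN with a source we do not own: consistent with a spoofing host inside.
        return "outbound-spoofed-src", m["src"]
    return "ordinary-deny", None   # expected policy denies, evidence for neither

def triage(log_text):
    """Count lines per hypothesis and collect the distinct foreign addresses involved."""
    counts, addrs = Counter(), {}
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        cat, addr = result
        counts[cat] += 1
        if addr:
            addrs.setdefault(cat, set()).add(addr)
    return counts, addrs

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

If the inbound-foreign-dst bucket dominates and the destinations look like other customers' ranges, a packet capture on the outside interface checking whether every such frame carries the ISP router's source MAC is the next confirmation step.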