I'm getting alerts from my firewall that my Heavy Forwarder Unix box (only program that's installed) is initiating TCP scans and sweeps. I have Universal Forwarders installed that should be pushing data to the Heavy Forwarder, but I don't see any reason why the HF is doing any scanning. My understanding is that a forwarder will initiate a connection with a destination, so it should be the UFs contacting the HF, not the other way around. The HF local/input doesn't specify anything outside of defaults and a local log file. Does anyone know why these TCP scans are taking place? Is there any other config or log file I can look into to obtain additional information? Thanks
I would suggest doing a packet capture on the Heavy Forwarder to understand what in fact is occurring. This appears to be anomalous behavior and could indicate you have a compromised system.