I am seeing firewall live view showing multiple flows at similar time intervals with a destination port 22 and its saying its allowed because it the rule of let anything out from the firewall host itself. It is generated, the view shows, from the firewall. Is there a service that would send something out on towards this destination port (TCP Port 22) to multiple ip's.
Are you using ssh for anything?
Not that I was aware of. Oddly enough I removed the NTOPNG service/package and haven't seen an occurrence since then.
Ntopng scans for vulnerabilities in your network including SSH on port 22 ...
Ok. That explains it I think. Port 22, Port 8080, Port 80 were being sent traffic from the firewall interface to one of the lan interfaces and towards some wan ip's off of spectrum network, which seems odd. But I am new and glad to have a valid answer. Thanks!