We recently had all 28 of our networks scanned for vulnerabilities as part of our annual PCI audit. We have the same model MX and the same firewall rules in place on all 28 networks. The findings were interesting. Almost exactly half of the networks failed the scan due to vulnerabilities for TCP traffic on port 80.
If my firewall rules are all the same, and the devices on the network are 95% the same, why would half of the networks fail the scans and the other half pass?
Why doesn't IDS or IPS see the port scanning and block it?
I'm sure there are a million variables that could cause the pass/fail variances between theoretically identical network configs. Despite that, any ideas would be helpful.
Your scan is probably being triggered by the Local Status Page on the MX.
You can disable it under Network-wide > General if you're not using them.
There was a security vuln with these pages last year as well. Are all your MX on the same version?
Are there web servers or web services behind those networks that failed? The vulnerability could be found in those applications/services and not the MX, if it is allowing the traffic needed.
This was a scan from the outside, right? And the MXs have a NAT from the outside to a server on the inside?
As @SoCalRacer says, this is probably an issue on those servers.
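The replies above boil down to two hypotheses for the failing half: the MX itself is answering on tcp/80 (Local Status Page), or a port-forward/NAT is exposing an inside web server. Either way the first step is the same: check each of your own WAN addresses yourself, record what (if anything) answers on port 80, and group the 28 networks by that fingerprint so the pass/fail split lines up with something concrete. The script below is an added example written for this thread, not code from Meraki or from any poster; the IP addresses and HTTP responses in it are constructed samples, and the `probe()` function assumes you run it only against WAN addresses you administer, the same way the ASV did.

```python
"""Triage which of our own WAN addresses answer on TCP/80, and with what.

Added example for the thread above (not Meraki's code). Sample data is
constructed; probe() is meant for your own MX WAN IPs only.
"""
import socket
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample responses (not captured from any real device). None means
# the TCP connect itself failed; b"" means it connected but nothing HTTP-like came back.
SAMPLE_RESPONSES: Dict[str, Optional[bytes]] = {
    "198.51.100.10": b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n",
    "198.51.100.11": b"HTTP/1.1 302 Found\r\nLocation: https://198.51.100.11/\r\n\r\n",
    "198.51.100.12": None,
    "198.51.100.13": b"",
    "198.51.100.14": b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n",
}


@dataclass
class Finding:
    host: str
    reachable: bool                 # TCP connect to port 80 succeeded
    status: Optional[str] = None    # HTTP status code, e.g. "200"
    server: Optional[str] = None    # Server header, if any
    location: Optional[str] = None  # Location header, if any
    verdict: str = ""


def parse_http_head(raw: bytes) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (status_code, lowercase header dict) from a raw HTTP response head."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = parts[1] if parts[0].startswith("HTTP/") and len(parts) >= 2 else None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return status, headers


def classify(host: str, reachable: bool, raw: bytes) -> Finding:
    """Turn one probe result into a Finding with a short, actionable verdict."""
    finding = Finding(host=host, reachable=reachable)
    if not reachable:
        finding.verdict = "closed/filtered: nothing for the ASV to flag on tcp/80"
        return finding
    status, headers = parse_http_head(raw)
    finding.status = status
    finding.server = headers.get("server")
    finding.location = headers.get("location")
    if status is None:
        finding.verdict = "open but not speaking HTTP: identify the listener"
    elif status.startswith("3") and (finding.location or "").lower().startswith("https://"):
        finding.verdict = "HTTP->HTTPS redirect: listener still exposed, confirm what serves it"
    else:
        finding.verdict = "web service answering: MX Local Status Page or a NAT'd inside host?"
    return finding


def probe(host: str, port: int = 80, timeout: float = 3.0) -> Finding:
    """Connect to host:port, send a HEAD request, and classify whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            raw = b""
            try:
                while len(raw) < 4096 and b"\r\n\r\n" not in raw:
                    chunk = sock.recv(1024)
                    if not chunk:
                        break
                    raw += chunk
            except socket.timeout:
                pass  # whatever we got so far is what we classify
    except OSError:
        return classify(host, False, b"")
    return classify(host, True, raw)


def group_by_fingerprint(findings: List[Finding]) -> Dict[Tuple[bool, Optional[str], Optional[str]], List[str]]:
    """Group networks by (reachable, status, server) so the pass/fail split becomes visible."""
    groups: Dict[Tuple[bool, Optional[str], Optional[str]], List[str]] = {}
    for f in findings:
        groups.setdefault((f.reachable, f.status, f.server), []).append(f.host)
    return groups


def triage_samples() -> List[Finding]:
    """Run the classifier over the constructed sample data (offline)."""
    return [classify(host, raw is not None, raw or b"") for host, raw in SAMPLE_RESPONSES.items()]


if __name__ == "__main__":
    # With WAN IPs on the command line, probe them; otherwise show the sample data.
    results = [probe(h) for h in sys.argv[1:]] if len(sys.argv) > 1 else triage_samples()
    for f in results:
        print(f"{f.host:16} reachable={f.reachable!s:5} status={f.status} server={f.server} -> {f.verdict}")
    for key, hosts in group_by_fingerprint(results).items():
        print(f"{key}: {len(hosts)} network(s)")
```

Run it with your 28 WAN IPs as arguments and compare the groups to the ASV report: if every failing network lands in one fingerprint bucket (say, the same status and Server header) and every passing one in another, you have your variable, and you can then check Network-wide > General for the Local Status Page setting or the port-forwarding rules on just those MXs.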
Might check some of these resources