Have inbound firewall rules been enabled in your network? If so, you must create firewall rules to control what is blocked. If this feature is off, then everything is blocked by default.

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Blocking_Inbound_Traffic_on_MX_Security_Appliances

Are there any inbound NAT/Forwarding Rules to the server? Port forward, 1:1, anything?

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX

I just had a thought. Is this server a DNS server for other clients? If so, if another client is making DNS requests for a "bad" DNS zone, they will appear to come from this server (client sends request to this server, this server then sends DNS request).

Is this server running an HTTP proxy, or anything else like that?

Is this a web server? If so, it may be that something is using an exploit in the web app, and proxying requests through it. The server would show up as clean on a scan then. It is simply being used to hide what the attacker is really doing.
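The DNS-server case raised above, as an added example that is not part of the original post: if the flagged server is only forwarding lookups, its own query log shows which internal client actually asked for the flagged zone. The log lines are constructed in BIND querylog style, and `bad-zone.example`, the IP addresses and the function names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in BIND "querylog" style (an assumption; adapt the
# regex to whatever format your DNS server actually writes).
SAMPLE_LOG = """\
02-Mar-2024 10:15:01.120 client @0x7f1 192.168.10.23#51514 (intranet.example.com): query: intranet.example.com IN A + (192.168.10.5)
02-Mar-2024 10:15:02.481 client @0x7f2 192.168.10.47#40212 (c2.bad-zone.example): query: c2.bad-zone.example IN A + (192.168.10.5)
02-Mar-2024 10:15:09.903 client @0x7f3 192.168.10.47#40213 (Update.Bad-Zone.Example.): query: Update.Bad-Zone.Example. IN AAAA + (192.168.10.5)
02-Mar-2024 10:16:44.007 client @0x7f4 192.168.10.88#33901 (bad-zone.example): query: bad-zone.example IN TXT + (192.168.10.5)
02-Mar-2024 10:16:50.310 client @0x7f5 192.168.10.23#51999 (notbad-zone.example): query: notbad-zone.example IN A + (192.168.10.5)
02-Mar-2024 10:17:00.000 general: info: not a query line
"""

# Hypothetical flagged zone, standing in for whatever the security alert names.
FLAGGED_ZONES = {"bad-zone.example"}

LINE_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \(\S+\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def in_zone(name, zone):
    """True if name is the zone itself or a subdomain of it (case-insensitive)."""
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    # Require a label boundary so notbad-zone.example does not match.
    return name == zone or name.endswith("." + zone)

def attribute_queries(log_text, zones):
    """Return {zone: {client_ip: query_count}} for queries inside flagged zones."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip non-query log lines
        for zone in zones:
            if in_zone(m["name"], zone):
                hits[zone][m["ip"]] += 1
    return {zone: dict(clients) for zone, clients in hits.items()}

if __name__ == "__main__":
    for zone, clients in attribute_queries(SAMPLE_LOG, FLAGGED_ZONES).items():
        for ip, count in sorted(clients.items(), key=lambda kv: -kv[1]):
            print(f"{zone}: {ip} made {count} queries")
```

The client addresses it reports are the machines to investigate; the DNS server itself only relayed their lookups.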