Are the alerts in question being thrown by traffic directed to the MX's WAN/Public IP? If so, you're going to see "Allowed" as a decision, because the IDS sees and processes packets before the inbound firewall does. If there are no port forwards, or other static NAT rules in place that permit that traffic, the IDS will alert that it's seen a payload matching a signature, and start waiting for additional traffic to drop. If no more comes - in this case, because the packet in question never gets a response because the inbound firewall dropped it - the IDS effectively cannot block any further traffic, so it notes it as Allowed.
... View more