I've seen this before when the attack is against a port/user that did not currently have a mapping through the MX. I'd check and see if the details of the event show a PC or port that would have been active at the time. If there was no active flow, then the "attack" would have been denied at the firewall and recorded by IDS/IPS, but it would have never been blocked at that level, as the firewall would've denied it first.