Hi all,
I think I have a very simple question. We have a server making a lot of HTTPS connections to different IPs. We have a specific rule in our ACL for this traffic. When building the firewall rules, I still noticed a lot of hits on the permit ip any-any rule, so I dug deeper.
I found that this same server was building outbound TCP connections, but with the source port of tcp/443. Like this:
2019-04-02 08:40:36 Local6.Notice 192.168.20.71 Apr 02 2019 08:41:07: %ASA-5-106100: access-list LSPXSG4_access_in permitted tcp LSPXSG4/LSPAPPAMD211(443) -> Zorgnet/172.24.140.201(14728) hit-cnt 1 first hit [0x221dee80, 0x00000000]
Of course, I can make an ACL entry that permits this traffic based on the Source Service, but I would like to know/investigate why this is happening.
Am I right in saying that the above entry is a new TCP connection with a source port of 443?
I'm a bit clueless on where to start troubleshooting/capturing. Obviously it would be best to start at the source (the server), but if I wanted to capture traffic there, what should I look at? Source port 443 and some kind of TCP SYN filter, or anything else?
Edit:
I did a Wireshark capture on the source (LSPAPPAMD211). I waited for the access-list to get a new hit with tcp/443 as the source port. I checked that TCP connection in Wireshark based on the destination port (random port number). I looked at it, but I didn't see anything weird.
If anyone has an idea why this traffic is generating hits on the any-any rule, that would be great. I want to get rid of the any-any rule.
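As an added example (not from the poster or from Cisco), here is a small parser for the `%ASA-5-106100` access-list hit message quoted above that pulls out the interface/host(port) tuples and flags hits whose *source* port is a well-known service port and whose destination port is ephemeral, i.e. flows that look like the server's reply half of a session rather than a new client connection. The service-port set and the second log line are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the 106100 line from the post, plus a second made-up line
# in the same format showing a normal client -> 443 connection for contrast.
SAMPLE_LOG = """\
2019-04-02 08:40:36 Local6.Notice 192.168.20.71 Apr 02 2019 08:41:07: %ASA-5-106100: access-list LSPXSG4_access_in permitted tcp LSPXSG4/LSPAPPAMD211(443) -> Zorgnet/172.24.140.201(14728) hit-cnt 1 first hit [0x221dee80, 0x00000000]
2019-04-02 08:40:40 Local6.Notice 192.168.20.71 Apr 02 2019 08:41:11: %ASA-5-106100: access-list LSPXSG4_access_in permitted tcp LSPXSG4/LSPAPPAMD211(51234) -> Zorgnet/172.24.140.201(443) hit-cnt 1 first hit [0x00000000, 0x00000000]
"""

# Fields of a 106100 message: acl action proto src_if/src_host(port) -> dst_if/dst_host(port) hit-cnt N
ACL_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src_if>[^/]+)/(?P<src_host>[^(]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst_host>[^(]+)\((?P<dst_port>\d+)\) hit-cnt (?P<hits>\d+)"
)

@dataclass
class AclHit:
    acl: str
    action: str
    proto: str
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int
    hits: int

def parse_hit(line: str) -> Optional[AclHit]:
    """Return the fields of one 106100 line, or None for any other message."""
    m = ACL_RE.search(line)
    if not m:
        return None
    return AclHit(m["acl"], m["action"], m["proto"], m["src_host"], int(m["src_port"]),
                  m["dst_host"], int(m["dst_port"]), int(m["hits"]))

SERVICE_PORTS = {22, 25, 80, 443}  # assumed set of services the server is known to run/use

def classify(hit: AclHit) -> str:
    """'reverse-direction' means the source port is a service port and the destination
    port is ephemeral: that is what the reply half of an existing session looks like,
    so it deserves a SYN-vs-non-SYN check in a capture before an ACL entry is written."""
    if hit.src_port in SERVICE_PORTS and hit.dst_port >= 1024:
        return "reverse-direction"
    if hit.dst_port in SERVICE_PORTS:
        return "client-to-service"
    return "unknown"

def suspicious_hits(log: str) -> List[AclHit]:
    """All hits in a log that classify as reverse-direction traffic."""
    return [h for h in map(parse_hit, log.splitlines()) if h and classify(h) == "reverse-direction"]
```

To answer the SYN question from the edit, the Wireshark display filter `tcp.srcport == 443 && tcp.flags.syn == 1 && tcp.flags.ack == 0` isolates genuine new connections opened from port 443; if it matches nothing during a hit, the packets that reached the ACL were not new sessions but traffic the ASA had no existing connection entry for.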