As it turns out, there was a typo in the firewall rules... the traffic in question was indeed legit. D'oh!