Sorry, I think I didn't describe the issue very well.
Host Port Scan and Sweep scan are configured to detect more than 100 inactive ports in 30 seconds, and usually it works fine: when there is a scan, 100 drops can be seen on the log and then the Host Port Scan detection appears.
But when policies are pushed, a Sweep Port Scan Detect alert appears on the logs just at the time of the policy installation. It says that the source of the scan is the external IP address of the GW and the service is http and/or https (port 80 and/or 443). Searching on the logs, there is not any drop coming from the external IP address of the GW before the Sweep scan detection. So, we have not found any reason for this detection to appear.
There is no source NAT on this GW, so internal IPs are not being hidden behind the external IP of the GW.