Is it happens only to this public IP? or it's a general issue? are connections to this IP really never opens? (you can try: 'telnet 185.46.212.88 443' from a workstation) or you just saw such logs and you wonder what that means?
it seems to me that the same origin GW is the one with the SYN, and with the SYN-ACK drop, if that is correct, and the SYN was flowing through it, theoretically it should not drop the SYN-ACK because of assymetry.
can you verify if that is on the same connections though ? it could be completely different connections (the accepted and the dropped).
you can do this by comparing the source IP and src port of the accept log, to the dst port of the blocked log.
for specific test you can do this:
run: tcpdump -nnei ethX host 185.46.212.88
replace ethX with your outgoing interface.
on a separate window run: fw ctl zdebug + drop | grep 185.46.212.88
(please notice that the zdebug can cause high CPU)
then open new connection from a workstation to this IP.
break the tcpdump and the zdebug with ctrl +c , and run: 'fw ctl debug 0' to reset debugging.
see if you got SYN + SYN-ACK on the same connection (verify by the source port+src ip, etc)
see if you have any drop on the zdebug + drop output on that connection (again, compare to the source port, etc)
in case it is the same connection, and syn-ack is dropped, watch what is the time difference between the SYN and the SYN-ACK. if there is some time difference compare it to your "tcp start timeout" in global properties > stateful inspeciton. and verify if the reply returned within the "allowed" time frame or not.
if the syn-ack arrived within the start timeframe and still dropped we should investigate the connection table maybe. but i'm doubt this is the case.
