Our weekly scans show open ports for devices that have locked down rules. For example we allow inbound access for https but the external scans show ports TCP 1720, 5060 and 2000. We are also seeing TCP 1720 on non-existing IPs. I have used Tenable and NMAP scanners to verify. Any ideas?