Origin of outbound WAN connection
I know this is probably much more simple than I am trying to make it, but I could use someone to help clarify this. I am seeing traffic originating from my firewalls WAN address and making outbound connections to adware sites. I know for a fact that this traffic is from a machine on the LAN. I am not currently running a proxy on the firewall. Without a proxy, is there anyway to tie that traffic back to the originating host on my LAN?
Go to Diagnostics>pfTop
You can view your active connections by IP Pair. You may need to increase the "Maximum # of States"
Also, consider installing pfTopNG package. It will give you a GUI of your traffic flow and logging capability.
The state table (Diagnostics -> States) will also show the assocations between the WAN interface states and the LAN interface states.