Finally figured out an issue we've been having.
CCR 1072 has well over 1 million active connections, set the timeout to 10 minutes, still over 1 million active connections.
I noticed that two IP addresses make up the majority of those addresses, they're hammering on all of our subnets. The port scanner portion of the firewall is blocking them but they're still being listed under the connections tab and take up massive resources, completely bog down the 72 core router and use a ton of RAM.
Black-holing the addresses seems to help, but aside from manually watching the router what can be done?
The firewall filter forward rules are preventing them from doing any damage but they are still using nearly a million connections and causing issues with the router.
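An added example RouterOS configuration (not from the original post) showing why the scanners still fill the connection table and one way to stop it: a drop in the forward filter chain happens after connection tracking has already created an entry, while a drop in the raw table's prerouting chain runs before conntrack and creates none. The two addresses 203.0.113.10 and 198.51.100.20 are documentation placeholders for the scanning hosts, the list name "scanners" is an arbitrary choice, and the regex form used to flush existing entries is an assumption about how the connection list's src-address field is matched.

```routeros
# Added example, not from the original post. 203.0.113.10 and 198.51.100.20
# stand in for the two scanning hosts; "scanners" is an arbitrary list name.

# 1. Keep the port-scan detector, but have it feed an address list instead of
#    only dropping (psd = weight threshold 21, 3s delay, low-port weight 3,
#    high-port weight 1, as in the RouterOS psd matcher syntax).
/ip firewall filter add chain=forward protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=scanners \
    address-list-timeout=1d comment="detect port scans, feed address list"

# 2. Seed the list with the two hosts already known to be hammering the subnets.
/ip firewall address-list add list=scanners address=203.0.113.10 comment="known scanner"
/ip firewall address-list add list=scanners address=198.51.100.20 comment="known scanner"

# 3. Drop listed sources in the raw table BEFORE connection tracking runs.
#    A forward-chain drop still leaves a conntrack entry behind, which is why
#    blocked scanners keep showing up under the connections tab; a raw
#    prerouting drop never creates one. Keep this rule above any other raw rules.
/ip firewall raw add chain=prerouting src-address-list=scanners action=drop \
    comment="drop scanners before conntrack"

# 4. Flush the entries the scanners already created so they do not sit in the
#    table until the 10 minute timeout expires.
#    (Assumption: the connection list's src-address is a string "ip:port"
#    that the ~ regex matcher can be applied to.)
/ip firewall connection remove [find src-address~"203.0.113.10"]
/ip firewall connection remove [find src-address~"198.51.100.20"]

# 5. Verify: the count should drop and stay low, and the list should hold
#    both seeded hosts plus anything the psd matcher adds over time.
/ip firewall connection print count-only
/ip firewall address-list print where list=scanners
```

Once the raw rule is in place the detector keeps the list current on its own, so no manual watching is needed beyond checking the list occasionally for false positives.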