Strange services on the firewall

The UNIX administrator asked me to scan his systems that are within the scope of our Certification and Accreditation package. We have an auditor coming in next week to check our progress toward obtaining “authority to operate” and he wanted to make sure his systems were clean.
I found that our recently upgraded firewall now had several ports in the 37,xxx range that would act as a proxy. So basically, I could point my browser’s proxy settings to the firewall on those ports and it would let me out without the usual security filtering. A bit more scanning revealed that these services were enabled on other Solaris 10 servers, not just the firewall.
I hadn’t uncovered this before because my vulnerability scanner doesn’t scan all 65k TCP ports. I only uncovered it because on one server, these services operated on different ports that were scanned.
So once again, I’m not happy with how my vulnerability scanner has operated. But more importantly we’re left with the lesson that we need to run scans before systems move into production.
lsof isn’t a default part of Solaris so the Unix guys are still investigating what is providing those services. I left it to them to track it down since I had a few other things to do.
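The coverage gap described above can be checked from the host side before a system goes into production. This is an added example, not part of the original post. It compares a server's own list of listening TCP ports against an approved baseline and against the ports the scanner actually probes. The netstat layout (modelled on Solaris `netstat -an -P tcp`), the port numbers, the approved set and the scanner port list are all constructed assumptions.

```python
# Constructed sample, laid out like Solaris `netstat -an -P tcp` output (assumed format).
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.8080               *.*                0      0 49152      0 LISTEN
      *.37123              *.*                0      0 49152      0 LISTEN
10.0.0.5.37124             *.*                0      0 49152      0 LISTEN
10.0.0.5.22          10.0.0.9.51234       64240      0 49640      0 ESTABLISHED
"""

# Hypothetical values: what the system owner has approved, and what the
# vulnerability scanner's port list covers (here: 1-1024 plus 8080).
APPROVED_PORTS = {22}
SCANNER_PORTS = set(range(1, 1025)) | {8080}


def listening_ports(netstat_text):
    """Return the set of TCP ports in LISTEN state."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[-1] != "LISTEN":
            continue
        # Address and port are joined by a dot: "*.22", "10.0.0.5.37124"
        port = fields[0].rsplit(".", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def audit(netstat_text, approved, scanner_ports):
    """Split unapproved listeners by whether the scanner would ever see them."""
    unapproved = listening_ports(netstat_text) - approved
    return {
        "unapproved": sorted(unapproved),
        "seen_by_scanner": sorted(unapproved & scanner_ports),
        "missed_by_scanner": sorted(unapproved - scanner_ports),
    }


if __name__ == "__main__":
    for key, ports in audit(SAMPLE_NETSTAT, APPROVED_PORTS, SCANNER_PORTS).items():
        print(f"{key}: {ports}")
```

Anything under `missed_by_scanner` is a listener that a network scan with that port list would never report, so it has to be found from the host itself or by widening the scan to all 65,535 ports.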