I get thousands of unsolicited inbound traffic/hits on the WatchGuard every day that are being dropped at the FW, and I'll assume the same is happening for you. One should be concerned about inbound from a remote IP if it's due to some solicitation by a machine behind the SW that sent outbound to a remote IP.
You can use this instead of dumping the logs into Excel as it works with your TZ170 and does all the analysis for you. And you'll be able to see traffic flow in real time a lot better with WW or go back in time with WW.
You want to know about those other port numbers and what can use them or what they are dedicated for, like port 1433, the Microsoft SQL Server Database port, then Google is your friend. You got MS SQL Server running on a machine with port 1433 opened/forwarded, exposing the machine with SQL Server running to the public Internet? If you don't, then you should forget about it and the others too.
As long as your firewall is blocking unknown or unassociated connections, a log is of casual use only. "If it's working, don't change it".
Those are the "official" uses registered with IANA. However, there is nothing that requires that only this or that service use this or that port. Face it - how many virus/trojan/worm writers have sent a note to IANA asking that a port number be associated with their malware?
Port numbers are defined into three groups by IANA.
The Well Known Ports are those from 0 through 1023.
The Registered Ports are those from 1024 through 49151.
The Dynamic and/or Private Ports are those from 49152 through 65535.
Well known ports are assigned by the IANA and on most well designed systems can only be used by system (or root) processes or by programs executed by privileged users. These are the ports used by "standard" processes, like telnet (23), mail transport (25), DHCP/BOOTP servers (68), web service (80), and so on. The idea is that this is a standard, and a client wanting to use this or that service defaults to using the well known port for that service. This is not to say that someone can't configure a server to operate on a different port - the problem is that others will not know (without you telling them) that you moved the service to a different port.
The Registered Ports are listed by the IANA and on most well designed systems can be used by ordinary user processes or programs executed by ordinary users. As far as Microsoft is concerned, there is no difference between well known and registered ports, as they don't use the process separation concept. The Dynamic and/or Private Ports are less commonly used by services, and are often used as the outgoing end of a connection.
No - 1433 is used by MS SQL server, and most often connection attempts to that port are looking to exploit security holes in that server. I believe the connections to 4899 are looking for known holes in the RAdmin (remote administration) server. 6129 was a zombie controller called DameWare. 15118 is a new one to me.
The bottom line is that your firewall is blocking these connection attempts and that is all that matters. The fact that some host in Korea or Kenya attempted to connect to a trojan that you don't have installed is of no use whatsoever.
You're correct about the firewall dropping these probes so I am safe and can ignore them. I was just curious about what the probes were attempting to achieve. Is there a web site that details what attacks on certain ports are trying to achieve?
One other thing I had noticed was that a lot of the probes appear in the log in pairs and then never appear in the log again that month. I have been assuming that these are using spoofed addresses.
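The triage the thread describes, as an added example that is not from any of the posters: count dropped inbound probes per destination port with its IANA group, and single out drops whose source is a remote IP that an inside machine had sent outbound to earlier. The record layout, the addresses (documentation ranges) and the names `iana_range` and `triage` are assumptions made for this sketch, not the TZ170 or WatchGuard log format.

```python
import ipaddress
from collections import Counter

# Constructed sample records: (time, action, src_ip, dst_ip, dst_port).
# This layout is an assumption, not the TZ170 or WatchGuard log format.
SAMPLE = [
    (100, "allow", "192.168.1.20", "203.0.113.7", 80),   # inside host goes out
    (105, "drop", "198.51.100.9", "192.0.2.1", 1433),
    (106, "drop", "198.51.100.9", "192.0.2.1", 1433),
    (112, "drop", "198.51.100.44", "192.0.2.1", 23),
    (120, "drop", "203.0.113.7", "192.0.2.1", 6129),     # remote we contacted
    (130, "drop", "198.51.100.61", "192.0.2.1", 15118),
    (131, "drop", "198.51.100.61", "192.0.2.1", 15118),
]

def iana_range(port):
    """Name the IANA group a port number falls in."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a port number: {port}")
    if port <= 1023:
        return "well-known"
    return "registered" if port <= 49151 else "dynamic/private"

def triage(records, internal_net="192.168.1.0/24"):
    """Count dropped inbound probes per port and flag the ones whose
    source is a remote IP that an inside machine sent to earlier."""
    net = ipaddress.ip_network(internal_net)
    contacted = set()      # remote IPs an inside host has sent outbound to
    per_port = Counter()   # (port, IANA group) -> dropped inbound count
    follow_up = []         # drops worth a look: (time, remote IP, port)
    for ts, action, src, dst, dport in sorted(records):
        src_inside = ipaddress.ip_address(src) in net
        dst_inside = ipaddress.ip_address(dst) in net
        if src_inside and not dst_inside:
            contacted.add(dst)
        elif not src_inside and action == "drop":
            per_port[(dport, iana_range(dport))] += 1
            if src in contacted:
                follow_up.append((ts, src, dport))
    return per_port, follow_up

if __name__ == "__main__":
    counts, follow_up = triage(SAMPLE)
    for (port, group), n in sorted(counts.items()):
        print(f"{port:>5} {group:<16} {n} dropped")
    for ts, ip, port in follow_up:
        print(f"t={ts}: {ip} hit port {port} after an inside host contacted it")
```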