Malicious site - mis-reporting or misunderstanding?
I am getting a lot of "Blocked malicious site X from accessing machine Y" messages on Firewalla Blue.
I am happy that it is blocking stuff, but I would like to understand why it is doing it. I suspect I am seeing these messages because they are valid and I do not understand them, but I am concerned that I have a poor network setup and the messages are really telling me that I could do better.
The network is one at home, with several machines connected, but I'll simplify and look at the worst affected one.
- I have a linux server running a service on 192.168.1.4:8080/service
- There is a second linux server running Apache2, listening on 192.168.1.8:443 and with a reverse proxy to the first server at 192.168.1.8:443/service. I'm using Let's Encrypt for the SSL.
- I have a fibre router providing my internet connection. This is set up
  - to port-forward traffic on 443 to the Apache server
  - to port-forward ssh on 22 to another system, and 1193 to Firewalla
  - to (as far as I can tell from the docs) not port-forward any other ports
- Firewalla is directly connected to the router, as designed
My limited understanding is that the router should be saying "not port 443/22/1193, so ignore the incoming connection". But Firewalla is reporting large numbers of "malicious site X was blocked from 192.168.1.4 on destination port 45902"
I thought the router would simply ignore that, due to the port not being forwarded, so it would never enter my network. I'm glad that Firewalla is stopping it, but I would like to know why it has to, and if I could stop it earlier.
Plus, I'd like to understand the method that a potential attack on a port my router is not forwarding could be destined to a machine behind a router firewall and proxy. (I'd understand it if it reported port 443 - that's being forwarded!)
-
If the alarm has "443,22,1193" in it, it is likely an outsider trying to get into your system. The block is valid.
If you see something accessing an inside port that's outside of your range, there are four possibilities:
1. the port was opened by UPnP
2. a bug in the UI
3. a bug in the accounting system, src and dst ports are reversed.
4. an inside host is accessing site X on port 45902
If this happens again, send us an email and give us support access, and we can go inside and take a look.
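The setup in the question and the four possibilities in the answer can be checked mechanically: the reported destination port tells you whether the alarm is an inbound probe of a forwarded port, a hit on a service the router does not forward (UPnP territory), or an ephemeral-looking port that points at the inside host having initiated the connection; the host's own `ss -tn` table then separates swapped ports (possibility 3) from a genuine outbound connection to site X (possibility 4). The script below is an added example for this thread, not Firewalla's code nor the poster's. It assumes the LAN as described (forwarded ports 443/22/1193, a service on 192.168.1.4:8080, Apache on 192.168.1.8:443), approximates the alarm wording quoted in the question, uses the documentation address 203.0.113.10 in place of "site X", and the `ss -tn` snapshot is constructed.

```python
"""Triage a Firewalla-style "blocked malicious site" alarm.

Added example for this thread, not Firewalla's own code. It assumes the LAN
described in the question (forwarded ports 443/22/1193, a service on
192.168.1.4:8080, Apache on 192.168.1.8:443); the alarm wording is an
approximation of the message quoted there, 203.0.113.10 is a documentation
address standing in for site X, and the `ss -tn` output is constructed.
"""
import re
from dataclasses import dataclass

# Facts from the question; change these for another network.
FORWARDED_PORTS = {443, 22, 1193}
LISTENING_PORTS = {"192.168.1.4": {8080}, "192.168.1.8": {443}}
EPHEMERAL_MIN = 32768  # Linux default lower bound of net.ipv4.ip_local_port_range

ALARM_RE = re.compile(
    r"malicious site (?P<site>\S+) was blocked from (?P<host>\d+(?:\.\d+){3})"
    r" on destination port (?P<dport>\d+)"
)


@dataclass
class Alarm:
    site: str
    host: str
    dport: int


def parse_alarm(line: str) -> Alarm:
    """Pull site, inside host and reported destination port out of an alarm line."""
    m = ALARM_RE.search(line)
    if not m:
        raise ValueError(f"not an alarm line: {line!r}")
    return Alarm(m["site"], m["host"], int(m["dport"]))


def classify(alarm: Alarm) -> str:
    """Map the reported destination port onto the four possibilities in the answer."""
    if alarm.dport in FORWARDED_PORTS:
        return "inbound: probe of a forwarded port, the block is valid"
    if alarm.dport in LISTENING_PORTS.get(alarm.host, set()):
        return "inbound: hits a service the router does not forward, check for a UPnP mapping"
    if alarm.dport >= EPHEMERAL_MIN:
        return ("outbound: looks like an ephemeral port, the inside host probably "
                "initiated (ports may be swapped), confirm with ss")
    return "unexplained: possible UI or accounting bug, keep the alarm and ask support"


def flows_to(ss_output: str, site_ip: str) -> list[tuple[int, int]]:
    """Return (local_port, peer_port) for every `ss -tn` row whose peer is site_ip."""
    pairs = []
    for row in ss_output.splitlines()[1:]:  # first row is the header
        cols = row.split()
        if len(cols) < 5:
            continue
        local, peer = cols[3], cols[4]
        peer_ip, _, peer_port = peer.rpartition(":")
        if peer_ip == site_ip:
            pairs.append((int(local.rpartition(":")[2]), int(peer_port)))
    return pairs


def explain(alarm: Alarm, flows: list[tuple[int, int]]) -> str:
    """Use the host's own connection table to tell possibility 3 from possibility 4."""
    for local_port, peer_port in flows:
        if peer_port == alarm.dport:
            return f"possibility 4: {alarm.host} is connecting to {alarm.site}:{alarm.dport} itself"
        if local_port == alarm.dport:
            return (f"possibility 3: {alarm.dport} is the host's own source port, "
                    f"the real destination port is {peer_port}")
    return "no live flow to the site; it may have been blocked before the socket was set up"


# Constructed samples: the alarm from the question and an `ss -tn` snapshot
# taken on 192.168.1.4 while the alarm recurs.
SAMPLE_ALARM = "malicious site 203.0.113.10 was blocked from 192.168.1.4 on destination port 45902"
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      192.168.1.4:45902    203.0.113.10:443
ESTAB  0      0      192.168.1.4:8080     192.168.1.8:51234
"""

if __name__ == "__main__":
    alarm = parse_alarm(SAMPLE_ALARM)
    print(classify(alarm))
    print(explain(alarm, flows_to(SAMPLE_SS, alarm.site)))
```

Run `ss -tn` on the inside host (192.168.1.4 here) while the alarms are arriving and feed its output to `flows_to`; in the constructed snapshot the host holds a connection from its own port 45902 to the site's port 443, so the alarm's "destination port 45902" is the host's source port and the host, not the outside site, opened the connection. A result with no matching flow is still informative: the connection was cut before a socket appeared, and the alarm text alone cannot say which side started it.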