inbound 443 & 80 connections

There's no way to  selectively filter out RST packets, but you can filter out all HTTP/S responses not automatically accepted by conntrack by dropping them with a firewall rule.  Since you only showed lines from the Live Log, I can't give any more precise advice.

Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.

Cheers - Bob

thanks bob, will this help?

2017:10:23-00:01:04 gw2 ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth4" srcmac="00:1a:8c:4c:0f:7c" srcip="216.58.198.164" dstip="10.1.3.151" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="60538" tcpflags="RST"
2017:10:23-00:01:07 gw2 ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth4" srcmac="00:1a:8c:4c:0f:7c" srcip="216.58.198.164" dstip="10.1.3.151" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="60538" tcpflags="RST"

thanks bob, will this help?

2017:10:23-00:01:04 gw2 ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth4" srcmac="00:1a:8c:4c:0f:7c" srcip="216.58.198.164" dstip="10.1.3.151" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="60538" tcpflags="RST"
2017:10:23-00:01:07 gw2 ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth4" srcmac="00:1a:8c:4c:0f:7c" srcip="216.58.198.164" dstip="10.1.3.151" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="60538" tcpflags="RST"

That's strange.  Usually, we see fwrule="60001" (drop out of the INPUT chain to an IP on an external interface).  This is a drop out of the OUTPUT chain to an internal IP.  Are you sure you don't have an Ethernet problem between the UTM and the device at 10.1.3.151?  Maybe an issue with that device?

To just get rid of these drops, add a Service definition "HTTPS Response"="443->1:65536" and a firewall rule at the bottom of the list like 'Internet -> HTTPS Response -> {10.1.3.151} : Drop'.

Cheers - Bob

no it happens to multiple devices on the 10.1.3 range, i am not getting any reports of issues when browsing though !!

Lee

Tried to create the rule to drop and stop logging but doesnt seem to work.

Lee

I'd have thought that that would work, Lee.  Are you still seeing "60003" default drops?

Cheers - Bob

Yes Bob, getting a bit frustrating now !!!

2017:10:27-15:24:26 gw2 ulogd[32740]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth4" srcmac="00:1a:8c:4c:0f:7c" srcip="157.240.1.52" dstip="10.1.3.97" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="57864" tcpflags="RST"