Hello,
You can use the command "show threat-detection scanning-threat target" to see which of your servers is being attacked as per the firewall. Also, you can use the command "show threat-detection statistics host " to see what kind of traffic that host was sending. That could give you a fair idea why the firewall is shunning the hosts. But typically, the firewall will classify a host as an attacker when it sees too many half open connections for that host. So, in your case, if the remote site host tries to open connection to your WEB server and tries it multiple times (sometimes it happens if they are using a proxy), then the firewall could classify that host as an attacker.
Hope this helps.
Regards,
NT