FireWall-1, FloodGate-1, VPN-1 Table Saturation Denial of Service Vulnerability
Most companies allow http outbound. Run this command as root from an internal system, I give your FW about 10 to 15 minutes. If your internal network is a 10.x.x.x, try 172.16.*.*
nmap -sP 10.*.*.*
nmap is a very powerful port scanner. With this command it does only a PING and TCP sweep (default port 80), but uses an ACK instead of a SYN.
To verify that your connections table is quickly growing, try "fw tab -t connections -s" at 10 second intervals.
Tested on ver 4.0 SP3 on Solaris x86 2.6.