Correct TO Firewall setup? Threat attempts

Hi,

Currently I have the following setup:
ISP -> TO with Firewall -> second Hardware Firewall -> internal Network

If I look at the logfile of the 2nd Firewall I see quite a few threat attempts, sometimes DoS attacks etc. from the internet. E.g. today there was a DoS attack on the WAN port of the 2nd FW: source Port 80 TCP, destination Port 44156/44162/44163/44165 TCP (they were all closed on both FW). But the attack was not successful (touch wood). Port 80 TCP of TO is filtered but it seems that this port was involved.
TO has no usual open ports besides 8080 TCP, lord only knows why it is always open.
Honeypot function is not activated.
The TO Firewall setup is the factory version, I did not yet change anything since using it.
Why do these threat attempts reach the 2nd firewall at all? I assume that if the TO Firewall is working/set up correctly, the 2nd Firewall should be more or less bored and in idle mode but not under fire like it is. True or not?
Anything I can change in TO to fix this?

Thank you!

True, that should be idle or at least have much less work to do. But if port 80 was closed on TO, how could it have got into your second router? How did you check what ports you have open on both routers?

Earlier I tried several portscan websites but I prefer nmap.
A few minutes ago I just did an nmap scan on a Windows PC which is directly connected to the TO.
Now 22, 53, 80 and 443 TCP are shown OPEN. If I try a website portscan I get the result that e.g. 80 TCP is filtered. I think that setup is more relevant than doing the scan while connected to the 2nd Router, because then the picture is even worse, but in reality TO is the first Router after the ISP feed.