Proventia 100s have four interfaces: two used to monitor/pass traffic,
one to administer the Proventia appliance and one to send RSKills (only
used when not in inline appliance configuration). Proventia can be
configured as "passive monitoring" or "inline appliance." When you
configure it as an inline appliance, its presence on the network is
invisible from the two monitor/pass-through ports. That leaves the
administration port, which has three ports open: 22/tcp (SSH 1.9),
901/tcp and 2298/tcp. No Apache web server (vuln #1 and #3) and no SSH
daemon version 1.33 or 1.5 (vuln #2) on this box.
Could it be that your external penetration test sent traffic *through*
the Proventia to devices behind the Proventia? Alternately, the pen test
is flawed - but try to convince them of that.