Having a firewall between Automation Engine and Agent means to deal with firewall configurations. To do this correctly it's necessary to know, how connections are opened / initiated and how the data transfer works.
For an easy understanding the following Example is used.

Example:  Agent  IP: 10.0.0.1   Port: 2300
Service Manager (Agent) Port: 8871
CP1  IP: 10.0.1.1   Port: 2217
CP2   IP: 10.0.1.2   Port: 2218

 Automation Engine – Agent

The TCP/IP communication of an Automic Automation Engine System works in the following way: 
The Agent opens / initiates a TCP/IP connection to the Automation Engine / Communication Process (CP). The connection is never opened / initiated in the other direction.

Example:  The connection is initiated from the Agent to IP: 10.0.1.1; Port: 2217.
This address and port is specified with the "cp" parameter in the Agent's ini file.

Note: Using "telnet 10.0.1.1 2217" on the agent's computer is an easy way to figure out, if it works!

For load balancing on the CPs the Agent opens / initiates a TCP/IP connection to each CP of the System during its startup. A list of the CPs is stored in the Agent's ini file within the CP_LIST section. This section is always updated at the agent startup.
The connection to the CP which reports the lowest connection count will be kept, all outer connections to CPs are closed.

Example:  There is also a connection initiated from the Agent to IP: 10.0.1.2; Port: 2218.
This address and port is specified at the "cp_list" in the Agent's ini file.
One of the two connections will be closed during the startup and one will be kept open for bi-directional communication between Agent and Engine.

Therefore we recommend to specify all CP Ports on the firewall.
The local port of the Agent is not used for the communication, it's not necessary to consider it at the firewall configuration.

Example: There is no need to configure the Agent port 2300 at the firewall.

Exception using File Transfer:

In case of the File Transfer of the Automation Engine (MFT) the Agent port is used for the connections between the Agents! So this needs to be considered at the firewall configuration.
Some details on that can be found in the documentation "Inside UC4 Guide" – "File Transfer" - "FileTransfer Procedure".

Service Manager

The local port of the Service Manager is not used for the communication, it's not necessary to consider it at the firewall configuration.

Example: There is no need to configurator the Service Manager port 8871 at the firewall.

Exception using Service Manager Dialog or System Overview to access Service Manager:

In case of a Service Manger Dialog – which is not local at the same computer as the Agent – or the System Overview is used to access the Service Manger the Service Manager Port need to be considered at the firewall configuration.
The TCP/IP connection is always opened / initiated from the Service Manager Dialog to the Service Manager. Once its open data will be exchanged bi-directional.