If you use Smart-1 Cloud for management, the only thing you'd need to open up is HTTPS.
This uses an HTTPS tunnel for the various needed ports.
Unfortunately, this is not available for on-premise management at present.
The main ports needed from the gateways to the management are (at a minimum):
- TCP 257 (Logging)
- TCP 18264 (ICA Services)
- TCP 18191 (SIC, Policy Installation)
- TCP 18210 (Pull certificates from the ICA)
From management to gateways, you need at minimum:
- TCP 256 (Policy Install)
- TCP 18208 (CPRID)
There may be others if you use SAM rules (TCP 18183), use SmartView Monitor (TCP 18202), or have other management infrastructure.
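
An added example, not part of the original post: it audits a set of TCP allow rules between gateways and management against the port lists above, reporting required ports that are not opened and rules that open more than the listed ports. The direction names, the rule format and the sample rules are assumptions made for this example.

```python
# Added example: audit TCP allow rules against the port lists in the post above.
# Direction keys and the (direction, port_spec) rule format are assumptions.
REQUIRED = {
    "gw_to_mgmt": {257: "Logging", 18264: "ICA Services",
                   18191: "SIC, Policy Installation",
                   18210: "Pull certificates from the ICA"},
    "mgmt_to_gw": {256: "Policy Install", 18208: "CPRID"},
}
# Feature-dependent ports; the post gives no direction for these.
OPTIONAL = {18183: "SAM rules", 18202: "SmartView Monitor"}

def parse_ports(spec):
    """Return (low, high) for '257', '18190-18265' or 'any'."""
    if spec == "any":
        return 1, 65535
    low, _, high = spec.partition("-")
    return int(low), int(high or low)

def audit(rules):
    """Check (direction, port_spec) TCP allow rules for gaps and excess."""
    report = {"missing": [], "optional": [], "excess": []}
    covered = {d: set() for d in REQUIRED}
    for direction, spec in rules:
        low, high = parse_ports(spec)
        needed = {p for p in REQUIRED[direction] if low <= p <= high}
        optional = sorted(p for p in OPTIONAL if low <= p <= high)
        covered[direction] |= needed
        report["optional"] += [(direction, p) for p in optional]
        # Ports the rule opens that the post does not list at all.
        surplus = (high - low + 1) - len(needed) - len(optional)
        if surplus:
            report["excess"].append((direction, spec, surplus))
    for direction, ports in REQUIRED.items():
        report["missing"] += [(direction, p, name)
                              for p, name in sorted(ports.items())
                              if p not in covered[direction]]
    return report

# Constructed sample rule set, not taken from any real policy.
SAMPLE = [("gw_to_mgmt", "257"), ("gw_to_mgmt", "18190-18265"),
          ("mgmt_to_gw", "256"), ("mgmt_to_gw", "18183")]

if __name__ == "__main__":
    for kind, items in audit(SAMPLE).items():
        print(kind, items)
```

On the sample, the report shows TCP 18208 (CPRID) missing from management to gateways and the 18190-18265 range opening 72 ports beyond those listed.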