The ZD was not designed as a cloud service and so you'll find it a bit limited in terms of flexibility in ports/protocols.
But from your description above it sounds like you are just using SSH or web UI from the remote site? In that case, you have a well-known port (< 1024) going in, but TCP uses a random high port (with the established bit set) coming back - so you can't block those, but they should be outbound (and thus not much of a security concern anyway...). You can filter on whether the established bit is set however (for TCP at least..)
You don't really want well-known ports in both directions - that would be a security concern.
The best practice model would be to tunnel all AP/ZD traffic inside a VPN tunnel provided by another device.
Yes that is exactly it - I am remote from site and logging into web UI from far away. I blocked all outgoing ports above 10000 TCP and UDP. This service is running in a hotel - not a corporate office, so no real need to support every little obscure service. What I found was that every time I opened port range 49152 - 65535 things worked again. So I concluded the ZD was using high range ports - just not sure why it was doing that.
So what you say above makes perfect sense. Can't tunnel traffic in a VPN as we go over satellite for the WAN link - too much of a performance hit unless we get into expensive WAN accelerators on both ends of the link.
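As an added example (not from either poster, and not Ruckus code), the following Python script simulates the interaction described in this thread: an admin on the WAN side opens the ZD web UI on 443, the ZD answers to the admin's random ephemeral port, and an outbound rule that drops everything above port 10000 kills that reply. It compares four outbound policies: the plain high-port block, the workaround of opening 49152-65535, the "established bit" (ACK flag) test from the reply, and a small connection tracker that only lets replies to known inbound sessions bypass the port limit. All addresses, ports and packets are constructed, and the allowed services (22 and 443) are an assumption.

```python
"""Added example: simulate how the outbound filter in the follow-up post
interacts with the return half of a TCP session to the ZoneDirector.
Addresses, ports and packets below are constructed, not captured."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # SYN without ACK: a new connection attempt
    ack: bool = False  # ACK set: belongs to a session that already exists


# Constructed addresses (RFC 5737 documentation ranges and a private LAN).
ADMIN_IP = "203.0.113.10"     # remote admin on the WAN side
ZD_IP = "192.168.1.2"         # ZoneDirector on the hotel LAN (assumed)
ADMIN_EPHEMERAL = 52345       # random high port picked by the admin's OS
ALLOWED_SERVICES = {22, 443}  # assumed: SSH and HTTPS web UI only
MAX_OUTBOUND_PORT = 10000     # the limit from the follow-up post

# The admin opens the web UI; the ZD answers on the admin's ephemeral port.
INBOUND_SYN = Packet(ADMIN_IP, ADMIN_EPHEMERAL, ZD_IP, 443, syn=True)
OUTBOUND_SYNACK = Packet(ZD_IP, 443, ADMIN_IP, ADMIN_EPHEMERAL, syn=True, ack=True)
OUTBOUND_DATA = Packet(ZD_IP, 443, ADMIN_IP, ADMIN_EPHEMERAL, ack=True)
# Unsolicited new connections from the LAN to high ports (should stay blocked).
OUTBOUND_NEW_MID = Packet(ZD_IP, 40000, "198.51.100.5", 12345, syn=True)
OUTBOUND_NEW_EPHEMERAL = Packet(ZD_IP, 40001, "198.51.100.5", 60000, syn=True)


def stateless_block(pkt):
    """Rule from the follow-up: drop any outbound packet to a port above 10000,
    even when it is the reply half of a session that came in on 443."""
    return pkt.dst_port <= MAX_OUTBOUND_PORT


def stateless_open_ephemeral(pkt):
    """The workaround from the follow-up: additionally open 49152-65535.
    Replies work again, but so does any new connection into that range."""
    return pkt.dst_port <= MAX_OUTBOUND_PORT or 49152 <= pkt.dst_port <= 65535


def established_flag(pkt):
    """The 'established bit' test from the reply: outbound high ports are
    allowed only when ACK is set, so a bare SYN to a high port is still dropped."""
    return pkt.dst_port <= MAX_OUTBOUND_PORT or pkt.ack


class ConnTracker:
    """Stateful variant: remember inbound sessions to the allowed services and
    let only their reverse-direction packets bypass the outbound port limit."""

    def __init__(self):
        self.sessions = set()

    def inbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.syn and not pkt.ack and pkt.dst_port in ALLOWED_SERVICES:
            self.sessions.add(key)
            return True
        return key in self.sessions

    def outbound(self, pkt):
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.sessions:
            return True
        return pkt.dst_port <= MAX_OUTBOUND_PORT


def run_scenario():
    """Return, per policy, which outbound packets get through (True = pass)."""
    tracker = ConnTracker()
    tracker.inbound(INBOUND_SYN)  # session is recorded before any reply leaves
    policies = {
        "stateless_block": stateless_block,
        "stateless_open_ephemeral": stateless_open_ephemeral,
        "established_flag": established_flag,
        "conntrack": tracker.outbound,
    }
    packets = {
        "synack_reply": OUTBOUND_SYNACK,
        "data_reply": OUTBOUND_DATA,
        "new_conn_12345": OUTBOUND_NEW_MID,
        "new_conn_60000": OUTBOUND_NEW_EPHEMERAL,
    }
    return {name: {p: bool(pol(pkt)) for p, pkt in packets.items()}
            for name, pol in policies.items()}


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:26s}", {k: ("pass" if v else "DROP") for k, v in verdicts.items()})
```

Running it shows the symptom from the follow-up (the plain block drops both reply packets), why opening 49152-65535 made things work (but also passes a brand-new outbound connection to port 60000), and that either the ACK-flag test or real connection tracking lets the replies through while still dropping unsolicited connections to high ports. The connection tracker is the stricter of the two, since it only trusts replies to sessions it saw arrive on an allowed service port.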