Hi Mark, this is a weak KB article, but probably will give some insight.
(found with query "ports" - 4th result)
The ZD was not designed as a cloud service and so you'll find it a bit limited in terms of flexibility in ports/protocols.
But from your description above it sounds like you are just using SSH or the web UI from the remote site? In that case, you have a well-known port (< 1024) going in, but TCP uses a random high port (with the established bit set) coming back, so you can't block those, but they should be outbound (and thus not much of a security concern anyway...). You can, however, filter on whether the established bit is set (for TCP at least...).
You don't really want well-known ports in both directions - that would be a security concern.
The best practice model would be to tunnel all AP/ZD traffic inside a VPN tunnel provided by another device.
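As an added illustration of the "established bit" filtering the reply describes (example code written for this page, not something the poster or Ruckus supplies), the block below models a two-direction stateless packet filter at the ZD site's border. It assumes the management ports are SSH (22) and the web UI (443); the packet trace is constructed, not captured.

```python
from dataclasses import dataclass

# TCP flag bits, low byte of the flags field (RFC 9293 layout).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Assumed management ports the remote site may open toward the ZD:
# SSH and the web UI. Adjust to the real deployment.
MGMT_PORTS = {22, 443}


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = remote site -> ZD site, "out" = ZD site -> remote site
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_port: int
    flags: int = 0   # TCP flags byte; ignored for UDP


def is_established(flags: int) -> bool:
    """The classic stateless ACL 'established' test: ACK or RST set.
    A bare SYN (a new connection attempt) fails this check."""
    return bool(flags & (ACK | RST))


def evaluate(pkt: Packet) -> str:
    """Return 'permit' or 'deny' for one packet under the border policy."""
    if pkt.proto != "tcp":
        # UDP carries no handshake flags to key on; nothing here is permitted.
        return "deny"
    if pkt.direction == "in":
        # New or ongoing sessions are allowed only toward the management ports.
        return "permit" if pkt.dst_port in MGMT_PORTS else "deny"
    if pkt.direction == "out":
        # Replies leave from a management port toward the remote side's random
        # high port and always carry ACK. An outbound SYN-only packet would be
        # the ZD side opening a new connection, which this policy refuses.
        if pkt.src_port in MGMT_PORTS and is_established(pkt.flags):
            return "permit"
        return "deny"
    return "deny"


def filter_trace(packets):
    """Evaluate a list of packets, returning (packet, verdict) pairs."""
    return [(p, evaluate(p)) for p in packets]


# Constructed sample trace: one SSH session from the remote site, plus three
# packets the filter should refuse.
SAMPLE_TRACE = [
    Packet("in",  "tcp", 51234, 22, SYN),        # remote opens SSH
    Packet("out", "tcp", 22, 51234, SYN | ACK),  # ZD answers the handshake
    Packet("in",  "tcp", 51234, 22, ACK),        # handshake completes
    Packet("out", "tcp", 22, 51234, PSH | ACK),  # data back to the high port
    Packet("out", "tcp", 44321, 23, SYN),        # ZD side opening telnet outbound
    Packet("in",  "tcp", 40000, 8080, SYN),      # inbound to a non-management port
    Packet("in",  "udp", 12345, 161),            # SNMP probe: no TCP flags to check
]


def summarize(packets=SAMPLE_TRACE):
    """Count permitted and denied packets in a trace: returns (permitted, denied)."""
    results = filter_trace(packets)
    permitted = sum(1 for _, verdict in results if verdict == "permit")
    return permitted, len(results) - permitted


if __name__ == "__main__":
    for pkt, verdict in filter_trace(SAMPLE_TRACE):
        print(f"{verdict:6} {pkt.direction:3} {pkt.proto} "
              f"{pkt.src_port}->{pkt.dst_port} flags=0x{pkt.flags:02x}")
    print("permitted/denied:", summarize())
```

The check is stateless: any outbound packet from port 22 or 443 with ACK set passes, regardless of whether a matching inbound session exists. That is exactly the limitation that makes the reply's final recommendation, carrying AP/ZD traffic inside a VPN tunnel from a device that tracks connection state, the stronger option.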