What firewall ports does Sendense need?
One outbound port from each SNA covers normal operation. Only direct site-to-site replication needs more.
The Short Answer
Each SNA needs a single always-on outbound encrypted connection to SHA, using one outbound TCP port (443 by default). No inbound firewall rules are required at the site for normal operation.
That one connection carries enrollment, control, health heartbeats, backup data, and hub-routed replication traffic.
The One Exception
Direct site-to-site replication (the Direct P2P route policy, or Automatic when the direct path is reachable) additionally requires that the source SNA can reach the target SNA across your site-to-site network on the replication ports Sendense assigns to that appliance. If you only use the Via SHA route, nothing extra is needed.
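One way to check a site's allow rules against the requirements above, as an added example that is not Sendense code or tooling. The rule model, function names, addresses and replication ports are all constructed for illustration; TCP for the replication ports is an assumption, so substitute the ports Sendense assigns to your appliance.

```python
from typing import NamedTuple

class Flow(NamedTuple):          # one firewall allow rule (hypothetical model)
    src: str
    dst: str
    proto: str
    port: int

def expected_flows(sna, sha, sha_port=443, route="Via SHA",
                   target_sna=None, repl_ports=()):
    """Flows an SNA needs under the given route policy, per the text above."""
    flows = {Flow(sna, sha, "tcp", sha_port)}   # the single always-on connection
    if route == "Direct P2P":                   # the one exception
        flows |= {Flow(sna, target_sna, proto, port) for proto, port in repl_ports}
    return flows

def audit(allowed, expected, sna):
    """Compare allow rules that touch `sna` with the expected flows."""
    findings = [("MISSING", f) for f in sorted(expected - allowed)]
    for f in sorted(allowed - expected):
        if f.dst == sna:        # inbound to the SNA: not required for normal operation
            findings.append(("NOT_REQUIRED_INBOUND", f))
        elif f.src == sna:      # outbound beyond what the route policy needs
            findings.append(("NOT_REQUIRED_OUTBOUND", f))
    return findings

# Constructed sample data (documentation address ranges, placeholder ports).
SNA, SHA, TARGET = "192.0.2.10", "203.0.113.5", "198.51.100.20"
REPL_PORTS = [("tcp", 50000), ("tcp", 50001)]   # placeholders, not real assignments
SITE_RULES = {
    Flow(SNA, SHA, "tcp", 443),
    Flow("0.0.0.0/0", SNA, "tcp", 22),          # leftover inbound rule
    Flow(SNA, TARGET, "tcp", 50000),            # only one of two replication ports
}

if __name__ == "__main__":
    for route in ("Via SHA", "Direct P2P"):
        want = expected_flows(SNA, SHA, route=route,
                              target_sna=TARGET, repl_ports=REPL_PORTS)
        print(route)
        for kind, f in audit(SITE_RULES, want, SNA):
            print(f"  {kind:22} {f.src} -> {f.dst} {f.proto}/{f.port}")
```

Run it once per route policy you use: the same rule set passes or fails differently under Via SHA and Direct P2P.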
Controller traffic stays local
Replication traffic between the target SNA and Sendense Controllers stays inside the recovery site. It never needs a firewall rule between sites.