This article suggests the remote probe uses TCP/23560 only. https://kb.paessler.com/en/topic/61462-which-ports-does-prtg-use-on-my-system
However, this discussion suggests the remote probe will communicate on a dynamic high port: https://kb.paessler.com/en/topic/69754-remote-probe-connection
I have read other discussions which suggest the probe-to-core connection is both ways. So the first KB article appears to be incorrect? Or at least not explaining the requirements fully?
Assuming I have a core server on my corporate LAN, and a remote probe on a public internet IP, I would need the following rule on the corporate firewall:
Allow, inbound, from probe_public_ip, from any port (then NAT to TCP/23560)
...And a similar rule on my remote probe...
Allow, inbound, from corporate_WAN_IP, from any port, to TCP/2350
This all seems a bit open to me. Is there any way to lock it down further?