In most cases, there is no need to allow any ports through the firewall. However, if you have a firewall that is restricting outbound traffic, you'll need to allow the following ports outbound to your controller IP address:
UDP 3478 Port used for STUN.
TCP 8080 Port used for device and controller communication.
TCP 8443 Port used for controller GUI/API as seen in a web browser.
TCP 8880 Port used for HTTP portal redirection. TCP 8843 Port used for HTTPS portal redirection.
TCP 6789 Port used for UniFi mobile speed test.