Splunk uses port 9997 between a UF/HF and indexer . Please refer here to have a comprehensive network port diagram
Is port 9997 the only port which must be opened on the firewall. Is the port TCP?
9997 to each indexer and 8089 to the deployment server, if used - all TCP.