If you login to a CR you can see connections incoming to the CR agent. This should by default only be allowed to/from other CRs and management any not require custom firewall rules after configuration.

agent: 2024/02/05 16:17:00 http: TLS handshake error from xx.xx.xx.xx:59618: read tcp xx.xx.xx.xx8080->xx.xx.xx.xx:59618: read: connection reset by peer