It would be expected that if only UDP 12222 were allowed outbound through the firewall, the AP would be able to form a CAPWAP client but would be unable reach the HiveManager to successfully push configuration updates. By default, a HiveAP will use UDP 12222 to establish CAPWAP and TCP 22 to form a secure connection to the HiveManager to push complete configuration updates. The HiveAP can fail over to use TCP 80 for CAPWAP and TCP 443 for configuration updates, but if a successful CAPWAP connection is formed over UDP 12222 the AP will continue to look to open an SCP connection over TCP 22. I have excerpted the following from our Help documentation for more detail; should you need more information on this subject I would recommend calling our ATAC team at (866) 365-9918 and someone on our Support team will be able to assist you further.
Services and Firewall Policies (from Help System):
It is likely that the policy set on most firewalls already permits outbound traffic on TCP port 80 for HTTP, but it is less likely that they permit outbound traffic on UDP port 12222 for CAPWAP. To avoid having to reconfigure the firewall, you can configure devices behind the firewall to communicate with HiveManager Online using HTTP on TCP port 80 instead of CAPWAP UDP port 12222. Furthermore, if outbound traffic must pass through an HTTP proxy server, you can configure devices to send CAPWAP over HTTP to the proxy server. Note that HiveManager Online uses HTTP only for monitoring devices and pushing delta config updates. When downloading files such as HiveOS image files, full configurations, captive web portal pages, and certificates from HiveManager Online to devices, devices use HTTPS. (With a physical HiveManager appliance, the devices use SSH for these file downloads.) In addition, for uploading packet captures to either HiveManager or HiveManager Online, devices use HTTPS. Therefore, if there is a firewall in front of the devices, it must allow the following types of outbound services:
To HiveManager: CAPWAP (UDP port 12222), SSH (TCP 22), and HTTPS (TCP 443)
To HiveManager Online: CAPWAP (UDP 12222), SSH (TCP 22), and HTTPS (TCP 443); or
HTTP (TCP 80) and HTTPS (TCP 443)