The security scan does not look at what is actively listening or being connected to, but rather at what can potentially be connected to. This means that the firewall should be set to block things like MS RPC and such. What we do is have a listening server that listens and connects to all protocol ports. The data collector will attempt to connect to our listener. If it can connect, then the firewall is not filtering that particular protocol.
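The collector-side check described above, as an added example in Python (not the scanner's own code): `start_listener`, `probe` and `egress_report` are hypothetical names, and a loopback listener on an ephemeral port is a constructed stand-in for the external listening server. It assumes plain TCP and separates a silent drop from an active reset, since both mean the port did not get out.

```python
import socket
import threading

def start_listener(host="127.0.0.1"):
    """Constructed stand-in for the external listener: accept on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener socket was closed
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def probe(host, port, timeout=2.0):
    """Classify one outbound TCP attempt made from the data collector's side."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "allowed"        # handshake completed: egress on this port is not filtered
    except socket.timeout:
        return "filtered-drop"  # no answer at all: something dropped the packets
    except ConnectionRefusedError:
        return "rejected"       # reset received: a filter rejected it, or nothing listens there
    except OSError:
        return "error"          # e.g. no route to host
    finally:
        s.close()

def egress_report(host, ports, timeout=2.0):
    """Map each tested port to its classification."""
    return {port: probe(host, port, timeout) for port in ports}

if __name__ == "__main__":
    listener, open_port = start_listener()
    for port, verdict in egress_report("127.0.0.1", [open_port]).items():
        print(f"tcp/{port}: {verdict}")
    listener.close()
```

Any port reported as `allowed` is one the firewall lets the collector reach, whether or not a service normally uses it.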