You shouldn’t need any port configuration.
Unless you are operating a service e.g. your own web site, or some particular games, you will not need
port forwarding or port triggering.
Your router will generally block incoming traffic (to the controller) if it has not already “called outbound”.
However, outbound traffic initiated (by the controller) will allow a “return channel” for communication.
It should just work if your are configured as a typical home network,
i.e. not blocking outbound traffic at the router the way a corporate network might.
Easiest network security is with controller operating with a (1) Guest Network using (2) Wireless Isolation
(by whatever name your router mfg calls them).
(During setup your phone must be on the Guest Network. You can ‘Forget’ it after configuration.)
Then the controller is not in contact with your other home network devices e.g. PCs,
but able to contact the Rachio servers in the cloud as necessary.
Use a password manager to generate a strong password, or use a suitably long pass phrase.
(For the router too. And disallow router admin access from the WAN side.)
(Not sure what the character limits are for Rachio devices off the top of my head.)
No guarantees but these precautions make it highly unlikely you will be part of the next big DoS attack.