if the agent is operating in Passive mode (default) then you need to open/forward ports to it on the client side firewall, and you would protect those firewall/PAT entries with an ACL limited to just your public IP. in the Zabbix Agent config you would also set it to only accept your central static IP.
If the agent is operating in Active mode, then on the client firewall side it only needs to allow outbound connections (default for most situations on most firewalls) and on your server side you would open/forward the port to your zabbix server, but the ACL on this would be all of your client’s static IPs - but this only works if you can rely on all of your clients having a static IP. If you have any clients with dynamic IPs, then I recommend a VPN tunnel created from the client network to yours.