For his version of Bitdefender GravityZone, the management is in the cloud.
A “client” must be installed on the computers (WSs, servers, …).
The client is updated from the cloud. Also, the client communicates all the time with the Management Console in the cloud.
Usually, during installation of the client, the installer software automatically opens the local firewall ports for communication with the cloud. When the WS is connected directly to LTE, the client communicates with the cloud. So, it is not a WS issue.
Check the outbound path on NS (@pike also suggested that):
For testing only, create an “any to any” rule, from GREEN to RED to see if in this case everything is OK.
If yes, disable the rule and create another rule from GREEN to RED with ports 8443 and 7074 open, and check again.
Also, check the proxy path, as @mrmarkuz suggested. Do you use Proxy with SSL?
Do you have a router between NS and ISP? Maybe the issue is there.
You may also need a port forwarding rule (inbound traffic) on NS, from RED to GREEN, to open port 7074 for “Communication messages received from endpoints linked to Endpoint Security Relay”, if available.
Maybe it helps: