Hello,
The netstat command you issued would show the following header in its output (this helps identify the fields):
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name Timer
For the entries that you highlighted in bold, the only unexpected one is the first:
tcp 0 0 11.17.58.93:58103 11.13.88.88:63358 ESTABLISHED 0 187864 18250/klzagent keepalive (1859.39/0/0)
which as you can see says 18250/klzagent for the pid/program name, so this is not due to Elasticsearch but due to an agent process with the name klzagent (probably Tivoli).
The various ephemeral ports you've highlighted are related to inter-node communication or due to Java clients; in either case related to the transport module.
Sometimes the particular node (11.17.58.93) needs to connect to another Elasticsearch node and thus connects to a target IP port 9300; to do this it needs to use a local port which is picked from the ephemeral port range. This is very normal in TCP/IP, see also here. You would see a similar situation on your workstation when your browser connects to some web page over http e.g. to port 80. From a firewall PoV, you'd handle it the same way as a managed laptop; allow all outgoing connections to port 9300 and for increased security restrict the allowable destination ports to all node IPs of Elasticsearch. Be careful with the latter as you'll likely forget to add new IPs to the rule if you scale Elasticsearch to more nodes.
For other highlighted items where the local address shows an 11.17.58.93:9300 and foreign is <node_ip>:<ephemeral_port>, this is the reverse of the above i.e. this particular node is "the server" and receiving transport connections from other ports. To paraphrase my example above, in this case, the web server is this node. From a firewall PoV you'd allow all incoming connections to ports 9300 from any source IP addresses in the list of Elasticsearch node IP addresses.
Additionally, if you have client applications in Java using the Transport Client -- deprecated in 7.0.0 -- you'll need to whitelist those IP addresses as well, as they also connect to port 9300.
Finally Elasticsearch will pick a port to bind for Transport from a range specified in transport.port; take a look at https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-transport.html for more details.
Dimitris
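
The reading of the netstat output described in the reply above can be automated when auditing a node before writing firewall rules. The following is an added example, not part of the original post: the function names are hypothetical, and every sample line except the klzagent one (including the `java` program name and the peer addresses 11.17.58.94 and 11.17.58.95) is constructed.

```python
TRANSPORT_PORT = "9300"  # transport port named in the post

# Constructed sample in the netstat column order quoted in the post;
# only the klzagent line is taken from the post itself.
SAMPLE = """\
tcp 0 0 11.17.58.93:58103 11.13.88.88:63358 ESTABLISHED 0 187864 18250/klzagent keepalive (1859.39/0/0)
tcp 0 0 11.17.58.93:41522 11.17.58.94:9300 ESTABLISHED 498 201133 2211/java keepalive (7100.12/0/0)
tcp 0 0 11.17.58.93:9300 11.17.58.95:50412 ESTABLISHED 498 201140 2211/java keepalive (7099.80/0/0)
tcp 0 0 0.0.0.0:9300 0.0.0.0:* LISTEN 498 200871 2211/java off (0.00/0/0)
"""


def classify(line, port=TRANSPORT_PORT):
    """Return (kind, peer_ip, program) for one TCP line, or None if unparsable."""
    f = line.split()
    if len(f) < 9 or not f[0].startswith("tcp"):
        return None  # header, non-TCP, or truncated line
    (_, _, l_port), (r_ip, _, r_port) = f[3].rpartition(":"), f[4].rpartition(":")
    program = f[8].partition("/")[2] or f[8]  # "-" when netstat lacks privileges
    if f[5] == "LISTEN":
        kind = "listener" if l_port == port else "other"
    elif r_port == port:
        kind = "outbound"  # this node is the client; its local port is ephemeral
    elif l_port == port:
        kind = "inbound"   # this node is the server; the peer port is ephemeral
    else:
        kind = "other"     # not transport traffic, e.g. the klzagent entry
    return kind, r_ip, program


def summarize(text, port=TRANSPORT_PORT):
    """Group peer IPs by direction and list programs owning non-transport sockets."""
    out = {"outbound": set(), "inbound": set(), "other_programs": set()}
    for line in text.splitlines():
        result = classify(line, port)
        if result is None:
            continue
        kind, peer, program = result
        if kind in ("outbound", "inbound"):
            out[kind].add(peer)
        elif kind == "other":
            out["other_programs"].add(program)
    return {key: sorted(values) for key, values in out.items()}


if __name__ == "__main__":
    for key, values in summarize(SAMPLE).items():
        print(f"{key}: {', '.join(values) or '-'}")
```

The `outbound` and `inbound` lists are the peer addresses to compare against the node IP list in the firewall rules; anything under `other_programs` is a socket owned by a process outside the transport module.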