Red Hat / CentOS uses firewalld to provide network firewall. firewalld has the concept of runtime vs. permanent rules, which help avoid getting the firewall into an unusable state. Permanent rules become live at next restart/reboot, while runtime rules disappear at restart/reboot.
Suppose one wishes to put the SSH server on a non-default port 12345 to mitigate auth log clutter. First configure the SSH server in /etc/ssh/sshd_config, then restart SSH and verify the SSH configuration is working by adding your port to firewalld (here, 12345):
If this works, make the firewalld rule permanent:
firewall-cmd --permanent --add-port=12345/tcp
SELinux will also need an updated policy to allow the SSH port change, like:
semanage port -a -t ssh_port_t -p tcp 12345