Chapter 10 Install and System Administration for FortiOS 5.0 : FortiGuard : Troubleshooting : Port assignment
  
Port assignment
FortiGate units contact the FortiGuard Distribution Network (FDN) for the latest list of FDN servers by sending UDP packets with typical source ports of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets have a destination port of 1027 or 1031.
If your ISP blocks UDP packets in this port range, the FortiGate unit cannot receive the FDN reply packets. As a result, the FortiGate unit will not receive the complete FDN server list.
If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate unit to use higher-numbered ports, using the CLI command…
config system global
set ip-src-port-range <start port>-<end port>
end
…where <start port> and <end port> are numbers ranging from 1024 to 25000.
For example, to configure the FortiGate unit to use no source ports lower than 2048 or higher than 20000:
config system global
set ip-src-port-range 2048-20000
end
Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best range to use.
Push updates might be unavailable if:
there is a NAT device installed between the unit and the FDN
your unit connects to the Internet using a proxy server.
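The trial-and-error selection of a source port range can be driven from a packet capture summary taken on the upstream interface. The following Python script is an added example, not Fortinet code: the record format, the sample data and the function names are constructed for illustration, and it assumes the ISP blocks only a lower band of UDP ports, as in the scenario above.

```python
# Added example: constructed data and hypothetical helper names.
FDN_DST_PORTS = {53, 8888}          # FDN destination ports named on this page
PORT_MIN, PORT_MAX = 1024, 25000    # valid bounds for ip-src-port-range

# Constructed capture summary: (direction, source port, destination port).
# "out" = FortiGate query to the FDN, "in" = FDN reply reaching the FortiGate.
SAMPLE = [
    ("out", 1027, 8888), ("out", 1031, 53),
    ("out", 1500, 8888), ("out", 2047, 8888),
    ("out", 2048, 8888), ("in", 8888, 2048),
    ("out", 4096, 53), ("in", 53, 4096),
    ("out", 20000, 8888), ("in", 8888, 20000),
]

def classify(records):
    """Return (answered, unanswered) sets of FortiGate source ports."""
    queried, answered = set(), set()
    for direction, sport, dport in records:
        if direction == "out" and dport in FDN_DST_PORTS:
            queried.add(sport)
        elif direction == "in" and sport in FDN_DST_PORTS:
            answered.add(dport)
    answered &= queried  # ignore replies to ports that were never queried from
    return answered, queried - answered

def suggest_range(records):
    """Span of answered ports lying above every unanswered port, or None."""
    answered, unanswered = classify(records)
    floor = max(unanswered, default=PORT_MIN - 1)
    usable = sorted(p for p in answered if p > floor)
    if not usable:
        return None
    start, end = max(usable[0], PORT_MIN), min(usable[-1], PORT_MAX)
    return (start, end) if start <= end else None

def render(port_range):
    """Format the range as the CLI stanza shown on this page."""
    start, end = port_range
    return f"config system global\nset ip-src-port-range {start}-{end}\nend"

if __name__ == "__main__":
    rng = suggest_range(SAMPLE)
    print(render(rng) if rng else "no source port received an FDN reply")
```

The suggested range is bounded by the ports that were actually sampled; ports between samples are untested and may still be filtered.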