It has been awhile since I created a custom service to use in a firewall policy on a Fortinet firewall and I was having trouble. I was thinking of the service as a NAT rule where you map the port one to one such as wanting to allow SSH you would have the firewall NAT through port 22 for each the incoming and outgoing. The FortiOS is more granular than that and allows you to specify the source port of the client instead of the port that is hitting the firewall. The source port is instead the source port of the client so it could be anything from port 1024 to port 655535. Visit Fortinet knowledge center for a step by step of how to create the custom service and assign it to a policy.