It is sometimes necessary to sniffer traffic of entire network range on FortiGate.
It is maybe necessary to add multiple ports in OR expression or negate a specific host.

Note.

It is catching hosts of the whole network range 10.56.240.0/22 and icmp or port 80 or 443 for the network range.

Fortigate # diagnose sniffer packet any 'net 10.56.240.0/22 and (icmp or port (80 or 443))' 4 20
Using Original Sniffing Mode
interfaces=[any]
filters=[net 10.56.240.0/22 and (icmp or port (80 or 443))]
1.227035 port1 in 192.168.91.15.55366 -> 10.56.241.63.80: ack 1236888472
1.227066 port1 in 192.168.91.15.55381 -> 10.56.241.63.80: ack 1356479631
1.228958 port1 out 10.56.241.63.80 -> 192.168.91.15.55382: fin 2291724501 ack 378001807
1.229323 port1 in 192.168.91.15.55382 -> 10.56.241.63.80: ack 2291724502
1.491197 port1 in 192.168.91.15.55406 -> 10.56.241.63.443: syn 4174361748
1.585394 port1 in 192.168.91.15 -> 10.56.241.63: icmp: echo request
1.585444 port1 out 10.56.241.63 -> 192.168.91.15: icmp: echo reply
1.773576 port1 out 10.56.241.63.80 -> 192.168.91.15.54441: psh 937313369 ack 1795059008
1.773822 port1 out 10.56.241.63.80 -> 192.168.91.15.54441: psh 937313462 ack 1795059008
1.773992 port1 out 10.56.241.63.80 -> 192.168.91.15.54441: psh 937313539 ack 1795059008
1.774094 port1 in 192.168.91.15.54441 -> 10.56.241.63.80: ack 937313539

Note.

In below example, it is catching hosts of the whole network range 10.56.240.0/22 and denying a specific host.

Fortigate# diagnose sniffer packet any 'net 10.56.240.0/22 and not host 192.168.91.15 and (icmp or port (80 or 443))' 4 20
Using Original Sniffing Mode
interfaces=[any]
filters=[net 10.56.240.0/22 and not host 192.168.91.15 and (icmp or port (80 or 443))]

29.548648 port1 in 10.56.240.113 -> 10.56.241.63: icmp: echo request
29.548722 port1 out 10.56.241.63 -> 10.56.240.113: icmp: echo reply