This article describes that after enabling the FortiManager Cloud connector from the FortiGate, if a port scan is performed against the external interface (WAN) of the FortiGate, then the ports 541, 53, 80, and 443 show us as 'open' even though they are disabled at the interface level.
For a port scan that reveals ports 541, 53, 80, and 443 are open with respect to an external interface that has 'FMG-Access' enabled in the interface, but other administrative access disabled, the reasons why the said ports show open are as below:
FOR PORT 541:
Port 542 is utilized for IPv6 connection.
FOR PORT 53 (DNS):
FOR PORT 80 and 443: