darisandy
Staff
Article Id 387408
Description This article describes an issue that occurs when internal web traffic uses port 8008.
Scope FortiGate.
Solution

There may be cases where the user's internal web server is using port 8008.

Accessing the server from the same subnet works.

However, traffic from a different subnet that passes through FortiGate does not work.

This happens because port 8008 is already used by FortiGate for the WebFilter FortiGuard override.

 

config webfilter fortiguard
    set cache-mode ttl
    set cache-prefix-match enable
    set cache-mem-permille 1
    set ovrd-auth-port-http 8008 <----
    set ovrd-auth-port-https 8010
    set ovrd-auth-port-https-flow 8015
    set ovrd-auth-port-warning 8020
    set ovrd-auth-https enable
    set warn-auth-https enable
    set close-ports disable
    set request-packet-size-limit 0
    set embed-image enable
end

 

To solve this, change the default port to one that is not in use, for example 8040:

config webfilter fortiguard
    set ovrd-auth-port-http 8040
end

 

'ovrd-auth-port-http' is the setting in FortiGate's web filter configuration that defines the port used for HTTP override authentication.

When a user tries to access a blocked website, this port handles the login page where they can authenticate to bypass the filter. Changing the port can help with custom network setups or avoid conflicts with other services.
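
The following Python script is an added example, not part of the original article or a Fortinet tool. It parses the 'config webfilter fortiguard' output and reports internal service ports that match an override authentication port. It goes beyond the article's single case by also checking the other 'ovrd-auth-port-*' values, on the assumption that they can collide in the same way; the service inventory and function names are hypothetical.

```python
import re

# Constructed sample: part of the block shown in this article, arrow included.
SAMPLE_CONFIG = """\
config webfilter fortiguard
    set ovrd-auth-port-http 8008 <----
    set ovrd-auth-port-https 8010
    set ovrd-auth-port-https-flow 8015
    set ovrd-auth-port-warning 8020
end
"""

# Hypothetical inventory of internal services reached through the FortiGate.
SAMPLE_SERVICES = {"intranet-web": 8008, "build-server": 8080, "wiki": 8020}

# Matches "set ovrd-auth-port-<name> <port>", tolerating trailing annotations.
PORT_SETTING = re.compile(r"^\s*set\s+(ovrd-auth-port-[\w-]+)\s+(\d+)\b")

def parse_override_ports(config_text):
    """Return {setting: port} for each ovrd-auth-port-* line found inside
    the 'config webfilter fortiguard' block; other blocks are ignored."""
    ports, in_block = {}, False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "config webfilter fortiguard":
            in_block = True
        elif stripped == "end":
            in_block = False
        elif in_block:
            m = PORT_SETTING.match(line)
            if m:
                ports[m.group(1)] = int(m.group(2))
    return ports

def find_conflicts(config_text, services):
    """Return sorted (service, port, setting) tuples where a service port
    equals one of the override authentication ports."""
    by_port = {p: name for name, p in parse_override_ports(config_text).items()}
    return sorted((svc, port, by_port[port])
                  for svc, port in services.items() if port in by_port)

def pick_free_port(config_text, services, candidates):
    """Return the first candidate used by neither FortiGate nor a service."""
    taken = set(parse_override_ports(config_text).values()) | set(services.values())
    return next((p for p in candidates if p not in taken), None)

if __name__ == "__main__":
    for svc, port, setting in find_conflicts(SAMPLE_CONFIG, SAMPLE_SERVICES):
        print(f"{svc}: port {port} collides with '{setting}'")
```

Paste the output of 'show full-configuration webfilter fortiguard' in place of SAMPLE_CONFIG and list the real service ports to run the same check before moving either side to a new port.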