Description
This article describes how to troubleshoot and identify if the port used by an application is already in use on the FortiGate.
The application is running on port 2000, but port 2000 is already being used on the FortiGate for SCCP, which causes the application to stop working.
Scope
FortiGate.
Solution
The internal application is running on port 2000, and traffic from the source towards the destination with destination port 2000 goes through the FortiGate. However, the FortiGate itself answers the connection instead of the application hosted on the server.
Here the client IP is 10.10.10.150 and the server where the application is hosted is 192.168.17.160. The ingress interface is 'wan1', where the client packet enters the FortiGate. The egress interface is 'port1', where the traffic should leave towards the server hosting the application on port 2000.
Note: It is straightforward traffic without any destination NAT involvement.
The client initiates the connection by sending the SYN packet. However, instead of forwarding it to the egress interface, FortiGate responds directly. This indicates that FortiGate is using port 2000 locally.
2025-02-05 11:42:36.246032 wan1 in 10.10.10.150.65431 -> 192.168.17.160.2000: syn 2805313764
To identify where the port is being used, check the configuration on the FortiGate. One way is to use 'grep':
show full | grep 2000
In this case, port 2000 is used for SCCP.
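The two checks above can be scripted. The following Python example is added here and is not part of the original article: it parses 'diagnose sniffer packet' lines in the format shown above, decides whether the client's SYN was forwarded out another interface or answered on the ingress interface (the symptom of a locally owned port), and walks a configuration dump to report which 'config' section references the port, which a plain 'grep' does not show. The capture lines and configuration snippet are constructed sample input; the first capture line is the one from the article, and the 'set sccp-port' line is assumed to be the setting under 'config system settings'.

```python
import re

# One FortiGate sniffer line, e.g.
# 2025-02-05 11:42:36.246032 wan1 in 10.10.10.150.65431 -> 192.168.17.160.2000: syn 2805313764
SNIFFER_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) (?P<src>[\d.]+)\.(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")

def parse_sniffer(text):
    """Yield one dict per sniffer line; flags are the alphabetic words after the colon."""
    for line in text.splitlines():
        m = SNIFFER_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["flags"] = {w for w in pkt.pop("rest").split() if w.isalpha()}
            yield pkt

def classify_syn(text, client_ip, server_ip, dport):
    """'forwarded' = SYN left via another interface; 'answered_locally' = SYN/ACK came
    back out of the ingress interface, so the FortiGate itself owns the port."""
    syn_in = None
    for p in parse_sniffer(text):
        is_syn = "syn" in p["flags"] and "ack" not in p["flags"]
        c2s = p["src"] == client_ip and p["dst"] == server_ip and p["dport"] == str(dport)
        if p["dir"] == "in" and c2s and is_syn:
            syn_in = p
        elif syn_in and p["dir"] == "out" and c2s and is_syn and p["iface"] != syn_in["iface"]:
            return "forwarded"
        elif (syn_in and p["dir"] == "out" and p["iface"] == syn_in["iface"] and p["src"] == server_ip
              and p["sport"] == str(dport) and p["dst"] == client_ip and {"syn", "ack"} <= p["flags"]):
            return "answered_locally"
    return "no_response" if syn_in else "no_syn"

def find_port_in_config(config_text, port):
    """Return (section path, line) for every 'set ... <port>' line in a 'show full' dump."""
    hits, stack = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line)
        elif line == "end" and stack:
            stack.pop()
        elif re.fullmatch(rf"set \S+ {port}", line):
            hits.append((" > ".join(stack), line))
    return hits

# Constructed captures: the first reproduces the article's symptom, the second a healthy forward.
LOCAL_REPLY = """2025-02-05 11:42:36.246032 wan1 in 10.10.10.150.65431 -> 192.168.17.160.2000: syn 2805313764
2025-02-05 11:42:36.246101 wan1 out 192.168.17.160.2000 -> 10.10.10.150.65431: syn 1870243314 ack 2805313765"""
FORWARDED = """2025-02-05 11:50:01.000100 wan1 in 10.10.10.150.65432 -> 192.168.17.160.2000: syn 1111
2025-02-05 11:50:01.000150 port1 out 10.10.10.150.65432 -> 192.168.17.160.2000: syn 1111"""
SAMPLE_CONFIG = "config system settings\n    set sccp-port 2000\n    set sip-tcp-port 5060\nend\n"

if __name__ == "__main__":
    print(classify_syn(LOCAL_REPLY, "10.10.10.150", "192.168.17.160", 2000))  # answered_locally
    print(find_port_in_config(SAMPLE_CONFIG, 2000))
```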
To resolve the issue, change the application port on the server or modify the local port on FortiGate.
config system settings