the port 1000 is the HTTP port on FGT, the port 1003 is the HTTPS variant, as indicated by the previous poster.
On FAC, inside the portal settings, top right, you will see an excellent explanation of the complete captive portal flow. The flow roughly is (ignoring TLS):
1) DNS request for IP of some external page
2) HTTP connect to that IP
3) FGT blocks the request, replies with a 302/303 redirect that contains https://fac.xxzxzxzxx.YY/portal
4) DNS request for IP of fac.xxzyzyzyy.YY
5) HTTP request to fac.xxzyzyzyy.YY/portal
6) HTTP redirect from FAC with 301 (moved) to instruct client to go to http://fac.xxzyzyzyy.YY/portal/
7) Same as 4)
8) HTTP request to fac.xxzyzyzyy.YY/portal/
You can of course save some step 6-7 if you add the / after your link.
A packet capture will help you greatly to see when the error comes up and what resource is requested, what port is the client then talking to and to want device.