This article lists the TCP and UDP ports used by the FSSO Collector Agent software, version 5.0.0276 and later.

For open ports of FortiGate and other products see.

More configuration on FortiGate.

UDP/8002 – DC Agent keepalive and push logon info to Collector Agent
TCP/8001 – FortiGate to FSSO Collector Agent connection (SSL)
TCP/8000 – FortiGate to FSSO Collector Agent connection
TCP/8000 – NTLM

TCP/135, TCP/139, UDP/137 – Workstation check, polling mode (fallback method)
TCP/445 – Remote access to logon events, Workstation check (remote registry)
TCP/389 – Group lookup using LDAP
TCP/636 – Group lookup using LDAPS
TCP/3268 – Group lookup using LDAP with global catalog
TCP/3269 – Group lookup using LDAPS with global catalog
UDP/53 – DNS for resolving hostnames of the logon events.

Be sure that the integrated Windows Firewall allows inbound connections to the FSSO Collector Agent.
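
One way to open only the required inbound ports on the Collector Agent host, as an added example that is not part of the original article or Fortinet's own tooling. The addresses are constructed placeholders, the rule group name is hypothetical, and the Domain firewall profile and the inbound direction of these three ports (read from the descriptions in the list above) are assumptions.

```powershell
# Added example (not Fortinet's own script). Run in an elevated PowerShell
# session on the Windows host that runs the FSSO Collector Agent.
# Addresses are constructed placeholders: replace them with your own.
$FortiGates = @('192.0.2.1')                 # FortiGate(s) that connect to the Collector Agent
$DcAgents   = @('192.0.2.10', '192.0.2.11')  # domain controllers running the DC Agent
$Group      = 'FSSO Collector Agent'         # hypothetical rule group name

# Inbound ports taken from the list above, each limited to the peers that use it.
$Rules = @(
    @{ Name = 'FSSO FortiGate to Collector Agent (TCP 8000)';     Protocol = 'TCP'; Port = 8000; Remote = $FortiGates },
    @{ Name = 'FSSO FortiGate to Collector Agent SSL (TCP 8001)'; Protocol = 'TCP'; Port = 8001; Remote = $FortiGates },
    @{ Name = 'FSSO DC Agent keepalive/logon push (UDP 8002)';    Protocol = 'UDP'; Port = 8002; Remote = $DcAgents }
)

# Remove rules left by a previous run so the script can be re-applied safely.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

foreach ($r in $Rules) {
    # Assumption: the host is domain-joined, so only the Domain profile is opened.
    New-NetFirewallRule -DisplayName $r.Name -Group $Group `
        -Direction Inbound -Action Allow -Profile Domain `
        -Protocol $r.Protocol -LocalPort $r.Port `
        -RemoteAddress $r.Remote | Out-Null
}

# Show what was created: port and permitted source per rule.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Protocol = $port.Protocol
        Port     = $port.LocalPort
        Source   = ($addr.RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize
```

Restricting each rule to its known source addresses keeps the Collector Agent's listening ports closed to every other host on the network.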

To test the connection from a FortiGate, run the following commands:
# diag debug enable
# diag debug auth fsso server
# exec telnet <CollectorAgentIP> 8000