At a previous job we had a few sites with restricted outbound internet ports. You will be surprised how many are required for general internet access on a corporate network. There are a fair number of internet-based applications that end up using other ports. Our rule bases were different at the two sites: one had about 40-50 permitted ports, the other about 20-30. There were also more specific rules for particular applications with specified destination addresses.
We also then had to respond to and research tickets for "internet not working" and then get approvals to permit additional ports. These would be either general for the internet rule expansion or specific to an application or exception.
I was not there when it was first turned on, but I understand the process of discovering these ports was disruptive for users, as they are not well documented. But the result was stronger security for the site and a fuller understanding of what was being used from internet hosts.
To do the discovery, I would approach it like this.
Create the rule you suggest before the general internet rule (perhaps without FTP; this is a vector to egress data and might be better on a site-approved basis).
Monitor the general rule and see what other ports are in use, research the destination site/IP address, contact the users, and see whether it should be added to the general rule or tracked as an exception with a specific rule.
Keep going until there is virtually no traffic on the general rule, or only traffic you want to block. Then convert the permit to deny with log.
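The monitoring loop described in this answer (watch what still hits the catch-all permit, group it by port, decide whether each port belongs in the general rule or in a narrow exception, and flip the catch-all to deny once it goes quiet) is the kind of thing that is easier to keep honest with a small script than by eyeballing logs. The example below is added here and is not code from the original poster. The key=value log layout, the rule name GENERAL_INTERNET, the sample lines and the classification thresholds are all constructed assumptions; adapt the regex and the threshold to your own firewall's export.

```python
"""Summarise traffic still matching a general outbound permit rule.

Added example (not from the original post). Parses constructed firewall
log lines, groups hits on the catch-all rule by protocol/port, and
suggests a disposition for each port so the rule base can be tightened.
"""
import re
from collections import defaultdict

# Constructed sample log lines. The key=value layout and the rule names
# are assumptions; real firewalls use their own export formats.
SAMPLE_LOG = """\
2024-01-10T09:00:01 rule=GENERAL_INTERNET action=permit src=10.1.2.3 dst=203.0.113.5 proto=tcp dport=443
2024-01-10T09:00:02 rule=WEB_BASIC action=permit src=10.1.2.4 dst=203.0.113.9 proto=tcp dport=80
2024-01-10T09:00:05 rule=GENERAL_INTERNET action=permit src=10.1.2.3 dst=198.51.100.7 proto=tcp dport=5222
2024-01-10T09:01:11 rule=GENERAL_INTERNET action=permit src=10.1.2.8 dst=198.51.100.7 proto=tcp dport=5222
2024-01-10T09:01:15 rule=GENERAL_INTERNET action=permit src=10.1.2.9 dst=198.51.100.7 proto=tcp dport=5222
2024-01-10T09:02:30 rule=GENERAL_INTERNET action=permit src=10.1.2.3 dst=192.0.2.21 proto=tcp dport=21
2024-01-10T09:03:44 rule=GENERAL_INTERNET action=permit src=10.1.2.15 dst=192.0.2.40 proto=udp dport=123
2024-01-10T09:03:50 rule=GENERAL_INTERNET action=permit src=10.1.2.16 dst=192.0.2.40 proto=udp dport=123
2024-01-10T09:04:00 rule=GENERAL_INTERNET action=permit src=10.1.2.17 dst=192.0.2.40 proto=udp dport=123
2024-01-10T09:04:10 rule=GENERAL_INTERNET action=permit src=10.1.2.18 dst=192.0.2.41 proto=udp dport=123
"""

LINE_RE = re.compile(
    r"rule=(?P<rule>\S+)\s+action=(?P<action>\S+)\s+src=(?P<src>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+proto=(?P<proto>\S+)\s+dport=(?P<dport>\d+)"
)


def parse_log(text):
    """Yield one dict per parsable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def summarise_general_rule(text, rule_name="GENERAL_INTERNET"):
    """Group permits on the catch-all rule by (proto, dport).

    Returns {(proto, dport): {"hits": n, "srcs": set(...), "dsts": set(...)}}.
    Traffic already matched by a more specific rule is ignored.
    """
    summary = defaultdict(lambda: {"hits": 0, "srcs": set(), "dsts": set()})
    for rec in parse_log(text):
        if rec["rule"] != rule_name or rec["action"] != "permit":
            continue
        entry = summary[(rec["proto"], rec["dport"])]
        entry["hits"] += 1
        entry["srcs"].add(rec["src"])
        entry["dsts"].add(rec["dst"])
    return dict(summary)


def classify(summary, broad_src_threshold=3):
    """Suggest a disposition for each port still using the general rule.

    The heuristic is an assumption, not the poster's rule: many internal
    hosts talking to many destinations looks like general internet use;
    many hosts to one destination looks like a specific application rule;
    a handful of hosts needs a chat with the users before deciding.
    """
    decisions = {}
    for key, entry in summary.items():
        if len(entry["srcs"]) >= broad_src_threshold and len(entry["dsts"]) > 1:
            decisions[key] = "candidate for general rule"
        elif len(entry["srcs"]) >= broad_src_threshold:
            decisions[key] = "many users, single destination: specific rule"
        else:
            decisions[key] = "few users: investigate, then exception or block"
    return decisions


def ready_to_flip(summary, max_hits=0):
    """True when the catch-all rule sees at most `max_hits` permits in the
    window, i.e. it is time to convert it from permit to deny-with-log."""
    return sum(e["hits"] for e in summary.values()) <= max_hits


if __name__ == "__main__":
    summary = summarise_general_rule(SAMPLE_LOG)
    for (proto, port), verdict in sorted(classify(summary).items()):
        e = summary[(proto, port)]
        print(f"{proto}/{port}: {e['hits']} hits, {len(e['srcs'])} sources, "
              f"{len(e['dsts'])} destinations -> {verdict}")
    print("general rule ready to flip to deny:", ready_to_flip(summary))
```

Run it against a day or a week of exports at a time; the `ready_to_flip` check is what tells you the last step of the procedure (permit becomes deny with log) is safe, and keeping the log on the new deny rule means anything you missed shows up as a denied hit rather than a silent failure.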