I'm not sure I follow the whole flow, but I think the issue is that your custom service is not created correctly and you are then not using that service in your policy.
set service "Altigen" protocol tcp src-port 10032-10032 dst-port 10032-10032
set service "Altigen" + tcp src-port 10064-10064 dst-port 10064-10064
set service "Altigen" + udp src-port 5060-5060 dst-port 5060-5060
set service "Altigen" + udp src-port 10060-10060 dst-port 10060-65535
set service "Altigen" + udp src-port 49152-49212 dst-port 49152-49212
These all have the same ports for source and destination. Typically in your situation the source will be all ports 0-65535 and the destination ports will be the ones you have listed. The source device requesting the connection can be coming in on any port. But the request is always delivered to the expected port of the protocol.
Then based on your description I assume this is the policy rule meant to allow the connections.
set policy id 3 name "Phones" from "Untrust" to "Trust" "Any" "VIP(64.199.159.199)" "ANY" permit
This policy should reference you custom service name Altigen instead of any as the service in the policy.
Depending on the phone system and how it works you may also need to enable the alg for sip or h323.