firewall between lan to lan

That will never work. As long as the users share the same network (same port on Fortigate and same network number), they will never see the Fortigate, and they will not be filtered/blocked with the policies. The only way I could think of is to use multiple IP addresses on the interfaces, and use internal and DMZ to accomplish this. The easiest way would be to pick up a low end router.

Think about it this way: If you remove the Fortigate, all the devices are now on the same network, and can see each other. The only way to stop the flow of traffic between them is to place them on different sides of a routing device, or change their network numbers so that they are in effect are speaking different languages. The only way the Fortigate can effect thier communication is if it sits between them somehow. If they plug into the same switch, you could separate them by VLAN, but by using the same subnets, they will see each other. This is assuming a class C subnet. If you used a split subnet (192.168.10.x/28), you could break them down as: 192.168.10.0/255.255.255.192 (1-62) 192.168.10.64/255.255.255.192 (65-126) 192.168.10.128/255.255.255.192 (129-190) 192.168.10.192/255.255.255.192 (193-254) They will not be able to see between the subnets, unless you make the appropriate changes on the Fortigate. I am assuming here that you will be giving each subnet the same privileges on the port, and using a straight 24 bit subnet on the port of the Fortigate, and that the Fortigate will treat the incoming addresses as such. I have never done this and I know that Crisco routers don' t do this well. It may work, or it may not. It' s just an idea that I had. Maybe someone out there has messed with split subnetting and can give more insight into this scenario. Good luck.