when I build up a 2-stage firewall (edge + internal) with complete FortiGate (I know you should use 2 manufacturer) and the internet connection will terminate on the edge firewall. Which services (and licencing) you are using on the internal firewall? Do you also do webfilter on the internal firewall or do you use the security profiles only on the edge firewall?
You can configured webfilter app control only in the edge firewall and you can take license only in edge firewall for webfilter and app control since double scanning for web traffic and application is not required.
But for AV, IPS it is recommended to take license on both the FW( edge & core). You can implement AV, IPS in both the FW since virus transmission can also happen internal to internal traffic
Please let me know if any further query is there to answer
- it makes sense to have webfiltering on edge firewalls, as webfiltering deals with outbound user traffic
- other features such as AntiVirus, AntiSpam and IPS would also be suitable for internal firewalls
-> to isolate internal networks from each other
-> to prevent any malicious traffic/attack/whatever from spreading that somehow originated inside your network (like an infected USB drive for example)
For Application Control, you can consider if you also need to monitor/block application traffic in your internal network (for example VNC or TeamViewer or RDP) and whether it makes more sense to leverage this at the edge; you might want to apply Application Control both internally and at the edge.