With just over a year of hands-on experience, I still have a great deal to learn regarding FortiGate configuration, so I'm hoping to hear from some experts regarding how to use FortiGate as a core switch. I'm managing about 40x FortiGate firewalls (mostly 200F) at a moderately sized school board with 40 elementary and secondary schools. The configurations were set up by one or more predecessors before I took over the responsibility. For the most part, we only have a single ISP link and a single internal switch link on each FortiGate. Depending upon the size of the site, we could have anywhere from 1-5 campus switch stacks at each site with anywhere from 2-6 switches per stack. The largest site would have about 18 switches across 4x switch stacks. All switch stacks are aggregated with a core switch stack where there is a single uplink into the firewall. Layer 3 switching (routing between VLANs) is done on the FortiGate firewall. OSPF and BGP are not currently in use, although we could move towards OSPF eventually. For now, all routes are static.
Questions:
If we were to connect all switch stacks directly into the FortiGate, bypassing the core switch stack (so as many as 18x switches across 5 switch stacks uplinked to one FortiGate), what do we need to consider regarding bandwidth, CPU, and memory capacity on the FortiGate? If we're already doing the Layer 3 switching on the FortiGate, would we be introducing additional load on the 200F? One extra load might be any inter-VLAN traffic. I mean any traffic within the same VLAN. For example, if all students are on VLAN50, currently this traffic would not be leaving the switch layer. Furthermore, most traffic should be north-south and not east-west.
If there are no major concerns with the aforementioned design, what might the best practices be to set up the FortiGate? Do we use the switch capability within the FortiGate or do we set up individual zones?
Hope some experts can help.
Thank you in advance.
Bill
Since there are many switches (18) in the network, I would suggest not removing the distribution layer from the network design. You can check further in the topology section of the FortiLink guide for possible topologies that may apply to this network.