The diagram below is my current configuration for 100Ds (soon to be replaced with 80Fs). Right now my Dell L2 switch (D1) is connected to interface 1 with 3 VLANs. I'm going to add a Cisco switch in case D1 fails; I'm thinking of doing a hardware switch for interfaces 1 & 2.
1. Do I need to configure a LAG in the FortiGate for that new hardware switch?
2. What is the preferred configuration for this scenario (without stacking, since D1 is old)?
3. Since I'm going to change from an interface to a hardware switch, do all policies have to be created again?
May I ask what the purpose of the D1 and C1 switches is? I realize this is a basic diagram, but it seems like you could almost get rid of them and just use the D2 stack, which would simplify your configuration tremendously as you could create LAGs to the upstream FortiGates.
In the current topology you cannot use LAGs, since the D1 and C1 switches are not communicating over a shared control plane.
If you have to use D1 and C1 as intermediate switches, be cautious about using a hardware switch, because now you are introducing a loop (e.g. between FG1, D1, D2, C1, FG1 and FG2, C1, D2, D1, FG2, etc.). You'll need to ensure STP is working to block interfaces. The FG can forward STP packets but will not participate in STP, in the sense that those two HW switch ports will not go into blocking state.
It's an odd topology, so let's start with figuring out if it's the best (or only) one to use. Then we can see how the FortiGates can be configured. Please provide feedback on your design for now.
I'm confused why you have edge switches between your core/distribution and your FortiGates. Edge switches would normally be between the FortiGate and the ISP routers.
Either way, if you can connect the FortiGates directly to the D2 stack, then you can have one LAG interface created on the FortiGate, with links split across the D2 stack switches (assuming those switches support multi-chassis EtherChannel).
This way you can lose one FortiGate and one of your D2 switches and still have connectivity.
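An added FortiOS CLI example of the design described in the reply above (a single LACP aggregate on the FortiGate with its members split across the D2 stack, and the existing VLANs carried as subinterfaces on top of it); this is not configuration posted by anyone in this thread, and the interface names, VLAN IDs and addresses are assumptions.

```fortios
# Assumed: port1 cabled to D2 member switch A, port2 to D2 member switch B,
# and the D2 stack configured as one multi-chassis LACP bundle toward this FortiGate.
config system interface
    edit "lag-d2"
        set vdom "root"
        set type aggregate
        set member "port1" "port2"
        # Actively negotiate LACP so a mis-cabled or non-bundled link is not silently used
        set lacp-mode active
        set lacp-speed fast
        # Keep the bundle up as long as one member survives (one FG link or one D2 switch can fail)
        set min-links 1
        set min-links-down operational
    next
    # Existing VLANs move from the physical port onto the aggregate; assumed IDs and addresses
    edit "vlan10"
        set vdom "root"
        set ip 10.0.10.1 255.255.255.0
        set allowaccess ping
        set interface "lag-d2"
        set vlanid 10
    next
    edit "vlan20"
        set vdom "root"
        set ip 10.0.20.1 255.255.255.0
        set allowaccess ping
        set interface "lag-d2"
        set vlanid 20
    next
end
```

Firewall policies reference the VLAN subinterfaces by name, so re-parenting them onto the aggregate keeps existing policies intact; after cabling, `diagnose netlink aggregate name lag-d2` shows whether both members negotiated into the bundle.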