Hardware switch ports are no different from ordinary physical ports in that respect. That is, if you use the port "as is", it's untagged and not part of a VLAN. If you create a VLAN with the switch as the base port, it will tag the traffic with the specified VLAN ID.
More or less. It's something that really commonly throws people, but VLAN 1 is not actually tagged. Once you're doing VLANs, typically the most sensible thing to do is start making all the ports on your switch bind to a specific VLAN and only allow 1 to be present on the ports connecting switches to other switches or any devices where LLDP and STP should still do their jobs to minimize mayhem and confusion. Basically, VLAN 1 should become a "human free zone" and everything that isn't switching equipment should be talking inside different VLANs.
If you're trunking (where multiple VLANs share the same segment because they're all encapsulated) your ports and including VLAN 1 in the list, that's probably where things are going wrong because traffic is being allowed to freely go from other VLANs to VLAN1, which then goes pretty much everywhere.
It's best to think of the HW Switch on a FortiGate as a simple bridge. It's not a fully-featured switch. Do not treat it the same way as you would a standalone switch. HW Switch just means all the ports are bridged together. You can also add VLAN tags to the bridge so any downstream devices sending tagged traffic will get handled appropriately by the bridged ports.
Layer2 PortChannels are also not really a thing. You can create a new LACP interface with multiple ports but this removes the ports and the LACP from the HW switch. You could re-join all of these ports together by using a software switch but this is terrible for performance.
So again, it's best not to treat the ports on a FortiGate as a standalone switch. Yes, you can bridge them together but switching is best left to dedicated downstream network switches.
So, back to your loop. Can you provide us a brief summary of your topology? Do you have two switches connected to your FGT? And those switches are interconnected as well? If so you'll need to enable STP to ensure one of the links is blocked.
A software switch processes all of its traffic on the FortiGate CPU. A hardware switch processes all of the traffic on the switch fabric bypassing the CPU. You will most likely kill the CPU if you are running a bunch of traffic over the switchports in a software switch.
Layer2 PortChannels aren't a thing because by default when you create a new interface on a FortiGate it is typically a L3 interface. The FortiGate is a router, not a switch. You can create a PortChannel with no address info but you can't join it to a hardware switch. You can create a software switch, however, and join it all together that way.
Another alternative you can consider, depending on your hardware, is using a VLAN Switch. This might help with what you want to do:
Unlike Cisco switches, if you create a new interface on an FGT as VLAN and set vlanid 1 like below, it's a tagged interface. Only the parent interface, in your case "internal", is untagged. The hard-switch doesn't support "native VLAN" either. The FortiSwitch (FSW) or VLAN switch with most "F"-series FGTs support the native VLAN.
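The distinction the two replies above turn on (an untagged frame landing in the native VLAN versus a frame that carries an explicit 802.1Q tag with VID 1, and why a trunk that also allows VLAN 1 leaks management traffic) can be seen on the wire. The following is an added example, not code from this thread or from Fortinet: it builds constructed sample frames, parses the 802.1Q tag, emulates trunk-port ingress with an assumed native VID, and flags a trunk allowed-list that still carries VLAN 1.

```python
import struct
from typing import Optional

ETHERTYPE_8021Q = 0x8100  # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

def build_frame(dst: bytes, src: bytes, vid: Optional[int], payload: bytes = b"") -> bytes:
    """Constructed sample frame: Ethernet header, optional 802.1Q tag (PCP 0, DEI 0), IPv4 ethertype."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload

def parse_frame(frame: bytes) -> dict:
    """Return whether the frame carries an 802.1Q tag and, if so, which VID."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != ETHERTYPE_8021Q:
        # No tag at all: this is what "VLAN 1 is not actually tagged" looks like on a Cisco trunk.
        return {"tagged": False, "vid": None, "ethertype": etype}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    # TCI: 3 bits PCP, 1 bit DEI, 12 bits VID. A FortiGate VLAN interface with vlanid 1 emits this.
    return {"tagged": True, "vid": tci & 0x0FFF, "ethertype": inner}

def ingress_vlan(frame: bytes, native_vid: int, allowed: set) -> Optional[int]:
    """Emulate trunk-port ingress: untagged -> native VID; tagged -> VID if allowed, else dropped (None)."""
    info = parse_frame(frame)
    if not info["tagged"]:
        return native_vid
    return info["vid"] if info["vid"] in allowed else None

def audit_trunk(allowed: set, native_vid: int = 1) -> list:
    """Flag a trunk whose allowed list carries the native/management VLAN alongside user VLANs."""
    findings = []
    if native_vid in allowed and len(allowed) > 1:
        others = sorted(allowed - {native_vid})
        findings.append(f"VLAN {native_vid} is allowed on a trunk together with user VLANs {others}")
    return findings

if __name__ == "__main__":
    dst, src = b"\x01\x02\x03\x04\x05\x06", b"\x0a\x0b\x0c\x0d\x0e\x0f"  # constructed MACs
    print(parse_frame(build_frame(dst, src, None)))  # untagged
    print(parse_frame(build_frame(dst, src, 1)))     # explicitly tagged VID 1
    print(audit_trunk({1, 10, 20}))
```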