Hi

In your case, as the hosts are grouped in floors, I think the quickest and simplest solution is to connect each Cisco switch to a different port of the FortiGate.

Then create 2 firewall rules as follow:

Rule 1 (restricted):

• Source intf: portX
• Dest intf: WAN
• Source: All
• Dest: IP or FQDN address object that identifies your Webmail location
• Service: HTTP, HTTPS
• Security profiles: Use defaults

Rule 2 (unrestricted):

• Source intf: portY
• Dest intf: WAN
• Source: All
• Dest: All
• Service: All
• Security profiles: Use defaults

Hope it helps.

If those SG350s are configured as just L2 switches, it's very simple.
1. Draw a diagram to have the connection from FGT to F2 SW, from F2 SW to F1 SW, then add both VLAN paths from the FGT to F2 SW as well as FGT to F1 SW via F2 SW.
2. configure two VLAN sub-interfaces on the physical interface of FGT-F2 SW at the FGT, with two different subnets.
3. configure F2 SW to "pass" the F1 SW VLAN from the port from FGT and the port to F1 SW, in addition to accepting the F2 SW VLAN
4. configure F1 SW port connected to F2 SW to accept the VLAN coming in.
5. configure proper sets of policies for F1-VLAN -> X1 and F2-VLAN -> X1 independently. 

As long as switches are L2 switch, they wouldn't be able to talk each others without coming through the FGT so if you don't create a policy for that at the FGT, they're never able to talk.
Once you drew the diagram, the steps above would become very obvious.

Toshi

I should have mentioned that the Floor 2 switch is connected to the Floor 1 switch and cannot physically be connected directly into the FGT.

So AEK solution won't work

Toshi_Esumi, these are just L2 switches, will try to configure what you described and report back if it'll work.

Thank you

Here is how to configure VLANs on FortiGate 600E and Cisco SG350 switches to keep floors separate

Step 1 Define VLANs on FortiGate 600E
Since FortiGate is the router and DHCP server, VLAN interfaces need to be configured

1 Log in to FortiGate GUI
2 Go to Network then Interfaces
3 Click Create New then Interface
4 Configure VLAN for Floor 1
- Name VLAN Floor1
- Interface X2 or the interface connecting to Floor 2 switch
- Type VLAN
- VLAN ID 10 example
- IP Netmask 192 168 10 1 and 24
- DHCP Server Enable
- DHCP Range 192 168 10 10 to 192 168 10 200
- DNS Use FortiGate or specify a preferred DNS
5 Click OK
6 Repeat the steps for VLAN for Floor 2
- Name VLAN Floor2
- Interface X2
- Type VLAN
- VLAN ID 20
- IP Netmask 192 168 20 1 and 24
- DHCP Server Enable
- DHCP Range 192 168 20 10 to 192 168 20 200
7 Click OK

Step 2 Configure VLANs on Cisco SG350 Switches
Each floor has its own Cisco SG350 switch, VLANs must be assigned and trunk ports configured

1 Log in to the Cisco SG350 switch Web GUI for Floor 1
2 Go to VLAN Management then VLAN Settings
3 Click Add and create
- VLAN ID 10
- Name Floor1
4 Click Apply
5 Repeat the process for Floor 2 switch
- VLAN ID 20
- Name Floor2

Step 2 Assign VLANs to Ports
1 Go to VLAN Management then Port to VLAN
2 Assign workstation ports to Access Mode
- Floor 1 Workstation Ports VLAN 10 Access
- Floor 2 Workstation Ports VLAN 20 Access
3 Assign the uplink port to FortiGate X2 as Trunk Mode
- Port connected to FortiGate Trunk
- Allowed VLANs 10 and 20
4 Connect the two Cisco SG350 switches together
- Choose one uplink port on each switch
- Set it as a trunk port carrying VLANs 10 and 20
- Enable Tagged VLANs for 10 and 20 on this port

Step 3 Configure Firewall Rules on FortiGate
To block communication between VLANs but allow internet access, firewall policies need to be created

1 Go to Policy and Objects then IPv4 Policy
2 Click Create New

Step 3 Block Inter VLAN Communication
1 Name Block Floor1 to Floor2
2 Incoming Interface VLAN Floor1
3 Outgoing Interface VLAN Floor2
4 Source All
5 Destination All
6 Action Deny
7 Click OK
8 Repeat the same rule but switch the incoming and outgoing interfaces

Step 3 Allow Internet Access for VLANs
1 Name Allow Floor1 Internet
2 Incoming Interface VLAN Floor1
3 Outgoing Interface WAN X1
4 Source All
5 Destination All
6 Action Accept
7 Enable NAT
8 Click OK
9 Repeat the rule for VLAN Floor2

Step 4 Apply Web Filtering and Internet Restrictions
If internet access needs to be restricted to specific websites, web filtering can be used

1 Go to Security Profiles then Web Filter
2 Create a new profile
- Enable Web Filtering
- Block specific categories or URLs
- Click Apply
3 Go to Policy and Objects then IPv4 Policy
4 Edit the Allow Floor1 Internet rule
- Enable Web Filter and select the created profile
- Click OK
5 Repeat for the Allow Floor2 Internet rule

Final Setup Overview
VLANs are configured separately on FortiGate and Cisco SG350 switches
Trunk ports are used to pass VLANs between FortiGate and switches
Firewall rules prevent VLANs from communicating while allowing internet access
Web filtering is applied to restrict access to certain websites

Testing
Check if VLANs are isolated
- Try to ping a workstation on VLAN 10 from VLAN 20
- The ping should fail
Check internet access
- Workstations should access the internet but follow filtering rules
Verify VLAN assignments
- Run show vlan on the Cisco SG350 to confirm VLAN configurations

Conclusion
VLAN 10 and VLAN 20 cannot communicate with each other
Both VLANs share the same internet connection
Internet access is filtered based on policies

Let me know if adjustments are needed