Hello!
I have a Fortinet 60D on a multi-VLAN network environment. Is it possible to make the below settings, where port 1 is a trunk for all VLANs, and on the other ports I can choose which VLAN to assign?

    PORT 2 (vlan 10) ----- DESKTOPS
    PORT 3 (vlan 20) ----- SECURITY CAMERA
    PORT 4 (vlan 20) ----- SECURITY CAMERA
    PORT 5 (vlan 50) ----- WIFI
    :::::::::::::::::::::::::::::::::::::::::::::::::::::
    ::::::::::      FORTINET FIREWALL          ::::::::::
    :::::::::::::::::::::::::::::::::::::::::::::::::::::
                  | PORT 1 of Fortinet (TRUNK PORT)
                  |
                  | <<< TRUNK CHANNEL (with all vlans passing through: 10, 20, 50)
                  |
    SWITCH (L3, ROUTING ENABLED)
                  |
    ...rest of the network...
I highly doubt that; the device is not a real L2 802.1Q switch. You can terminate VLANs 10, 20, 30, 40, 50 etc. on a sub-interface bound to a port, but to pass all VLANs collectively out a trunk port is not plausible.
Is this firewall running in transparent mode?
PCNSE
NSE
StrongSwan
emnoc wrote: I highly doubt that; the device is not a real L2 802.1Q switch. You can terminate VLANs 10, 20, 30, 40, 50 etc. on a sub-interface bound to a port, but to pass all VLANs collectively out a trunk port is not plausible.
Is this firewall running in transparent mode?
Yes, it is in transparent mode, since the switch is doing the VLAN routing.
I am able to create multiple subinterfaces on interface1 and assign IPs like 192.168.10.254 / 192.168.20.254 / 192.168.50.254. Then I changed the switch port to trunk mode and connected it to interface1 with those subinterfaces. It worked well for those machines connected to the switch that are in the same VLAN; they can ping the subinterfaces. But I don't know what I have to set on interface2 to interface7 to place the end devices on any of the 3 VLANs created before.
From your topology, you may try to set it up like below:
Enable VDOMs and create VDOMs, the same number as your VLAN number.
For example,
Create Vdom1, change it to TP mode, create a VLAN 10 interface on port1 (trunk port), assign it to Vdom1.
Assign port2 to Vdom1. Create a policy on Vdom1 permitting traffic port2->VLAN10.
Thanks.
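As an added worked example of the VDOM-per-VLAN approach in the reply above (this is not from the original post and not Fortinet's documentation): one transparent-mode VDOM that bridges the untagged desktop port (port2) onto VLAN 10 of the port1 trunk, so the HP switch keeps doing the routing and the FortiGate only filters at layer 2. Assumed names and values, none of which appear in the thread: VDOM "vdom10", VLAN interface "vlan10-trunk", management address 192.168.10.253/24, FortiOS 5.x CLI syntax. On a 60D, port2 must first be taken out of the "internal" hardware switch (see the later reply about "interface" mode). The same blocks are repeated per VLAN (vdom20 with port3 and port4, vdom50 with port5).

```fortios
# Added example, FortiOS 5.x CLI: one transparent VDOM per VLAN.
# Assumed names (not from the thread): vdom10, vlan10-trunk, manageip 192.168.10.253/24.

# 1. Enable multi-VDOM mode and create the VDOM for VLAN 10
config system global
    set vdom-admin enable
end
config vdom
    edit "vdom10"
    next
end

# 2. Put vdom10 in transparent mode. The manageip only administers the VDOM;
#    it is not a gateway, since the HP switch keeps routing between VLANs.
config vdom
    edit "vdom10"
        config system settings
            set opmode transparent
            set manageip 192.168.10.253/24
        end
    next
end

# 3. Interfaces are global objects: a tagged VLAN 10 sub-interface on the
#    port1 trunk plus the untagged access port, both assigned to vdom10.
config global
    config system interface
        edit "vlan10-trunk"
            set vdom "vdom10"
            set type vlan
            set interface "port1"
            set vlanid 10
        next
        edit "port2"
            set vdom "vdom10"
            set alias "DESKTOPS"
        next
    end
end

# 4. Transparent mode still enforces policy: without these two rules the
#    implicit deny drops everything bridged between port2 and the trunk.
config vdom
    edit "vdom10"
        config firewall policy
            edit 1
                set srcintf "port2"
                set dstintf "vlan10-trunk"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set logtraffic all
            next
            edit 2
                set srcintf "vlan10-trunk"
                set dstintf "port2"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set logtraffic all
            next
        end
    next
end
```

Because each VDOM is its own bridge, a desktop on port2 can only ever reach VLAN 10; reaching the cameras or the Internet still goes through the HP switch's routing, which is exactly why this design cannot filter between VLANs (the later replies address that case with routed mode).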
Trying to make the thing simpler, I followed this tutorial from Fortinet so that at least the different VLANs can access the internet: http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/VLANs.103.17.html
But even after following the procedure it is not possible to go out to the internet. I took some screenshots of my FortiGate and of my HP switch that has the VLANs and the routes pointing to the FortiGate.
(I made a more simple lab with just Vlan 10 and Vlan 20)
Suggestion
Try drawing a topology sheet with the ports and VLANs that you are using between the in/out members. This might give us a better example of what you're doing or trying to do.
PCNSE
NSE
StrongSwan
emnoc wrote: Suggestion
Try drawing a topology sheet with the ports and VLANs that you are using between the in/out members. This might give us a better example of what you're doing or trying to do.
First objective:
- PCs on VLAN 10 and 20 use ISP A
ON HP SWITCH:
- I created VLAN 10 with IP 192.168.10.1
- I created VLAN 20 with IP 192.168.20.1
- Assigned ports 10, 14 to VLAN 10
- Assigned ports 20, 24 to VLAN 20
- Assigned port 1 to trunk, tagged VLAN 10 and 20
[The switch created the VLAN routes itself after that]
- Then I created two default routes, pointing to the FortiGate subinterfaces, one for each VLAN:
  0.0.0.0 0.0.0.0 192.168.10.254
  0.0.0.0 0.0.0.0 192.168.20.254
[For some reason the route 0.0.0.0 0.0.0.0 192.168.20.254 does not appear in the routing page, but it is really set on it]
ON FORTIGATE:
- Created two VLAN subinterfaces: VLAN 10 = 192.168.10.254 and VLAN 20 = 192.168.20.254
- Created the addresses for 192.168.10.0/24 and 192.168.20.0/24
- Set WAN1 with the ISP A PPPoE settings
- I didn't touch the Static Routes options
- Created policies for VLAN 10 and 20 to go out to the internet by ISP A with NAT enabled
Try to set up the VLAN interfaces on the FGT's DMZ port; it should work.
The FG60D "internal" combines port1/port2... as a switch port by default.
Or you can remove the default policy/DHCP server/static routes associated with the "internal" interface, change to "interface" mode, then set up port1 as you mention. Thanks.
[The switch created the VLAN routes itself after that]
- Then I created two default routes, pointing to the FortiGate subinterfaces, one for each VLAN:
  0.0.0.0 0.0.0.0 192.168.10.254
  0.0.0.0 0.0.0.0 192.168.20.254
I wouldn't do this, but that's your call. I would just pass VLANs 10/20 through to the HP and use the HP switch as a layer 2 switch. The reason why only one of the two is in your HP route table is probably that it doesn't have an ECMP function and the lower IP address gateway, 192.168.10.254, is the preferred route.
Now back to your diagram: on the WAN port to ISP A, is your goal to pass these 2 VLANs 10/20 out through that port?
You answered my 1st question, whether this is a layer 2 transparent firewall:
Yes, it is in transparent mode, since the switch is doing the VLAN routing.
Is this not the case?
Emnoc is really confused ;) If this is a layer 2 transparent firewall design, your device would not be using "routing" for carrying customer traffic.
What I would do if VLANs 10/20/40/50 are to be carried is to
1: trunk them on your HP switch port #1
2: pass these out to the WAN1 port
Now if you really need NAT/routed mode, which I think is what you really need, then do what you have done already on the HP: terminate your SVI layer 3 interfaces for VLANs 10/20/40/50
and then place a /30 or whatever between HP port1 and FGT port1. Assign the FGT an address and the HP will use that as its next-hop gateway to ISP A. Then you can perform SNAT and controls from the HP internal LANs out to the internet (your FGT is the gatekeeper, per se).
This will not allow for filtering between VLANs localized to the HP. If you need filtering between VLANs defined on the HP,
e.g
allow wifi to desktop
allow desktop out to wan
but deny cameras to the wan
and allow wifi to the wan only
then you probably want the layer 3 interfaces nailed down on the FGT. You can do this with subinterfaces and VLAN tags,
e.g. (using port #1 on the FGT):
config sys int
    edit L3-10
        set vdom root
        set alias DESKTOP
        set type vlan
        set interface port1
        set vlanid 10
        set ip 192.168.10.254/24
    next
    edit L3-20
        set vdom root
        set alias SEC_CAMS
        set type vlan
        set interface port1
        set vlanid 20
        set ip 192.168.20.254/24
    next
    edit L3-50
        set vdom root
        set alias WIFI
        set type vlan
        set interface port1
        set vlanid 50
        set ip 192.168.50.254/24
    next
end
And on the WAN you configure your current L3 address that you posted earlier in the diagram. Then apply the correct firewall policies to allow traffic from VLAN to VLAN or VLAN to WAN.
Please advise if this makes any sense and what mode you are deploying, routed or transparent. I think you are really trying to do routed mode.
PCNSE
NSE
StrongSwan
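As an added worked example (not part of emnoc's post): the four filtering rules listed above, written as FortiOS 5.x firewall policies on the L3-10 / L3-20 / L3-50 VLAN sub-interfaces from the CLI snippet, with wan1 assumed to be the ISP A (PPPoE) interface. The address object names are my own. In this design the HP switch is a plain layer 2 switch for these VLANs (no SVIs, no default routes on it), otherwise hosts would have two gateways. FortiGate policies are matched top-down, first match, and anything unmatched hits the implicit deny at the bottom.

```fortios
# Added example (not from the original post): FortiOS 5.x policies for
#   allow wifi to desktop / allow desktop to wan / deny cameras to wan / allow wifi to wan.
# Assumed: sub-interfaces L3-10, L3-20, L3-50 exist as configured above; wan1 = ISP A.

# Address objects, so the policies do not rely on "all" for LAN sources
config firewall address
    edit "NET-DESKTOP"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "NET-CAMS"
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "NET-WIFI"
        set subnet 192.168.50.0 255.255.255.0
    next
end

config firewall policy
    # allow wifi to desktop: routed between two VLAN sub-interfaces, no NAT
    edit 1
        set srcintf "L3-50"
        set dstintf "L3-10"
        set srcaddr "NET-WIFI"
        set dstaddr "NET-DESKTOP"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # allow desktop out to wan, source-NAT to the wan1 address
    edit 2
        set srcintf "L3-10"
        set dstintf "wan1"
        set srcaddr "NET-DESKTOP"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    # allow wifi to the wan: same shape, different source VLAN
    edit 3
        set srcintf "L3-50"
        set dstintf "wan1"
        set srcaddr "NET-WIFI"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    # deny cameras to the wan. The implicit deny would already drop this;
    # an explicit deny policy makes the attempts visible in the traffic log.
    edit 4
        set srcintf "L3-20"
        set dstintf "wan1"
        set srcaddr "NET-CAMS"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Note what is not written: desktop to cameras, cameras to desktop, and anything from the cameras to wifi all fall through to the implicit deny. If the camera recorder on the desktop VLAN needs to pull video, that is one more accept policy from L3-10 to L3-20 restricted to the recorder's address and the camera service port, rather than reopening "all".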
Yes, the firewall is in NAT mode, sorry.
First I want to be able to do a really simple thing: just VLAN 10 and 20 going to the internet. See my tests:
- I set the HP with just one default route: 0.0.0.0 / 0.0.0.0 / 192.168.10.3, where this 10.3 is my wireless router that is connected to ISP A. Then I connected port 10 (VLAN 10 untagged) to the wireless router. What happened? The internet worked perfectly for machines on VLAN 10 and VLAN 20.
So what I did after that result: changed the Fortinet interface INTERNAL to 192.168.10.254 and removed all VLANs.
Then I connected the firewall to port 10 (VLAN 10 untagged) on the switch. I removed the previous default route from the HP and added a new one pointing to the firewall, 192.168.10.254.
I tried to add a route on the FortiGate > 192.168.10.0/24 to 192.168.10.1; it didn't work.
Created a policy "any any any any permit NAT"; it didn't work.
Created address 192.168.10.0/24; it didn't work.
Using the FortiGate CLI and executing "ping google.com", it pings normally, so the WAN interface is working well. Using ping from the HP switch to 8.8.8.8 doesn't work.
Making all these settings still doesn't work :(
I have to be able to at least connect something to the internet passing through the firewall, to then be able to do the other things that I asked about in the first post...
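An added worked example, not from any post in the thread, of emnoc's routed alternative (a /30 transit link between the HP's port1 and FGT port1, with the SVIs staying on the HP). It also shows the check a practitioner would want for the lab in the last post: in this design the FortiGate is only on the transit subnet, so it needs a static route back to every subnet the HP routes (192.168.10.0/24, 192.168.20.0/24, 192.168.50.0/24) via the HP's transit address. Without those routes replies have no path, and FortiOS's reverse-path check drops inbound packets whose source address has no route at all. The lab above only added a route for 192.168.10.0/24, so traffic sourced from VLAN 20 cannot get replies whatever the policy says; with that lab's addressing the same routes apply with gateway 192.168.10.1 and device "internal". Assumed values (mine, not the thread's): transit 10.0.0.0/30 with FGT 10.0.0.1 and HP 10.0.0.2, HP default route 0.0.0.0/0 -> 10.0.0.1, ISP A via PPPoE on wan1, FortiOS 5.x CLI on a 60D.

```fortios
# Added example, not from the original post. FortiOS 5.x CLI for a routed
# transit link between the HP L3 switch and the FortiGate 60D.
# Assumptions: 10.0.0.0/30 transit (FGT 10.0.0.1, HP 10.0.0.2); HP keeps SVIs
# 192.168.10.1 / 192.168.20.1 / 192.168.50.1 and a default route to 10.0.0.1;
# ISP A is PPPoE on wan1.

# 0. On a 60D, port1 belongs to the "internal" hardware switch by default.
#    Remove every policy, DHCP server and route that references "internal"
#    first (as noted earlier in the thread), then split the ports.
config system global
    set internal-switch-mode interface
end

# 1. Transit address on port1 (a /30 has exactly two usable hosts)
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.252
        set allowaccess ping
        set alias "HP-TRANSIT"
    next
end

# 2. Return routes. The FGT is not on the user VLANs, so each subnet the HP
#    routes must point back at the HP's transit address. Without these,
#    replies to 192.168.20.x have no route and packets from those sources
#    fail the reverse-path check before any policy is consulted.
config router static
    edit 1
        set dst 192.168.10.0 255.255.255.0
        set gateway 10.0.0.2
        set device "port1"
    next
    edit 2
        set dst 192.168.20.0 255.255.255.0
        set gateway 10.0.0.2
        set device "port1"
    next
    edit 3
        set dst 192.168.50.0 255.255.255.0
        set gateway 10.0.0.2
        set device "port1"
    next
end
# The default route towards ISP A is installed by PPPoE on wan1; verify with:
#   get router info routing-table all

# 3. One outbound policy with source NAT. Every VLAN arrives on port1, so any
#    per-VLAN control here can only be by source address, not by interface.
config firewall address
    edit "HP-LANS"
        # summary covering the three HP VLANs; tighten to the exact /24s
        # if other 192.168.0.0/16 networks exist behind the HP
        set subnet 192.168.0.0 255.255.0.0
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "HP-LANS"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

A quick way to tell a routing problem from a policy problem on the FortiGate: "get router info routing-table all" must list each HP subnet with the HP as next hop, and "diagnose sniffer packet wan1 'host 8.8.8.8'" must show the NATed echo request leaving wan1 when a VLAN 20 host pings; if the request never reaches wan1 while VLAN 10 works, the missing return route (not the policy) is the first thing to fix.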
Copyright 2024 Fortinet, Inc. All Rights Reserved.