Wow, thanks for showing me how little we know about the FortiGate 80E.

With that said, this is a remote site, have over 300Mbps WAN pipe.

Only looking to have all subnets /VLANS talk with each other.

We tried adding the VLANS under the primary LAN port in the FortiGate only able to talk to the one subnet defined on that port or the primary LAN on port 1, we created 3 sub interfaces as VLAN1, Vlan2, Vlan3 but the devices on the Cisco switches can't ping anything. not sure on the Policy to create for allowing all Subnets/IP's/VLANS to talk to each other each other. what are we doing wrong.

Thank you

Here's some docs on VLAN config: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/402940/vlan

So yep you'll need firewall policies to all all the traffic from each VLAN. So source int will be VLAN X and dst int will be VLAN Y (and vice versa most likely). If you don't have these policies defined, no traffic will flow. Also if you don't allow ICMP access on the VLAN interface, you won't be pinging the VLAN interface either.

I would be careful about pulling all your VLANs up to the FGT-80E especially if you WAN pipe is over 300mbps.

Do you need all your VLANs on the Firewall? You have a perfectly capable L3 switch right now which supports ACLs.

just to add my 2 cents...

If you need to connect/allow each VLAN to each other VLAN, then you will need a couple of policies. Pro tip: create the policy for one direction, then right click it in the policy table and "clone reverse". This cuts your effort by 50%.

As for the design, consider building an aggregate link of more than 1 interface to the switch. You don't have to assign it an IP address. Create your VLANs as subinterfaces of this trunk. This way, any VLAN can use the aggregated bandwidth if needed (i.e. for backup jobs).

Link aggregation uses the standard LACP protocol which (even) Cisco supports.

And yes, I admit the 80E is no burner with a max of 4 Gbps, but I've seen a lot of VLANs not utilizing nearly as much bandwidth as physically provided. IMHO even with routing the FGT should be fine.

If not, upgrade to an 100F or 200F.

Ok, reading the VLAN guide, this is great, sub interfaces created, assigned DHCP to give IPs, and this is working for the laptop/desktop's, created policy to allow VLAN 1 to talk with VLAN 3, and another to allow VLAN 3 to talk with VLAN 1, but we can't ping anything or SMB file shares. We even created Static routes then removed when they failed to work. What are we missing my friend, I'm shaking my head from left to right, the answer is there.

Thank you

Just to be clear when you say "this is working" are you referring to DHCP address assignment only? And no traffic is flowing between the VLANs at all?

If so let's make sure devices in VLAN 1 and VLAN 3 can ping the gateway address on the FortiGate.

Also let's make sure the 3750 is not getting involved anymore. That is, devices are not using it as the default gateway still. If so then the firewall won't work if only one half of the session is flowing through it. (broken session state).

Let's finally review your policies for VLAN 1 <--> VLAN 3. Can you please show screenshot or config snippet?

Hello, my friend, we did as you said, checked our work, and we found the mistakes, or missing items as you mentioned. Guess what, everything is working, Wow - have we thanked you yet, thank you so very much my new friend. Let me ask do you live in the US, if so allow us to show our appreciation by buying you lunch. or you chose how we can give you something in return.

Thank you 

We found one problem: all VMWare hosts not able to talk anymore, they are on the LAN gateway of the FortiGate firewall, not able to talk to anyone, do we need another policy for local LAN traffic to talk among themselves? 

After checking this new issue, looks like nothing on the Cisco 3750 switch can talk to the FortiGate firewall, not able to ping the LAN address of the firewall same subnet on 3750 has SVI IP address, firewall not able to ping the 3750 either. 

Thank you

Are VMWare hosts all on the same VLAN? Are they using the FortiGate as the default gateway? If they are all on the same VLAN they should be able to talk to each other as that traffic won't be filtered by the Fortigate (it will remain local to the switch as L2 traffic). If they are on different VLANs then yes you need policies on the FGT allowing the traffic in question.

You need to allow ICMP PING access on the FortiGate VLAN interface otherwise it will not respond to pings. Please ensure you have this enabled for any future testing.

If you are moving all your VLANs to the FortiGate firewall you do not need SVI IP addresses on the 3750 anymore. In fact this could be a source of conflict if some devices are using the SVI on 3750 as default gateway and some are using the VLAN interface on FGT as default gateway. Please check for conflicts there.